Amid fresh threats by ISIS against the US and its allies this week, worries about what the well-financed and social-media-savvy militant group could do in the cyber realm have triggered debate over whether ISIS ultimately could or would disrupt US critical infrastructure networks.
ISIS has made no specific threats to US critical infrastructure, and no one knows for sure whether the militant group has any plans for a cyber attack against US interests or even the technical capabilities to pull it off. Even so, US officials are keeping a watchful eye on ISIS' movements in the digital realm: NSA director Michael Rogers last week hinted that the agency is monitoring this. "We need to assume there is a cyber dimension in every area we deal with," Rogers said in a speech at a Washington conference.
Meanwhile, ICS/SCADA security experts dismiss dire predictions in some circles that ISIS -- or any other group -- could ultimately "take down" or significantly disrupt the US power grid via a distributed denial-of-service (DDoS) or other type of cyber attack. "The power grid isn't something you send a command to and it crashes. It has survived" nature and other events over the years, says Eric Byres, CTO and vice president of engineering at Belden's Tofino Security Products. "Even with the attack on the substation in Metcalf, Calif., the power stayed up," he says, referring to the bizarre April 2013 sniper attack there that took out 17 transformers.
The power grid is highly distributed and built with Mother Nature's fickle whims in mind, with plenty of redundancy and backup. "What is often lost is that this industry understands in a real way what's resilient. They know there are going to be equipment failures, [and] Mother Nature," says Patrick Miller, founder, director, and president emeritus of Energysec.org. "It's virtually impossible to cause a widespread outage."
Former US Department of Homeland Security counterterrorism official John Cohen says ISIS's preferred and flashy use of social media for recruitment, its graphic video productions of hostage executions, and its ability thus far to amass significant funding -- hundreds of millions of dollars by some estimates -- make ISIS a potential cyber attack threat. Cohen says he's not seen any information suggesting ISIS is targeting the US power grid.
"I would be concerned if they were able to attract" cyber experts who could execute cyber attacks, says Cohen, who is chief strategy advisor at Encryptics. "From the standpoint of a security person, even if I don't have specific intel about a specific threat or plot underway, I have to look at all factors if I'm going to be prudent and establish the capacity to mitigate this type of threat."
Concerns over ISIS's cyber capabilities recently were raised publicly by some former government officials. Peter Pry, executive director of the Task Force on National and Homeland Security, told multiple media outlets that ISIS has made contact with a major Mexican drug cartel that once took down a power grid in its native Mexico, and the US should prepare for such a threat.
The ICS/SCADA community considers nation-states or other technically sophisticated attackers the main threat to industrial systems and plants. There are plenty of weaknesses in the security chain of ICS/SCADA environments, so hacking into an ICS system that runs centrifuges or other processing equipment is possible. But inflicting real damage on a plant, such as forcing centrifuges to slow or speed up dramatically, would require inside knowledge of the plant as well as plenty of engineering know-how, notes Dale Peterson, founder and CEO of Digital Bond.
"What we see that's misunderstood is the engineering and automation skills needed to do real damage. We've seen these things are fragile and insecure … It's not difficult to gain access to many critical infrastructure systems -- a simple spear [phishing exploit] and pivot" can crash a control system, for instance, he says.
But real physical damage would require engineering expertise, such as understanding how the targeted centrifuges operate, Peterson says. "But if you get the right team, with an engineer who understands how to program it, and a hacker, then it's not that hard to do" damage, he says.
Renowned Stuxnet expert Ralph Langner says he doesn't believe ISIS would spend its time and money on cyber attacks against the US power grid when it appears to prefer more violent acts against people. Plus, the power grid would be less of a terror target than, say, a chemical plant, which could potentially incur more physical damage and casualties, he says.
Those sites are vulnerable to a sophisticated attacker, says Langner, founder of Langner Communications. There's a misconception in some of those sites that the safety logic in their systems protects against cyber attacks, he says. "That's nonsense," Langner says. A station controller system may be able to shut down a plant in a safe manner, but that doesn't mean it can't be hacked by a sophisticated nation-state actor, he notes.
Craig Guiliano, senior threat specialist at security consultancy TSC Advantage, considers ISIS a legitimate cyber threat, pointing to reported claims of ISIS building a "cyber caliphate" and its own encrypted software. "They are pouring money into developing that type of cyber offensive capability," Guiliano says. "They have made good on their promises … If there's any group on the world stage where you have to take them at their word, it would be ISIS."
The bottom line is that most software has flaws that attackers can exploit, and ICS/SCADA systems in power plants, manufacturing sites, and other utilities run vulnerable systems, security experts say. "Whether ISIS has the means to pull off something is an open question. What is clear is that fundamentally, all software can be hacked," says Andrew Ginter, vice president of industrial security at Waterfall Security.
Some major ICS/SCADA vendors are getting better about issuing fixes for software flaws, but the actual patching of ICS/SCADA systems remains the exception rather than the rule. Industrial plant operators are often hesitant to apply patches -- or make any software changes -- for fear of disrupting operations, which is the priority in manufacturing, power-plant generation, and other industrial environments.
"Every change to software is a threat to safety and reliability" of the plant, Ginter says.
Take Belden's Tofino Security, which four years ago offered a free upgrade to its Tofino Industrial Security System version 1.6 that included a security patch to all users -- even those not under a support contract -- who downloaded it within 30 days. "After 30 days, nobody was downloading it," recalls Belden's Byres, so the company reached out by email and added another 30 days to the offer. "It was super-frustrating for us," he says: fewer than a third of users had downloaded it by the end of the two months.
"We're not sure if anyone installed" the patch, he says.