I recently published a white paper describing some unconventional threats to utility infrastructure. In addition to rather unusual (but potentially devastating) threats such as coronal mass ejections from the sun, electromagnetic pulses and space debris, the paper also talks about threats to utility infrastructure from cyber warfare and cyber terrorism. If you think that power grids, water networks, railways and airports are not vulnerable to such threats – then you had better read the white paper!
Since that paper was written, there has been a cyber attack on Istanbul Airport’s passport control system. Airports are massive users of IT, and it’s heavily interconnected, so this attack surely demonstrates the very real possibility that an airport could be shut down by a cyber attack. At the Black Hat conference in Las Vegas last July, Trend Micro threat researcher Kyle Wilhoit demonstrated that critical utility infrastructure is not only vulnerable to attacks, but has already been targeted – with power grids and water plants being particularly vulnerable. Just recently, the BBC devoted an episode of their “Click” technology program to the same issue. Utilities may not be particularly exciting, but life without them would be very difficult indeed.
Of course, utilities are fully aware of their responsibilities. However, there can sometimes be a focus on threats that have been a problem in the past rather than those that might be a problem in the future. Furthermore, disaster recovery plans are often based on the implicit assumption that damage is constrained to one system or one geographical area. The white paper challenges such comfortable assumptions.
The tendency of technologies to build on other technologies means that the failure of something like the electricity grid or the GPS system can create a domino effect that spreads far beyond the original problem. It was the failure to recognise systemic risks in a highly-interconnected system that led directly to the financial crisis of 2008. As was the case with the banks in 2008, many disaster recovery plans are likely to be of little or no value when confronted with new or unusual threats – such as those discussed in the white paper.