Cyber Safety Risk: Fact or Fiction?
Is the long touted cyber risk to critical transport infrastructure finally becoming real?
Welcome to the first edition of Tech Safe Transport.
New content will be arriving on a fortnightly basis – I really hope it hits the mark, and please pass on the link to anyone and everyone who might like to get on board.
I’ll be covering a range of topics looking at issues like software safety assurance in the wake of the 737 Max plane crashes and the challenge of making self-driving cars and trains safe. My aim is to engage you on the latest developments (whether you’re a technical expert or not) and point you in the right direction if you want to dig a little deeper.
This first edition is a dive into the current status of transport infrastructure cyber security risk, and in particular what the SolarWinds cyber breach might mean in practice.
But before you start reading don’t forget to subscribe so that you’ll be sure to get part 2…
Did Hollywood get it right after all?
Watching old movies over the Christmas and New Year period, I was reminded that the dramatic, dangerous potential of cyber threats has been long touted. From the surprisingly plausible breach of a military supercomputer in 1983’s ‘War Games’ to the sight of John McClane’s truck being attacked by a hacked F-35 Lightning in 1995’s ‘Die Hard with a Vengeance,’ the cyber threat to critical infrastructure has been a disaster movie staple for decades. Hashed Out’s recent list of the 40 best ‘hacker’ movies of all time even listed ‘The Italian Job’ – which was released before the Beatles broke up – as a cyber-crime classic.
Watching these old lo-fi film depictions – with all of their flaws and exaggerations – might breed complacency and the idea that the threat was always overblown science fiction that would never really materialise. But sci-fi often gets it right in the end – look at the flip phones and Zoom-style video calls in Star Trek. So the questions are: will serious cyber events of the type depicted in the movies actually occur? And if so, how and when? As we begin 2021, how significant is the cyber security risk? And how seriously should those in transport sectors be taking it?
In early July 2020, it was reported that the transition to home working as a result of COVID (and the more lax cyber security practice that came with it) had led to a 72% increase in ransomware attacks. In such an attack, the criminal remotely accesses an IT network and encrypts key data, offering to decrypt it on payment of a ransom (usually paid in bitcoin). The attacker also threatens to publish private company information online as an additional incentive to pay. Although payment of such ransoms is strongly discouraged, it does regularly happen. Ransomware is a really significant business and is increasingly professionalised. We now see ‘ransomware as a service,’ where developers sell or lease hacking tools to criminals with little technical skill, who then use them to perform an attack. High profile companies – including major transport companies – have been caught by such methods, and we can expect to see continued growth in this and similar threats in 2021.
Many draw a clear distinction between attacks on business IT networks by financially motivated criminals and attacks on critical infrastructure by nation states, and find some consolation in this. But the distinction is actually a very blurry one: the UK’s National Cyber Security Centre (NCSC) has confirmed its view that the North Korean government was behind the WannaCry cyber attacks in 2017 that caused widespread devastation, including major disruption to Deutsche Bahn and the German railway network. It is also the case that a persistent actor can often find a way to hop from a business network to operating technology, even if it involves tricking or co-opting humans into the attack.
Consolation is also sometimes drawn from the assumption that serious attacks on critical national infrastructure would only occur during an overt and open war between nations. But history shows that the reality is again more opaque than this. Nation states are prepared to use such capabilities where they see a strategic interest; when and where a war begins is often only really understood with hindsight. It is also the case that cyber attacks are difficult to attribute, making a proportionate response difficult for nations that abide by international law. The ‘BlackEnergy’ malware that remotely shut down 30 power stations in a carefully coordinated attack against Ukraine in 2015 has been attributed to the ‘Sandworm’ group of hackers – the nickname given to Russian cyber military unit 74455 – but the Russian government has never acknowledged this, even though the Russo-Ukrainian War began a year before the attacks. Going further back, neither the US nor Israel has admitted to being behind the ‘Stuxnet’ attack on the centrifuges of the Iranian state nuclear programme in 2010, although it has been strongly asserted that this was the case. Major infrastructure attacks – like BlackEnergy and Stuxnet – suddenly expose and inadvertently spread enhanced capability, and the understanding of the risk suddenly ramps up too.
One way of considering the current environment is that there is a quiet cyber arms race underway, with rogue nation states earning both revenue and cyber intelligence from ransomware attacks. Both of these fruits are food for their more advanced and potentially catastrophic cyber-attack capability. Such overt attacks – which are the closest we can envisage to the sorts of events depicted in ‘disaster movies’ – are generally held in reserve. But we can be almost certain that the capability is steadily and rapidly developing in tandem with the growth in ransomware attacks. It is also the case that corporate cyber security companies continue to grow on the NASDAQ in proportion to the growing threat. It’s not clear that anyone is currently able or willing to put the brakes on this escalation of capability.
Robert Lee, the founder of Dragos Security, talks about this dynamic and where the risk will ultimately land, in the excellent book ‘Sandworm’ by WIRED journalist Andy Greenberg.
There will be a rush for [nation states] to build these capabilities. And the losers will be civilian infrastructure owners.
So the general environment is one of real and rising infrastructure risks, which are very much fact, not fiction. Those of us with a safety background know the drill here well: we need to make our best estimate of this risk and act accordingly.
SolarWinds
Bringing us bang up to date, the big news story in the cyber world as we transition into 2021 is the ‘SolarWinds’ cyber breach. The emerging story here shows many of the points described above in frantic action.
In mid-December, the Washington Post reported that multiple government agencies had been breached through SolarWinds’ Orion software. SolarWinds reported that hackers had managed to fake the digital certificates used to control access to networks. From as early as March 2020, they were able to roam freely, undetected, among a vast number of critical and secret computer networks, including the US Treasury Department and the US Department of Homeland Security. With a nod back to the movie ‘War Games,’ the US nuclear weapons agency was even reported to have been breached. The Russian Foreign Intelligence Service (SVR) was said to be behind the attack.
The U.S. Cybersecurity and Infrastructure Security Agency stated that the breach:
poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.
The scale and impact of this takes time for the brain to process; in addition to the government agencies, at least 18,000 organisations were hacked. Once inside, the hackers have been able to scout for intelligence and IP at their leisure, harvest access credentials to dig even deeper into systems and may well have inserted back doors for future action. Breaches of this scale undermine assumptions about the separation of standard IT infrastructure from critical ‘Operating Technology.’ An adversary can play the long game, with secret malware biding its time to jump from network to network.
One thing in particular that caught my eye was the news that one of the victims of this attack was the cybersecurity firm FireEye. Alarmingly, they disclosed that their ‘Red Team tools’ had been stolen. A Red Team is a group of security professionals who mimic a potential adversary’s attack or exploitation capabilities in order to test an organisation’s defences. For them to do their job well, they must use the latest attack methods and be at the cutting edge of capability. All of that FireEye capability is now in the hands of those it was supposed to be defending us against. It’s clear to see that this breach alone could rapidly escalate the cyber threat to critical infrastructure.
There seem to be two schools of thought in the media commentary around the SolarWinds breach. One is that the attack is an act of war. Senator Chris Coons of Delaware was quoted as saying:
It’s pretty hard to distinguish this from an act of aggression that rises to the level of an attack that qualifies as war. [T]his is as destructive and broad scale an engagement with our military systems, our intelligence systems as has happened in my lifetime.
The other opinion is that this is just routine espionage: these types of breach occur all of the time, and the Western powers are equally likely to be undertaking similar surveillance of what are seen as the hostile actors: Russia, Iran and North Korea. Although this latter point is perhaps true, it provides little reassurance to those responsible for critical infrastructure – it simply shows that the cyber domain is one of immense uncertainty, with governments everywhere continually upping the ante.
Unfortunately there’s no John McClane to singlehandedly take out the terrorists in the real world. What is needed is a group effort, based on clear strategy, coordination and long term commitment. Transportation infrastructure is classified as critical for a reason: it is expected to be of interest to hostile actors. It is sometimes said that there are easier ways to cause a train or airline accident than through complex cyber attacks. But that doesn’t factor in the plausible deniability that comes with a remote attack. Attacks don’t have to lead immediately to accidents either: major operational incidents have been known to create considerable ‘knock-on’ risks like panic and overcrowding. As transport sectors rapidly embrace digitalisation and inter-connectivity, they are in danger of exposing an unprotected underbelly that is ripe for attack.
In the next issue…
And in true Hollywood serial style, having shown the imminent threat, that’s where I have to leave things until the next instalment on 22 Jan.
I’ll be picking up with part 2 of the story; taking you through my views on the state of cyber risk in various transport sectors and setting out some broad themes for how each will need to go about the challenge of building robust systems and behaviours. Please subscribe to make sure you get it.
Thanks for reading
I hope you enjoyed the first edition of Tech Safe Transport. All views are my own and I don’t assume you will agree with much (or even any) of what I say. I’m always open to feedback in the interests of sharing and shaping ideas; if you have any thoughts or comments please feel free to send me a message on Twitter. And last, but by no means least, many thanks to my necessarily ruthless editor, Nicola Gray.