
Modern field guide to security and privacy

If hackers cause a blackout, what happens next?

An effort is underway to map potential fallout from damaging cyberattacks on US critical infrastructure to aid first responders in the case of a major assault.

Photo: Carlos Barria/Reuters

If hackers take out a local power station, the electricity may go out. But what else might happen?

Could harmful software spread? Would water systems stop functioning? Will hospitals need power generators? What else could malicious hackers hit after turning off the lights?

That's what two veteran cybersecurity researchers are setting out to discover. In a bid to help emergency responders mitigate potential damage after digital assaults on such industries as power suppliers, water facilities, or chemical factories, they're attempting to chart the chain reactions of cyberattacks.

"What is the impact of somebody coming in and hitting a regional portion of the power grid and taking it down?" asks Brian Biesecker, a 30-year veteran of the National Security Agency who now works for Esri, a mapping software firm. "That impacts not only the power grid, but also all of your ability to provide pumping for your water, all your emergency services ... all of these various cascading effects."

No one has ever mapped the earthly reverberations of cyberattacks on a large scale, says Mr. Biesecker, who teamed up with Shane Cherry, an infrastructure analysis and technology manager at the Department of Energy's Idaho National Laboratory, to map the likely ripple effects of hacks.

The effort is expected to last three years and is funded by the Energy Department and Esri. Biesecker and Mr. Cherry will rely on standard mapping techniques and geographic language in hopes of broadening the understanding among the various stakeholders (technologists, cybersecurity specialists, business executives, and government officials) about the full effect of cyberattacks.

Experts have so far pinpointed only a handful of malicious hacks that have caused physical damage. One of the most significant and well documented was the attack on the Ukrainian power grid in December 2015.

The unprecedented attack there left 225,000 residents in the dark for several hours. The assailants, who some experts say were Russian government proxies, targeted systems at three Ukrainian power companies. Simultaneously, the perpetrators clogged telephone networks by directing an army of infected devices to make bogus calls, thereby preventing legitimate calls from getting through.

After the Ukraine grid hack, NSA Director Adm. Mike Rogers said that it's a "matter of when, not if" a nation-state attempts a similar cyberattack against US critical infrastructure. What's more, Homeland Security, the head agency for defending US private sector and civilian government networks, has warned all industries to be on guard for digital abnormalities in their systems to prevent or minimize any potential outages.

"This type of attack can happen in any critical infrastructure company across all sectors," Ret. Brig. Gen. Gregory Touhill, former DHS deputy assistant secretary for cybersecurity and communications, said of the Ukraine episode at a Washington cybersecurity conference in April. He was named the first-ever US Chief Information Security Officer in September.

One of many challenges with this geography project is that the spread of malware across a network, let alone a region, is hard to forecast, as are the malicious computer commands of an unknown adversary, say Biesecker and Cherry.

With hurricanes, weather models predict the path of the storm, says Cherry. But, he says, "when you are talking about people who are trying to do harm via cyber means, it's as much an art as it is science. So it's very hard to predict what pathways they are going to take."

While the cybersecurity industry may be good at detecting cyberattacks, figuring out how to contain them has continued to vex specialists. "The bottom line is that we don't fully understand the effects that a cyberattack may have on a system, such as a water treatment or distribution facility," says Cherry.

For instance, during an apparent hack that could have become a public health issue, activists with ties to Syria, at least twice, adjusted the amount of chemicals used to treat tap water in an undisclosed country, according to a March Verizon Security Solutions report. The incident occurred at some point during the past eight years at an unnamed plant, when the hacktivists broke into an insecure Internet-connected control system. While they managed to handicap production so that it took longer to replenish water supplies, the facility was able to swiftly reverse the tinkering with minimal customer impact.

Other pockets of the US government and industry also are trying to visualize the potential physical world repercussions of a cyberattack, on a smaller scale.

For example, the  expects to deploy a "virtual test bed of the cyberthreats" by September 2021. It'll involve geographically dispersed networks of an unnamed energy sector entity and explore how the outcomes of a digital attack affect "the resiliency of the Air Force mission," according to a Sept. 26 contracts notice.

Sue Gordon, second-in-command at the National Geospatial-Intelligence Agency, says she has challenged her staff at the US spy mapping agency to consider how the link between digital activity and physical space could be useful to the defense and intelligence communities.

"No answer to that yet. But it's a great question," says Ms. Gordon. "There are too many people that think that cyber is its own domain and quite frankly everything resolves to physical."
