Critical infrastructure refers to physical and cyber assets so vital to a nation or organization that their incapacitation would have a debilitating impact. This includes sectors like energy, water, transportation and communications. The document outlines growing threats to critical infrastructure from both physical attacks and cyber incidents. It notes recent attacks on energy facilities, water systems and rail networks. While governments set standards, ultimate responsibility lies with infrastructure owners to assess vulnerabilities, design security into new systems, and partner through information sharing on threats and responses.

1. Potential Impact of Cyber Attacks on
Critical Infrastructure
John S Kendall
Director of Public Sector and Security Programs
Unisys Asia-Pacific

2. Outline
Cyber Attacks on Critical Infrastructure
What all the fuss about?
What are the real threats?
Who is responsible for taking
what actions?
© 2012 Unisys Corporation. All rights reserved.
2

3. What is “critical infrastructure”?
The Australian, State and Territory governments define
critical infrastructure as:
“Those physical facilities, supply chains, information
technologies and communication networks which, if
destroyed, degraded or rendered unavailable for an
extended period, would significantly impact on the
social or economic wellbeing of the nation or affect
Australia’s ability to conduct national defence and
ensure national security.”
Source: Australian Government Critical Infrastructure Resilience Strategy
© 2012 Unisys Corporation. All rights reserved.
3

4. What is “critical infrastructure” for business?
For which extended
disruption or destruction
would seriously
impact or
jeopardise
 Physical facilities
 IT facilities
 Networks
 Services
 Assets





Health
Safety
Security
Economic well-being
Effective functioning
of the business, employees,
channel partners or customers
© 2012 Unisys Corporation. All rights reserved.
4

5. What is “critical infrastructure”?
Physical Infrastructure
•
Power production/distribution
•
Refineries and critical manufacturing
•
Water supplies
•
Transportation systems
•
Communication networks
Physical Threats
• Armed attacks
• Bombs
• Sabotage
Cyber Infrastructure
•
Internet
•
Critical information systems
•
Online business/financial services
Cyber Threats
• Malware
• Denial of Service
• Data Breach
© 2012 Unisys Corporation. All rights reserved.
5

6. What is “critical infrastructure”?
Physical Infrastructure
Cyber-Physical Infrastructure
•
Power production/distribution
Physical Threats
•
Power production / distribution
•
Refineries and critical manufacturing
• Armed attacks
•
Refineries and critical manufacturing
•
WaterBombs
• supplies
•
Water Supplies
•
• Sabotage
Transportation systems
•
Transportation systems
•
Communication networks
•
Communication networks
•
Cars
•
Airplanes
•
Medical devices / systems
Cyber Infrastructure
•
•
Internet Threats
Cyber
Critical information systems
• Malware
•
Online business/financial services
• Denial of Service
• Data Breach
© 2012 Unisys Corporation. All rights reserved.
6

7. Impact of Critical Infrastructure Outages
Public Concerns
Major impact from
2-day outage
Infrastructure
Electricity supply in your city/region
84%
Water supply in your city/region
80%
Banking systems such as ATM & EFTPOS
60%
Mobile phone network
46%
Internet
46%
Public transport network
27%
Major thoroughfare such as Sydney Harbour Bridge
20%
Capital city airport
17%
Source: Unisys Security Index Research 2012
© 2012 Unisys Corporation. All rights reserved.
7

8. Impact of Critical Infrastructure Outages
Public Concerns
Government Concerns
– National security
– National economy
© 2012 Unisys Corporation. All rights reserved.
8

9. Impact of Critical Infrastructure Outages
Public Concerns
Government Concerns
Business Concerns
–
–
–
–
Business Operations Impact
Financial Impact
Supply Chain Impact
Business Reputation Impact
© 2012 Unisys Corporation. All rights reserved.
9

10. Impact of Critical Infrastructure Outages
Public Concerns
Government Concerns
Business Concerns
Cascade Effect
– Interconnectedness of systems creates
risk of cascade effect. For example…
Extended power failure
Gas and oil pipeline outage
Petrol supply shortfall
Transportation / logistics shutdown
Exhaust just-in-time inventories for
hospitals, manufacturers…
© 2012 Unisys Corporation. All rights reserved.
10

11. What are the threats to your infrastructure?
• Traditional Physical Threats
– Destruction / Damage / Disruption
– Natural disaster / Accidental / Deliberate
© 2012 Unisys Corporation. All rights reserved.
11

12. What are the threats to your infrastructure?
• Traditional Physical Threats
– Destruction / Damage / Disruption
– Natural disaster / Accidental / Deliberate
• Traditional Cyber Threats
–
–
–
–
Accidental breaches
External hacks
Denial of Service
Virus / worm infiltration
© 2012 Unisys Corporation. All rights reserved.
12

13. What are the threats to your infrastructure?
• Traditional Physical Threats
– Destruction / Damage / Disruption
– Natural disaster / Accidental / Deliberate
• Traditional Cyber Threats
–
–
–
–
Accidental breaches
External hacks
Denial of Service
Virus / worm infiltration
• Cyber-Physical Threats
– All of the above
– Often more susceptible to physical and cyber attacks than purely
physical or purely cyber infrastructures
© 2012 Unisys Corporation. All rights reserved.
13

14. What makes Cyber-Physical systems so vulnerable?
• Tempting Target:
– Fragility of cyber-physical systems
– Ability to “strike from afar”
– Low “cost of entry”
• Inadequate security practices
– “Poor cousin” to both physical and cyber specialists
– Careless inattention to the basics (authentication practices)
– Lack of user security training
• Intentional interconnectedness  Unintended vulnerabilities
– Internet access for remote support/maintenance can be exploited by hackers
– Integration of systems across facilities, companies, locations – often using
insecure networking protocols (e.g., MODBUS)
• Long system lifespans without modernising security mechanisms:
– Lack of upgrades may be due to limited memory / processor capability
– Original system supplier may no longer exist – so no ongoing support
– Need for continuous operations prevents system changes or upgrades
© 2012 Unisys Corporation. All rights reserved.
14

15. Evidence to support this fear
Reported Attacks on US Critical Infrastructure
400
350
US Critical Infrastructure Targets
Postal/Shipping
1%
Public Health
1%
300
250
200
Commercial
Facilities
3%
Energy
54%
Nuclear
3%
150
100
50
Govt Facilities
4%
0
Water
4%
2010
InfoTech
4%
2011
2012
2013*
* Projection based on
6 months data
Communications
5%
Transportation
5%
Critical Mfg
16%
Source: US Dept of Homeland Security ICS-CERT
© 2012 Unisys Corporation. All rights reserved.
15

16. Evidence to support this fear: “Honeypot” test
North Korea, 2%
Croatia, 2%
Chile, 2%
Palestinian
Territory, 2%
Vietman, 2%
Poland, 2%
Japan, 2%
China, 35%
“Honeypot” emulates several
types of ICS/SCADA devices
and mimics those that are
commonly internet facing –
with traditional vulnerabilities
found across similar systems.
First attack occurred 18
hours after the honeypot
was activated.
Netherlands, 2%
Brazil, 4%
US, 19%
Russia,
6%
And over the next 28 days,
attacks originated from the
following countries
UK, 8%
Laos, 12%
Source: Trend Micro Incorporated Research Paper “Who’s Really Attacking your ICS Equipment”, Author Kyle Wilhoit
© 2012 Unisys Corporation. All rights reserved.
16

17. Recent cyber attacks on Critical Infrastructure
Stuxnet Malware (2010-2012)
• Sophisticated attack on nuclear manufacturing facilities in Iran
• US/Israel malware exploits vulnerabilities in Microsoft Windows
Power Plant (2012)
• Plant shut down for three days after technician unknowingly inserts virus infected USB disk
• US Dept of Homeland Security declines to share additional information
Water Supply (2011)
• Critical pump damaged by Russian hackers
• Cycled pump on/off until it burned out
Rail Network (2011)
• Hackers manipulated railway company computer systems
• Disrupted rail service – could have been much worse
Chemical Plant (2011)
• PoisonIvy malware infected systems at more than 48 chemical and defense companies
• Source of attack traced back to China
© 2012 Unisys Corporation. All rights reserved.
17

18. Who is responsible for fixing this?
• Government?
– Regulations / Legislations / Standards
– Information Sharing
– Research
• Suppliers of CPS systems?
– Address/fix security vulnerabilities
– Best practices for implementation
– Design enhanced security into new releases
• Organisations that implement and use CPS!!
– Primary responsibility!
© 2012 Unisys Corporation. All rights reserved.
18

19. What actions does my company need to take?
• Assume someone is actively attempting to infiltrate your systems
(both information systems and cyber-physical systems)
• Identify vulnerabilities with security assessments of all systems
–
–
–
–
–
Internet connections / VPN access
Aging operating systems and applications
“Auto run” settings for USB devices
Poorly configured firewalls
Inadequate access controls
• Include security as key design feature in new/updated systems
• Don’t work in isolation
– Government-Business Partnership: Trusted Information Sharing Network
(TISN) and Critical Infrastructure Advisory Council (CIAG)
– Industry Segment User Groups
• Education/training
– Awareness of the threat and individual responsibilities
© 2012 Unisys Corporation. All rights reserved.
19

20. Thank you and
Good Luck!
John S Kendall
Public Sector and Security Program Director
Asia-Pacific Region
Unisys
Unisys Australia Pty Limited
Equinox 2, Level 1
70 Kent Street
Deakin ACT 2600 Australia
john.kendall@unisys.com
Office:
Direct:
Mobile:
Fax:
1300 088 833
+61 2 6274 3571
+61 424 152 034
+61 2 6274 3533
© 2012 Unisys Corporation. All rights reserved.
20