On June 17th, 2010, Sergey Ulasen, who worked at VirusBlocAda, a small computer security firm in Minsk, was at a party when he received a call from one of his clients, an Iranian company, with a curious report. The client’s computers were caught in a “reboot loop”, turning on and off repeatedly, and on-site technicians were unable to reassert control over them. In the following days, Ulasen remotely accessed the affected computers in order to examine the operating system. He located the worm, which was exploiting a previously unknown bug in the Windows operating system. Realizing that he did not have the resources to thoroughly analyze the malware, he contacted Microsoft and released the code to the cybersecurity community, which led to the second major discovery: although the worm had infected thousands of computers, it was targeting industrial control systems (ICS), and specifically the Natanz nuclear enrichment facility in Iran. This worm came to be known as Stuxnet, the world’s first cyber weapon.

What exactly did Stuxnet do, and why is it important?

Stuxnet was targeting ICS, the computer systems that control the operations of industrial facilities such as power plants, gas distribution pipelines, sewage treatment plants, and nuclear reactors. When analyzing such attacks, it is useful to consider three distinct but interconnected fields: cyberspace (the virtual pathways for information and electronic commands), the physical plane, and the strategic field.

In the case of Stuxnet, the worm transmitted confidential information about the Iranian nuclear weapons program back to the code’s creators and took control of the virtual pathways that the ICS used to operate physical machinery. This advantage gained in cyberspace translated directly to the physical plane: through the ICS, the code’s creators could control the machinery that carried out the enrichment plant’s functions. They varied the centrifuges’ speeds, breaking them and interfering with the process of enriching uranium. In the strategic field, Stuxnet crippled Iran’s ability to develop nuclear weapons, drastically changing the geopolitics of the region and the world. Without a reliable method of enriching uranium, Iran lacked the nuclear material central to the devastating power of the bomb. Geopolitically, it was denied the prestige and strategic importance that comes with a country’s acquisition of nuclear weapons.

What danger do cyber-attacks pose to the United States?

The Stuxnet attack raised concern about the potential for devastating attacks on U.S. infrastructure. Although national security professionals are divided over the actual role that cyberspace will play in the future of warfare, there is no doubt that the United States needs to be defended against such attacks. What does it mean to be defended? In short, it means protecting the sectors that are necessary to the functioning of American society, known as critical infrastructure.

Arguably, the most important of these is the energy sector, which supplies power to almost all other critical infrastructure sectors. An attack on the U.S. energy sector could therefore quickly paralyze the economy, healthcare systems, and communications, with dangerous implications for governance and law enforcement. Depending on the duration of the attack, it could also paralyze sanitation systems and hurt food production. Furthermore, in very hot and very cold parts of the country, a lack of power for temperature control could result in direct casualties, as evidenced by the approximately 70,000 deaths attributed to the 2003 heat wave in Europe.

Who might conduct these attacks?

Despite the devastating impact these attacks could have on the power grid, countries would not conduct them on a whim. There are three major strategic motivations, other than outright conflict, to do so:

1. To respond to a U.S. attack or other action
2. To undermine public support for the U.S. government
3. To distract the U.S. from other international actions

However, cyberwarfare is still risky. Because its potential is largely unexplored and its effects fall on large populations, aggressors could easily miscalculate the consequences of their actions and inflict far more damage than intended.

How could the U.S. prevent cyber-attacks on critical infrastructure?

Since the primary goal of a cyber-attack against the U.S. power grid would be to deny service to Americans, any security considerations must focus on maintaining service in the face of an attack. To secure the grid, stakeholders can take four major types of action.

The first are protective measures, which involve heavy investment in the energy sector so that utilities can raise the security of their systems to at least “basic cybersecurity competence.” Often, these older systems do not even have the ability to authenticate users, which would ensure that only authorized personnel are operating the system, nor do they maintain activity logs for forensic analysis. These are obviously major vulnerabilities which allow for easy interference. However, proposals for grid modernization have their own drawbacks. They include adding sensors that “allow operators to assess grid stability”, meters that can report outages, and automated feeder switches that re-route power around problems. These proposals all involve some form of automation, which has proven dangerous in recent years. In 2015, the Ukrainian power grid sustained a cyber-attack which caused outages for approximately 225,000 people. A key to recovering from this attack was that Ukrainian utility operators were able to switch to manual control to restore energy distribution functions. With newer smart grids in the United States, retaining manual control capabilities is an essential contingency that will help utility companies respond to potential cyber-attacks in the future.

The second type of preventative measure is deterrence. This includes political deterrence, such as a policy of publicly exposing the attacker. Exposure is useful because if the attacker is another state, it will harm that state’s reputation internationally and could incur retributive measures such as sanctions; if the attacker is a private actor, exposure will make them a target of law enforcement. Another deterrent would be for the U.S. to clearly state how it views a cyber-attack on critical infrastructure. Declaring that cyber-attacks on critical infrastructure are equivalent to physical attacks would make other states far less likely to employ cyberwarfare against the U.S. However, taking a strong stance against the use of cyber-attacks on critical infrastructure would bind the U.S. to the same principles and inhibit its own use of cyberspace to protect its interests.

There are also important actions to take before an attack occurs. As mentioned earlier, retaining manual control will allow grid operators to recover from attacks and reassert control over their systems. Utility companies also need to spend time in crisis exercises that prepare them for response and recovery from an attack. Additional recommendations include methods for reducing reliance on the grid, such as diversifying energy generation with sources like wind and solar power, and moving military installations off the public grid so that they remain capable of responding to potential threats.

Why is this not common practice?

This is the enduring problem of cybersecurity in general: there is not enough will on the part of the utility companies to invest in it. Because profit margins are thin and power outages caused by weather are far more likely than those resulting from a cyber-attack, utility companies would be spending significantly with almost no immediate return. In order to ensure the protection of the energy sector from cyber-attacks, the federal and state governments must allocate part of the budget to subsidizing these efforts. Without governmental subsidy, the status quo will never incentivize utility companies to invest in cybersecurity, and the U.S. will remain at great risk of a cyber-attack.