The UK's transportation network, power grids and water systems are all critical infrastructure needed to keep the country running. However, if these crucial systems were to suddenly shut down due to a severe cyberattack, it would cause a nightmare scenario. Cambridge University and Lockheed Martin have produced a simulation of the fallout should another nation state attack us in this manner –and the results aren't pretty.
In the first study of its kind, entitled The Integrated Infrastructure: Cyber Resiliency in Society, researchers from the Centre for Risk Studies at Cambridge University created a feasible fictional scenario and used it to model how much of an economic impact all the related power outages would have on UK consumers, third-party companies who work with the electricity company and even businesses that rely on electricity to function.
How the hack could happen
Electrical companies tend to work with third-party contractors in order to maintain all the substations in a regional power distribution network. In the situation dreamed up by Cambridge University, a disgruntled electrical engineer employed by one of these third party contractors is contacted by a nation state that wants to hack into the UK's critical infrastructure.
The nation state pays the disgruntled employee money to install rogue hardware – an innocent piece of equipment that looks like either a power bar or TV monitor – across a number of substations across South East England over a period of six months. Each piece of equipment has 3G / 4G connectivity to communicate with the foreign nation state's hackers, powered by SIM cards from a range of different UK mobile operators, just in case somehow intelligence agencies figure out the plan and switches off SIM cards from one of the mobile providers.
A persistent series of cyberattacks trigger blackouts across London and the rest of the region over the winter. Then, when customers call their energy provider's call centre to complain about the power outage, the attackers execute "cover-up attacks" such as a Distributed Denial of Service (DDoS). The DDoS attack prevents customer calls from being picked up by the electricity company in order to prevent it from finding out the true extent of the problem.
The cost of hacking the UK's critical infrastructure
The researchers studied three different versions of the above scenario, whereby it took either three weeks, six weeks or 12 weeks until the power company and authorities were able to detect the rogue hardware and restore power to UK consumers.
If the ongoing cyberattacks and off-and-on power outages lasted for three weeks and affected 65 substations, then the total losses would be £85bn ($121bn) as nine million people would be affected by the blackouts, and 800,000 individual train journeys and 150,000 air passenger tickets would be impacted daily. The total potential losses to the GDP would be £49bn over five years. However, in the most extreme situation where 125 substations were impacted, the total losses would be £85bn and the over five-year impact on GDP would rise to £442bn.
The researchers' model makes use of both cyberattacks and physical espionage, but the closest situation we have so far seen in real life is the Ukraine power plant cyberattacks on 23 December 2015, where 225,000 customers were hit by outages due to persistent cyberattacks over 30-minute intervals on three regional power companies.
Phishing emails and maintenance backdoors
In this case, only cyberattacks were used, and the researchers say that email phishing, where victims are tricked into downloading a malicious attachment or clicking on a malicious link, is still the most popular technique.
"Currently the pattern is to phish the IT employees and then once inside their network, try to pivot onto the control system. Purchasing equipment that comes with backdoors is another one – malicious nation states can tamper with the equipment before it is bought by utility companies," Eirann Leverett, a risk researcher with the Centre of Risk Studies at Cambridge Judge Business School, Cambridge University told IBTimes UK.
"Frustratingly, companies do this as much as malicious nation states. We often find maintenance backdoors in operational technology [OT] equipment as well."
But Lockheed Martin, which helps to secure and protect critical OT systems from cyberattacks, says the problem has to do with people. Even if you have the best technology in the world, people can still enable attackers to gain access to critical infrastructure.
People are still the problem
"There was a recent case whereby we carried out a penetration test on a company and we were able to get into their company and get everything off their systems. They were amazed as they had the latest IT protections, but we were able to get a guy to walk into the building, and his badge wasn't tested, and he waited till he found a machine that was unlocked, and then he stole the information. It's not just about cybersecurity – it's also about people, about processes, about HR, about making sure all these things join together," Lockheed Martin's David Butler told IBTimes UK.
"If you go back 10 years, some guy would have seen [a problem with an electrical substation] and gone, 'that that doesn't look right'. Any big company will have tens of thousands of attacks a day. It's not about one guy seeing the problem – it needs to be the system that says, 'hang on, something over there has done something odd', and it will stop it. That's what we're working on with Industrial Defender, a company we acquired."