By Sergio Caltagirone

Any illicit access into civilian industrial control systems (ICS), like electric power, unacceptably places innocent human lives at risk. Decision makers and policy makers worldwide must establish a red line disallowing all forces from operating within civilian industrial networks to ensure civilian safety.

Cyber threats to industrial control systems worldwide, including electric utilities, grow quickly, and the escalating rhetoric threatening these systems proliferates the threat and increases the risk that lives will be lost needlessly. Any public messaging of threats to or of industrial control systems likely drives additional investment in offensive capabilities to achieve or maintain an assumed operational parity – nobody wants to get left behind. If country X can take down Y’s electric grid, then we must be able to as well. Rhetoric and specific knowledge of ICS breaches drive a silent weapons and access race threatening everyone’s industrial processes such as those in electric utilities. Furthermore, it motivates a “first strike” or “retaliatory strike” mentality – “we must be able to shut off their power first or at least soon after ours is lost” – which requires pre-positioning assets and access into industrial networks. This activity is inherently and unnecessarily risky – even when conducted with defensive intent.

ICS supports modern civilization, but external elements can cause unexpected disruption. ICS provides immeasurable benefit to civilization and manages highly reliable services supporting the health, livability, and safety of billions worldwide. Well-engineered ICS, even highly reliable processes, can be disrupted and made unsafe when interacting with non-native and untrained elements like malware and external adversaries. The simple presence of an external adversary in an industrial control system network can unintentionally cause catastrophic effects leading to the death of operators and nearby civilian populations, irreparable harm to the environment, and more. These are unreasonable costs for conducting simple “access operations” to preposition assets for later effects operations or learning.

One example of the catastrophic effects grid disruptions can have on civilians is the nationwide power outage Venezuela experienced in March 2019. An event at or near the Guri Hydroelectric Complex, the source of approximately 80% of Venezuela’s electricity, resulted in near country-wide blackouts beginning on 07 March. There is no evidence to suggest a cyberattack was involved in any way – but a cyber-enabled event could potentially cause similar consequences. The power outage caused humanitarian crises in the country. According to media reporting and medical aid groups, patients at the country’s hospitals died due to lack of power, and medical personnel could not use public transportation to get to work. Additionally, food storage became an issue because refrigeration failed.

Countries cannot act with flagrant disregard for human lives by flippantly operating within civilian industrial environments. Cyberspace is a domain across which states and non-states project power long distances and asymmetrically. As with air and sea, it’s not a surprise when countries launch offensive operations, or signal their intent, across cyberspace. However, unlike land, sea, and air – domains we’ve controlled and operated within for centuries and for which norms developed – cyberspace norms have not yet developed; this increases freedom of movement for militaries but also increases the potential risk to innocent lives as we’ve not yet learned the hard lessons. A hard lesson we can avoid is disrupting industrial environments due to our knowledge of their operations, fragility, and civilian reliance. Disregarding this knowledge flagrantly puts lives at risk.

Decision and policy makers worldwide must establish a red line disallowing all illicit access from within civilian industrial networks for any reason. Industrial control environments don’t lend themselves well to only “some malicious activity but not others.” When ransomware encrypts a computer’s files, it is safe to assume there won’t be a release of toxic gas into a nearby city. But when adversaries access industrial environments, whether for espionage, learning, or pre-emptive access for later war, the death of nearby civilians is a possible outcome. Therefore, as an outsider one cannot effectively differentiate which malicious actions carry more or less risk. The only safe and reasonable policy is to disallow such activity completely.

The time is now to reduce the risk before damage occurs. The confluence of many concerning elements has reduced our time to act. First, Dragos has noted significant and increasing malicious activity targeting industrial control systems worldwide. Second, inflammatory rhetoric (real, implied, or misrepresented) threatening the disruption or destruction of electric power entities risks real response. Third, actual attacks against industrial control safety systems place the discussion of this topic beyond hyperbole.

We encourage real and positive change in response to this threat.

  • Countries must better evaluate and restrict their own rhetoric and actions. The risk of accidental damage and destruction to civilian industrial processes leading to loss of life must be considered realistically.
  • The international community must unite and establish norms to protect civilian human life. Dragos recently participated with others at the International Committee for the Red Cross experts meeting on “The Potential Human Cost of Cyber Operations.” The global community must now consider and address the very real possibility that cyber operations will likely cause humanitarian crises.
  • Governments worldwide must issue definitive rebukes of all identified malicious activity within industrial control environments followed by proper non-escalatory responses.
  • All industrial asset owners and operators must establish proper cybersecurity monitoring so that in any disruptive situation, quick and effective investigation and response can occur to limit harm. It is now imperative to consider cyber in addition to other traditional root causes for any industrial incident.
  • ICS asset owners and operators require financial support to surge cybersecurity investment. We cannot expect every electric utility site, for instance, to protect itself alone against every conceivable cyber threat. We don’t expect electric utilities to install anti-missile defenses, nor can we expect them to shoulder the burden of protecting against multi-million-dollar cyber weapons. This means cross-industry, cross-government, and international collaboration to achieve quantifiable improvements, likely best achieved through tax credits and other financial incentives.

Industrial control systems and our critical infrastructure can be made defensible against cyberattacks. The time increasingly draws near when our discussion of a major event harming civilians is going to be in past tense. However, with concrete actions by policy makers, international cooperation, strong industry cybersecurity coalitions, and serious support for implementing defensive capabilities and response plans widely and immediately, we may avert greater harm and a true disaster.