FYI.

This story is over 5 years old.

Tech

We’re Crying Wolf Over Nonexistent Infrastructure Hackers

The recent blackouts in Ukraine and a run-of-the-mill incident in Israel have set off all the alarms.
Image: Oran Viriyincy/Flickr

Crippling cyberattacks have for years been fodder for ominous over-the-top hacker movies such as Live Free or Die Hard and Black Hat. But in the real world, we've only seen a handful of successful hacks on infrastructure. Yet, that hasn't stopped the public and the media from worrying—even freaking out—about hackers shutting down the power grid or breaking wells open.

On Tuesday we saw a glimpse of those types of panic attacks when an Israeli minister revealed that the country's electricity regulatory body had suffered "one of the largest cyberattacks we have experienced," according to the Jerusalem Post. That statement somehow prompted the paper to use the headline: "Israel's electrical grid attacked in massive cyber attack," causing several media outlets to echo the report.

Advertisement

As it turned out, however, the "cyberattack" wasn't on the power grid, nor it was really a cyberattack. Ynet News later reported that someone inside Israel's Electricity Authority, which has no direct control over the power grid, was tricked by a phishing email and was infected with ransomware.

So much for "massive cyberattack."

For experts in industrial control systems and infrastructure cybersecurity, this was the perfect example of a government agency miscommunicating what happened, and the media hyping up a theoretical, yet sexy threat.

"Hackers turning off the grid is movie-plot nonsense, at least for now."

"Use of the word attack isn't really appropriate," Michael Toecker, a control systems engineer and consultant, told Motherboard. "[It] sounds like the normal stuff most companies deal with on a day to day."

Toecker stressed that we shouldn't discount cyberattacks on critical infrastructure. On the contrary, infrastructure providers need put the appropriate protections in places, especially segregating their corporate networks from their control systems, so that malware attacks on one can't grant hackers access to the other. At the same time, governments, security experts, and providers need to be aware of the risks, but without panicking.

"A lot of this is a conversation that needs to happen but when we have this 'hey, let's jump up quick and yell cyber' we get distracted for a little while, and sometimes I'm worried that going down that rabbit hole too far leads to poor decisions," Toecker said in a phone interview.

Advertisement

Malware on an ICS network is not uncommon. Targeted intrusions that lead to outages are. Knowing the difference can be difficult.

Robert M. LeeJanuary 27, 2016

In the wake of the blackouts in Ukraine, which were in part enabled by a strain of malware known as BlackEnergy, cyberattacks on critical infrastructure are a real concern. But even in those cases, the cyberattacks were not what caused the blackouts, which still had a limited, localized impact.

"Humans are bad at judging risk," said Patrick Miller, a partner at the security consulting firm Archer Energy Solutions. "They worry feverishly about possible cyberattacks when in reality, every infrastructure organization, company, agency, etc I've ever dealt with has suffered *far* more damage from mother nature and general accidents than any real attacker."

"Every infrastructure organization, company, agency, etc I've ever dealt with has suffered *far* more damage from mother nature and general accidents than any real attacker."

In fact, squirrels have caused far more blackouts than hackers. According to the hilarious website CyberSquirrel1.com, which collects news and media reports of outages caused by rodents and other animals, there have been 623 successful "cyber war" operations carried out by squirrels.

So, perhaps, we shouldn't be crying wolf over a threat that's more theoretical than real at this point. If we do, we might even run the risk of desensitizing people, who will end up taking this issue less seriously than they should. Either way, it's a little too early to freak out about malicious hackers turning off our lights.

"Currently, the only successful cyberattacks on power systems have been something that the utility would consider a nuisance," Miller told me. "They have seen storms that caused longer outages—and storms (and squirrels) actually damage equipment."

That's why, he added, "hackers turning off the grid is movie-plot nonsense, at least for now."