Cyber attacks on infrastructure: real risk or clear and present danger?

Infected USB drives were thought to have been the cause of the virus attack.

BLM partner Nicholas Gibbons explains why cyber risk needs to be raised up the agenda.

Last week the national newspapers reported that a German nuclear power plant located about 75 miles northwest of Munich had been infected with computer viruses.

The viruses, which included "W32.Ramnit" and "Conficker", were discovered in a computer system retrofitted in 2008 with data visualisation software associated with equipment for moving nuclear fuel rods.

RWE, the plant’s owner, said that the viruses did not pose a threat to its operations because the infected operating system is isolated from the Internet.

Malware was also found on 18 removable data drives, mainly USB sticks, in office computers maintained separately from the plant's operating systems. 

Many well-educated professional and business people believe, when they think about it at all, that the cyber threat to infrastructure organisations is “blue-sky thinking”, a sort of science-fiction threat which has little to do with real life. Such people include many who actually work in infrastructure organisations.

Part of the reason for this attitude is that public understanding of cyber risk is associated almost completely with the theft of personal data and the release of embarrassing and sometimes sensitive commercial information. 

Anonymous, TalkTalk, WikiLeaks and Edward Snowden are the names that spring to most people’s minds when the subject of cyber risk is raised.

There is also a widespread but unconscious public assumption that, if there were a serious threat to infrastructure organisations, it would either have been comprehensively addressed or be the subject of urgent political debate.

This ignorance is unfortunate for two reasons. Firstly, the cyber threat to infrastructure is real, very serious and potentially extremely dangerous. Secondly, reliable statistics show that the greatest weakness in cyber security within infrastructure organisations is not the absence of sophisticated technical defences but a lack of rigour in the implementation of security policies and procedures which should be adhered to by those who manage and work in those organisations.

The big difference between a cyber attack on, say, a retailer or a financial services firm and one on an infrastructure organisation lies in the fact that attacks on infrastructure organisations may well involve devastating physical damage, personal injury and fatalities rather than simply financial loss.

In this regard, it is worth bearing in mind that infrastructure organisations run roads; railways; power stations; water supplies; medical facilities; factories; construction projects; tube stations; airports; marine facilities; and oil and gas plants. Many of these organisations rely on outdated computer systems and/or have reportedly inadequate security procedures.

It is true that the first cyber attack causing physical damage occurred only relatively recently. In 2010 an Iranian nuclear facility at Natanz suffered serious damage when its centrifuges were attacked by the Stuxnet virus. But this incident has been followed by numerous other attacks around the world, which are occurring with increasing frequency. Sadly, terrorists, pranksters and at least some governments have few scruples about causing personal injury and death as well as property destruction. Reported attacks include incidents at other nuclear facilities, water companies, power stations, oil rigs and factories. There are over 1,000 denial-of-service attacks on hospitals in the USA alone every year.

The reality of the threat is obviously understood in Brussels. The new EU Network and Information Security Directive was passed in December 2015 and is likely to come into force in 2018. Unlike the general Data Protection Regulations, which apply only to personal data, it will apply to every type of cyber incident.

The risk of a serious cyber incident in infrastructure is a clear and present danger. Urgent and concerted action is needed to address it. Cyber risk management is an issue that concerns not only social and economic infrastructure businesses and the engineers and consultants who advise them but also government and the insurance industry. Collaboration and cooperation between these and wider stakeholder groups will bring about effective solutions more quickly.

Nicholas Gibbons will be joining a panel of infrastructure business leaders, engineers, and insurance industry leaders at the ACE-Willis Towers Watson seminar, Infrastructure and Cybercrime: The Die is Cast, on 18 May at Lloyds Library in London.

Thanks to Willis Towers Watson, BLM, Atkins and the ACE for their input to this article.