I do my best to protect my computer and my files. But what happens when organisations or individuals online are attacked?
In the worst case scenario, even the best digital self-defence cannot help. If an organisation with a web presence is attacked, individual users of that site or service are also affected. If a bank’s server crashes, its services are unavailable for all of its customers. An attack on critical infrastructure is especially dangerous. In the worst case scenario, the consequences are not only felt in the digital world, but in the offline world too. For example, if electricity or water supplies are interrupted by a hack at a power station or processing station.
Are the authorities aware of the dangers?
You can assume so. Electricity and water supplies, transport, health, financial systems and telecommunications: today’s world is based on the same electronic control modules. They represent the connection between cyberspace and the real world. This ever-increasing interconnectedness has made us more vulnerable.
For years now, the German Federal Office for Information Security has been pointing out that critical infrastructures are still insufficiently protected. SCADA (supervisory control and data acquisition) systems can be detected by digital hackers without any great effort. They tend not to be as secure as they should be; often, the data that they contain isn’t even encrypted. SCADA systems are easy prey for hackers. This is shown by this excellent example: in 2011, the hacker pr0f gained access to the controls of the water works in South Houston. He was able to crack the three-character password in an extremely short time. This was intended as a protest against lax security precautions.
And what precautions do they take?
Ever since Estonia came under the fire of hackers for several weeks in 2007, Europe and the USA carry out exercises in order to prepare countries for digital emergencies. In 2008 and 2010, the USA’s Cyber Storm training programme tested their ability to resist an attack on critical infrastructure. The Department of Homeland Security simulated breakdowns of the communications, transport and energy networks. The exercises revealed that the USA’s digital defence walls were in no real position to withstand an attack.
Cyber Europe 2010 was a programme that simulated an incremental breakdown of the internet connections in European countries, affecting essential online services and making communication between countries increasingly difficult. The training was organised by the European Network and Information Security Agency (ENISA). Two years later followed Cyber Europe 2012, which simulated a botnet attack on government servers, the private sector and individual users. Several hundred security experts had to deal with over 1,000 incidents that not only paralysed banks’ payment systems and telecommunications systems, but also brought the worlds of politics and the media to a standstill. The aim of the exercises is to detect weaknesses, both in the systems themselves and in crisis management procedures, so as to learn lessons for the future.
In Europe, there is also the European Defence Agency (EDA), which was founded in 2004. It is responsible for defence planning, procurement and research, including in the realm of cybersecurity. In this respect, the EDA is carrying out research in the field of cybersecurity, and aims to establish an early warning system that can detect any weak points so that any security holes can be patched as quickly as possible.
However, these exercises are not always enough. Many businesses are simply not well-enough prepared for any possible online attack. Recent incidents like malware infecting a Japanese nuclear plant control room demonstrate that many operators of industrial facilities still underestimate the dangers facing them from the internet. There are even some system operators who are aware of the security holes in current control systems, such as SCADA, and yet who ignore these dangers. This is what made it possible for the USA and Israel to implant their Stuxnet worm in the Natanz nuclear plant in Iran. Unfortunately, it cannot be ruled out that the west will come into the sights of hackers. Security researcher Kyle Wilhoit’s experiment proves this: he created a simulation of a virtual system for a hydroelectric plant, and within a month, had recorded 39 attacks on the control system.