by Robert Muggah & Nathan Thompson
Council on Foreign Relations
April 10, 2018
For almost twenty-four hours, nearly a quarter-million people had no access to power. The sounds of wailing sirens reverberated across the blacked-out city. Investigators discovered that thirty electrical substations were disabled. Engineers sent to fix them found that the power outage had erased critical computer files. Days later, digital forensics specialists traced the blackout to a malware called Killdisk, which had infected unprotected supervisory control and data acquisition (SCADA) devices. The location for this attack was Kiev, but it could just as easily have been New York, Tokyo, or Sao Paulo.
Most of the world's critical infrastructure—nuclear plants, electrical transmission systems, water treatment plants, etc.—is managed by SCADA systems. SCADA platforms may keep operations running, but the software and hardware that makes them up are also vulnerable to malicious cyber activity. For years, security experts have called for better protections. Some government agencies wisely took note and designed standards and guidelines for industrial control systems to prevent SCADA systems from being compromised. But many industry representatives are in denial about just how vulnerable their networks and systems are. Their negligence is dangerous.
Attacks on SCADA systems are growing more common. Dell detected over 160,000 attacks globally in 2014, double the number from the previous year. In another study by the SANS Institute, 20 percent of SCADA system administrators surveyed reported that their networks had at some stage been infected or infiltrated. Many others simply weren't sure.
Countries often have hundreds—if not thousands—of industrial control system components available and visible on the internet. Governments and businesses that do not protect their SCADA systems face catastrophic risks. In 2009, malware purportedly developed by the United States and Israel called Stuxnet targeted the SCADA systems of an Iranian uranium enrichment facility, disabling centrifuges. In 2003, the Blaster virus likely played a role in a massive blackout that affected the United States, which cost its economy between $7 and 10 billion.
Hackers, such as Gheorge Razvan Eugen (aka GhostShell), believe that it is not too difficult to cause enormous disruption. This is because the internet protocol (IP) addresses for many SCADA devices are easily found online. Although some devices are password protected, others are not. At least 250 Brazilian devices across multiple critical sectors were visible within seconds by using a publicly available search engine called Shodan.
According to Razvan, the threats are real: "Like the internet, SCADA was never created with security in mind," he said. "SCADA servers in Brazil and just about everywhere else are exposed to the most basic attacks. Connecting to a programmable logic controller takes one simple step: use the client interface to breach the targeted protocol.”
The Brazilian government has taken some tentative steps to minimize the risk to the country's SCADA system. In 2008, 2009 and 2014, the government set-up a series of critical infrastructure technical groups to review the issue, involving Petrobras, the central bank, and the ministries of defense, external affairs, health, science and technology, and the federal government's IT department, among others. The Department of Information and Communications Security has also worked to educate public and private sector partners.
Brazil needs to step-up its efforts. In 2015, Brazil’s National Telecommunications Agency (Anatel) released official guidelines for the inspection of critical infrastructure, and the agency is now reviewing cyber regulations for the telecom sector. While a move in the right direction, Anatel has limited resources and capacity and was rebuked by Brazil’s Federal Accountability Office for not adequately carrying out its oversight duties. Likewise, the country’s national electricity agency (Aneel) also held consultations on cybersecurity in 2016 to set out best practices.
Brazil needs more than guidelines or best practices. It needs action. Like many countries, Brazil has a national Computer Emergency Response Team (CERT.br) made up of specialists who are responsible for registering and responding to digital threats. We recently notified CERT.br of the exposed SCADA IPs in Brazil and provided evidence of a wide range of vulnerabilities. CERT.br is also part of Brazil’s Internet Steering Committee (CGI.br), a governing body that promulgates rules for the management of Brazil’s internet backbone. At a minimum, both CERT.br and CGI.br can play a pivotal role in developing standards and monitoring their implementation to better protect Brazil’s SCADA systems.
The only way Brazil and other countries can confidently protect their critical infrastructure is if the main players start working together. No one regulator or response team can protect SCADA systems on their own. Multistakeholder governance models are required, involving federal authorities, public utilities, private companies and the telecom providers deploying SCADA devices. This collaboration is critical to improving incident reporting and patching security holes. Fortunately, several private companies in Brazil have established Computer Security Incident Response Teams (CSIRTs), and incentives and support are required to expand these measures. At the very least, the Brazilian government needs to set out some basic ground-rules to prevent SCADA network exposure. The costs of inaction could not be higher.