Brazil’s Critical Infrastructure Faces a Growing Risk of Cyberattacks

Brazils_Story_Pic.jpg

COMMENTARY

by Robert Muggah & Nathan Thompson

Council on Foreign Relations
April 10, 2018

For almost twenty-four hours, nearly a quarter-million people had no access to power. The sounds of wailing sirens reverberated across the blacked-out city. Investigators discovered that thirty electrical substations were disabled. Engineers sent to fix them found that the power outage had erased critical computer files. Days later, digital forensics specialists traced the blackout to a malware called Killdisk, which had infected unprotected supervisory control and data acquisition (SCADA) devices. The location for this attack was Kiev, but it could just as easily have been New York, Tokyo, or Sao Paulo.  

Most of the world's critical infrastructure—nuclear plants, electrical transmission systems, water treatment plants, etc.—is managed by SCADA systems. SCADA platforms may keep operations running, but the software and hardware that makes them up are also vulnerable to malicious cyber activity. For years, security experts have called for better protections. Some government agencies wisely took note and designed standards and guidelines for industrial control systems to prevent SCADA systems from being compromised. But many industry representatives are in denial about just how vulnerable their networks and systems are. Their negligence is dangerous.

Attacks on SCADA systems are growing more common. Dell detected over 160,000 attacks globally in 2014, double the number from the previous year. In another study by the SANS Institute, 20 percent of SCADA system administrators surveyed reported that their networks had at some stage been infected or infiltrated. Many others simply weren't sure. 

Countries often have hundreds—if not thousands—of industrial control system components available and visible on the internet. Governments and businesses that do not protect their SCADA systems face catastrophic risks. In 2009, malware purportedly developed by the United States and Israel called Stuxnet targeted the SCADA systems of an Iranian uranium enrichment facility, disabling centrifuges. In 2003, the Blaster virus likely played a role in a massive blackout that affected the United States, which cost its economy between $7 and 10 billion.  

Hackers, such as Gheorge Razvan Eugen (aka GhostShell), believe that it is not too difficult to cause enormous disruption. This is because the internet protocol (IP) addresses for many SCADA devices are easily found online. Although some devices are password protected, others are not. At least 250 Brazilian devices across multiple critical sectors were visible within seconds by using a publicly available search engine called Shodan.

According to Razvan, the threats are real: "Like the internet, SCADA was never created with security in mind," he said. "SCADA servers in Brazil and just about everywhere else are exposed to the most basic attacks. Connecting to a programmable logic controller takes one simple step: use the client interface to breach the targeted protocol.”

The Brazilian government has taken some tentative steps to minimize the risk to the country's SCADA system. In 20082009 and 2014, the government set-up a series of critical infrastructure technical groups to review the issue, involving Petrobras, the central bank, and the ministries of defense, external affairs, health, science and technology, and the federal government's IT department, among others. The Department of Information and Communications Security has also worked to educate public and private sector partners. 

Brazil needs to step-up its efforts. In 2015, Brazil’s National Telecommunications Agency (Anatel) released official guidelines for the inspection of critical infrastructure, and the agency is now reviewing cyber regulations for the telecom sector. While a move in the right direction, Anatel has limited resources and capacity and was rebuked by Brazil’s Federal Accountability Office for not adequately carrying out its oversight duties. Likewise, the country’s national electricity agency (Aneel) also held consultations on cybersecurity in 2016 to set out best practices.

Brazil needs more than guidelines or best practices. It needs action. Like many countries, Brazil has a national Computer Emergency Response Team (CERT.br) made up of specialists who are responsible for registering and responding to digital threats. We recently notified CERT.br of the exposed SCADA IPs in Brazil and provided evidence of a wide range of vulnerabilities. CERT.br is also part of Brazil’s Internet Steering Committee (CGI.br), a governing body that promulgates rules for the management of Brazil’s internet backbone. At a minimum, both CERT.br and CGI.br can play a pivotal role in developing standards and monitoring their implementation to better protect Brazil’s SCADA systems.

The only way Brazil and other countries can confidently protect their critical infrastructure is if the main players start working together. No one regulator or response team can protect SCADA systems on their own. Multistakeholder governance models are required, involving federal authorities, public utilities, private companies and the telecom providers deploying SCADA devices. This collaboration is critical to improving incident reporting and patching security holes. Fortunately, several private companies in Brazil have established Computer Security Incident Response Teams (CSIRTs), and incentives and support are required to expand these measures. At the very least, the Brazilian government needs to set out some basic ground-rules to prevent SCADA network exposure. The costs of inaction could not be higher.

Robert Muggah is co-founder and research director of the Igarapé Institute, as well as co-founder of the SecDev Group. Nathan B. Thompson is a researcher at the Igarapé Institute.

Image credit: Laszlo Balogh/Reuters

Be the first to comment

Please check your e-mail for a link to activate your account.
SUBSCRIBE TO OUR NEWSLETTERS
 
SEARCH
PODCAST

An Update on the NAFTA Renegotiations

May 21, 2018


On today's Global Exchange Podcast, we touch base with CGAI's North American trade experts in light of a busy week on the NAFTA file in Washington. After months of hard-pressed negotiations, and 6 weeks of 'perpetual' discussions in Washington, the deal has reached its next turning point, with Congressional leadership signalling that they'd need a new deal by May 17th in order to have it passed before U.S. mid-term elections in the Fall. With no deal in sight, and the Congressional deadline now in the rear-view mirror, we sit down with Sarah Goldfeder, Laura Dawson, and Eric Miller to ask where we go from here.


IN THE MEDIA

No suitors emerge for pipeline project stake as Kinder Morgan deadline looms

by Dan Healing (feat. Dennis McConaghy), The Canadian Press, May 23, 2018

Iran Nuclear weapons deal: ticking time bomb

by Marc Montgomery (feat. Ferry de Kerckhove), Radio Canada International, May 23, 2018


LATEST TWEETS

HEAD OFFICE
Canadian Global Affairs Institute
Suite 1800, 421-7th Avenue SW
Calgary, Alberta, Canada T2P 4K9

 

OTTAWA OFFICE
Canadian Global Affairs Institute
8 York Street, 2nd Floor
Ottawa, Ontario, Canada K1N 5S6

 

Phone: (613) 288-2529
Email: contact@cgai.ca
Web: cgai.ca

 

Making sense of our complex world.
Déchiffrer la complexité de notre monde.

 

© 2002-2018 Canadian Global Affairs Institute
Charitable Registration No. 87982 7913 RR0001

 


Sign in with Facebook | Sign in with Twitter | Sign in with Email