In the last few years, several government officials have made a series of alarmist claims, warning that the United States would soon be hit by a "Cyber Pearl Harbor." That analogy refers to a hypothetical cyber attack that shuts down the power grid, or causes real-world physical damage by hitting critical infrastructure such as a nuclear power plant or a reservoir. It's definitely a scary scenario, and one that has fueled some Hollywood flicks.
But according to cybersecurity experts who actually work on industrial control systems, or ICS, we shouldn't worry so much about a "Cyber Pearl Harbor." There are, however, real threats to critical infrastructure that are being wrongly ignored and underestimated.
For example, infrastructure cyber defenders are not taking the threat of targeted malware seriously enough, according to Robert Lee, the founder of security firm Dragos and a former Air Force cyberwarfare officer.
"We don't have grid-ending stuff going on. It's not like all this stuff is going to fail, it's not like a random piece of malware in a power system or water system or even a nuclear system is going to cause anything bad to happen. It might impact operations, and it's not good. But it's not life ending and it's not a safety issue at all," Lee told Motherboard in a phone call.
"But at the same time we do have obviously targeted efforts by adversaries that are seemingly increasing year on year and we can at least show that there's dozens of them that we found and that speaks to the level of needing to do better," Lee added.
Lee and his team looked at real-world malware targeting ICS and found a dozen cases where hackers sent malware to critical infrastructure facilities that was tailored to compromise them, as opposed to random, older malware that somehow finds its way onto ICS networks.
In an upcoming paper that Lee is previewing at an infrastructure hacking conference on Tuesday, he will reveal two new malware samples and campaigns found targeting ICS facilities. One used a malware-laced PDF of a document about nuclear material management; the second pretends to be legitimate software in order to target Siemens programmable logic controllers, or PLCs, essentially the computers that control how industrial control systems operate. The fake Siemens software infected 10 sites across the world, mostly in the United States but also in Europe and China, according to Lee.
It's important to note that neither of these two kinds of malware appears to have the goal of manipulating how the target's industrial systems work; they are more likely espionage efforts.
Lee, who last year warned that the ICS world is woefully ignorant of the actual risks of hacking infrastructure, is simply trying to raise awareness of the real-world threats that are already out there.
"No, it's not raining," Lee said, "but that doesn't mean we shouldn't build the roof."