Credit: Carla Wosniak
The debate over the chances of a catastrophic cyber attack taking down a major part of the nation’s critical infrastructure (CI) has been ongoing for a generation.
But it hasn’t been settled – in some ways it is more intense now than ever.
On one side are those, including high government officials, who warn of a “cyber Pearl Harbor” that could leave swaths of the country in darkness and cold – without electric power – for months.
Retired Adm. James Stavridis, dean at Tufts Fletcher School and a former NATO supreme allied commander, used that term just three months ago, saying such an attack would be aimed either at the electrical grid or the financial sector.
"It is the greatest mismatch between the level of threat, very high, and the level of preparation, quite low," he told CNBC in December.
On the other side are experts who say such warnings are vast exaggerations peddling FUD (fear, uncertainty and doubt) – that natural disasters and rodents are more of a threat than cyber attacks to industrial control systems (ICS) that power the grid, water distribution, transportation and other critical services.
The evidence – so far – seems to favor the latter view. No cyber attack in the US has crippled the grid, water, communication or other CI systems even for weeks. Indeed, major storms have left tens of thousands of people without power for longer than any cyber attack has.
But the growth of the Internet of Things (IoT) may be changing that calculus. The billions – and growing billions more – of connected devices are bringing both unimaginable benefits to society and unprecedented dangers.
As numerous experts have been pointing out, anything connected to the internet – home appliances, vehicles, public utilities, health care and financial institutions and more – are part of an “attack surface” for hostile actors ranging from so-called “script kiddies” to political activists, criminal gangs and nation states.
Last fall’s Distributed Denial of Service (DDoS) attack on internet backbone provider Dyn is one recent high-profile example. Attackers used a botnet of tens of thousands of insecure cameras and DVDs (all part of the IoT) to take down a number of popular websites, including Twitter, Netflix, Reddit and PayPal.
Incidents like that have intensified the debate over the risks to CI, which means an increasing focus on the debate is over whether ICSs are part of the IoT or not.
According to some experts, they aren’t. They say the North American power grid is much more resilient and almost invulnerable to IoT attacks for a simple reason: Its crucial generation and transmission components – the operational hardware – are not part of the IoT - not connected to the internet.
Sign up for Computerworld eNewsletters.