Or, a disgruntled insider with network access credentials could remotely take control of systems.
“Are these cyberattacks? You bet they are,” he said. “And they actually happened to two companies in the US.”
And Michael Patterson, CEO of Plixer International, said while he agrees that ICSs should be disconnected from the internet, “that will never happen. Even if they are disconnected, technologies have come along that allow miscreants to bridge the air gaps thought to prevent systems from being attacked from the internet.”
James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), said he agreed with Sachs that taking down the grid, “would be extremely difficult.”
But he also agreed with Patterson that, “a cyber kinetic approach using social engineering methods to bridge the air gap and introduce self-replicating malware to a network is actually very possible and not too complicated to do.”
That, he said, could lead to a regional blackout on the scale of the August 2003 cascading power failure that left about 50 million people in southeastern Canada and eight northeastern US states without power for up to two days.
That event was attributed to equipment failure and human error.
Stewart Kantor, CEO of Full Spectrum, has the same concern. “The US population is already highly concentrated in a few geographic regions nationwide creating rich targets,” he said, “where a single focused attack could leave millions in danger, and one small action could result in billions of dollars in damage and recovery costs.”
Sachs insisted again that, while the risks are real, they are minimal with control systems. “I would never say that there are zero connections,” he said, “but they’re (control systems) not designed to be connected to the internet. If somebody wants to challenge that, show me the connection.”
While the debate will continue, there is a measure of agreement that there is good news – an increased focus on ICS security.
“Technological advances in cybersecurity, such as the application of machine learning and artificial intelligence is creating some optimism,” Capdevielle said. “These advances offer better visibility into the operational risks regardless of the cause.”
Kantor said there are various ongoing “best-practices” initiatives. The Electric Power Research Institute (EPRI), the Utilities Technology Council (UTC) and a group of major utilities, are supporting a new IEEE standard for secure field area networks,
“The standard, known as 802.16s, addresses reliability and security in a wide area wireless network,” he said, adding that it is helping utilities shift their operations to, “entirely private networks, separated digitally and physically from the public network.”
Still, the nation’s critical infrastructure remains a potentially dangerous soft spot.
Sign up for Computerworld eNewsletters.