Five years ago, in Ukraine, the computer system of an electrical plant owned by a power company called Ukrenergo was attacked by hackers, blacking out part of Kyiv. Technicians at the plant watched on their own computers as hackers manipulated physical operations at the plant remotely. An hour later the hackers relented and the lights came back on.
It was a terrifying dry run, traced to Russian cybercriminals.
No American power plant or other infrastructure has ever been reported to have the software that controls its physical operation taken over. The attacks have apparently always been on the data and business systems.
But there's no reason to believe that will continue to be true, and the threat of hackers taking over power plants, water systems, transportation operations and other critical facilities is a deadly one. Plain and simple, this is organized crime, and a threat to national security.
Last Friday the Colonial Pipeline Co. closed its 5,500 miles of pipeline stretching from Texas to New Jersey after its information systems, but not its control systems, were attacked by ransomware. The pipeline transports 110 million gallons of fuels each day, and if it is shut down for more than five days the impact on airports, businesses and consumers could become severe. Monday, the company said it was slowly restarting systems and hoped to have the operation mostly up and running by Friday. It didn’t say whether it had paid ransom to the hackers, believed to be the Russia-based operation "DarkSide," but its silence and the continued viability of its systems suggest it may have paid, probably in untraceable cryptocurrency.
In the United States the vast majority of the crucial power, transportation and industrial resources are privately owned. A congressional attempt to set cybersecurity standards for such companies in 2012 died after industry leaders and lobbyists whined about the difficulties and expense of following the protocols necessary to protect such resources.
And Thursday one of the largest insurers in Europe, AXA, announced it would stop writing policies that reimburse companies that pay ransom to hackers. In April, at a cybercrime roundtable, Paris cybercrime prosecutor Johanna Brousse argued, "The word to get out is that we can’t pay, and we won’t pay."
Refusing to pay off terrorists and hackers is one sure way to put them out of business, but people often pony up. When the Rockville Centre School District got hit with ransomware two years ago, it paid almost $100,000 to regain control of its computers.
Governments and businesses in the U.S. are woefully unprepared for cyberattacks. We lack the industry standards and laws necessary to ensure crucial facilities and equipment are protected from mercenary criminals, enemy governments and terrorists.
We also lack a unified policy on when, if ever, to pay such extortionists.
We have been lucky. We will not be forever. The Colonial Pipeline attack is a wake-up call.
We are vulnerable. We’ve been warned.
The editorial board