This past week was the anniversary of Hurricane Katrina, and those with a vested interest in cybersecurity have, for some time, been sounding warning bells about the vulnerabilities of our critical infrastructure. An overwhelming cyber attack on our Energy, Water, Chemical Industry, or any of these infrastructures could cripple our nation. Nevertheless, as always, there are people who casually dismiss the idea of such an attack as nonsense.
However, consider, if you will, a scenario where an ‘event’ causes the loss of power to millions of Americans. Combine that with the loss of our dearly beloved communication devices – no cell phones – no Internet – no search capability – no nothing – your mobile device essentially becomes as useful as a paperweight in your pocket. Add to that the failure of bridges, water systems, medical treatment, and emergency systems. If that sounds impossible, or unthinkably apocalyptic, then stop and recall the damage that was done during Hurricane Katrina ten years ago this week.
Katrina came to life on August 23, 2005 as a tropical wave east of the Bahamas. The next day she strengthened into a tropical storm and was given her name. Hurricane Katrina eventually made landfall on the Gulf coast with winds over 125 mph, creating a storm surge that averaged between 12 and 15 feet. Damage was widespread in the region, with entire areas along the shore wiped clean. Inland, bridges were swept away and power was completely disrupted to millions of people in the region. As a storm itself, Katrina was not the most powerful, and if events following the storm had not occurred, she would not have been the defining tragedy that she is today. However, because of the storm surge and proximity to low-lying areas, she will be long remembered as the storm that breached the levees, flooded New Orleans, and brought about weeks, even months, of turmoil and tragedy to that city.
There were countless lessons to be learned from Katrina, but the one that we should be concerned with in the cybersecurity community is the impact that the disaster had on the critical infrastructure in the region. One could debate which of those critical sectors is the ‘most’ important, but most would agree that without power and water, human conditions and our societal structure rapidly deteriorate. Primarily with Katrina, there was no power. No power means no electricity to charge cell phones, run water pumps, gas pumps, generators, and a host of other vital equipment dependent on electricity. Without electricity our society reverts to the Stone Age and chaos ensues.
We have identified our critical infrastructures, and Katrina demonstrated our complete dependence on those vital sectors. Clearly, we need to do everything in our power to defend them from those with malicious intent. That includes not only their physical security but their cybersecurity as well. Of particular concern are the modern, technology-driven SCADA systems found in industries, which are a popular target for hackers. Assante (2014) wrote about the HAVEX trojan and noted that “The malware infiltrated an indeterminate number of critical facilities by attaching itself to software updates distributed by control system manufacturers. When facilities downloaded the updates to their network, HAVEX used open communication standards to collect information from control devices and send that information to the attackers for analysis.” Ashford (2015) wrote that a “…survey report by the Organization of American States (OAS) and security firm Trend Micro revealed that 44% of more than 500 critical infrastructure suppliers in North and South America report attempts to delete files.” Goldman (2013) wrote that “The energy sector was the most-targeted field, with 82 attacks, and the water industry reported 29 attacks last year. Chemical plants faced seven cyber attacks, and nuclear companies reported six.” Our critical infrastructures are clearly under attack.
As technology evolves, more and more of those systems are networked and dependent on each other. In so doing they increase their vulnerability due to their interconnectivity. Yet there are those who feel the cyber defenses of our critical infrastructure are adequate. Ten years ago there were those who felt certain the levees guarding New Orleans would hold. There is no margin for error regarding the safety of our critical sectors, so we must develop defense strategies, safeguard those systems, and prepare contingency plans in the event a ‘CyberKatrina’ should strike. A cyber storm is building, the alarm bells have sounded... we need to heed them.
If you would like to learn more about protecting our country through cybersecurity, we offer many programs and courses.
Ashford, W. (2015). Critical infrastructure commonly hit by destructive cyber attacks, survey reveals. Retrieved from the Internet at http://www.computerweekly.com/news/4500243886/Critical-infrastructure-commonly-hit-by-destructive-cyber-attacks-survey-reveals
Assante, M. (2014). America’s Critical Infrastructure Is Vulnerable To Cyber Attacks. Retrieved from the Internet at http://www.forbes.com/sites/realspin/2014/11/11/americas-critical-infrastructure-is-vulnerable-to-cyber-attacks/
Goldman, D. (2013). Hacker hits on U.S. power and nuclear targets spiked in 2012. Retrieved from the Internet at http://money.cnn.com/2013/01/09/technology/security/infrastructure-cyberattacks/
Miller, R. (2006). Hurricane Katrina: Communications & Infrastructure Impacts. Retrieved from the Internet at http://csis.org/images/stories/HomelandSecurity/071022_Chap5-KatrinaCommunicationsAndInfrastructureImpacts.pdf
Rushton, C. (2015). Timeline: Hurricane Katrina and the aftermath. Retrieved from the Internet at http://www.usatoday.com/story/news/nation/2015/08/24/timeline-hurricane-katrina-and-aftermath/32003013/