Can hackers turn off the lights?

On December 23, 2015, large sections of western Ukraine were plunged into darkness following a devastating attack on three of the country’s regional power authorities.

Yet it transpired the attackers were not even there. It was a cyber crime, in which hackers shut down the power supply using malicious Microsoft Office email attachments. Tens of thousands of Ukrainian buildings were without power for up to six hours, in the first recorded incident of hackers shutting down a power supply.

When we think of large-scale cyber-attacks, most of us remember incidents where corporate or personal data was exposed: the leaked emails that emerged in the Sony hack, or last year’s mass publication of user details from extramarital affair website Ashley Madison.

We rarely hear of the risk of cyber-attacks on companies providing critical infrastructure; our power, gas, water and telecommunications. Yet according to information security researchers at the University of Melbourne’s School of Engineering, this is a cyber threat that is very real and potentially catastrophic. It is something that Dr Atif Ahmad and Dr Benjamin Rubinstein and their team at the Department of Computing and Information Systems are working to combat.

Critical infrastructure is increasingly vulnerable

In 2000, Australia was the scene of one of the first ever cyber attacks on physical infrastructure. Then, a million litres of raw sewage was released into waterways by Vitek Boden, who hacked into Queensland’s Maroochy Shire’s network of sewage pumping stations after he was angry at failing to land a job with the council.

“It was one of the earliest incidents cited universally by researchers as evidence of the potency of cyber physical attacks, and it took place in our own backyard,” says Dr Ahmad.

Dr Rubinstein says that most would assume that if a hacker brought down critical infrastructure such as a power supply, the worst they could do is simply turn it off.

“If cyber attackers can exert influence over the grid’s control systems, physical infrastructure can be intentionally destroyed by being subject to loads that it cannot cope with,” says Dr Rubinstein.

The physical damage of infrastructure due to cyber crime hit the headlines in late 2014 when the control systems of a German steel mill were hacked by external attackers. A blast furnace at the steelworks suffered ‘massive damage’ in the incident, leading to parts of the plant failing.

Dr Ahmad says a shutdown of critical infrastructure such as a power supply for more than 24 hours could start a ‘domino effect’ on other infrastructure – for example, gas and water companies that require power for turbines and pumps. He says that while hospitals have back-up power systems to cover outages, these systems are often untested when it comes to more sustained network failures.

Dr Rubinstein says a large cyber attack on critical infrastructure would also affect public safety and the economy.

“There are things that a normal person would think would be affected in an attack on the electricity supply, like public transport and traffic lights,” he says.

“But it’s much more than that. It would hit consumer confidence and the stock exchange, which would impact the economy.”

Better information to safeguard against cyber-threats

Dr Ahmad was inspired to combat this threat following his work as a cyber security consultant in the energy sector. He says that the private business mindset of maintaining service availability at the lowest possible cost competes with the need for a high-security environment that provides adequate protection from an increasingly complex and evolving threat landscape.

“From a security point of view, critical infrastructure operators need situation awareness through real-time visibility into what is happening on control networks. Are we being attacked? On what fronts? Are servers going down and is this just accidental or is it due to an attack? What security tactics should we employ?”

Dr Ahmad and Dr Rubinstein say the first part of their research project aims to collect and visualise security data from a network in order to give human operators at power companies the most accurate information about what is happening on their networks. This will enable operators to make better decisions, particularly in the face of potential attacks.

The second part of the project, with University of Melbourne colleagues Associate Professor Tansu Alpcan, Dr Andre Gygax and Professor Chris Leckie, would make use of machine learning and the economic concepts of game theory to model potential adverse situations and the best way an operator should approach them, using the data that had been gathered on the network.

“It tries to model what the attacker is attempting to do, as well as the cost of taking actions for both the attacker and the defender. Then it performs an optimisation to figure out what is the right choice. It’s a quantitative evidence-based approach to decision making,” says Dr Rubinstein.

The team recently received seed funding for the project from the Melbourne Networked Society Institute and are in talks with potential industry partners to further the research.

The University of Melbourne project comes at the same time as a significant Victorian push for improved cyber security.

Oxford University recently announced a new Melbourne office of its Global Cyber Security Centre, bringing together eight universities, including the University of Melbourne.

“Alongside the recent announcement of NBN’s new Cyber Security Operations Centre, this demonstrates the significant local expertise in the field of information security going forward, and a growing awareness of the importance of these issues,” says Dr Rubinstein.

Banner image: Pixabay