The stage is set for the world to find out what might happen if petrochemical, gas and power plant safety systems designed to prevent catastrophic accidents are disabled by malicious hackers.

In summer 2017, a security consultant discovered malware that was set to deliberately override safety systems in a Saudi Arabia chemical facility. The malware, named Triton, exploited vulnerabilities in industrial “internet of things”-connected systems and has since been linked to probing attacks more recently seen in U.S. power grids.

In October, security firm FireEye Inc. disclosed that it believed the malware had been developed by Russia, which previously disabled the power grid in the Ukraine using a similar approach. Meanwhile, security researchers at Dragos Inc. recently published findings that Triton was replicating new strains of code with the goal to disable a wider range of global systems.

In the face of mounting evidence that nation states have begun to infiltrate critical industrial systems, attention among security experts is no longer focused on defense. It’s now become a discussion of what the response should be when safety systems are damaged and, potentially, lives are lost.

“It’s pretty clear that any nation of size that wants to get into a certain network will get in,” said Mark Anderson (pictured, second from right), chief executive officer of Pattern Computer Inc. and CEO of Strategic News Service/Future In Review Conference Corp. “The question isn’t can they; it’s why have they not? My guess is that there’s human restraint in this, but technically, it’s already game over.”

Anderson spoke with John Furrier, host of theCUBE, at SiliconANGLE Media’s livestreaming studio in Palo Alto, California. He was joined by Phil Lohaus (far right), visiting fellow at the American Enterprise Institute, and Evan Anderson (second from left), chief executive officer of the Inventing Nations vs. Nation-Sponsored Theft of IP, a Strategic News Service initiative. They discussed conflicts between societal openness and the malicious intent of others, a shift in approach among adversaries from military attacks to economic disruption, potential legislation to encourage cyber response by the private sector, and a need to recognize when the country is truly at war (see the full interview with transcript here).

Control systems at risk

Anderson’s remarks regarding technology vulnerability was recently underscored by a report issued earlier this month by McAfee LLC. The security software firm released findings that documented exploitable weaknesses it found in IT-connected building management systems widely used by hospitals, factories and businesses. Just a few days following McAfee’s release, an independent security researcher disclosed how the protocol for other building control and automation networks was also vulnerable to compromise by malicious actors.

In addition to weaknesses in building controls, McAfee also documented security issues it found in open-source software installed in a popular line of Voice over Internet Protocol phones used by corporations around the world.

The problem, at least for the U.S., is that a society committed to openness of communication using an internet medium designed to facilitate that has played into the hands of adversaries seeking to exploit vulnerability and gain advantage.

“They looked at our weaknesses, and one of those biggest weaknesses that we’ve always had is that an open society is also unable necessarily to completely defend itself from those who would seek to exploit that openness,” Evan Anderson said. “Everything is now a battlefield and a much grayer area and IoT certainly isn’t helping.”

Information is money

That battlefield is increasingly an economic one. INVNT/IP is a private sector effort designed to safeguard U.S. businesses against the theft of intellectual property. INVNT/IP has published reports documenting security concerns around China’s buying spree to acquire major properties in the hospitality industry and hostile attempts by nation states to dominate critical industries, such as steel.

“When you’re bleeding information, you’re really bleeding money,” Evan Anderson noted. “If you have an adversary that’s consistently removing intellectual property from our business ecosystem, we’re losing a lot of economic value there and that’s what wars are fought over.”

The notion of war takes on new meaning when missiles and tanks are taken out of the equation and replaced by malware and data theft. Much of the U.S. military advantage has been focused on building sophisticated hardware and weapons systems using state-of-the-art technology.

Yet the balance of power could shift if suddenly real economic damage could be inflicted through disruption of the financial system, or an attack on a power grid for a major U.S. city.

“The adversaries that we’re facing now, let’s say China, Russia and Iran, they think about war very differently. They think about the information space more broadly,” Lohaus said. “Perhaps because they’ve been so used to catching up to America in terms of technology, they found other ways to compete.”

Iran targets economic security

An example of this can be found in nation-state hacking directed in recent years by Iran. Between 2011 and 2012, Iranian hackers successfully led a series of distributed denial of service attacks against 46 major companies and financial institutions in the U.S.

After the U.S. government re-imposed economic sanctions on Iran in 2018, three cybersecurity firms have recently found evidence that the country has implemented new phishing campaigns targeting a mix of government agencies and private sector firms in the U.S.

“When you said security, that meant military,” Mark Anderson said. “Now all the rules have changed. Most major nations equate economic security with national security and that wasn’t true 10 years ago.”

How much longer can nation states, given the likelihood that they have already infiltrated critical public and private networks, restrain themselves? This central question has given rise to renewed calls in Congress for resurrecting previously considered legislation to allow “hacking back.”

Under the Computer Fraud and Abuse Act of 1986, passed the same year that IBM Corp. announced its first laptop computer, companies were prohibited from accessing computers that belonged to someone else. However, a bipartisan coalition of congressional representatives have introduced a bill that would allow a company to go outside of its own network to identify and disrupt attackers.

“You’re seeing a change in realization in Washington about this,” Lohaus said. “It’s important that we selectively demonstrate what costs we could impose on different actors for different kinds of actions, especially knowing that they’re already inside our networks.”

For some security experts and analysts, the challenge lies in convincing the U.S. government and much of the private sector that the nation is indeed at cyberwar, especially when other nation states fired the first shots a long time ago.

“We have a very black and white conception of warfare in this country,” Lohaus said. “A lot of times, companies are going to think we’re at peace. In reality, even though we aren’t technically at war, all of these other actors view this as a real conflict.”

Here’s the complete Power Panel, part of a continuing series of CUBE Conversations from SiliconANGLE and theCUBE:

Photo: SiliconANGLE