National critical infrastructure, such as power, telecommunications and transportation will be the new battleground in the war against cyber crime, according to Kaspersky Lab founder and CEO, Eugene Kaspersky.
During his keynote presentation at the CeBIT business technology conference in Sydney on 23 May, Kaspersky warned that critical infrastructure systems – many of which are based on legacy supervisory control and data acquisition (SCADA) systems and have IP addresses – are vulnerable because the majority do not have inbuilt cybersecurity features.
The current size of the cybercrime industry is $600 billion per year, according to Kaspersky Lab estimates, which its founder said was 40 per cent of the country’s GDP, or enough to pay all the salaries of all players in the AFL for 2600 seasons.
He said these kinds of attacks have already occurred, citing one attack on a Siberian coal mine, and another hitting an oil refinery by breaching the SCADA controllers.
Although both of these incidents involved theft of commodities, Kaspersky said this is not the worst we can expect in the near future.
He said there are three sub-sections of critical infrastructure that are the greatest risk to the general population – first and foremost is power.
“If we don’t have electricity, that is the end of civilisation,” he said. “Last year and in 2015 there were full-blown cyber attacks against the Ukrainian power grid.”
“They switched the power off via accessing the SCADA and they also wiped all the SCADA firmware.”
He warned that this is an issue for many such installations around the world – including in Australia – and both government and the private sector were not effectively addressing this issue.
Kaspersky then went on to cover transportation and the possible broarder implications of a cyber attack on these systems, saying that this would be almost as catastrophic as an attack on a power grid.
“We have not seen any reports on cyber attacks on transportation infrastructure yet, but we know at least that cars are vulnerable," he said.
Referring to the highly-publicised Wired car hacking story from the US in 2015, he said that while many think this was a gimmick, all modern cars are run by computers and therefore had potential vulnerabilities which could be important.
“Any good cyber criminal with a USB and physical access to a vehicle can own it,” he said.
WikiLeaks revealed in 2016 that the CIA had been working on technologies to breach car systems and gain control remotely.
Kaspersky said this threat was not just an issue for individual transportation, but also for mass transit systems such as planes, trains or shipping.
The third threat, according to Kaspersky, was telecommunications infrastructure.
“If there is no internet and no mobile network, that’s the end of our civilisation, even if the power grid and transport system still works,” he said.
Kaspersky – who himself uses an old Sony Ericsson phone with no internet connectivity – said that our reliance on modern telecommunications means that failure of one of these systems would have a huge economic and social impact.
He went on to warn that these sorts of attacks would not be limited to nation state actors with a goal to disrupt a foreign entity, but would be under threat from cyber criminal gangs with financial motivation.
This is an issue which has mainly been the purview of a select number of partners, such as Western Australia-based partner, Hivint, but more will be needed if the threat of these attacks increases.
Speaking to ARN in 2016, The Hivint's principal consultant, Tom Jreige, said this was an issue that needed immediate attention as many local critical infrastructure systems were vulnerable.
“It is quite a critical topic now and people should be scared, especially those running the organisation if they are not being proactive," he said.
Jreige explained the approach Hivint takes in dealing with these vulnerabilities is founded in risk assessment.
“Risk management is one of the key things and it has to be done properly to understand the context of the system," Jreige said.
“Once you have the correct context, then you are able to understand what are the current controls in place, if there are any, how to enhance them, how to provide new technology without disrupting the current service and providing a protection that is adequate for that environment.
“Monitoring and logging of events is one of the biggest things which can be done to give visibility to the environment,” he added.