do? You reboot it. If worse comes to worst, you wipe it clean and reload it. But imagine if your turbine breaks down due to a cyberattack.
You can’t just go to a local turbine store. For example, MIT’s co-generation facility had a turbine failure recently — not because of
a cyberattack, but because of mechanical failure due to a simple
defective nozzle. Still, it took three months to repair the turbine;
these things are huge, and many of the parts aren’t readily available.
Let me tell you about the attack on the Ukraine power grid in
2015, because it’s a fascinating story. The Ukraine is divided into
a number of separate power grids, much like the U.S. Three of
the power grids were attacked and went down, and about 225,000
people lost power for several hours.
I attended a briefing about the attack; there were a number of
people, particularly from the U.S., who went over to Ukraine to
understand exactly what happened. And I was surprised by two
of the investigators’ conclusions.
The first conclusion had two parts:
1. The attack was low in sophistication. The attackers used seven different techniques to down the grid, but all of them were readily
available for sale on the internet. No new weapon had to be created;
there is a huge cybercrime ecosystem operating on the internet.
2. But the attack was high in organization. The hackers had to go and assemble the seven weapons together. And they did some very clever things. Not only did they down the power grid, they also shut down the backup system, so even the power company had difficulty getting back online. They also erased all the disks, so it was hard to track down what they had done. And then to add insult to injury, they overloaded the power company’s call center so that customers couldn’t call in to tell the power company that they lost power. How is that for being malicious? This was not a teenager doing a casual hack.
The second conclusion that investigators came to as they looked into the attack was: This was only a demonstration. The hackers could have done much, much more damage. This was a political statement, saying in effect: “We’re here. We’re not going away.” And, in this case, the finger is pointing to the Russians.
But we can’t be sure about that. I met someone who does hacking for governments. He happens not to work for the U.S., Russia, or China. He says that, in all of the software he and his colleagues develop, they make sure that all of their comments are in Chinese. The point being: If you’re really good at hacking, you’ll make sure all the evidence points to someone else. So if you think you know who is behind a hacking attack, most likely that isn’t who it is.
What are the most important things business executives can
do to decrease their companies’ cybersecurity vulnerabilities?
MADNICK: If you don’t address the managerial, organizational,
and strategic aspects of cybersecurity, you’re missing the most
important parts. A lot of people are working on developing better
hardware and software, and that’s good. That’s important. But
that’s only a piece of the puzzle.
Estimates are that between 50% and 80% of all cyberattacks
are aided or abetted by insiders, usually unintentionally — typically through some kind of “phishing” expedition [involving
emails containing a link or attachment to click on]. Untargeted
mass phishing emails have an open rate of 1% to 3%. But highly
targeted “spear phishing” is much more effective, with an open
rate of about 70%. With spear phishing, you’d get an email that
appeared to come from a high-ranking executive at your company, that referred to you personally and that asked you to take
some specific action consistent with your job, such as authorizing
a new employee or transferring funds to a new vendor.
So if you don’t address the people issues, you’re missing the
really hard cybersecurity problems. A lot of the vulnerabilities
that exist in organizations come from the corporate culture we
create and the practices we have. I’ll give you some examples.
We work with energy companies. I was talking to someone
who had visited the headquarters of one of them, and he said that
if you’re going up or down the stairs and not holding the railing,
someone will actually stop you and say, “Please hold the railing,
for safety.” That’s how ingrained they have gotten the idea of
safety. I was told that if you’re walking down the hallway texting
on your phone, someone will say, “Stop. Either do your texting, or
do your walking. Don’t do both.” Because they understand that if
they do something wrong in oil refining, plants can blow up, and
people die. That safety mindset permeates the organization.
Another example is: When you walk into an industrial plant, you will often see a sign that says, “520 days since the last industrial accident.” If you walk into a data center, do you ever see a sign that reads, “520 milliseconds since the last successful cyberattack?” Do you even know how many attempted cyberattacks there are on your company on a typical day?
Companies need to develop that kind of safety culture and mindset
about cybersecurity. Think of it this way: I could put a stronger lock on
my door, but if I’m still leaving the key under the mat, have I really