If ISIS managed to hack UK infrastructure, what could they actually do?

Chancellor George Osborne has warned that ISIS is directing its hacking efforts at key UK infrastructure facilities.

According to Chancellor George Osborne, so-called Islamic State operatives are trying to develop the ability to carry out cyber-attacks on key UK infrastructure in a bid to actually kill people.

Targets such as air traffic control towers, hospitals, schools, energy/water plants and rail links are all at risk.

As a result, the Chancellor announced he is set to double UK funding to fight cyber-crime to £1.9 billion over five years.

The speech was given in response to the Paris attacks last Friday where 129 people were killed in bars, restaurants, a concert hall and at a stadium across Paris.

Highlighting ISIS' use of the internet "for hideous propaganda purposes", Osborne said it uses the internet for radicalisation and operational planning and is now seeking to hack key UK infrastructure in a bid to kill people.

According to Osborne, GCHQ is actively monitoring 450 key UK infrastructure facilities, air traffic control stands, hospitals, schools, energy/water plants and rail links.

"From our banks to our cars, our military to our schools, whatever is online is also a target," Osborne said. "The stakes could hardly be higher. If our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost."

He added: "They do not yet have that capability. But we know they want it, and are doing their best to build it."

The news comes just as the Anonymous hacking group has declared cyber-war on ISIS in retaliation for the attacks, organised through the @opparisofficial Twitter handle.

Last month SCMagazineUK.com reported on a 4SICS conference session where Dewan Chowdhury, chief executive officer of MalCrawler, a Washington DC based cyber-security consultancy, said that hackers don't know what to do when they access the operational technology level of power grid SCADA systems.

Chowdhury told the audience at the 4SICS Summit in Stockholm, Sweden, about his experiences of setting up power grid honeypots to lure hackers and then allow them to operate unhindered in an environment built to emulate the control system for a working power station, but warned that there is some truth to the scare stories that government and the media tell about terrorists and nation states wanting to hack power systems.

Speaking to SCMagazineUK.com, Chatham House's Caroline Baylon, editor of the Journal of Cyber Policy, backed these claims and said that “....ISIS has been trying to hack the US power grid as well”.

She describes ISIS as a credible threat, but said that, “The good news though is that they are not very good at attacks on critical infrastructure -- for the moment. Their attacks on the US power grid have not been successful to date.”

“But what we do need to be worried about is that (a) it is likely that their capabilities will continue to increase in the coming year(s), or (b) they could buy the capability, by hiring a hacker-for-hire group.”

When asked about the damage ISIS could cause, i.e. whether they could actually kill someone by hacking infrastructure, Baylon said, “In a worst case scenario, you could certainly cause loss of life through a cyber-attack (if an attacker were sophisticated enough). For example, you could take out the power grid in significant parts of the country, affecting all systems dependent on electricity. Or you could cause trains or planes to collide.”

According to Baylon, some experts have speculated that a hack like this has happened before - “... a series of blackouts in the US were caused by cyber-attacks, but the information has not been shared”.

Craig Young, security researcher at Tripwire, commented on the topic, saying: “The growth of the Internet has greatly outpaced the growth of critical infrastructure leaving a great deal of exposure for anyone looking to do harm. Many of the systems that were traditionally connected with hard wires have gradually migrated onto IP networks to improve reliability and reduce cost but security is not always considered in a meaningful way.”

“One of the biggest threats to critical infrastructure is probably the prevalence of password-less VNC servers running on industrial control systems and connected directly to the Internet. In a matter of seconds, anyone can use services like Shodan or tools like masscan to identify these unprotected systems and start interacting with devices as if they were physically in front of them. While I am unaware of any real-world attacks publicly attributed to this vector, research presented at various security conferences has revealed controls within electric plants, water treatment facilities, and many other systems which, if tampered with, could have devastating consequences. My only hope is that many of these systems are actually honey pots intended to attract aspiring terrorists with the end goal of disrupting their activities before they can create real harm.”

When asked, National Grid, the company that manages large parts of the UK energy infrastructure, said that they don't discuss cyber-security at all. But a spokesperson did say that: “National Grid has robust monitoring systems in place that are aligned with industry best practice and assessed by government and regulatory agencies. The IT systems we use to operate our gas and electricity networks are isolated from our everyday business systems to ensure our networks remain safe and reliable”.

Speaking to SCMagazineUK.com, an EDF Energy spokesperson said: “Nuclear is subject to very high standards of regulation and control over cyber-security – whoever runs and operates the plants. But security does not just come from the regulator. EDF Energy's nuclear plants are safe by design.”

“Operational technology which includes reactor control systems is isolated from the internet. Where nuclear plants do use software, it is designed specifically for its purpose and in accordance with the highest standards and controls.”