Government may not be taking the risk of cyber attack on critical infrastructure seriously enough.

So says Veronica Schmitt, academic and Lead Forensic Analyst at DFIR Labs. Speaking at the ITWeb Security Summit 2019 in Sandton today, she said governments tended to react after the fact instead of taking strong proactive measures to protect critical national infrastructure from cyber attacks.

However, she also noted that critical national infrastructure, which often runs older, simple systems not designed to withstand sophisticated attacks, is challenging to take offline to upgrade.

Schmitt’s talk, ‘Total wipe out: What could happen if cyber criminals successfully attacked a country’s critical infrastructure systems’, assessed the cyber war risks facing countries. “The key to cyber war isn’t to cripple key infrastructures one by one – it’s to take them all down strategically and simultaneously,” she said.

What would I take down first?

Schmitt outlined the approach she would take if she were a nation state or activist seeking to cripple a country.

First, she said she would take down healthcare systems, water infrastructure and facilities such as food reserve storage. Then, as people tried to flee, she would lock down transport and logistics infrastructure to prevent them from leaving and prevent aid from being sent in. “I’d leave the telecommunications and electrical infrastructure on, to keep my attack alive,” she said.

Schmitt said that because critical infrastructure was no longer ‘air gapped’, it was vulnerable. She noted that the air gaps that used to exist between IT and operational technologies had closed, with even a memory stick or a single connection presenting a risk.

“In some cases, the attackers gained access via the single connection that had to be left open to allow third party vendors to install updates. Crucially, the attackers watched and waited for some time before actually launching their attack,” she said.

She cited high-profile attacks on infrastructure, such as the 2003 US Northeast blackout and the 2011 Stuxnet attack on Iranian nuclear infrastructure, pointing out: “These types of attacks have happened, just not simultaneously against the same country.”

Schmitt said it was possible that a country coming under a systematic and strategic cyber attack could experience total blackout and be crippled within a month.