DDoS Attacks on Critical Infrastructure

The global economy relies heavily on the Internet, so Internet service is widely regarded as a component of critical infrastructure (CI) for the vast majority of nations. Large-scale distributed denial of service (DDoS) attacks on government sites have been relatively few, but there is evidence to suggest that this trend may be changing for the worse. A few days ago the European Commission was hit by a large-scale DDoS attack that knocked the EC website offline for hours and slowed connection speeds even after the website was restored. A couple of weeks earlier, Liberia's Internet was crippled by a DDoS attack.

This spate of attacks has raised questions and concerns: if the Internet is vulnerable to DDoS, how reliable is our critical infrastructure, such as utility systems? Network World magazine recently addressed the potential problem of DDoS attacks on critical infrastructure in the U.S., such as electrical grids. The main question is whether a DDoS attack could cause a long-term disruption of the Industrial Control Systems (ICS) that operate or monitor much of the nation's CI. The article is fairly in-depth, but it falls short of discussing current DDoS mitigation technology solutions and the role that Internet Service Providers can play in mitigating DDoS attacks. What is troubling is that there is no consensus among experts regarding the likelihood of a major DDoS attack crippling critical infrastructure.

The U.S. Department of Homeland Security is concerned enough about the possibility of cyberattacks on CI that it launched a nationwide campaign early in 2016 alerting utility providers to the danger of potential cyberattacks. The DHS campaign was sparked in part by the cyberattack on Ukraine's power grid in December 2015.

One thing experts do agree on is that DDoS attacks are increasingly fueled by the slew of devices (numbering in the millions) connected to the Internet of Things (IoT). (The Liberia attack, like many other recent DDoS attacks, was fueled by the Mirai botnet.) Reportedly, two factors provide some assurance: 1) utility companies take security very seriously and are aware of cyber threats, and 2) the elements of a utility grid are usually not connected to the IoT. Some experts warn, however, that the grid is vast and constantly evolving, and that some of its newer technologies are connected to the IoT. And it does not matter whether a utility's own IoT devices are secure; a DDoS attack typically uses outside IoT devices to send junk traffic that overloads the target's network.

We've said all along that even government- or industry-led regulations cannot ensure that every IoT device in the world is secure and immune to being recruited into a botnet. There are simply too many IoT devices, and too many IoT manufacturers around the world, to provide that kind of assurance, not to mention the fact that end users would have to change the default password and, in some cases, apply the manufacturer's security patches and upgrades. Should there be better security built into IoT devices from the get-go? Absolutely. Would that stop DDoS attacks? Definitely not.

The only approach that can stop DDoS attacks is to deploy automated network threat protection at the top of the Internet pipe, at the Internet Service Provider level. Thus far, most ISPs have been agnostic in their approach to traffic, but as DDoS attacks have reached record levels of 1 Tbps, it is time for them to take a more nuanced approach in order to protect their downstream customers (which include at least some utilities that rely on the Internet). Some ISPs have already adopted modern DDoS mitigation strategies, but for the sake of our nation's critical infrastructure, more need to get on board.

For more information, contact us.