Beneath our streets and above our heads, in the power lines and the satellite links that criss-cross our cities, a constant war is being waged between the forces of malicious hacking and the cyber-security defence systems that must stay one step ahead to keep society running.
Targets everywhere: Australia and its cities are just as vulnerable as any developed nation to cyber attacks that can shut them down, says Dr Jolfaei.
Cyber attacks like the one on Colonial Pipeline that brought half the US to a halt this month after shutting down petrol supplies for six days, are a constant threat to our digitised infrastructure – and Australia is just as vulnerable as any developed nation to these kinds of attacks, a Macquarie University cybersecurity expert warns.
Later this year, Dr Alireza Jolfaei will set loose a new generation of ethical computer hackers known as ‘white-hat’ hackers, to cut city-wide power supplies, immobilise trainlines, freeze traffic light systems and even bring water and sewage works to a standstill.
These mock attack exercises will take place in the Department of Computing’s lab-based model ‘smart city’, where researchers will use scenarios to test system vulnerabilities within Australian infrastructure ranging from our rail networks, road networks and traffic signalling controls, to our electricity grid, our satellite communications, and even water automation and control systems.
It is likely that many of our water, power, rail and traffic systems currently harbour lurking hackers who are waiting for an opportunity to strike.
“Our smart city model within Macquarie University’s cybersecurity lab will let us explore not just how cyberattacks could happen in a smart city, but also what the physical impact of these cyberattacks would be,” he says.
These techniques are called ‘offensive security,’ he says, and they play an important role in our defence against malicious hackers.
“By testing these weaknesses, we will be better able to detect and mitigate attacks, lift our security and also bring in operational resilience, so we can keep running these essential services as we defend against these kinds of attacks,” he says.
Research puts experts ahead of the hackers
On May 7, a ransomware attack led to more than a week of shutdowns for the Colonial Pipeline, which transports fuel 8850 kilometres from Texas to New York. The company paid attackers close to $5 million for a data decryption key.
Running on empty: Out of action bowsers in North Carolina in the US after hackers shut down the country’s largest fuel pipeline.
Other major infrastructure attacks include the 2013 ‘Stuxnet worm’ which sabotaged nuclear centrifuges used in Iran’s uranium enrichment program; a 2014 attack which took control of the blast furnace of a German steel mill; and a 2015 attack on three energy companies in Ukraine which left most of the targeted city without power.
Cybersecurity experts are immersed in a constant round of breaches and patches, and Jolfaei has published more than a hundred peer-reviewed journal articles, chapters and manuscripts addressing these topics over the past decade.
His most recent research looks at how small spikes in energy use within networks can be used to detect hacker activity.
In many cyber attacks, the hacker has been present within the system for a long time, sometimes years, slowly opening up different pathways before they act.
He says that it is likely that many of our water, power, rail and traffic systems currently harbour lurking hackers who are waiting for an opportunity to strike.
“In many cyberattacks, the hacker has been present within the system for a long time, sometimes years, slowly opening up different pathways before they act,” he says.
He is also working with the Department of Defence, CSIRO and a cyber security company Cybentus under the D.Start program to develop security mechanisms for smart water systems to stop hackers from disrupting water supply and wastewater systems, as well as recovery programs that help water facilities return to normal operations as soon as possible following a breach.
“As we develop more complex and effective smart systems that allow us to remotely control large-scale infrastructure, we also become more vulnerable to cyber attack because these industrial control systems rely on the power grid and communications networks to operate,” he explains.
‘Google dorking’ is a hacker’s best friend
Jolfaei says that many cyber attacks are opportunistic and use unsophisticated techniques like ‘Google dorking’ – where a search query can find unprotected web servers with weak security, unrestricted live webcams, even usernames and passwords for sensitive sites.
Worst-case scenarios: Dr Alireza Jolfaei, whose ‘smart city’ model developed with adjunct lecturer Milton Baar will enable the researchers to explore how cyberattacks could happen in a smart city and what their impacts would be. Photo credit: Michael Amendolia
“Hackers can potentially use Google to find out the location of the server for an item of critical infrastructure, such as an electricity substation, then send information to that server and check what response they get,” he explains .
“Depending on how the firewall has been set up, they could get error codes that tell them about the operating system, and whether the latest security patch hasn’t been applied – they find these codes on a public site listing ‘common vulnerability exposures’, which anyone can access.”
In the making: The ‘smart city’ model takes shape before it’s pressed into action in the Department of Computing’s cyber security lab later this year.
The next step will depend on the sophistication of the hacker; Jolfaei says that cyber attacks can start with the subtle introduction of innocuous-looking code which leaves a door open for future attacks.
But simple attacks can still have devastating consequences; in 2016, an Iranian hacker used Google dorking to access a computer that controlled the sluice gates on a dam in the small town of Rye Brook in New York.
The gates were fortunately offline for maintenance at the time, but the breach could otherwise have caused major flooding and widespread damage.
Who commits cyber-attacks – and why?
Jolfaei says that many cyber-attackers are criminals who seek financial information, steal identities or who demand a ransom before restoring access to essential data or services.
In the shadows: Many cyber attackers are criminals who seek financial information, steal identities or demand a ransom, says Dr Jolfaei.
Others are politically motivated groups (including ‘black ops’ groups within foreign governments) who seek to damage a government or organisation they disagree with, to spread disinformation, or to commit acts of espionage or cause political upheaval including the disruption of elections.
For example, the Russian intelligence service APT29 is suspected of links to a serious hack into the US Treasury and other US and UK government agencies and businesses last year via Solar Winds security software.
Government-backed espionage hackers from various countries have stolen industrial secrets, political plans and even made attempts on coronavirus vaccine research, including the suspected theft of ASIO headquarter blueprints in 2013.
“Australia has not experienced the same level of threat as certain other nations such as the US or China, but we are still very vulnerable,” he says.
Cyber security incidents are estimated to cost the Australian economy $29 billion each year.
Last June, Australia’s Cyber Security centre reported a sustained cyber-attack targeting governments and companies in Australia by a ‘sophisticated state-based actor’.
Two months later, the government announced a 10-year, $1.66 billion cyber-security package to boost cybersecurity for critical infrastructure, strengthen police resources to shut down criminal activity and raise community awareness for business and households, along with additional funding to help the Australian Signals Directorate thwart foreign attacks.
Ultimately, Jolfaei says, we need to continue to support and train cybersecurity experts and make sure their skills are deployed widely.
“Being able to understand and predict the actions of our opponents and install self-defence mechanisms to guard against these, is the key to protecting our critical infrastructure.”
Dr Alireza Jolfaei is a Lecturer in the Department of Computing at Macquarie University.