Cyberthreats loom large over Pyeongchang and beyond
The risk of cyberattacks on crucial infrastructure and essential services is rising across Asia
Behind the security measures to protect participants at the upcoming Winter Olympics in Pyeongchang, South Korea, lies a second layer of defense aimed at safeguarding critical infrastructure from a more clandestine threat: cyberattacks.
South Korea has been beefing up a specialist cyberwarfare agency for the past year in readiness for the games, with 1,000 personnel added to a response team that now numbers 6,000.
Japan has taken similar action as it builds toward the 2020 Tokyo Olympic Games, bolstering the Ministry of Defense’s Cyber Defense Unit by an additional 1,000 backroom technicians.
A breakthrough on North Korean participation in the Pyeongchang games may have lowered the threat status a few notches, but the rogue state is still perceived as the most likely source of an attack on power, transport, water, healthcare, telecommunications and other essential services.
Responding to a surge in cyberattacks from the North in the past year, the South Korean government allocated US$218 million to the National Cyber Security Center, the agency responsible for identifying threats, in its mid-term defense plan.
The Korea Internet & Security Agency and the Cyber Terror Response Center handle prevention and retaliatory actions. There is also a school specializing in cyberwarfare that constantly trains experts.
North Koreans were blamed for a successful cyberattack on the Korea Hydro and Nuclear Power plant in December 2014 that used malware to steal blueprints, details of support systems and the personal records of more than 3,000 employees. Several subsequent raids appear to have failed.
In late 2016, North Korean hackers managed to gain access to a “secure” South Korean military computer network, extracting a large volume of highly sensitive documents and data. These included contingency plans for a strike against the North’s leaders in the event of a border war.
Cyber-experts say that the intranets of large installations are generally well-shielded from targeted attacks, but hackers have found a back door through their suppliers and other companies providing support services.
An official inquiry into the infiltration of the nuclear plant found that the hackers avoided security firewalls by sending “phishing” emails to employees of third parties, including the company’s subsidiaries and corporate partners. Criminal gangs, already active in Gangwon province where the Pyeongchang games will be staged, use similar techniques.
Security company McAfee reported on January 6 that hackers operating from Singapore had been sending out emails infected with malware since late December to companies providing infrastructure and other support at the Winter Olympics, with hockey so far getting most of the attention.
The games aside, online security agencies say that “exploratory” attacks are being launched constantly on infrastructure networks in Asia, mostly to test automated control systems that operate essential services. About 40% of systems are thought to be vulnerable, putting millions at risk.
ABI Research has forecast that Asia-Pacific countries will spend US$22 billion on critical infrastructure security by 2020. Much of this will occur in Southeast Asia, where recent rapid internet growth has exposed the region to attacks.
Yet a study of cyberwarfare governance frameworks in 25 Asia-Pacific nations by the International Cyber Policy Center (ICPC) suggests that not all comprehend the risks.
The center, which is run by the Australian Strategic Policy Institute, found that only China, Japan, South Korea, Singapore, Taiwan, Australia and New Zealand had adequate safeguards. These countries are also most at risk, as they have the highest levels of internet penetration and rely most on digital control systems.
It is also more likely those systems will be in the hands of private firms, which are vulnerable to both external and internal attacks: Australia, with 90% of essential infrastructure controlled by private firms, is particularly exposed.
Myanmar, Pakistan, Cambodia, Bangladesh and Laos, the least-developed nations in the ICPC index, have the worst organizational structures for cyber-matters, including infrastructure and security, scoring 3-4 out of 10.
North Korea did equally poorly in this category; although the country has minimal internet penetration, it has a widely used intranet. Still, North Korea rated an “8” for its cyberwarfare, conducted through its Reconnaissance General Bureau, an asymmetric warfare command which bundles the North’s spies and commandos with its online warriors.
India, Malaysia, Thailand, Brunei, Vietnam and the Philippines were rated in the middle of the index, with a strong recognition of cyber-threats but inadequate responses. Poor coordination of agencies was one criticism.
Less is known about Central Asian cyber-defenses, as their activities are mostly shrouded in secrecy. However, it is believed that Saudi Arabia was the location of a critical infrastructure facility owned by Schneider Electric SE that was infiltrated in December by hackers, reportedly from Iran.
The French firm, which supplies management and automation systems to the power sector, including nuclear plants, said the hackers gained entry by breaching software that affects plant safety.
As the first incident of this type, it revealed how easily hackers could take remote control of critical infrastructure and modify its operations, with potentially deadly results.