
A Criminological Perspective on Power Grid Cyber attacks: Using Routine Activities Theory to Rational Choice Perspective to Explore Adversarial Decision-Making

  • Aunshul Rege
Published/Copyright: June 13, 2014

Abstract

The US power grid has been identified by security experts as a prime target for terrorist-based and state-sponsored cyber attacks. In addition to downing the grid, cyber attacks can also destroy and manipulate data systems, obtain sensitive intellectual property and steal trade secrets. Existing research has addressed the technical factors, such as vulnerabilities and poor intrusion detection systems, which lead to cyber attacks. However, it remains silent on the human factors in the cyber attack equation. This study uses a criminological framework, specifically Routine Activities Theory and Rational Choice Perspective, to capture intelligent adversaries who plan and execute attacks based on their analysis of target suitability and guardianship efficacy. It uses a two-step methodology to identify adversary-, target-, and guardianship-specific factors that collectively impact decision-making processes. First, a document analysis of existing literature reveals nine factors (PARE RISKS) that influence adversarial decision-making: Prevention measures, Attacks and Alliances, Results, Ease of Access, Response and Recovery, Interconnectedness and Interdependencies, Security Testing, Assessments and Audits, Knowledge, Skills, Research and Development, and System Weaknesses. Second, surveys and interviews conducted between 2010 and 2012 with various hackers, penetration testers, and power grid representatives help validate and refine the PARE RISKS framework. This study identifies (i) adversary-specific factors as resources (skills, money, and time) and research (targets and techniques); (ii) target-specific factors as accessibility (electronic and physical) and weaknesses (outdated architecture and inadequate testing/updates); and (iii) guardian-specific factors as prevention (quality of prevention and intrusion detection measures). It argues that altering each of these three elements of Routine Activities Theory can impact adversarial decision-making, which may help reduce the likelihood of power grid cyber attacks.


Corresponding author: Aunshul Rege, Temple University – Criminal Justice, Gladfelter Hall, 5th floor 1115 Polett Walk, Philadelphia, PA 19122, USA

Appendix A: Publicly-Known Power Sector Threats, Intrusions and Cyber attacks

Mid-1990s

Case 1: On several occasions, hackers targeted IT systems in an unknown power grid seeking credit card information (Oman et al. 2001; SANS 2001).

Case 2: A radical environmental group hacked into the IT system of an undisclosed electric utility company (Oman et al. 2001; SANS 2001).

2000

Case 3: In 2000, a letter written by a disgruntled ex-employee of an unnamed electric utility in Texas appeared in the hacker magazine Phrack. The author claimed to know “quite a bit about the systems and hinted that his knowledge would be helpful if someone wanted to attack [the] utility’s systems” (NSTAC 2000; SANS 2001).

Case 4: At another unnamed power company, hackers subverted the company’s server to play games. The intruders gained access to the servers by exploiting vulnerability in the company’s file storage service. They consumed about 95% of the company’s internet bandwidth to store and play interactive games. The compromised bandwidth threatened the company’s ability to conduct bulk power transactions, resulting in a denial of service attack on the servers’ legitimate users (Lemos 2000; Oman et al. 2001; SANS 2001).

Case 5: The largest Russian pipeline system in Siberia was targeted. Attackers used a Trojan to gain backdoor access and control the gas pipelines. The pipeline software, which ran the pumps, turbines, and valves, was reprogrammed to go haywire, “reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds,” resulting in a large blast in Siberia (Cornish et al. 2010; The Economist 2010; Wueeston 2014).

2001

Case 6: California Independent System Operator (Cal-ISO), which oversaw most of the state’s massive electricity transmission grid, was targeted on 25 April 2001. The attacks remained undetected until May 11. The attack was routed through China Telecom from someone in the Guangdong province of China. Investigators found evidence that the hackers were trying to write software that would have allowed them to bypass any firewalls protecting the more sensitive parts of the computer system. They also found evidence that a rudimentary rootkit had been installed, which would have given the attackers complete control of the system. Fortunately, the attacks were stopped before any damage could occur (Morain 2001; ZDNN 2001; Wueeston 2014).

2003

Case 7: In 2003 the safety monitoring systems of Ohio’s Davis Besse nuclear power plant went offline for several hours due to a Slammer worm infection. Although the systems had redundant analog backups that were unaffected by the worm, their unavailability was taxing for the operators (Poulsen 2003; Wueeston 2014).

Case 8: At the beginning of 2003 a marine terminal in Venezuela was targeted by a sabotage attack. Details of this attack are scarce and vague, but it seems that during a strike an attacking group managed to gain access to the SCADA network of the oil tanker loading machinery and overwrote programmable logic controllers (PLCs) with an empty program module. This halted the machinery, preventing oil tankers from loading for eight hours until the unaffected backup code was reinstalled on the PLCs. The attack was not very sophisticated, as it was easily spotted. A small modification of the PLC code instead would probably have gone unnoticed for a long time (Wueeston 2014).

2008

Case 9: In 2008, cyber attacks resulted in blackouts across multiple cities outside the US. Attackers tried to extort money from the energy companies, threatening them with further downtime (Wueeston 2014).

2009

Case 10: In 2009, Chinese and Russian cyberspies penetrated the US electrical grid and left behind malware that could be used to navigate the US electrical system and its controls. The espionage did not target any particular utility company or region and was pervasive across the US (Gorman 2009).

2010

Case 11: Stuxnet first appeared in July 2010, and approximately 60% of its reported infections were inside Iran. Stuxnet was used to target Iran’s machinery that enriched uranium for both nuclear power and weapons. It only kicked into gear when it detected the presence of specific systems within the plant. Stuxnet was a “dual warhead,” as it had two major components. The first was designed to lie dormant for long periods, then sped up the machines to “send Iran’s nuclear centrifuges spinning wildly out of control,” leading to their eventual destruction. The second component, the “man in the middle,” was a computer program that secretly recorded normal plant operations, then played those readings back to plant operators, “like a pre-recorded security tape in a bank heist,” to make it appear that everything was operating normally, when in fact the “centrifuges were actually tearing themselves apart.” Stuxnet is the first publicly known autonomous threat to target infrastructure systems to such an extent (BBC 2011; Broad et al. 2011; Wueeston 2014).

Case 12: Discovered in 2010, operation Night Dragon had been in progress for less than a year. Here, global oil companies were targeted to find project details and financial information about oil and gas field exploration and bids. Hackers used publicly available tools to gain access to passwords, which then allowed them to extract valuable information (Wueeston 2014).

2011

Case 13: US Department of Energy labs and research facilities were also targets of cyber attacks. In April 2011, the Oak Ridge National Laboratory, which conducts applied research, was forced to shut down internet and email access after an unknown system vulnerability had been exploited. In July 2011, two energy department research facilities were taken offline by a sophisticated cyber attack. The Pacific Northwest National Lab (PNNL) worked mostly in the areas of national and homeland security research, and the Jefferson Lab dealt with nuclear physics and technology. These labs had computers that stored intellectual property, unpublished scientific results, classified information, and other sensitive information, making them prime targets for cyber attacks (Cary 2011; Jackson 2011a,b).

2012

Case 14: The largest oil producing company in Saudi Arabia, Aramco, was targeted in August 2012. Approximately 30,000 workstations were impacted by a computer virus, “Shamoon,” that erased documents, spreadsheets, e-mails, and files, replacing them with an image of a burning American flag. The main objective was to render the Aramco computers unusable by wiping all records, causing disruption and downtime at the company. Two weeks later, RasGas, the Qatari natural gas giant, experienced a similar attack (Perlroth 2012; Wueeston 2014).

Appendix B: Abridged Survey Instrument Using PARE RISKS Framework

Appendix C: Abridged Interview Guide

  1. What do you think “attacking” electricity ICS entails (theft/denial/disruption of service)?

  2. What types of people or groups are most involved in hacking electricity ICS? And why would they target these systems? Do they need to be technologically adept?

  3. How do potential offenders become aware of ICS vulnerabilities?

  4. When potential offenders are deciding which system to attack, what would possibly be going on in their minds in terms of a cost-benefit analysis? What do they want to see, and what do they not want to see?

  5. How would cybercriminals deal with industry responses? Are there certain strategies with respect to reassessing the situation, revising the attack, forming new alliances, etc.?

  6. How persistent would cybercriminals be in their attacks? What factors would influence their decision to be persistent?

Case Example

Current events: Stuxnet

  1. Stuxnet has been discussed in-depth already by the technological community. But I would like to have your take on it. Could you tell me about Stuxnet?

  2. How many people do you think were involved in the design and implementation of Stuxnet? How did they find each other?

  3. What skills were necessary to design this malware? How expensive would it have been to recruit individuals with these skills?

  4. How long do you think it took to develop Stuxnet? What stages were involved in its development?

Past events

  1. Can you tell me about past publicized attacks against the electricity ICS?

References

BBC (British Broadcasting Corporation) (2011) “US and Israel were behind Stuxnet Claims Researcher,” BBC, March 4. Available at: http://www.bbc.co.uk/news/technology-12633240 (accessed August 17, 2011).

Bernard, Thomas, Jeffery Snipes and Alexander Gerould (2010) Vold’s Theoretical Criminology, 6th edition. North Carolina: Oxford University Press.

Broad, William, John Markoff and David Sanger (2011) “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15. Available at: http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html (accessed August 17, 2011).

Bumiller, Elizabeth and Thom Shanker (2010) “Panetta Warns of Dire Threat of Cyber attack on U.S.,” New York Times, October 11. Available at: http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all&_r=0 (accessed November 28, 2012).

Cary, Annette (2011) “PNNL still recovering from cyber attack,” Tri-City Herald, July 9. Available at: http://www.tri-cityherald.com/2011/07/09/1560790/pnnl-still-recovering-from-cyberattack.html (accessed August 17, 2011).

Cohen, Lawrence and Marcus Felson (1979) “Social Change and Crime Rate Trends: A Routine Activity Approach,” American Sociological Review 44:588–608. doi:10.2307/2094589

Cornish, Derek and Ronald Clarke (1986) The Reasoning Criminal: Rational Choice Perspectives on Offending. New York: Springer-Verlag.

Cornish, Derek and Ronald Clarke (2008) “The Rational Choice Perspective.” In: (Richard Wortley and Lorraine Mazerolle, eds.) Environmental Criminology and Crime Analysis, Oregon: Willan Publishing, pp. 21–47.

Cornish, Paul, David Livingstone, Dave Clemente and Claire Yorke (2010) “On Cyber Warfare.” Chatham House. Available at: http://www.chathamhouse.org/sites/default/files/public/Research/International%20Security/r1110_cyberwarfare.pdf (accessed January 5, 2012).

Costello, Anna and Jason Osborne (2005) “Best Practices in Exploratory Factor Analysis: Four Recommendations for Getting the Most From Your Analysis,” Practical Assessment, Research & Evaluation, 10:1–9.

Dantzker, Mark and Ronald Hunter (2006) Research Methods for Criminology and Criminal Justice, 2nd edition. MA: Jones and Bartlett Publishers.

DHS (Department of Homeland Security) (2011) “Common Cybersecurity Vulnerabilities in Industrial Control Systems.” Available at: http://www.us-cert.gov/control_systems/pdf/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf (accessed January 15, 2012).

Dodrill, Tara (2013) “Napolitano Warns Downed Power Grid Is Inevitable Due To Cyber Attack,” Off The Grid News, September 9. Available at: http://www.offthegridnews.com/2013/09/09/napolitano-warns-downed-power-grid-is-inevitable-due-to-cyber-attack/ (accessed December 10, 2013).

Falliere, Nicolas, Liam Murchu and Eric Chien (2011) “W32.Stuxnet Dossier, Version 1.4,” Symantec, February. Available at: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf (accessed August 18, 2011).

Field, Andy (2005) Discovering Statistics Using SPSS. London: Sage Publications, Ltd. doi:10.53841/bpspag.2005.1.56.31

GAO (General Accounting Office) (2003) “Critical Infrastructure Protection: Challenges in Securing Control Systems.” Available at: http://www.gao.gov/new.items/d04140t.pdf (accessed March 20, 2010).

Gorman, Siobhan (2009) “Electricity Grid in U.S. Penetrated by Spies,” The Wall Street Journal, April 8. Available at: http://online.wsj.com/article/SB123914805204099085.html (accessed December 10, 2013).

Grant, Naomi and Leandre Fabrigar (2007) “Exploratory Factor Analysis.” In: (Neil Salkind, ed.) Encyclopedia of Measurement and Statistics. California: Sage Publications, Inc, pp. 332–335.

Jackson, William (2011a) “Cyber Attacks Take Two Energy Labs Offline,” GCN, July 6. Available at: http://gcn.com/Articles/2011/07/06/Cyber-attacks-take-2-energy-labs-offline.aspx?s=secur (accessed August 10, 2011).

Jackson, William (2011b) “Energy Lab Back Online after Cyber Attack,” FCW, July 15. Available at: http://fcw.com/articles/2011/07/15/pnnl-back-online-after-hack.aspx (accessed August 17, 2011).

King, Nigel and Christine Horrocks (2010) Interviews in Qualitative Research. California: SAGE Publications Inc.

Kuvshinkova, Svetlana (2003) “SQL SLAMMER Worm Lessons Learned for Consideration by the Electricity Sector.” MyItForum, September 5. Available at: http://www.myitforum.com/articles/15/view.asp?id=5985 (accessed September 21, 2011).

Lemos, Robert (2000) “Power Play: Electric Company Hacked.” ZDNet, December 15. Available at: http://www.zdnet.co.uk/news/emerging-tech/2000/12/15/power-play-electric-company-hacked-2083210/ (accessed September 20, 2011).

Luiijf, Eric (2008) “SCADA Security Good Practices for the Drinking Water Sector.” TNO Defense, March. Available at: http://www.tno.nl/content.cfm?context=markten&content=publicatie&laag1=194&laag2=1&item_id=404&Taal=2 (accessed April 3, 2009).

Mason, Jennifer (2002) Qualitative Researching, 2nd edition. London: Sage Publications Inc.

Maxfield, Michael and Earl Babbie (2005) Research Methods For Criminal Justice and Criminology, 6th edition. California: Wadsworth Cengage Learning.

McAfee (2009) “In the Crossfire: Critical Infrastructure in the Age of Cyber War.” Available at: http://www.mcafee.com/us/resources/reports/rp-in-crossfire-critical-infrastructure-cyber-war.pdf (accessed December 1, 2012).

McAfee (2010) “Advanced Persistent Threats.” Available at: http://www.mcafee.com/in/resources/solution-briefs/sb-advanced-persistent-threats.pdf (accessed December 1, 2012).

Morain, Dan (2001) “Hackers Victimize Cal-ISO,” Los Angeles Times, June 9. Available at: http://articles.latimes.com/2001/jun/09/news/mn-8294 (accessed August 18, 2011).

Nakashima, Ellen (2012) “Cybersecurity should be more Active, Official Says,” Washington Post, September 16. Available at: http://articles.washingtonpost.com/2012-09-16/world/35494752_1_topcyber-private-sector-crowdstrike (accessed May 3, 2013).

NERC (North American Electric Reliability Corporation) (2012) “2011 NERC Grid Security Exercise: After Action Report.” Available at: http://www.nerc.com/pa/CI/CIPOutreach/Documents/NERC%20GridEx%20AAR%2016Mar2012%20Final.pdf (accessed December 10, 2013).

Neuman, William (2003) Social Research Methods: Qualitative and Quantitative Approaches. Massachusetts: Allyn & Bacon.

Newsom, Jason (2005) “A Quick Primer on Exploratory Factor Analysis.” Portland State University. Available at: http://www.upa.pdx.edu/IOA/newsom/semclass/ho_efa.pdf (accessed October 21, 2011).

Nicholson, Rick (2008) “Critical Infrastructure Cybersecurity: Survey Findings and Analysis.” Energy Insights, November 2008.

NSTAC (National Security Telecommunications Advisory Committee) (2000) “Information Assurance Task Force: Electric Power Risk Assessment – Executive Summary.” Available at: http://www.solarstorms.org/ElectricAssessment.html (accessed August 17, 2011).

Oman, Paul, Edmund Schweitzer III and Jeff Robert (2001) “Safeguarding IEDS, Substations, and SCADA Systems Against Electronic Intrusions.” Schweitzer Engineering Laboratories. Available at: http://www.selinc.com/techpprs/6118.pdf (accessed August 11, 2011).

Pedhazur, Elazer and Liora Schmelkin (1991) Measurement, Design, and Analysis: An Integrated Approach. Hillsdale, NJ: Erlbaum.

Perlroth, Nicole (2012) “In Cyber attack on Saudi Firm, U.S. Sees Iran Firing Back,” New York Times, October 23. Available at: http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html (accessed December 10, 2013).

Poulsen, Kevin (2003) “Slammer worm Crashed Ohio Nuke Plant Network,” Security Focus, August 19. Available at: http://www.securityfocus.com/news/6767 (accessed August 10, 2011). doi:10.1016/S1353-4858(03)00310-6

QSR International (2011a) “What is Qualitative Research?” Available at: http://www.qsrinternational.com/what-is-qualitative-research.aspx (accessed December 19, 2011).

QSR International (2011b) “NVivo 9 – Features and Benefits.” Available at: http://www.qsrinternational.com/products_nvivo_features-and-benefits.aspx (accessed December 19, 2011).

Rantala, Ramona (2005) “Cybercrimes Against Businesses.” Bureau of Justice Statistics. Available at: http://www.ojp.usdoj.gov/bjs/pub/pdf/cb05.pdf (accessed February 19, 2009).

Sanger, David and Nicole Perlroth (2013) “Cyber attacks Against U.S. Corporations Are on the Rise,” New York Times, May 12. Available at: http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-us-corporations.html?_r=0 (accessed December 10, 2013).

SANS (System Administration, Networking, and Security Institute) (2001) “Can Hackers Turn Your Lights Off? The Vulnerability of the U.S. Power Grid to Electronic Attack,” SANS Institute. Available at: http://www.sans.org/reading_room/whitepapers/hackers/hackers-turn-lights-off-vulnerability-power-grid-electronic-attack_606 (accessed August 30, 2011).

Sloane, Stanton (2009) “The U.S. Needs a Cybersecurity Czar Now,” Bloomberg Businessweek, August 13. Available at: http://www.businessweek.com/technology/content/aug2009/tc20090813_393090.htm (accessed November 28, 2012).

The Economist (2010) “Cyberwar: War in the Fifth Domain,” The Economist, July 1. Available at: http://www.economist.com/node/16478792 (accessed January 5, 2012).

Tinnel, Laura, O. Sami Saydjari and Dave Farrell (2002) “Cyberwar Strategy and Tactics: An Analysis of Cyber Goals, Strategies, Tactics, and Techniques.” Paper presented at the Proceedings of the 2002 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY, June 2002.

Weiss, Joseph (2010) Protecting Industrial Control Systems from Electronic Threats. New York: Momentum Press.

Whitehouse (2012) “The Comprehensive National Cybersecurity Initiative.” Available at: http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurityinitiative (accessed May 3, 2013).

Wingfield, Brian (2012) “Power-Grid Cyber Attack Seen Leaving Millions in Dark for Months,” Bloomberg, February 1. Available at: http://www.bloomberg.com/news/2012-02-01/cyber-attack-on-u-s-power-grid-seen-leaving-millions-in-dark-for-months.html (accessed November 28, 2012).

Wueeston, Candid (2014) “Security Response: Targeted Attacks Against the Energy Sector.” Symantec. Available at: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/targeted_attacks_against_the_energy_sector.pdf (accessed January 14, 2014).

ZDNN (2001) “Humans Opened the Door for Power Hack,” ZDNN, June 14. Available at: http://www.zdnet.com/news/humans-opened-the-door-for-calif-power-hack/117607 (accessed August 18, 2011).

Published Online: 2014-6-13
Published in Print: 2014-12-1

©2014 De Gruyter

DOI: 10.1515/jhsem-2013-0061