From transportation, to telecommunications,
health care and banking.
The digitization of our infrastructure has made
our daily lives more convenient, but it's also
opened us up to the threat of cyberattacks.
Yahoo's hack of over 500 million accounts will
make it the biggest data breach ever.
Equifax, which, as you know, is a very large
supplier of credit information, has announced a
cybersecurity incident that they say potentially
impacts about 143 million U.S.
consumers. Marriott announcing that up to 500
million guests with reservations at Starwood
Properties could have had their data compromised.
But it's not just companies under attack.
Increasingly, power plants and other critical
infrastructures are also becoming a target.
Critical infrastructure is really anything that
makes up the backbone of society.
Everything from transportation and airlines to
banks. Cyberwarfare is the new weapon of choice.
You can run a cyberattack remotely, shut down the
critical infrastructure of other countries,
create massive destruction of refineries and
chemical plants without ever shooting a gun.
Electricity is so prevalent in our lives that we
often don't even think about it until it fails to
work. All electricity starts at a generator,
which can be powered by wind, water, coal or even
nuclear fission. After it is generated, the
electricity travels from the power plant to
transmission substations, which convert it to a
very high voltage so that it can travel long
distances. From there, the electricity travels
along power lines to another transformer, which
again converts the power, this time to a lower
voltage, before it goes into our homes and
businesses. Often people think of the power grid
as "the grid."
It's really not. It's a quilt made up of 3,000 or
so power companies that are owned by
investor-owned utilities.
But most of them are rural electric associations,
or maybe a few owned by the government.
But generally it's a mixture.
This ownership disparity also means that
utilities are regulated differently.
The focus of the regulation is to prevent the
bulk electric system from suffering a widespread
outage. So it may not affect the smaller
companies that are serving smaller cities or
rural areas. On one hand, smaller power companies
in the United States may not be as juicy a
target because they have a small number of
customers, say 25,000.
But on the other hand, they may be more
susceptible to cyberattacks because they don't
have as big a security team or as big a security
budget to focus on protecting their critical
systems. That's where Sistrunk comes in.
As a consultant for cybersecurity firm FireEye,
part of Sistrunk's job involves teaching a
digital forensics class for people who want to
learn how to defend the control systems running
our power plants. And to learn how to defend
against an attack, you first have to learn to
hack. This is a small PLC, programmable logic
controller. This particular device is made by
Phoenix Contact and it's basically easy for an
attacker to get into.
There are a lot of vulnerabilities in it.
Sistrunk demonstrated how a hacker may alter the
functions of "stop" and "go" buttons that in a
power facility may control something like a motor
or a pump. This is a web page of this PLC and
it's been hacked. You can see whenever I try to
click on the red stop button, the green start
button comes on.
So an attacker can go download the software and
change things if they wanted to.
And that's what we do in the class.
In a conventional warfare attack, the first thing
that is hit is the infrastructure, the
refineries, the electrical systems, the chemical
plants, those things that fuel the war machine.
You can simply do the same thing remotely with
cyberweapons. It seems like attackers have
crossed the Rubicon or they've crossed the red
line in the sand.
You know, that they are going after control
systems, whereas once no one cared.
Today, there are more than 9,700 power plants in
the US. Many of them were built decades ago when
operating a plant required a lot of manual labor
and cybersecurity was not a consideration.
But that's changing. Starting in the mid '80s and
early 2000s, the industry started connecting
these control systems through the enterprise
networks to the internet, for the benefit of
remote access, information sharing, etc.
Fantastic for productivity improvement and
business enhancements, but that exposed us to
cybersecurity threats.
The heart of a power plant is what is known as a
SCADA system. SCADA stands for supervisory
control and data acquisition.
These systems are made up of a combination of
software and hardware that allow operators to
monitor and control plant processes in one
central location. Besides power generation
plants, SCADA systems are ubiquitous in the
manufacturing, telecommunications and
transportation sectors, among others.
Today, a typical SCADA system is made up of
thousands of components and runs on several
different kinds of operating systems.
This wide spread of operating systems creates a
very complex surface that security experts have
to understand before they can defend against the
many different types of exploits used against
those specific operating systems.
Since 2010, the number of attacks has increased
exponentially. The reason for it is that it's a
lucrative business for ransom attackers as well
as for nation states.
A 2015 risk report put out by the University of
Cambridge and Lloyd's, a large insurance company,
posed a hypothetical scenario in which a
cyberattack plunged 15 U.S.
states into darkness, leaving 93 million people
without power. The report estimated that the loss
to the U.S. economy would range between $243
billion and $1 trillion.
There is a belief that every system could be
compromised, especially these control systems,
since they were not originally designed for
cybersecurity, unlike computers that we use at
home and at work that are regularly patched and
protected from cyberattacks.
As reported in this "60 Minutes" episode on CNBC
from December 2014, the first cyberweapon to
cause physical damage was used in Iran in 2010.
We begin with the story of Stuxnet, a computer
virus considered to be the world's first
destructive cyberweapon.
It was launched several years ago against an
Iranian nuclear facility, almost certainly with
some U.S. involvement.
Stuxnet infected SCADA systems that were running
Windows and Siemens software within the nuclear
facility. It was used to spin centrifuges too
fast until they basically destroyed themselves.
This was the first time a virus of this type was
used to physically destroy something within a
power facility. In December 2015, hackers cut
power to around 225,000 people in Ukraine.
The incident became the first successful hack on
utilities. It was believed to have been done
through a tactic called spearphishing, where
hackers sent emails with malicious attachments to
I.T. staff and system administrators that helped
to steal the recipients' credentials.
Almost exactly a year later, hackers again shut
off power to a large part of the Ukrainian
capital. Some have blamed the attacks on Russia.
While the attacks were short-lived, they showed the
world that Russia had the will and the ability to
conduct cyberwarfare in this way.
Another attack shook the cybersecurity world in
2017, this time in the Middle East.
In the past year, researchers have spotted a new
family of industrial control malware.
It's called Triton. Triton was a really alarming
piece of malware. It affected facilities in the
Middle East. And what was most alarming about it
was that it disabled what essentially was the
kill switch for a catastrophic disaster.
The metaphor I use here is relying on the police
to come help you out when your house is broken
into. But the police officer is asleep in his police car.
That is a metaphor of that safety system being
bypassed. Though there's not been a cyberattack
in the U.S. that has shut off power to the grid,
hackers have still gone after utility companies.
In 2016, an electric power and water utility
company paid $25,000 in bitcoin ransom after
hackers locked the utility out of its computer
systems. In 2018, the Department of Homeland
Security and the FBI issued a joint alert,
warning that Russian cyberactors had been
targeting U.S. government entities and critical
infrastructure sectors since 2016.
And in 2017, the Department of Energy disclosed a
hack at an electric utility in the western U.S.
Though the hack did not cause outages, it did
show that our power grid was vulnerable.
Most countries that the United States has an
adversarial relationship with don't actually want
to go to war with the United States.
It makes more sense for them to conduct
reconnaissance missions against our electrical
grid. For that reason, it's more realistic that
the types of attacks we see are in the name of
gathering information or opening back doors, than
some sort of catastrophic attack or an attack
similar to the one that we saw in Ukraine.
Protecting our energy grid is essential to our
national security. But there are a few reasons
why it is difficult to do.
For one, it's hard to even gauge how many
cyberattacks there are. The reason we don't have good
numbers around how many cyberattacks there are
against utilities is that most of these companies
simply don't report them.
There's not much of an incentive for utilities or
the companies that provide them with equipment to
tell the public about every cyberattack they've
had. They would risk panicking the public and
they might also even open themselves up to
further attacks if attackers know what's working
against them. That's changing.
In early 2019, the Federal Energy Regulatory
Commission updated cybersecurity standards for
electric grids.
The new standards require electric companies to
report any incidents that either compromise or
attempt to compromise electronic security
perimeters, electronic access control or
monitoring systems and physical security
perimeters associated with cyber systems.
The new reliability standard also encompasses
disruptions or attempts to disrupt the operation
of a bulk electric system or cyber system.
Like with Stuxnet, hackers may try to subvert
security measures by targeting suppliers as
opposed to going after the big utility companies.
Companies are becoming very careful about
checking the software that comes from their
suppliers. In fact, they have a test environment
whereby the updates for the software are tested to
make sure that the software they're getting from
their automation vendor is not infested with
malware. Another best practice is what is known
as pen or penetration testing.
Pen testing is a process through which you
intentionally attack your own system, whether
with your own people or by bringing in people from
the outside, to see how good your defenses are.
But finding someone to perform this test is often
difficult. There is a shortage of over 1.5
to 2 million cybersecurity experts in our
industry, and that is something that's going to
harm us if we don't address it more proactively.
Despite these obstacles, experts stress that
there are steps we can take to mitigate the risk
of cyberthreats. Knowing what you have is the
very first thing you must do, and that's become
more and more accepted as the first thing you do,
which is gain a complete inventory of your
control systems.
The second thing that you do is understand your
vulnerabilities and address them.
Those are the holes in your system.
And the best way to do that is to do some pen
testing or vulnerability assessment.
And the third thing that we advocate is
understanding the configuration of these systems,
the brains, the genealogy of the data in your
environment and controlling that.
So when they are changed, you know.
And the last thing that we advocate, very
strongly, is assume you've been attacked.
What are you doing for recovery purposes?
Do you have the latest version of that
configuration of your system to bring the system
back up in the unfortunate occurrence of losing
the system? Adopting new technology is part of
competitive advantage.
You have to continue to automate.
You have to continue to take on new technologies
to make your business competitive.
Otherwise you get left behind.
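The four-step program laid out above (take a complete inventory of your control systems, assess their vulnerabilities, know their configuration so that you notice when it changes, and keep a known-good configuration to recover from) can be turned into a small defender's tool. The Python below is an added example written for this page, not code from the video or from any of the people or companies in it. It assumes a flat inventory record per device; the asset ids, the vendor names other than Phoenix Contact, the firmware versions and the configuration keys are constructed sample values. The constructed "current" snapshot deliberately mirrors the demo in the video, with a PLC whose start and stop mappings have been swapped, so the drift check has something to find.

```python
"""Control-system inventory baseline, configuration drift detection and recovery check.

Added example for this page: assumes a simple per-device inventory record. All asset ids,
firmware versions and config keys are constructed; only the vendor Phoenix Contact is taken
from the video.
"""
import hashlib
import json

# Constructed baseline inventory: the "know what you have" step, one record per device.
BASELINE_INVENTORY = [
    {"asset_id": "plc-01", "vendor": "Phoenix Contact", "role": "pump control", "firmware": "1.4.2",
     "config": {"start_button": "motor.run", "stop_button": "motor.halt", "web_admin": False}},
    {"asset_id": "plc-02", "vendor": "ExampleVendor", "role": "valve control", "firmware": "2.0.0",
     "config": {"valve_open": "valve.open", "valve_close": "valve.close", "web_admin": False}},
    {"asset_id": "rtu-07", "vendor": "ExampleVendor", "role": "substation telemetry", "firmware": "3.1.0",
     "config": {"poll_interval_s": 2, "protocol": "DNP3"}},
]

# Constructed later snapshot: plc-01's button mapping has been swapped and its web admin
# interface enabled, rtu-07 no longer answers, and an unknown device has appeared.
CURRENT_INVENTORY = [
    {"asset_id": "plc-01", "vendor": "Phoenix Contact", "role": "pump control", "firmware": "1.4.2",
     "config": {"start_button": "motor.halt", "stop_button": "motor.run", "web_admin": True}},
    {"asset_id": "plc-02", "vendor": "ExampleVendor", "role": "valve control", "firmware": "2.0.0",
     "config": {"valve_open": "valve.open", "valve_close": "valve.close", "web_admin": False}},
    {"asset_id": "plc-99", "vendor": "unknown", "role": "unknown", "firmware": "?", "config": {}},
]


def fingerprint(config):
    """SHA-256 over a canonical JSON encoding, so key order alone never reads as a change."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def take_baseline(inventory):
    """Record the known-good state of every asset. This is both the reference for drift
    detection and the 'latest version of the configuration' you restore from after an incident."""
    return {
        dev["asset_id"]: {"firmware": dev["firmware"], "config": dev["config"],
                          "fingerprint": fingerprint(dev["config"])}
        for dev in inventory
    }


def detect_drift(baseline, current):
    """Compare a fresh inventory pass against the baseline.

    Returns a sorted list of (asset_id, finding, detail) tuples; an empty list means
    nothing changed. Findings: missing, firmware_changed, config_changed, unknown_asset."""
    findings = []
    seen = {dev["asset_id"]: dev for dev in current}
    for asset_id, known in baseline.items():
        if asset_id not in seen:
            findings.append((asset_id, "missing", "asset in baseline did not respond"))
            continue
        now = seen[asset_id]
        if now["firmware"] != known["firmware"]:
            findings.append((asset_id, "firmware_changed", f"{known['firmware']} -> {now['firmware']}"))
        if fingerprint(now["config"]) != known["fingerprint"]:
            # Name the keys that differ so an operator can see what moved, not just that it moved.
            changed = sorted(k for k in set(known["config"]) | set(now["config"])
                             if known["config"].get(k) != now["config"].get(k))
            findings.append((asset_id, "config_changed", ",".join(changed)))
    for asset_id in seen:
        if asset_id not in baseline:
            findings.append((asset_id, "unknown_asset", "device not in inventory"))
    return sorted(findings)


def restorable(baseline, asset_id):
    """Recovery check: do we hold a complete, intact configuration to bring this asset back up?"""
    entry = baseline.get(asset_id)
    return bool(entry and entry["config"] and fingerprint(entry["config"]) == entry["fingerprint"])


if __name__ == "__main__":
    base = take_baseline(BASELINE_INVENTORY)
    for asset_id, finding, detail in detect_drift(base, CURRENT_INVENTORY):
        print(f"{asset_id}: {finding} ({detail})")
    print("plc-01 restorable from baseline:", restorable(base, "plc-01"))
```

Run as a script it reports the swapped buttons and enabled web admin on plc-01, the silent rtu-07 and the unknown plc-99, and confirms that plc-01 can be restored from the baseline. In practice the baseline would be written to storage that the control network cannot modify, and the drift check would run on a schedule, but the comparison logic is the part that matters: a fingerprint over a canonical encoding gives a cheap, deterministic change signal, and the per-key diff turns that signal into something an operator can act on.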
While the threat of cyberattacks against the grid
is a real threat, and we have to be proactive
about it, and we have to prepare for it, it's
also important not to panic and to not
sensationalize. We experience reconnaissance
missions and attacks against electrical companies
every day. The majority of them are not
successful.