There are three things you need to know about the threat of a cyber attack. First, the threat is real. Second, there won't be just one attack. And third, attacks will be directed against physical, critical infrastructure. And, if even one attack gets through, it'll hurt.

Let's think for a moment about what constitutes critical infrastructure. In broad strokes (which is all I'm willing to discuss in an open article), critical infrastructure elements include electricity generation and distribution, petrochemical production and distribution, telecommunications, the water supply, food and agriculture, hospitals and other healthcare services, the transportation network, law enforcement, and, as we've recently come to know and love, the financial system.

To an extent, our current financial crisis gives us a good picture of what an infrastructure attack could feel like. In the current situation, the attack wasn't the result of an outside force via a computer network. Instead, our financial system has been brought to its knees by greed and poor management. Even so, we've seen hundreds of thousands of jobs lost per month, enormous wealth lost by everyone from the uber-wealthy to the retired middle class, and a complete redirecting of national attention.

Now imagine if we had a nationwide failure of, say, the electrical grid. Some emergency services would have their own generators, but as someone who lives in Florida, I can tell you that two weeks without electrical power is no picnic. In homes and supermarkets, food won't stay at safe temperatures. Gas stations that might be able to get gasoline deliveries can't power the pumps necessary to get the gas in and out of tanks. Telecommunication degrades rapidly. Patience drops and citizen violence increases. It isn't pretty.

You can extend this scenario to any of the other infrastructure elements. What about a month without clean water? What happens if the food supply is tainted? How will a massive failure of air traffic control or railroad management impact the nation? And on and on and on.

How Big is the Problem?

Cyberterrorism is getting more and more scary because it has such a long reach. In the olden days before the Internet, if a well-trained terrorist cell wanted to disrupt, for example, power distribution, they'd somehow have to gain physical access to a power station, plant a bomb, and if they'd placed it just right, they might take out one power station.

But with access to the Internet, a single terrorist hacker operating on the other side of the world could take out the entire power grid. The Internet becomes a force-multiplier for terrorist organizations because there's virtually no personal, physical risk incurred by an Internet attacker, and that one attacker could attack multiple facilities. The phrase "Army of One" takes on a much more terrifying meaning when applied to cyberterrorism attacks against infrastructure targets.

Many of our SCADA (Supervisory Control And Data Acquisition) systems that control critical infrastructure elements are vulnerable. Much of our infrastructure was put in place years ago, either before the days of computer control or, at the very least, before the days where computer network security was such an issue. For convenience, cost management, and even remote monitoring, many of our infrastructure SCADA systems have been retrofitted with some level of Internet connectivity. Unfortunately, the quality of network security on these retrofits runs all over the map, from relatively secure to no security whatsoever.

A typical SCADA system has an interface to the human operator. It's through this interface that operators control the system. Now, however, many of these interfaces are also accessible remotely, often to save operators the trip into the facility and for night or off-hours maintenance.

SCADA systems also have remote terminal units which convert a facility's sensor data to digital data and send that data to a supervisory system. Often, the supervisory system will make calculations based on sensor data and then send out a control signal. One good example of this is food refrigeration. If a freezer gets too cold, the supervising SCADA system raises the temperature a few notches.

You can imagine what might happen if the sensor data were intercepted and changed. A refrigeration unit might keep food at a much higher temperature than is safe, but report data back to the supervisory monitoring systems (and the people who watch them), misrepresenting temperatures as well within safe limits. This sort of data misrepresentation could cause bacteria to form in the food and potentially cause sickness among consumers across a wide territory.

Given the scale of Internet penetration into SCADA systems within our critical infrastructure, the potential risk is quite worrisome.

How Real is the Problem?

These potential risks aren't just theories. In an unprecedented revelation, the CIA released some shocking data. Speaking at the SANS Institute in January 2008, CIA senior analyst Tom Donahue spoke to a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil and gas and other critical industry asset owners from all across North America. He said:

"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

According to Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure.

Even the Pentagon itself isn't safe. In November 2008, the Pentagon reported to Fox News that it had been hit by an alarming cyber attack, in the form of a virus or worm that spread rapidly through a number of military networks. Immediately following the attack, the Pentagon banned the use of external hardware devices, such as flash drives.

Who is the Enemy?

Make no mistake about it. Terrorist organizations are a threat here. But our adversaries aren't just terrorist organizations or even nation states. Angry employees and kids bent on counting coup are also serious threats.

Popular Mechanics Magazine tells the story of Vitek Boden. Back in 2000, Boden was an angry computer geek with a hankering for revenge. He'd been turned down for a job in Maroochy Shire, located about a thousand kilometers from Queensland, on the eastern coast of Australia.

Boden tied his computer to a wireless transceiver and digitally burrowed his way into the city's wastewater management system. He jacked into the system 46 times over two months, and instructed the wastewater system to dump hundreds of thousands of gallons of raw sewage into rivers, parks, and public areas. Because he had wired his gear into his car and moved around with each attack, it took law enforcement months to track him down. The fact that he was caught at all was mostly luck. He was pulled over one day and an officer noticed a pile of computer gear in the car.

What's to be Done?

As with all issues of digital defense, we're dealing with asymmetric warfare. There's a lot more of them and a lot less of us -- and while our infrastructure resources are located in fixed, high-visibility locations, cyber attackers could be anywhere in the world.

First and foremost, for every installation with Internet connectivity, security professionals should be sure they're following best practices, securing firewalls, updating systems to known vulnerabilities, conducting penetration testing, banning portable digital devices inside the firewall, implementing virtual private network tunnels, and on and on and on.

The best thing you can do, however, is to insulate your systems from the grid. Keep only what's necessary on the network and make sure you've got some good, old-school analog plans for how to manage your systems if the digital systems are attacked or disabled.

Be careful. Be smart. And pay attention to the risks inherent to being online.

About the Author

For more than 20 years, David Gewirtz, the author of Where Have All The Emails Gone? and The Flexible Enterprise, has analyzed current, historical, and emerging issues relating to technology, competitiveness, and policy. David is the Editor-in-Chief of ZATZ Publishing, regularly writes commentary and analysis for CNN's Anderson Cooper 360, and has written more than 700 articles about technology. David is a former professor of computer science, has lectured at Princeton, Berkeley, UCLA, and Stanford, has been awarded the prestigious Sigma Xi Research Award in Engineering, and a candidate for the 2008 Pulitzer Prize in Letters. He is the Cyberterrorism Advisor for IACSP.

Journal of Counterterrorism & Homeland Security International, Vol. 15, No. 2
www.thejournalofcounterterrorism.org