
There are three things you need to know about the threat of a cyber attack. First, the threat is real. Second, there won't be just one attack. And third, attacks will be directed against physical, critical infrastructure. And, if even one attack gets through, it'll hurt.

Let's think for a moment about what constitutes critical infrastructure. In broad strokes (which is all I'm willing to discuss in an open article), critical infrastructure elements include electricity generation and distribution, petrochemical production and distribution, telecommunications, the water supply, food and agriculture, hospitals and other healthcare services, the transportation network, law enforcement, and, as we've recently come to know and love, the financial system.

To an extent, our current financial crisis gives us a good picture of what an infrastructure attack could feel like. In the current situation, the attack wasn't the result of an outside force via a computer network. Instead, our financial system has been brought to its knees by greed and poor management. Even so, we've seen hundreds of thousands of jobs lost per month, enormous wealth lost by everyone from the uber-wealthy to the retired middle class, and a complete redirecting of national attention.

Now imagine if we had a nationwide failure of, say, the electrical grid. Some emergency services would have their own generators, but as someone who lives in Florida, I can tell you that two weeks without electrical power is no picnic. In homes and supermarkets, food won't stay at safe temperatures. Gas stations that might be able to get gasoline deliveries can't power the pumps necessary to get the gas in and out of tanks. Telecommunication degrades rapidly. Patience drops and citizen violence increases. It isn't pretty.

You can extend this scenario to any of the other infrastructure elements. What about a month without clean water? What happens if the food supply is tainted? How will a massive failure of air traffic control or railroad management impact the nation? And on and on and on.

How Big is the Problem?

Cyberterrorism is getting more and more scary because it has such a long reach. In the olden days before the Internet, if a well-trained terrorist cell wanted to disrupt, for example, power distribution, they'd somehow have to gain physical access to a power station, plant a bomb, and if they'd placed it just right, they might take out one power station.

But with access to the Internet, a single terrorist hacker operating on the other side of the world could take out the entire power grid. The Internet becomes a force-multiplier for terrorist organizations because there's virtually no personal, physical risk incurred by an Internet attacker, and that one attacker could attack multiple facilities.

The phrase "Army of One" takes on a much more terrifying meaning when applied to cyberterrorism attacks against infrastructure targets.

Many of our SCADA (Supervisory Control And Data Acquisition) systems that control critical infrastructure elements are vulnerable. Much of our infrastructure was put in place years ago, either before the days of computer control or, at the very least, before the days where computer network security was such an issue. For convenience, cost management, and even remote monitoring, many of our infrastructure SCADA systems have been retrofitted with some level of Internet connectivity. Unfortunately, the quality of network security on these retrofits runs all over the map, from relatively secure to no security whatsoever.

A typical SCADA system has an interface to the human operator. It's through this interface that operators control the system. Now, however, many of these interfaces are also accessible remotely, often to save operators the trip into the facility and for night or off-hours maintenance.

SCADA systems also have remote terminal units which convert a facility's sensor data to digital data and send that data to a supervisory system. Often, the supervisory system will make calculations based on sensor data and then send out a control signal. One good example of this is food refrigeration. If a freezer gets too cold, the supervising SCADA system raises the temperature a few notches.

You can imagine what might happen if the sensor data were intercepted and changed. A refrigeration unit might keep food at a much higher temperature than is safe, but report data back to the supervisory monitoring systems (and the people who watch them), misrepresenting temperatures as well within safe limits. This sort of data misrepresentation could cause bacteria to form in the food and potentially cause sickness among consumers across a wide territory.

Given the scale of Internet penetration into SCADA systems within our critical infrastructure, the potential risk is quite worrisome.

How Real is the Problem?

These potential risks aren't just theories. In an unprecedented revelation, the CIA released some shocking data. Speaking at the SANS Institute in January 2008, CIA senior analyst Tom Donahue spoke to a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil and gas and other critical industry asset owners from all across North America. He said:

"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge.

"We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States.

"In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

According to Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure.

Even the Pentagon itself isn't safe. In November 2008, the Pentagon reported to Fox News that it had been hit by an alarming cyber attack, in the form of a virus or worm that spread rapidly through a number of military networks. Immediately following the attack, the Pentagon banned the use of external hardware devices, such as flash drives.

Who is the Enemy?

Make no mistake about it. Terrorist organizations are a threat here. But our adversaries aren't just terrorist organizations or even nation states. Angry employees and kids bent on counting coup are also serious threats.

Popular Mechanics Magazine tells the story of Vitek Boden. Back in 2000, Boden was an angry computer geek with a hankering for revenge. He'd been turned down for a job in Maroochy Shire, located about a thousand kilometers from Queensland, on the eastern coast of Australia.

Boden tied his computer to a wireless transceiver and digitally burrowed his way into the city's wastewater management system. He jacked into the system 46 times over two months, and instructed the wastewater system to dump hundreds of thousands of gallons of raw sewage into rivers, parks, and public areas. Because he had wired his gear into his car and moved around with each attack, it took law enforcement months to track him down. The fact that he was caught at all was mostly luck. He was pulled over one day and an officer noticed a pile of computer gear in the car.

What's to be Done?

As with all issues of digital defense, we're dealing with asymmetric warfare. There's a lot more of them and a lot less of us -- and while our infrastructure resources are located in fixed, high-visibility locations, cyber attackers could be anywhere in the world.

First and foremost, for every installation with Internet connectivity, security professionals should be sure they're following best practices, securing firewalls, updating systems against known vulnerabilities, conducting penetration testing, banning portable digital devices inside the firewall, implementing virtual private network tunnels, and on and on and on.

The best thing you can do, however, is to insulate your systems from the grid. Keep only what's necessary on the network and make sure you've got some good, old-school analog plans for how to manage your systems if the digital systems are attacked or disabled.

Be careful. Be smart. And pay attention to the risks inherent to being online.

About the Author

For more than 20 years, David Gewirtz, the author of Where Have All The Emails Gone? and The Flexible Enterprise, has analyzed current, historical, and emerging issues relating to technology, competitiveness, and policy. David is the Editor-in-Chief of ZATZ Publishing, regularly [...] commentary and analysis for CNN's Anderson Cooper 360, and has written more than 700 articles about technology. David is a former professor of computer science, has lectured at Princeton, Berkeley, UCLA, and Stanford, has been awarded the prestigious Sigma Xi Research Award in Engineering, and [...] a candidate for the 2008 Pulitzer Prize in Letters. He is the Cyberterrorism Advisor for IACSP.

Journal of Counterterrorism & Homeland Security International, Vol. 15, No. 2
