The arsenal of modern weapons that terrorists might someday use to disrupt power grids, gas lines and other parts of the nation’s critical infrastructure includes conventional weapons as well as bits and bytes — in other words cyberterror attacks. The cyberthreat to the electricity we use and the water we drink is real, experts say, but there’s no need to panic — at least not yet.
“Our research shows that terrorist groups are definitely interested in attacking critical infrastructures,” said Eric Byres, research director at the Internet Engineering Laboratory of the British Columbia Institute of Technology in Burnaby. “The good news is that we don’t think they have the technical ability yet — in other words, the combined IT and control system skills needed to penetrate a utility network. The bad news is that they’re beginning to acquire some of these skills.”
Confidential documents about supervisory control and data acquisition (SCADA) systems, for instance, have been found in al Qaeda hiding places in Afghanistan, while the Irish Republican Army has said it plans cyberattacks on crucial supply systems, according to Justin Lowe, principal consultant with PA Consulting Group.
Equally disturbing, talented hackers in many parts of the world are willing to peddle their expertise for the right price or political cause, according to DK Matai, chairman of Mi2g Ltd., a London security service provider. “We have evidence of Russian hackers selling their skills to radical Islamic groups,” he said.
Few, if any, of the industrial control systems used today were designed with cybersecurity in mind because hardly any of them were connected to the Internet. For the most part, the companies operating them viewed their infrastructures as secure from cyberattacks because of their isolated structure.
However, utilities and factories are now using the Internet to carry SCADA messages from an increasing number of Web-enabled, remote-control systems, according to Joe Weiss, who served as security director at the Electric Power Research Institute in Palo Alto, Calif., and its Enterprise Infrastructure Security Initiative before joining KEMA Consulting.
In addition, many of their “private” networks are now built with the help of competitively priced fiber-optic connections and transmission services provided by telecom companies, which have become a frequent target of cyberattacks.
Last year, a power utility crash was caused indirectly by the Slammer worm paralyzing a leased telecom service. For its SCADA communications network, the utility used a frame relay service, which a carrier provided over its ATM backbone. The ATM network was overwhelmed by the worm, blocking SCADA traffic to substations.
“In some sense, we’re always under attack,” said Vint Cerf, senior vice-president of technology strategy for MCI Inc. “The wonderful thing about the Internet is that everything is connected. The horrible thing about the Internet is that everything is connected.”
And if terrorist groups fail to mount an attack from the outside, they can always take the insider approach, finding disgruntled employees who know the vulnerabilities of, say, a power grid control network, according to PA Consulting’s Lowe.
That’s why Cerf insists on access controls at every host in every internal network. “The notion of inside and outside shouldn’t confer a great deal of authority on anybody,” he said. “My recommendation: every host should have its own firewall and require authentication that should be very strong.”
Byres said protection varies in critical infrastructures around the world, but the level isn’t directly linked to the national economy. In other words, it isn’t necessarily better in rich countries and worse in poor countries. For instance, deregulation of the energy market in the U.S. has led to cost-cutting that has affected investments across the board, including security systems and services, he said.
In Canada, the Office of Critical Infrastructure Protection and Emergency Preparedness was launched in February 2001, and network security and cyber incident analysis strategies were subsequently updated to.
And what about the Internet, which is a critical infrastructure in its own right?
“Sure, if gangsters are using cyberattacks as weapons, why shouldn’t terrorists?” said Steve Cocke, director of the security and stability advisory committee at the Internet Corporation for Assigned Names and Numbers. But Cocke argues that the distributed architecture of the Internet makes it a difficult target to bring down. “When the World Trade Towers came down, local telephone service was severely impaired but disruption of the Internet was minimal,” he said.
The disturbing fact is that the world’s utility and industrial infrastructures remain vulnerable to cyberattacks not only by terrorists but also by disgruntled employees and even script kiddies, experts agree. The challenge now, they say, is to minimize this vulnerability — before it’s too late.