The destruction Superstorm Sandy wreaked on the infrastructure of the U.S.’s most populous metropolitan area has brought the threat of cybersecurity attacks on industrial control systems to the fore. Two days after the storm, Department of Homeland Security Director Janet Napolitano warned that “If you think that a critical systems attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities.” Her statement was quickly criticized by many in the media as opportunistic, a gross exaggeration and unnecessary distraction.
I live in a part of Manhattan that was flooded by Superstorm Sandy, though, amazingly, it just missed my street (NYU Hospital, around the corner and across the street took on more than 13 feet of water, lost its backup generators, and had to be evacuated until February of next year). My family and thousands of others nearby lived without any utilities—electricity, heat, water—for the better part of a week. I also witnessed personally the shocking devastation wrought on the shore areas of Staten Island and of course saw the same news footage much of the nation saw of the equivalent or worse devastation in the Rockaways and Coney Island sections of Brooklyn, Long Island, and Jersey shore.
It’s certainly difficult to imagine any cyberattack that could cause damage that widespread and destructive, but that doesn’t take anything away from the real dangers posed by cyberattacks on the systems that control critical infrastructure. To understand this threat it’s important to understand a few things about the supervisory control and data acquisition (SCADA) systems that are crucial to the proper monitoring and operation of many of the nation’s power plants, water systems, rail transportation systems, refineries, and other critical infrastructure.
They run on Windows. I’m joking, right? No. Most SCADA systems around the country run on some version of the same Windows operating system you run at home and at work–the same operating system that hackers have used for target practice for decades.
Many are connected to the Internet. Even if there isn’t direct connectivity, many of these systems sit on networks that have paths to the Internet, paths that could easily be discovered and exploited by clever hackers or cyber soldiers working for a hostile foreign government. Even those that aren’t are potentially vulnerable to malware contained on USB drives, the method of infection used to deliver the famous Stuxnet worm that disrupted and delayed Iran’s nuclear program via infection of Windows based SCADA systems.
They’re often not patched. That’s right, many of the utilities and other entities running these systems shy away from applying security and other patches out of fear of glitchy updates disrupting the operation of the very same critical systems they’re meant to protect. For the same reasons they shy away from running intrusion detection and other security software on the same networks. Vulnerabilities are found in these systems regularly, as they are in most other software systems.
Many are freely downloadable. Several SCADA vendors offer the same types of free trials offered by many other entertainment and business software vendors. Just about anyone can download one of these systems and spend hours looking for vulnerabilities to exploit. In 2011, an Italian researcher with no previous SCADA experience published 34 vulnerabilities he discovered in a matter of hours using a free SCADA software download.
The employees running these systems do really stupid things just like you and me. In 2011 a southern California water system hired a well known hacker to discover vulnerabilities in its infrastructure. Within a day he managed to take over the systems adding chemical treatments to drinking water after discovering that employees were logging into the network from unsecured home computers.
It may surprise you to know that the great Northeast Power Blackout of 2003 resulted in large from a SCADA system failure that prevented control room operators from understanding and responding to changes in the electrical grid after a few trees hit some transmission lines in Ohio. The problem wasn’t addressed and so an overload cascaded across the grid until it was too late. While it’s not an example of cyber terrorism, it shows the potential of what a knowledgeable hacker might be able to accomplish.
The upside is that a hacker would have to understand in depth not only the SCADA software and network but the complex, sophisticated control systems they monitor and manipulate in order to do significant damage, which makes a truly damaging attack less likely. However, everyone knows that the perpetrators of targeted, advanced persistent threats get more and more organized and sophisticated each year and government sponsored cyberterrorism is inching closer and closer to reality. Not to mention the threat from a hostile, knowledgeable insider. A sophisticated, widespread, devastating attack is certainly not inconceivable and is the reason why taking the opportunity to raise awareness is not necessarily a bad thing.