It can threaten a nation’s core security, cause mass casualties and weaken the economy, according to the Government Accountability Office, the US Congress’ research arm.
Assailants “could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals. ... They could contaminate the water supply in major cities,” then-US Defense Secretary Leon Panetta said last October. Foes could take down electric or water systems, fomenting public panic, reaping high death tolls and causing high physical and economic costs.
It might not even be immediately clear who was behind the attack, or where it was coming from. This devastating power could be wielded with comparatively few operatives, or without the support of a national government. And the massive kinetic strength of the US military would be essentially helpless in thwarting it.
For more than two decades, internet-based attacks have been relatively infrequent and mostly low level. Now, many experts caution that the specter of cataclysmic cyber war is upon us.
Not everyone agrees with the perilous scenarios; prominent dissenters contend that governments are peddling a trumped-up digital disaster threat to justify privacy intrusions.
But US officials use phrases like “cyber-Pearl Harbor” to describe the threat hackers pose to the critical infrastructure — electricity, water, trains, oil and gas pipelines — and the information networks that run the economy.
World governments have begun taking the threat of cyber war seriously. New specialized military units like the US Cyber Command, South Korea’s Cyber Warfare Command and NATO’s Computer Incident Response Capability have all begun preparing cyber soldiers.
Responding to the founding of US Cyber Command, China established the now infamous division of the People’s Liberation Army dedicated to “defense” against cyber threats.
Cyber war 101
One factor that sets cyber assault apart from other forms of warfare is the relative ease in launching it. Inducing a catastrophic infrastructure failure may only demand one small change in a line of code.
“We don’t even know if you have to have really good network intelligence, be sustainable in your attacks or have persistent access,” said Timothy Junio, a research fellow at Stanford University’s Center for International Security and Cooperation.
In a nightmare scenario cited by US President Barack Obama, trains carrying hazardous chemicals could derail, contaminating water supplies. Obama last year wrote an op-ed for the Wall Street Journal cautioning, “The lack of clean water or functioning hospitals could spark a public health emergency. And as we've seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.”
Despite the magnitude of the threat, experts contend that the US is woefully under-protected.
They say computer systems that manage critical infrastructure are plagued by security vulnerabilities that would shock anyone with a rudimentary understanding of how to secure a personal computer, let alone a power grid.
A surprising number of systems use passwords hardcoded by the manufacturer — available to hackers via Google search. Other systems use unchanged default usernames and passwords like “admin/admin.”
If passwords aren’t publicly available, other glaring vulnerabilities often remain, such as systems “connected to the internet that shouldn’t be; people using a workstation that handles physical control at a plant to access their [email],” said Junio.
Users casually browsing the internet on infrastructure workstations need only download a malicious email attachment or click a single malicious link to compromise the security of an entire infrastructural system.
“All technical experts agree that critical infrastructure in the US is highly vulnerable,” said Junio. “I can’t think of any technical study where someone has done penetration testing against a critical infrastructure site and came back saying ‘yes this is fine.’”
Part of the reason these systems are so vulnerable is that they were created before widespread use of the internet, and were never designed to be secure in the first place.
“You’re taking a system that wasn’t meant to be available and now you’re making it available, everywhere,” said Kevin Albano, a manager of security firm Mandiant’s Threat Intelligence division.
Given that infrastructure systems are remarkably unguarded, the other major hurdle for cyber warriors to surmount is finding the right networks.
There are plenty of readily available tools that can help.
One of the most effective is called SHODAN. It’s available to anyone with web access. SHODAN is used by information security experts to assess whether networks are secure, but like any penetration testing tool it can equally be used by hackers in security breaches.
“SHODAN is a search engine for machines connected to the internet. It could be anything from a webcam to a photocopier. It scours the internet looking for IP addresses associated with machines,” Junio said. “SHODAN enables hackers to look for targets worldwide, in an automated way, and it’s perfectly legal.”
Junio noted that during a trip to Taiwan, he found more than 6,000 Taiwanese infrastructure control systems listed in SHODAN, without the government being aware that this was a security problem.
In addition to SHODAN, one of the simplest, most common methods used by hackers to gain access to critical infrastructure is a spear phishing attack.
Spear phishing is often successful because it needs to fool only one employee to grant hackers access to an entire system. It works like this: Posing as a colleague, hackers send emails to employees of a utility, asking them to log in to a linked site, using their company username and password. When the unwitting employee logs in, the hacker harvests their password.
Because most people use only one or two passwords for all of their online or company accounts, a single password could give the hacker a way into a system controlling the utility.
Spear phishing attacks are incredibly difficult to defend against because they exploit the likelihood that at least one employee will be fooled.
Once inside, a small change in a system can potentially cause cascading failures, just as a bird can disrupt electricity for thousands by flying into a transformer.
That’s because infrastructure systems “are extremely intertwined,” said Robert Bea, risk assessment expert and professor at the University of California at Berkeley. “Should one piece of a system fail, you end up with these cascades, sort of like a game of dominos.”
“It doesn’t take anything horribly catastrophic to initiate an infrastructure disaster. Using cyber attack methods, individuals with malicious intent could determine the most efficient way to trigger multiple infrastructure failures,” Bea added.
What would a cascading failure brought on by a cyber attack look like?
According to Bea, it would be very similar to those brought on by natural disasters. To estimate the damage that could be inflicted by a cyber attack triggering a cascading failure, look no further than New Orleans.
“The best reference for me will be Hurricane Katrina and the flood protection system for the Greater New Orleans Area ... Katrina caused a cascade of infrastructure failures that affected the city for months, years. Some are still not working properly,” Bea said.
The catastrophic failure of the New Orleans flood levee led to the deaths of more than 1,500 people, in addition to untold billions in economic and environmental damage.
If the catastrophic failure had stemmed from a cyber attack on the systems that controlled the flood levees, the aftermath in New Orleans may have been similar to the failure caused by the hurricane.
Cyber security vulnerabilities in infrastructure systems may be only one problem among many afflicting aging infrastructure, but the power to unleash another Katrina may rest with hackers, state-sponsored or independent, wielding powerful pieces of malware.
That might sound abstract, at least until a major assault occurs. But in 2012, US computers were the target of nearly 9 million malware attacks. And more recently, an attack in South Korea took banks down for days.