If you missed the news, in mid-November 2011, that an alleged cyber attack had been carried out against critical infrastructure in the United States, it’s understandable. At about the same time, a far more mysterious and ominous case of rumored cyber war was occurring in Iran, at a missile base 25 miles from Tehran. As a sophisticated Sejil-2 missile was being either “transported” (the official Iranian version) or tested in front of a crowd of high-level military observers, it exploded, killing at least 17 members of Iran’s Revolutionary Guard, including Maj. Gen. Hassan Moqqadam, the man who had pioneered the country’s missile development since the 1979 revolution.
The explosion occurred a week after the United Nations’ International Atomic Energy Agency (IAEA) reported that Iran had experimented with placing nuclear-capable warheads on its missiles, leading to speculation about how it had happened. Iranian nuclear facilities and infrastructure had already suffered three known cyber attacks. Could the explosion have been due to an infiltration of the missile’s control systems?
Meanwhile, in the United States, an equally murky series of events unfolded near Springfield, Ill., where a water pump at the Curran-Gardner Township Public Water District facilities failed. According to a leaked report by the Illinois Statewide Terrorism and Intelligence Center with the provocative title “Public Water District Cyber Intrusion,” the pump had been controlled by one or more hackers who had accessed the facilities’ supervisory control and data acquisition (SCADA) systems from IP addresses based in Russia, using usernames and passwords stolen from a software vendor.
The alleged attack was described in several sensational stories in the press and around the Web as the first-ever destruction of U.S. infrastructure by a hacker – America’s own Stuxnet attack. But within a week, the report was slapped down by the FBI and the Department of Homeland Security (DHS). As it turned out, the pump had simply burned out a few months after the contractor who had set up the utility’s control system had accessed it remotely while on vacation in Russia.
To some in the computer and control systems industry, the Springfield farce was unfortunate not only because it indicated serious flaws in the state’s homeland security bureaucracy, but also because the ensuing public derision obscured an opportunity to realize the vulnerability of industrial control systems. To prove this point, a hacker calling himself “pr0f” took to the Internet, posting images that suggested he had accessed the SCADA system for the water supply network in the city of South Houston, which used the same front-end software. His purpose in hacking the utility was not malicious, but simply to prove a point, he wrote in a post: “I don’t really like mindless vandalism. It’s stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the Internet.”
Revelations of wholesale fraud and massive data thefts – cases resolved in 2010 and 2011 included a $9 million hack of Royal Bank of Scotland bank card PIN numbers, a criminal botnet that enslaved computers in 172 countries, and the theft of 25 million usernames and passwords from Sony Online Entertainment – have become a seemingly everyday occurrence and have lost the ability to surprise many people. But cyber attacks on critical infrastructure – the facilities and networks associated with public necessities such as power, water, communications, and transportation – have long been the hypothetical “Big Scare,” used to urge action on securing networks and infrastructure.
Events in Iran and elsewhere have proven that cyber war is no longer theoretical; it’s here. Cyber attacks on industrial control systems are real and dangerous – perhaps even lethal in the extreme.
What is the U.S. government doing to protect the nation’s computer networks and industrial control systems? That question, like many involving cybersecurity, is complicated.
Who’s in Charge?
In recent years, independent assessments have repeatedly assailed the federal government’s failure to develop a coherent approach to cybersecurity. 2011 began with two such reports. The National Security Cyberspace Institute (NSCI), a private company offering cyberspace research, analysis, and education to public and private entities, issued a report card on the White House’s progress toward meeting its own near-term goals. The grades were nothing to brag about: four Bs, four Cs, and two Ds. The Center for Strategic and International Studies (CSIS), a bipartisan Washington, D.C., foreign policy think tank, also detailed a lack of progress in its report, “Cybersecurity Two Years Later,” in which it concluded: “The energy in the national dialogue on cybersecurity has not translated into progress. … In our view, we are still not prepared.”