As the Stuxnet affair demonstrated, remotely engineered disruption of industrial control systems is now a reality. That episode involved the successful electronic attack on the centrifuges in the Iranian nuclear program. Only a first-class intelligence agency could have pulled that off, but the blueprint for doing it -- the code itself -- is now public. Many American industrial control systems run on the same kind of equipment the Iranians were using, but unlike the controls on the Iranian centrifuges, the controls on the U.S. grid are now being connected to the Internet, making them easier to disrupt. Stuxnet was a watershed; there will be copycats.
Other industrial control systems will also be targets. Some already are. Air traffic control, railroad switches, and water and sewage systems are all electronically controlled now, and many are vulnerable. If an intruder can break into the right server electronically, he can remotely shut down production, send your goods to the wrong destination, and even unlock your doors -- and delete your log entries so he leaves no record of ever having been there.
The United States does not lack enemies who would attack it this way. Seized al Qaeda computers contain details of U.S. industrial control systems. In 2003, a group affiliated with the Pakistani terrorist organization Lashkar-e-Taiba -- the same gang that engineered the 2008 terrorist assaults in Mumbai -- plotted to attack the Australian grid. Other groups conspired to attack the British grid in 2004, 2006, and 2009. Yet the owners and operators of the North American grid continue willy-nilly to expose their control systems to the Internet instead of isolating and hardening them. This is folly of a high order.
Important conclusions for public and corporate policy follow from this vulnerable state of affairs. First, cyber insecurity has operational consequences. In the current and foreseeable states of technology, a high degree of assurance against electronic penetration of anything connected to the Internet is not achievable. Large, efficient, electronically connected organizations and nations are therefore vulnerable to remotely engineered disruption as well as information theft.
Second, this risk cannot be eliminated -- but it can be reduced and managed. As a nation, the United States should start by isolating the grid's controls from the Internet. Undoubtedly, there are marginal efficiencies to be gained by seamless connectivity over a publicly accessible infrastructure, but these gains are usually exaggerated and the risk this connectivity creates is staggering. The government and the major telecommunications carriers must also make the investment required to re-create the massive redundancies that made the wired telephone network so robust. Resilience and swift recovery should be the goal. If the consequences of cyberattacks were reduced, penetration would cease to matter.
Third, companies that wait for the government to "solve" their own security problems do so at their peril. The government is broke and the IT backbone is 85 percent private, so the government doesn't control it. The government's role in altering the status quo will be limited to setting standards, using its purchasing power to move vendors toward better security, and getting its own house in order. The government can neither secure corporate intellectual property nor protect firms against operational disruption.
Fourth, in a world in which everything cannot be protected, companies must determine for themselves what intellectual property and physical assets to isolate and safeguard. Those that approach this task seriously will quickly learn that technology is only one aspect of their insecurity and, in many cases, the easiest to deal with. Unless technology is integrated with personnel practices and operational security, it opens vulnerabilities that its users rarely understand. This kind of integration requires the automated enforcement of reasonable security policies and systematic workforce training; and that occurs only when management, the lawyers, and the technologists work closely together. This is an old-fashioned management challenge -- not a technological one. For their part, corporate boards need to take IT security seriously and launch audits that examine how their systems are actually implemented and used, not merely how they are designed. Because as the techies like to put it, the weakest link in any system is not the silicon-based unit on the desk; it's the carbon-based unit in the chair.