Network News

Sandy turned off the lights, the phones, and the heat. A cyber attack could make it all happen again.

BY JOEL BRENNER | NOVEMBER 7, 2012

In fact, government policies actually encourage such risk-taking. Insurers play an important role in reducing risk because they have a direct interest in reducing claims, but this market dynamic works poorly when government shields shareholders from liability. Consider how government-subsidized flood insurance prevents markets from requiring people to assume the risk of their own choices. More significantly, the U.S. government currently indemnifies the owners of nuclear power plants on a no-fault basis for damage in excess of $12.6 billion. That limit is derisory compared to the potential damage from a nuclear meltdown. Raising or eliminating that limit would require higher insurance coverage, which in turn could lead insurers to play a tougher role in setting and enforcing their own security standards.

To be fair, the big, private-sector electricity generators and transmission companies are serious about security. But their security officials are no match for a state-sponsored attack. The Department of Homeland Security has Industrial Control System Response Teams, known as ICS-CERT. These fly-away teams respond to advanced cyber threats at the urgent request of system owners, and they reportedly spend most of their time dealing with power systems -- electricity and gas. So the threat is real, yet many players in this industry still don't understand it. In some cases, employees of grid operators can reportedly access remote field equipment through Bluetooth connections to the Internet. These practices are rash. An attacker doesn't care whether he gets into the grid through a big company's main generator or a carelessly connected municipal field station. Once he's in, he's in; and if the electricity goes out, everything stops.

That's why isolating the key control systems of our critical infrastructure from the Internet should be a national goal. But the trend is in the opposite direction. If you have an iPhone, try this experiment: Search "SCADA" in the app store. (SCADA stands for "supervisory control and data acquisition.") You'll find a handful of free or cheap mobile apps for accessing industrial control systems through their programmable logic controllers, or PLCs. As an ad for one of these apps puts it, "Plant engineers, PLC software developers, maintenance people, and in general anyone dealing with PLC based systems will be able to connect to them at any time, from anywhere." This is convenient, but it's a security nightmare.

The Internet is porous and insecure, and if you can penetrate a publicly accessible network to steal information, you can also corrupt or wipe the information on the network, or shut the network down, or destroy the equipment that runs on it. Sound melodramatic? It isn't. The Stuxnet cyber attacks on centrifuges in the Iranian nuclear program resulted in the physical destruction of centrifuges. If Saudi Aramco can wake up and find 30,000 of its computers wiped, the same thing can happen to your bank or your power company. The "Shmoon" virus apparently didn't reach the control systems on the Saudi company's extraction and refining operations -- but only because the attackers couldn't get to those systems. In North America, many of our electric grids operating systems are exposed to the public Internet and therefore penetrable.

Matt Cardy/Getty Images

 

Joel Brenner is the former national counterintelligence executive, the former inspector general of the National Security Agency, and the author of America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (Penguin 2011). He practices law in Washington, DC.