Over the past five years, and particularly since the September 11, 2001, attacks on the World Trade Center and the Pentagon, the U.S. Homeland Security Department and Information Technology security experts have devoted their talents to debating how to best thwart a cyber Apocalypse—a cyber attack that could wreak havoc on the nation by bringing down critical information infrastructures. The debate seems to move from ways of protecting critical infrastructures—telecommunications trunk lines, power grids, and gas pipelines—to how to best protect the software on computer systems operating the critical infrastructures. The software under discussion includes that driving the computer systems operating the physical infrastructures as well as that maintaining private sector operators’ business records.
To help individuals better understand the apocalyptic potential of cyberterrorism, in 1998 Robert Rief developed a passage whose nightmarish particulars mimic in some respects those of the September 11, 2001, attack on the World Trade Center. The Wall Street computer systems crash and the financial system network is brought to a halt. In buildings, the emergency lights dim and chaos peaks on streets. Subways and trains fail to support the usual masses, and at the airport, the computers fail—though no bugs are immediately apparent. In short, the usual tempo of life in “the Big Apple” grinds to a halt amid a backdrop of massive chaos.
It is interesting to note that a cyber Apocalypse could occur, for hundreds of times daily, crackers attempt to invade critical infrastructure facilities in the United States. One such place of attack is the computer network of Constellation Energy Group, Inc., a Maryland power company having clients across the United States. Though to date crackers have not caused serious damage to the network that feeds the U.S. power grid, the experts caution that terrorists could engineer a crack that triggers a widespread blackout and victimizes power plants, producing an extended outage. The U.S. power grid system has become more vulnerable to cracks in recent years since control of the electric generation and distribution equipment was moved from private, internal networks to SCADA (Supervisory Control and Data Acquisition) systems, accessible through the Internet or by telephone. Though the SCADA technology allows employees to operate equipment remotely, without question it is more vulnerable to crack attacks.
Of further interest, in February 2005 guards placed at the Nevada Test Site to protect the nuclear weapons complex north of Las Vegas failed a test in which they were to combat a mock terrorist attack. A spokesperson for the National Nuclear Security Administration, the group responsible for operating the complex, said that deficiencies had been identified during the test. Though the numbers of guards and particulars about the Test Site are classified information, weapons-grade plutonium and very enriched uranium are apparently stored there. In 2004, the United Nations’ International Atomic Energy Agency (IAEA) cautioned about an increasing international concern regarding the potential for cyber attacks on nuclear facilities. Though no public reports regarding successful attacks against nuclear plants have surfaced to date, in 2001 the Slammer worm cracked a private computer network at Ohio’s nonactive Davis-Besse nuclear plant, bringing down a safety monitoring system for almost five hours—and creating concerns regarding a potential cyber Apocalypse. Apparently, the worm got in through an interconnected contractor’s network that bypassed the nuclear plant’s firewall.
Because of these concerns, the United States Nuclear Regulatory Commission (NRC) began a public comment phase in January 2005 regarding a 15-page updated regulatory guide entitled “Criteria for Use of Computers in Safety Systems of Nuclear Power Plants,” which will supersede the previous 1996 three-page version that had absolutely no mention of such security issues. The updated version not only advises against network interconnections such as the one that brought down the Davis-Besse plant for an extended period of time but also suggests that plant operators should take into account the impact that each new computer system has on the entire plant’s cyber security. The updated version also speaks to the development of response plans for coping with cyber attacks and presents ways for reducing the risks of Black Hats “planting” back doors and logic bombs in the safety system software when it is being designed and, later, implemented.
Blum, J. Hackers Target U.S. Power Grid. [Online March 11, 2005.] The Washington Post Company Website. http://www.washingtonpost.com/wp-dyn/articles/ A25738-2005Mar10.html; Manning, M. Test Site Guards Failed Attack Drill. [Online, February 3, 2005.] Las Vegas Sun, Inc. Website. http://lasvegassun.com/sunbin/stories/1v-other/2005/ feb/03/518233054.html; Porteous, H. Some Thoughts on Critical Information Infrastructure Protection. Canadian IO Bulletin, Vol. 2, [Online, October, 1999.] Canadian IO BulletinWebsite. http://www.ewa-canada.com/Papers/IOV2N4.htm; Poulsen, K. U.S. to Tighten Nuclear Cyber Security. [Online, January 26, 2005.] Reg Seti Group Website. http://www.theregister.co.uk/ 2005/01/26/nuclear_cyber_security/; Schell, B.H., Dodge, J.L., with S.S. Moutsatsos. The Hacking of America: Who’s Doing It, Why, and How. Westport, CT: Quorum Books, 2002.