Staggering Security Holes In Power, Water, and Oil Grid Infrastructure; 40% of Utility Companies Expect to Be Attacked in the Next 12 Months

Apr 22, 2011 | Headline News | 23 comments

    IT security firm McAfee’s recent protection report In the Dark: Crucial Industries Confront Cyberattacks [PDF] highlights the ever-growing threat of digital attacks on the nation’s core infrastructure systems.

    At one time, proprietary and locally controlled computers were responsible for monitoring and maintaining everything from electricity distribution to water treatment. But, as companies look to reduce costs and simplify command and control operations, critical infrastructure systems are being connected directly to the internet, making it much easier and much more likely that they could be attacked by foreign governments, hackers, or criminals.

    This year, in a sequel report, we focused on the critical civilian infrastructure that depends most heavily on industrial control systems. As with the first report, we used survey data, research, and interviews to obtain a detailed picture of cyber risks in these sectors. The sectors on which this report focuses — power, oil, gas, and water — may well be the first targets for a serious cyberattack.

    What we found is that they are not ready. The professionals charged with protecting these systems report that the threat has accelerated — but the response has not. Cyberexploits and attacks are already widespread. Whether it is cybercriminals engaged in theft or extortion, or foreign governments preparing sophisticated exploits like Stuxnet, cyberattackers have targeted critical infrastructure.

    We found accelerating threats and vulnerabilities. For the second year in a row, IT executives in the critical infrastructure sector told us that they perceive a real and growing cyberthreat. Denial-of-service attacks on energy networks increased. Extortion attempts were also more frequent in the CIP sectors. And hostile government infiltration of their networks achieved staggering levels of success.

    Despite these vulnerabilities, many power companies are doubling down on the danger; they are implementing “smart grid” technologies that give their IT systems more control over the delivery of power to individual customers — or even to individual appliances in customers’ homes. Without better security, this increased control can fall into the hands of criminals or “hacktivists,” giving them the ability to modify billing information and perhaps even control which customers or appliances get electricity. But security is not a priority for smart grid designers, according to Woolsey, who two years ago chaired a group that published a report for the Department of Defense on grid vulnerabilities. Ninety to ninety-five percent of the people working on the smart grid are not concerned about security and only see it as a last box they have to check.

    One of the more startling results of our research is the discovery of the constant probing and assault faced by these crucial utility networks. Some electric companies report thousands of probes every month. Our survey data lend support to anecdotal reporting that militaries in several countries have done reconnaissance and planning for cyberattacks on other nations’ power grids, mapping the underlying network infrastructure and locating vulnerabilities for future attack.

    More than 40 percent of the executives we interviewed expect a major cyberattack within 12 months — an attack, that is, that causes severe loss of services for at least 24 hours, a loss of life or personal injury, or the failure of a company.

    Up until a couple of years ago, the threat of total infrastructure failure existed only in the sphere of science fiction. Recently, however, the vulnerabilities of the physical hardware on power grids, water utility grids and other important infrastructure elements were made perfectly clear with the spread of the Stuxnet virus, which wreaked havoc on Iranian nuclear facilities. The virus, often referred to as malware, literally destroyed the physical centrifuges responsible for the enrichment of uranium by forcing them to spin out of control. All the while, monitoring stations reported perfectly normal conditions.

    The scary thing? Stuxnet isn’t isolated to just Iranian nuclear facilities:

    Our data indicates that the Stuxnet virus did indeed have a global reach. Around 40 percent of respondents found Stuxnet on their computer systems. Stuxnet was more likely to appear in the electricity sector, where 46 percent of respondents found the malware.

    Stuxnet was an extraordinary advance in sophistication over the kinds of malware used by the criminal underground. The Belarusian security firm that initially identified Stuxnet at first believed it to be a backdoor for hackers. But closer inspection revealed the complex nature of the virus. It features multiple exploits that were previously unknown, has Microsoft Windows driver modules that had been signed using genuine cryptographic certificates stolen from respectable companies, contains about 4,000 functions, and uses advanced anti-analysis techniques to render reverse engineering difficult. It is almost certainly the work of a government, not a criminal gang.

    In fact, Stuxnet was the work of a government – reportedly two of them. It is believed that intelligence agencies within the United States and Israel are responsible for its conception.

    What this shows is that advanced computer scripts and malware target not just personal computers, but highly advanced, purportedly secure critical systems. Those who would attack the nation’s infrastructure could bring these systems down not just for 24 hours using traditional denial-of-service attacks, but potentially for weeks and months by executing programs that directly attack the grid’s hardware.

    A cyberattack on the US grid would be devastating.

    Imagine, for a moment, what such an attack on our water utility plants might look like. While water safety conditions monitored by engineers on remote computer systems attached to the internet might look perfectly normal on the surface, a malicious virus may be at work behind the scenes, controlling the delivery (or lack thereof) of water treatment chemicals into an entire city or region’s water supply.

    A similar attack could occur on the electrical grid, sending surges to vital transformers across the nation. Because many of our systems are decades old, they could be overwhelmed, much like Iran’s Siemens-built centrifuges. In such a scenario, because of the lack of availability of the damaged equipment and the sheer size of such a widespread attack, it could take weeks or months to repair.

    There are roughly 150 oil refineries in the United States, and most of them are likely running on similar hardware, from well known industry manufacturers. Is it that much of a stretch to consider the possibility that a coordinated attack on these systems could send pressure and a host of other control mechanisms in our refineries out of control – all the while engineers monitoring the systems notice nothing out of the ordinary? Such an attack, even if partially successful, could cripple the entire country.

    As infrastructure is further centralized, our exposure to potentially catastrophic events continues to increase. Not only is much of our nation’s infrastructure hardware outdated, but the security on newly integrated 21st century smart-grids is lax at best.

    We’ve seen coordinated attacks on our stock trading systems. We’ve seen that high security nuclear control systems can be compromised. We know that governments, cyber criminal extortion gangs, hackers and shadow intelligence agencies are actively working on viruses, malware and gaming scenarios designed specifically to crush utility infrastructures on a national scale.

    The threat is real. It is present. If such an attack were ever executed, there would be nothing emergency responders could do, especially in the case of a widespread, coordinated onslaught on the grid.

    Related:

    900 Seconds: Cyber Attack Wouldn’t Take Long to Bring Down the USA

    Cyber Attack on U.S. Grid Would Be Devastating

    Threat: ‘Within One Year 9 Out of 10 Americans Would Be Dead’

    References: Steve Quayle, Security News Daily, McAfee [pdf]

      23 Comments

      1. Pfff more fear and propaganda. Why would you “expect” to be attacked? Are you setting expectations, advance warning, setting the stage?

      2. I think cyber-tech is coming back to bite us in the butt???

        Isn’t that in the Bible somewhere??

      3. It’s Hillary’s fault!  Good thing I have Life Lock & Kaspersky……  I could give you my s.s., but then I have to kill you.

      4. Ha…they say this like its a bad thing

        guess who else wouldnt be able to function

      5. Scott I agree that the stage is being set. Though I believe that there are those abroad that would like for us all to spend August without electric, or February for that matter, I don’t put it past this administration to orchestrate something like this to get pesky civilians to submit.

      6. Scott…..I didn’t even read past the headline….and don’t need to. I scrolled down immediately to post, but you had already posted exactly almost word for word what I was going to say  “how the hell is  it that you can “expect” to be attacked” Yes this is setting the stage for a false flag attack IMO

      7. Don’t look for buses with bars on the windows taking the sheeple to Camp FEMA after they have been rounded up by armed Mongolian goons & thugs wearing blue helmets and then forced onto the buses. Look for the dimwits fighting to get to the head of the line waiting to get on the buses of their own free will. The elites will stage something like this that will make Camp FEMA look like Disney Land, Sea World and Busch Gardens all rolled into one.

        Gee, I wonder if Camp FEMA is anything like Camp Kitchiewamma?? I really enjoyed the arts & crafts program there at good ol’ Kitchiewamma.

        God Bless and good luck to all.

      8. Probably a life time pass there somewhere for the first 2 million people.

      9. Looks like I owe you one there meat head.  Come out to coast, we’ll have a few laughs.

      10. “but officer, if it’s a lifetime pass, why do we only get one issue of clothes and stuff? Oh well, come along kids, we don’t want to be late…Timmy, help your sister into the bus…”

        Still hoping for the slow collapse to continue, but since I’m already in paranoia mode today–What if we get several false flag ops, maybe with some actual unplanned events too, all at once? Like a huge power outage, wall street crash, couple of “terrorist” attacks on populous areas, and maybe throw in an accidental sinking of a chinese freighter (followed by a US military plane or ship going down) causing a major diplomatic panty-wadd escalating into threats of retaliation from us or against us? Plus the Chicoms decide it’s time to retake Taiwan and the Syrians/Iranians/et al move against Israel. Now wouldn’t that be a real bummer. All that’s left is the little green men from space to land and start eating us! Damn I hate to wake up and teotwawki has started without me!
        If I post my cell phone # would somebody here please call me when it’s time to start peeing my pants? It’s kind of embarrassing and I don’t want to do it before I really have to.

      11. Pittle pac or depends time.  Is the H20 warming up below 6′?  Time for noodling.

      12. U don’t have the balls to post your #.  1-800-dial-a- prayer.  Permission to pee pants Houston, over.  I’ll call you.

      13. I’ll wear the depends as soon as they start making them with kevlar. I’d hate to get shot in a “sensitive area.” Do they make them in camo?… Wait, scratch the pissing the pants idea. I’ll just run through the streets yelling “it’s a cookbook! it’s a cookbook!”

      15. It’s been a while since I’ve posted here, much less had the time to get online at all. Incidentally, I just finished working a 7 week shutdown today at Southern Power’s: “Plant Watson” (Electric Generating Station) in Gulfport, MS. and prior to that I worked an 8 week shutdown at Southern Power’s, “Plant Daniels” located north of Pascagoula, MS. While I do not have even the slightest amount of knowledge regarding Southern Power’s vulnerabilities to the aforementioned threats, I find it hard to believe that they have any of their plants’ control systems tied to the internet. I definitely don’t doubt the possibility of an attack on our critical infrastructure, but it seems there has been a concerted effort by the Corporate Media to propagate these fears for several years now.  The stuxnet worm DID NOT infiltrate Iran’s facilities via internet, but rather it was introduced on an employee’s flash drive, which is just as feasible here in the US.
        Here’s an article regarding the Hyped up Cybersecurity propaganda : Cybersecurity Lie Exposed: Powerplants Are Not Connected to the Internet

      16. I think these people expect an attack to be successful within 12 months. There are numerous entry points for malware. Most employees could be bribed easily and the trail obscured by liquidating them. Maybe watch for a sudden death or disappearance of someone who works near these systems. It is amazing what low level employees are entrusted with. Look at most private “security guards”. They are more like doormen with keys to almost everything.

        When it comes to events spiraling out of control, I suspect that in WWII Germany did not set out to take on the whole world. Things often take on a life of their own.

        The whole “smart grid” thing sounds like another pie in the sky feels good idea like “zero emission vehicles” (aka emissions elsewhere vehicles). We cannot possibly conserve our way out of our energy problems with an ever expanding population.

        The people who like the idea of population control are best suited to decide who gets to stay on mother Earth (imagine that).

        My favorite response to rabid environmentalists is that the kindest thing they can do for the planet is commit suicide (or maybe I should help them in the name of saving the planet).

      17. I also would expect to see people willingly get on buses bound for camp FEMA. The sheeple will do anything to get their next handout. They will still think that the gubmint cares about them. I guess that it would not totally be a bad thing to have these genes removed from the pool. I would only feel bad for the children whose parents bring them along for the ride. What a sight–stolen tour buses racing down the highways with the occupants chanting “YES WE CAN!!!”.

      18. Anonymous-you never fail to make me LMAO! As uncle Jed would say “hoo doggies”
        As for the power grid vulnerabilities: It’s probably more likely to suffer sabotage using someone on the inside, like some here have mentioned. Certainly, individual power companies could get hacked and really screwed up for a time but the idea of the whole electric grid, or multiple refineries etc going down by way of a cyber attack is pretty far fetched I think. The bigger point to consider is this: what are YOUR options if the power goes out? Are you prepared to get by without grid electricity, or water, or gas from the corner station? Anyone north of Florida or San Diego should at least be ready for a winter storm caused outage. Or high winds knocking down the power poles. In cases like this the outage is usually fixed in a few days. Now, take that kind of preparedness thinking that got you through the storm, and stretch it out a lot further. Can you provide yourself with water, heat, light and fuel for weeks? How about months? Then work toward that end. Personally I’m not there yet either. But we’re working on it. Wood stove for heat and cooking, hand and power saws and lots of trees available, 2 water wells, 7kw generator, 200 gal fuel storage that we use from and replenish weekly, solar currently provides only about 10% of our use so that’s what we’re focusing on now, plus a big garden(2acres and expanding), fair amount of food storage, a few shiny metal trinkets, chicks for the new chicken coop, good neighbors, good dogs and some “noise makers” for protecting all of the above. Plus enough ammo to supply 2 and 1/2 Central American armies.
        It aint paradise, more like a pain in the butt most days. But having even a bit of a start toward self sufficiency sure does lower the stress level.

      19. Hey, wheres the story on the Unionizing of the TSA?

        its out for bid , right now…four different unions bidding for the seat.

        Here we go folks, this is where they fuck us.

        Cant get rid of a bad cop due to the unions, now we’ll have it in the TSA,

        the unions found that the car companies, and the parts factories and such, can move..or leave the country to get away from the union control…But our Municipalities cant…Think about this long and hard folks..

        Here is where your liberties are going to get hammered..and hard.

        guess who is funding all of this..and who will be giving money to their union, and who they will be using that money to get into power?

        all brought to you by your tax dollars..working against you and your future and your own rights.

      20. I work for a local municipality in the waste water department…we are currently having to pull emergency shifts due to our alarm system being down…at best it’ll be another 2 months to fix…and this is just from a single thunderstorm’s effects…tho’ I cannot imagine a terrorist hitting backwater places like ours it is scary just how vulnerable we truly are.

      21. STUXNET IS AN AMERICAN WEAPON.  Look to DoD for the attacks when they come.
