experienced a compromise of their supervisory control and data acquisition (SCADA) software -
the technology that controls industrial equipment. As a result, the hacker, a vengeful former
contractor, was able to take command of the 142 pumping stations, equipped only with a laptop
and radio transmitter. Over a 3-month period, he released over one million litres of untreated
sewage into a stormwater drain that flowed directly into local waterways. Consequent
contamination was estimated to have affected ‘many people’. A second example of critical
system sabotage is the Stuxnet attack. Widely accepted to be the
first kinetic cyber attack, the self-propagating computer worm infiltrated industrial control
systems used to operate equipment, including nuclear centrifuges at the Iranian Natanz
Uranium Fuel Enrichment Plant (FEP). The worm caused a depletion in uranium
enrichment production and the destruction of 10% of the centrifuges, and succeeded in infiltrating
fifteen additional industrial sites worldwide. No longer fiction, cyber has begun to reach its
potential of inflicting real-world consequences and it is this reality that requires international
attention.

You don’t need to be a poindexter to recognise that counter-proliferation efforts are required to
address the ubiquitous risk of kinetic cyber aggression. Recently, it has become apparent that
‘we’re in a [cyber] arms race’ in what is a largely unregulated domain - the cyber wild west.
Already, ‘the U.S. has poured billions of dollars into an electronic arsenal’ whilst the ‘stockpile of
exploits runs into the thousands, aimed at every conceivable device’. This exponential growth of
cyber arms is particularly dangerous considering the lack of rules and conventions governing
the fifth arena of warfare. Dr. Richard Forno, University of Maryland, concedes ‘there is no
international agreement over what level of cyber warfare is acceptable’. He further recognises
that national systems such as power grids, water treatment plants and medical facilities ‘do not
have adequate protection from hackers’. Clearly, ‘principles and agreements on cyberwarfare
must designate sensitive infrastructure as red lines’. It is necessary to afford our critical
organisations the same level of protection from cyber hostility as we do from the multitude of
other tangible threats.

As states wilfully neglect counter-proliferation efforts, it becomes clear that they are simply
whistling past the cyber graveyard. With nine new pieces of malware discovered every second,
governments have done little to adapt and secure their national systems or defensive
capabilities (95% of U.S. military communications still travel over the civilian internet). As a
recent report by the 9/11 Commission notes, the United States is ‘at September 10th levels in
terms of cyber preparedness’. Col. Professor Mark Hagerott recently stated that ‘if our [U.S.]
SCADA systems on our east coast were attacked and we could not restore them within about a
month… we would be talking tens of millions of people dead’. Due to the standardised nature of
national systems, ruinous and cascading network attacks have the capability to bring down
multiple infrastructures at once, striking at the heart of our public facilities. If left unchecked and
without agreed international restriction, the sinister tentacles of the ethernet may well be the
straw that breaks the backs of nations.

In response to the politicians’ lag on the cyber front, researchers have made a concerted effort
to bring its hazardous consequences to the fore, most notably with the U.S. Department of
Energy’s (DoE) 2007 experiment, the ‘Aurora Test’. The study operated a series of cyber attacks
against an industrial generator, exploiting the variation in tolerance the machine allowed for
frequency, voltage and phase rotation in order to maintain a consistent power supply. During these
short intervals of variation, the attacks placed the generator out of sync with the power
grid, causing a short period of stress, but reconnected it to avoid disconnection. Repeated over
multiple iterations, the collective stress caused the machine to vibrate irregularly, discharge
11 Cyber Warnings E-Magazine – January 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide