Cyber Security: A "Virtual" Reality
simple matter of calling the number. If the caller hears, "Hello, gas company," then it's not a SCADA number. But, Rush says, if the caller hears buzzing and hissing, he or she may have hit an entrée point into the company's SCADA system.
Yet, even with all this information, a terrorist still would not be able to attack a utility's SCADA system. To infiltrate, one needs to know the secret communications protocol.
As Terry Tyler, a partner in business consulting services at IBM, points out, the fact that the majority of SCADA systems pre-date the Internet offers a layer of protection. The older SCADA and EMS facilities are programmed in BASIC or FORTRAN. These languages are proprietary, while most hacking tools utilize Java, C++, or Microsoft-inspired programming languages. "Terrorists may find a way in, but once inside, their [hacking] tools don't work," Tyler maintains.
Assuming that terrorist hackers can navigate past the programming language for a particular SCADA system, they would still need to know a company's naming nomenclature to know how to trip a breaker or shut down a high-voltage feed. Terrorists would need to have a great deal of system understanding once inside to really cause a lot of damage, Tyler says. "There are simpler ways to get the same consequences," he observes. "It's too much learning to go through to actually get at a SCADA system," Tyler says. "Bombs are easier."
Rush concedes that if the intent of terrorists is to simply close down a few valves, critics like Tyler are absolutely right. But, he argues, the industry needs to think about what the objective of terrorists might be. "As tragic as 9/11 was, it was not fundamentally a strategically damaging event," Rush says. "But in terms of economic impact, I don't think we're over it yet."
The Myth and Reality of a Coordinated Cyber Attack
It's certainly not a stretch to think that lasting economic damage could be a goal of al-Qaida and other terrorist organizations, as well as hostile nations. Rush says that terrorists likely would aim to inflict a large amount of technical damage. What would be particularly crippling, Rush adds, is to focus on destroying very old equipment critical to system operation that would be difficult to repair. It could take weeks or months to repair or replace such equipment.
Damage to critical components at one or two companies would not affect the entire nation, says Rush. But what if there were a coast-to-coast, simultaneous, coordinated attack on multiple utilities? In this kind of attack, some have suggested as many as 40 companies could be targeted. If that happened, many companies would be in the same line waiting for new equipment; some would have to wait several years, assuming the same manufacturing rate. "That's the sort of attack that could be crippling to the economy," Rush argues.
Yet Tyler dismisses the likelihood of such a coordinated attack. "It would have to be a very well-coordinated terrorist attack, to go in and seize control of enough transmission, SCADA, and EMS, to really cause the kind of widespread