In the realm of cyber terrorism, separating fact from fiction remains a difficult task. The task is made harder by those who hype the threat on one side and those who downplay or dismiss it on the other; both positions are irresponsible. There is an adequate and growing body of evidence to support the claim that terrorist or criminal elements will conduct a cyber attack on a piece of critical infrastructure. However, this evidence must be read in context and balanced against the motives and goals of terrorist and criminal organizations.
Evidence of the evolving threat of cyber terrorism and of the threat to critical infrastructure can be found in a number of sources. According to the British Columbia Institute of Technology (BCIT) Industrial Security Incident Database (ISID), a database that tracks cyber security incidents affecting industrial control systems, there were 34 documented incidents between 1995 and 2003, with a marked increase in reported incidents since 2001. However, it is unclear whether this spike reflects an actual increase in attacks or simply increased attentiveness on the part of system administrators wary of potential attacks; a database of reported incidents measures reporting as much as it measures attacks.
In one instance, US law enforcement officials investigated a suspicious pattern of cyber surveillance against a San Francisco Bay utilities company. The investigation traced the surveillance to switches in Saudi Arabia, Indonesia, and Pakistan. It should also be noted that during the invasion of Afghanistan, the US military found laptops thought to have been left behind by al-Qaeda. These abandoned laptops contained information on how to program Supervisory Control and Data Acquisition (SCADA) systems, which are used to monitor and control chemical, physical, or transport processes. For example, a SCADA system may be used to monitor and control the transport of oil through a pipeline.
In another incident, the Slammer worm, while not designed to target components of critical infrastructure, had a deleterious impact. The North American Electric Reliability Council (NERC) noted in a June 20, 2003 report that the Slammer worm was able to infiltrate critical systems "through corporate networks until it finally reached the critical SCADA network via a remote computer through a VPN connection." As the worm proliferated, it saturated these critical networks and blocked SCADA traffic at a power station. While the worm did not shut off the power station, it "essentially shut off the control system." The point for operators is that a control network was reached, and effectively disabled, by untargeted malware that simply followed an ordinary VPN connection from the corporate network.
Finally, in an extreme case in the spring of 2000, a disgruntled ex-contractor of Maroochy Shire broke into the sewage and wastewater system, gained control of SCADA infrastructure, and leaked hundreds of thousands of pounds of sewage onto the grounds of a Hyatt Regency hotel in Queensland, Australia. The ensuing investigation found that the ex-contractor, Vitek Boden, was intent on exacting revenge on Maroochy Shire for failing to award him a more lucrative contracting position.
On the whole, the above evidence presents a troubling trend. However, the evidence must be disaggregated to understand which groups are both interested in and capable of carrying out a cyber attack on critical infrastructure; interest and capability are separate questions.
The above evidence does not point to any specific instance of a criminal organization's involvement in a cyber attack on critical infrastructure, and it is unclear how many of the documented incidents in the BCIT ISID can be attributed to organized criminal elements. It would seem logical that organized criminal elements would carry out a cyber attack against components of the critical infrastructure if they believed they could profit from it. It is conceivable that a cyber criminal could conduct a form of extortion against the operator of a component of the critical infrastructure. For example, a cyber criminal might demand payment from a pipeline operator in exchange for a promise not to attack the SCADA system controlling the operator's pipeline. However, TRC has not uncovered any evidence to date to support this scenario.
In contrast, the above evidence indicates that terrorist groups like al-Qaeda have an interest in conducting a cyber attack on critical infrastructure but do not yet appear capable of succeeding. The evidence recovered in Afghanistan indicates that al-Qaeda was most likely researching the possibility of this type of attack. Moreover, according to the US Naval War College, carrying out a cyber attack of this nature successfully would require five years of preparation and a $200 million budget. Therefore, the threat from terrorist groups appears to be immature at this point.
However, as shown by the attack on the Maroochy Shire sewage and wastewater system, a malicious insider is capable of conducting a successful cyber attack. Boden succeeded not because he had a large budget or years of preparation, but because he already possessed detailed knowledge of the system and the means to reach it. A terrorist group may therefore be able to short-circuit the planning and preparation required for a complex cyber attack simply by recruiting a disgruntled insider.
Unfortunately, when Scott Borg, Chief Economist of the US Cyber Consequences Unit, and others warn of more exotic and less realistic attacks, the legitimate cyber terrorism warnings tend to be dismissed along with them. For example, Borg discusses the possibility that a terrorist or cyber criminal might hack into an auto manufacturer's system and alter a car's design specifications, causing the car to "burst into flames after it had been driven for a certain number of weeks." Borg claims that as a result of this type of attack "people would stop buying cars." Not only is the claim doubtful, since people continued to buy cars after a major manufacturing defect was revealed in the Ford Pinto in the early 1970s, but it serves to de-legitimize the other, more likely threats of cyber attack.