"Are Our Critical Systems Safe from Cyber Attack?"

National Infrastructure Systems Vulnerable

Newspaper article

By: Daniel Thomas

Date: April 21, 2005

Source: "Are Our Critical Systems Safe from Cyber Attack?," as published in the United Kingdom-based magazine Computing (U.K.)

About the Author: Daniel Thomas is a contributor to the weekly newspaper Computing, written primarily for those interested and working in information technology. Computing also publishes online and digital versions that have featured articles written by Thomas.

INTRODUCTION

Computers and electronic devices have become essential parts of most organizations and are necessary to provide transportation, financial services, medical services, and emergency services. The necessity of computers and electronic devices in providing everyday services makes cyber (computer-related) attacks a potential terrorist action. While as of July 2005, there have not been any major terrorist actions involving cyber attacks, they remain a potential threat.

Of particular concerns are attacks that would affect the critical national infrastructure (CNI). The CNI refers to the assets, systems, and services that support economic, political, and social life to the extent that their complete or partial loss could either cause loss of life, have a serious impact on the economy, have significant social consequences, or be of major concern to the government.

The CNI in the United Kingdom is recognized as covering ten sectors. These are communications, emergency services, energy, finance, food, government, health, public safety, transport, and water. It is recognized that because these assets, systems, and services are necessary to society and everyday functioning, they become a potential target for terrorists. These systems, services, and assets are almost always controlled and operated by some type of computer or electronic device. The necessity of these systems combined with their reliance on computers or electronics makes cyber attacks a significant risk.

[This text has been suppressed due to author restrictions]

[This text has been suppressed due to author restrictions]

SIGNIFICANCE

Several computer viruses have swept around the world, creating serious problems in a range of countries. The Sasser worm, which spread worldwide and affected air flights, hospitals, and train systems, is one example. While the Sasser virus was not introduced as a terrorist act, its impact does show the potential threat that viruses and similar cyber attacks pose.

One of the significant problems of cyber attacks is related to managing the risk to CNI and protecting CNI from cyber attacks. This issue is a difficult one to manage because the majority of the organizations providing critical services are privately owned. This means that security for these systems is not regulated, which makes it difficult for the government to identify and minimize risks and take protective actions.

Another related issue is that cyber attacks are not widely publicized. Privately owned companies generally do not want to admit to shareholders, employees, the public, or competitors that their company has security problems. In addition, cyber attacks can easily be kept quiet, which is not true of more obvious forms of terrorism. This results in a general silence about cyber attacks—even if they are occurring, they tend not to be widely publicized. This creates problems in regard to assessing and understanding the risks and threats, while also making many organizations unaware that they are at risk from particular threats. Without knowledge of the potential threats or the risk level, organizations cannot recognize the need for protective action.

Even though data are limited due to the general silence regarding cyber attacks, cyber attack rates are increasing and attacks are becoming more sophisticated. At present, viruses are the major threat, while hacking and denial of service (DoS) attacks are becoming more common.

Hacking is a particular concern in regard to supervisory control and data acquisition (Scada) systems, which automate various processes by measuring data, inputting the data, and having the software make changes and adjust processes based on the data. Scada is commonly used in power plants, transportation, water control, and waste control. Scada systems are potential terrorist threats because hacking does not just change data, but has the potential to change the processes that occur. This could involve entering incorrect data to cause an explosion in a power station or a nuclear power plant. This could also involve inputting incorrect commands so that all trains increase speed or so that all water supply ceases. Since 2000, cyber attacks on Scada systems have increased by ten times. Successful cyber attacks have involved critical services including electricity, nuclear power, water, and transportation.

DoS attacks refers to criminal actions aimed at preventing users of a certain service from using the service. DoS attacks have the potential to crash computers, systems, or entire organizations.

Another concern is the possibility that terrorist groups will combine physical attacks with cyber attacks. An example would be detonating bombs to cause fires in a certain area while a simultaneous cyber attack prevents water from being available in that area. If a cyber attack were to be combined with a physical attack, the cyber attack might not involve disabling a major system, yet still cause major problems. This highlights the need to protect all systems from cyber attacks.

FURTHER RESOURCES

Books

Lukasik, S. J., S. E. Goodman, and D. W. Longhurst. Protecting Critical Infrastructures against Cyber-Attack. New York: Oxford University Press, 2003.

Verton, Dan. Black Ice: The Invisible Threat of Cyber-Terrorism. New York: McGraw-Hill/Osborne, 2003.

Web sites

Byrnes, Eric, and Justin Lowe. "The Myths and Facts behind Cyber Security Risks for Industrial Control Systems." <http://www.tswg.gov/tswg/ip/The_Myths_and_Facts_behind_Cyber_Security_Risks.pdf> (accessed June 22, 2005).