In Cyber security world a significant area of concern is protection of “Critical National Infrastructure”. This is commonly interpreted to mean preventing online sabotage against utilities such as electricity, oil and gas, water, and sewage – including pipelines, refineries, generators, storage depots and transport facilities such as tankers and terminals.
Some one might think industrial control systems operate in a different world from Cyber systems i.e. physically secured rather than based on network effects. But that is not totally true. Modern industrial societies are highly dependant on a small number of utilities that provide power, water, and fuel.
In times of conflict, attacks are carried out on enemies generators, transformers, dams and pipelines; In June 1982[1] during the cold war, for example, the CIA inserted a Trojan into pipeline control software that the Soviets bought covertly, which caused the pumps, turbines and valves to malfunction and resulted in "the most monumental non-nuclear explosion and fire ever seen from space”.
More recently, the US-led coalition knocked out much of Iraq’s generating capacity in 2003. These attacks can have serious consequences – in Iraq, for example, delays in restoring electric power were a significant factor in the discontent that led to insurrection against the occupying forces.
Terrorist groups have also targeted critical utilities. Perhaps the worst ‘near miss’ in recent history was an IRA attempt in 1996 to blow up the four electricity substations that supply London with much of its electricity. That project was thwarted by the police and intelligence services (it later turned out that a senior IRA commander was a British agent) but had it succeeded it would have wrecked electricity supplies to the south-east of England for many months [2].
A power outage such as that planned by the IRA, which would have blacked out millions of people and businesses accounting for perhaps a third of Britain’s GDP, would have done immense economic damage.
In that the USA is regulating cyber security in the electric power industry, but not in oil and gas, while the UK is not regulating at all but rather encouraging industry’s own efforts. In that the BSI (British Standard Institute) is playing the biggest part developing standards & certification. (http://www.bsi-global.com). Some European governments are intervening, while others are leaving cyber security entirely to plant owners to worry about.
The wake-up call came ten years ago when it was realised that critical control systems might be disrupted by sending carefully chosen commands to the right IP address [3].
The concerns have mainly focused on the energy and water sectors, although very similar systems are in use in railways, manufacturing and elsewhere and there are separate but comparable issues with telecoms.
At the same time, in the late 1990s there was a lot of talk about ‘information warfare’ in which experts predicted that the combination of computer- and network-based attacks with propaganda (political/wartime propaganda) would enable combatants to dominate the ‘information battle space’ and gain an advantage comparable to that given by air power in previous generations [4].
Today, we are still not immune from these threats, indeed the threat is greater as ever and at this time intelligence sources are unsure the number of countries developing or acquiring cyber weapons nor the size and capabilities of their cyber arsenals. Many questions remain unanswered.
References
[1] “The Farewell Dossier”, W Safire, New York Times, February 2 2004
[2] “Britain Convicts 6 of Plot to Black out London”, W Hoge, New York Times, July 3 1997
[3] “Network Secures Process Control”, E.J. Byres, in Tech Magazine, Instrumentation Systems and Automation Society, Research Triangle Park, NC, October 1998
[4] “Information Warfare and Security'’, D Denning, Addison-Wesley (1999)
Dr. Naser Awad, Senior Security Consultant
