Remembering Pearl Harbour
In last month's "Pearl Harbor" exercise, Gartner analysts playing the role of attackers reinforced that observation. "It is very hard to attack something that you don't have a specific knowledge of," said David Fraley, an analyst who simulated an attack on telecommunications networks.
Even in a successful attack on a metropolitan power grid, many critical systems--such as hospitals and prison operations--would continue running because they have independent generators. In addition, utilities and infrastructure operators have elaborate backup measures to protect the public even if a system is breached.
For example, if a hacker were to dramatically raise the chlorine levels of a reservoir, the contaminated water would probably never make it to the public because such supplies are typically tested up to five times before entering public pipelines. The Environment Protection Agency requires utilities to look for more than 90 regulated contaminants in these tests. An easier attack, and one that such agencies spend more to prevent, is a terrorist dumping chemicals into a reservoir directly.
Federal authorities are also concerned about computer systems that control the nation's transportation systems, including trains, trucks, buses and barges. The railroad industry's networks alone are massive, with more than 500 small railroads to supervise.
"The railroad industry today is one of the biggest users of computer systems in the country," said Nancy Wilson, senior vice president of the Association of American Railroads and point person on the Surface Transportation ISAC. "We were early users of technology and we are big users of technology. If we lose computer capabilities, we would kind of grind to a halt."
For that reason, most rail companies have extensive safety measures and backup systems. Sensors tell when the track has been tampered with, and security mechanisms provide early warning alerts for possible intrusions.
"We have had our share of little hacker problems, but they have never been serious," Wilson said. "I'm not saying we are perfect, but I am saying that we have come a long, long way toward identifying our vulnerabilities."
Redundant safety measures are also taken in manufacturing companies, many of which use SCADA systems. But that hasn't stopped the proliferation of popular urban legends.
In one such myth, a hacker breaks into a food company's network through a Web connection and manipulates a breakfast cereal recipe to add vastly higher levels of iron, threatening children who have a low tolerance for the mineral. Another rumor had a hacker gaining entry to a tank-manufacturing company and changing the temperature specifications for armor used in the vehicles, making the metal more brittle and vulnerable. Neither story is true.
Security experts generally agree that the infrastructure most susceptible to hacking alone is the Internet itself. They often point to the Nimda worm, which caused as much as US$3 billion in estimated damages and lost productivity by some estimates.
Some Internet vulnerabilities have been exposed without any attacks. At least one serious weakness was discovered in 1997 when a technician changed two lines of code and nearly brought down the global network for three hours.
The change occurred to one of the hundreds of thousands of routers that form a key part of the Internet infrastructure. Because of the two-line mistake by the technician at the McLean, Va.-based MAI Network Services, one of its routers indicated that it provided the best path to the entire Internet. Other routers then began sending all their data to the ISP's small leased line, crashing MAI's network and clogging systems around the world.
"Within minutes you had most of the routers throughout the Internet going down," said Craig Labovitz, director of network architecture and lead border gateway protocol researcher for security firm Arbor Networks. "It was absolutely the most massive Internet outage we've seen."
Here again, however, the consequences were neither disastrous and nor interminable.
"This wasn't a catastrophe. It was a brownout that sporadically hit providers at various strengths," said one network technician to the North American Network Operator's Group following the outage. He noted that at least one network service provider saw a drop of only 15 percent in traffic.
To law enforcement agencies, the Internet's largest threat is simply the ease of international communication and the ability to hide among the seemingly infinite volume of traffic it carries. In an effort to track down terrorists electronically, the FBI has waived several requirements for new recruits who have technical training.
"The worry right now is not so much a cyberterrorism event," said Don Cavender, a special agent and instructor with the FBI's Computer Training Unit at Quantico, Va., "but when the terrorists use the Internet to facilitate the planning of these attacks."
To talk of threats to data and infrastructure only is to miss the soft targets threatened by something like 'assassination politics."
People are always the weakest link and they might easily be stampeded away from all Govt by a few net arranged contract killings.Anarchy.