Topic - Many cyber security professionals believe the likely application of ‘cyber terrorism’ to be an asymmetric attack against some portion of this nation’s critical infrastructure. Which critical infrastructure do you think to be a likely target and why? Who should be responsible for protecting that infrastructure and why? Would this vary based on who the attacker is – if it is a state actor, a non-government organization, or an individual?
The electric grid is a very visible target and the loss of it is very noticeable. Just this past summer those of us in Maryland got to experience a (natural) disruption to the grid. No air conditioning, no lights, no traffic lights (come on, Maryland. No traffic light means a four way stop, not ‘Ehmagawd!’) and no refrigeration. Obviously an attack on the grid is significant.
An attack on the grid is even possible, at least for those well funded shops that can afford to spend the time and manpower to research industrial equipment. Critical infrastructure has been under assault since before late 2010 when Fleming reported on Stuxnet sabotaging Iranian centrifuges.(2010) The worm is reported to target Siemens SCADA (supervisory control and data acquisition) systems. A look at job postings for Baltimore Gas and Electric (BGE) shows that they use SCADA systems, “...integration of the various BGE Supervisory Control and Data Acquisition (SCADA) systems such ...” (BGE, 2011) If Iranian SCADA systems are targetable, it stands to reason our electric grid ones could be to.
Who should be responsible for protection is a complicated issue. As our utilities are run by private companies, the current responsibility falls to the utility companies to protect their infrastructure. They have to protect their infrastructure because it is protecting their investment and their bottom line profitability. On the other hand, a disruption of the electric grid may hurt the utility company’s bottom line, but it literally means life and death for the diabetic customer that needs to keep their insulin refrigerated during a heatwave. When it comes to protecting the general populace from bodily injury and death, that responsibility falls to the government. Outsourcing the security concerns to DHS though would provide such a budgetary windfall to the utilities though that the reasonable next step would be full government control over the utility in question. That option is rarely considered a good idea with the US population.
Since an interruption of power would be so devastatingly disruptive, it would most definitely be a target for a military, or nation state organization supporting the military, to attack as an immediate lead-up to a kinetic action.
If the goal was to just be human death, which is the likely goal of an infrastructure attack from an independent actor or organization, then [thoughts on a specific way that cyber mass murder could be possible]. If, like Stuxnet, the compromises also affected the monitoring reports, then it wouldn’t get caught until the first few victims showed symptoms. Which would be far too late for many others. (Fleming, 2010)
Matthew
BGE (June, 7 2011) BGE Job Descriptions. Retrieved 26 September 2012 from: http://www.bge.com/myaccount/billsrates/ratestariffs/Documents/BGEJobDescriptions.pdf
Fleming, R. (December 2, 2010). Bits before bombs: How Stuxnet crippled Iran’s nuclear dreams. Retrieved 26 September 2012 from: http://www.digitaltrends.com/computing/bits-before-bombs-how-stuxnet-crippled-irans-nuclear-dreams/
No comments:
Post a Comment