Critical Infrastructure Vulnerable in Cyber-Attacks

Buzzing from the generator’s fans grew steadily louder before a grinding snap from within the 27-ton steel giant rippled through its frame, shaking it like a hunk of plastic. The buzz grew louder and another snap echoed through the room. A hiss of white smoke began pouring out, followed by a billowing black cloud as the turbine tore itself apart from the inside. The experiment was a success.

The 2007 Aurora Project came as a shock to the scientists and engineers monitoring it at the Idaho National Labs, and it earned a place as a reference on the need to secure critical infrastructure in a report by cybersecurity company Wurldtech, available on the White House website.

The experiment, launched in a controlled environment by a hacker with an Internet connection, proved that a cyber-attack could cause generators and turbines used in the power grid to destroy themselves.

Videos of the project, viewable online, stand as a reminder of the dawn of a new age of vulnerabilities—one where a computer carries the power once reserved to military force. Talks of “securing critical infrastructure” now underline security discussions the world over, as countries rethink the definition of national defense.

A slide image at a presentation given by the U.S. Cyber Consequences Unit shows a hulking turbine used in large dams to produce hydro-electric energy. “Such turbines are deployed all over the world,” said John Bumgarner, chief technology officer of the U.S. Cyber Consequences Unit, an independent research institute on cyber-attacks, in a phone interview.

He adds, “If you look at the design, these turbines are similar in nature to the one destroyed in the Aurora project.”

In addition to such turbines being incredibly expensive, shipping them during normal business cycles often takes months and even years. If a large turbine is destroyed by a cyber-attack, this has the potential to be a major economic problem. As Bumgarner states, “If a 172-ton generator is destroyed, you cannot go to Walmart to buy a new one.”

If the generators are down, the nation—and its military—that rely on the generators for power are likewise without electricity for months. A coordinated attack could disable not only an economy, but also critical capabilities of its military.

Still, as Bumgarner notes, carrying out such an attack isn’t easy: “If this type of attack was easy, terrorist groups and others would have already done them.”

Vulnerabilities demonstrated during the Aurora Project are still present. According to a report from computer network security engineer Frank Saxton, the vulnerability shown by Aurora is due partly to power companies moving to SCADA systems to boost efficiency and allow workers to remotely operate equipment.

“But this access to the Internet exposes these once-closed systems to cyber-attacks. So far, incidents of hackers breaking into control systems to cause damage or outages have been scarce although there have been a few,” Saxton states. “However, the threat of such damage makes control systems an alluring target for extortionists, terrorists, unfriendly governments and others.”

A History of Attacks

Cases of attacks on critical infrastructure have dotted headlines over the past decade, repeatedly highlighting such vulnerabilities.

In 2001, 49-year-old Vitek Boden hacked into the waste management system in Maroochy Shire, Queensland, Australia, and released millions of gallons of raw sewage, which then spilled over into the local parks and rivers.

“Marine life died, the creek water turned black, and the stench was unbearable for residents,” Janelle Bryant of the Australian Environmental Protection Agency told The Register.

A cyber-attack in 2003 on the U.S. power grid caused blackouts across the Northeast part of the country. The attack is suspected to have been caused by the Blaster worm, one of the largest computer worms in history that was wreaking havoc on computer networks at the time.

In the same year, the SQL Slammer Worm, another computer virus, shut down the bulk of Bank of America’s 13,000 ATMs across the United States.

The cyberconflict between Georgia and Russia, where Russia pummeled Georgian critical infrastructure with cyber-attacks, further highlighted the potential impact of a cyberwar.

“Malicious cyber-activity is occurring on an unprecedented scale with extraordinary sophistication,” said Dennis Blair, director of National Intelligence, in the Annual Threat Assessment of the U.S. Intelligence Community for the Senate Select Committee on Intelligence.

“We cannot be certain that our cyberspace infrastructure will remain available and reliable during a time of crisis,” Blair said.
