“We’ve got a spillover!” shouted the supervisor. “Call the hazmat team!”
This frantic but entirely simulated attack last week on a chemical plant demonstrated what U.S. officials and industry experts say is a little-understood national and economic security threat: the ability of malicious computer code to cripple critical systems that millions of people rely on for food, fuel, safe water and more.
“We’re connecting equipment that has never been connected before to this global network,” said Greg Schaffer, acting deputy undersecretary of the Department of Homeland Security’s National Protection and Programs Directorate. “As we do, we have the potential for problems. That, indeed, is a space our adversaries are paying attention to. They are knocking on the doors of these systems. In some cases, there have been intrusions.”
In the extreme, officials and experts fear a digital attack that causes death, destroys critical machines and sows anxiety about what could come next. The threat exists, they say, because machines running the nation’s plants and other crucial systems are increasingly interconnected.
Meanwhile, the skills of nations and hackers are growing, even as more infrastructure vulnerabilities are detected.
“That’s our concern of what’s coming in cyberspace: a destructive element,” said Gen. Keith B. Alexander, National Security Agency director and the head of U.S. Cyber Command, which is set up to protect the military’s networks. “We have to defend our country better,” he said in September at an InfoWarCon conference Linthicum Heights.
Here in Idaho, the DHS in partnership with Idaho National Labs runs the government’s largest program to research and test the ability of companies to control systems for vulnerabilities, train personnel to mitigate threats and, if requested, dispatch “flyaway” teams to respond to events.
The wake-up call that a physical attack could happen came last year when the world learned about Stuxnet, a sophisticated computer virus that in 2009 had infected controllers in a uranium enrichment plant in Iran, causing about 1,000 centrifuges to spin out of control and delaying Iran’s nuclear enrichment program. No one was killed, but the event marked the first targeted attack against an industrial control system. It was also the first documented use of a military-grade weapon built entirely from code.
A “game-changer,” said Marty Edwards, DHS Control Systems Security Program director, who led a team of analysts researching Stuxnet.
A “digital warhead” was how Ralph Langner, a German security researcher who helped decipher Stuxnet’s intent, described it. The virus had two parts: a virus-delivery vehicle and a payload.