Cyber-Attacks by Al Qaeda Feared

To sabotage the system, he set the software on his laptop to identify itself as "pumping station 4," then suppressed all alarms. Paul Chisholm, Hunter Watertech's chief executive, said in an interview last week that Boden "was the central control system" during his intrusions, with unlimited command of 300 SCADA nodes governing sewage and drinking water alike. "He could have done anything he liked to the fresh water," Chisholm said.

Like thousands of utilities around the world, Maroochy Shire allowed technicians operating remotely to manipulate its digital controls. Boden learned how to use those controls as an insider, but the software he used conforms to international standards and the manuals are available on the Web. He faced virtually no obstacles to breaking in.

Nearly identical systems run oil and gas utilities and many manufacturing plants. But their most dangerous use is in the generation, transmission and distribution of electrical power, because electricity has no substitute and every other key infrastructure depends on it.

Massoud Amin, a mathematician directing new security efforts in the industry, described the North American power grid as "the most complex machine ever built." At an April 2 conference hosted by the Commerce Department, participants said, government and industry scientists agreed that they have no idea how the grid would respond to a cyber-attack.

What they do know is that "Red Teams" of mock intruders from the Energy Department's four national laboratories have devised what one government document listed as "eight scenarios for SCADA attack on an electrical power grid" -- and all of them work. Eighteen such exercises have been conducted to date against large regional utilities, and Richard A. Clarke, Bush's cyber-security adviser, said the intruders "have always, always succeeded."

Joseph M. Weiss of KEMA Consulting, a leading expert in control system security, reported at two recent industry conferences that intruders were "able to assemble a detailed map" of each system and "intercepted and changed" SCADA commands without detection.

"What the labs do is look at simple, easy things I can do to get in" with tools commonly available on the Internet, Weiss said in an interview. "In most of these cases, they are not using anything that a hacker couldn't have access to."

Bush has launched a top-priority research program at the Livermore, Sandia and Los Alamos labs to improve safeguards in the estimated 3 million SCADA systems in use. But many of the systems rely on instantaneous responses and cannot tolerate authentication delays. And the devices deployed now lack the memory and bandwidth to use techniques such as "integrity checks" that are standard elsewhere.

In a book-length Electricity Infrastructure Security Assessment, the industry concluded on Jan. 7 that "it may not be possible to provide sufficient security when using the Internet for power system control." Power companies, it said, will probably have to build a parallel private network for themselves.

The U.S. government may never have fought a war with so little power in the battlefield. That became clear again on Feb. 7, when Clarke and his vice-chairman at the critical infrastructure board, Howard A. Schmidt, arrived in the Oval Office.

They told the president that researchers in Finland had identified a serious security hole in the Internet's standard language for routing data through switches. A government threat team found implications -- for air traffic control and civilian and military phone links, among others -- that were more serious still.

"We've got troops on the ground in Afghanistan and we've got communication systems that we all depend on that, at that time, were vulnerable," Schmidt recalled.