Physical Security Threats to U.S. Critical Infrastructure

The physical security of the United States' critical infrastructure, which includes the electrical power grid, water supply and sanitation systems, oil and gas refinery operations, transportation, and telecommunications systems, is under attack on a daily basis through SCADA, the system that controls many of these vital areas. SCADA, or Supervisory Control and Data Acquisition, is "a category of software application program for process regulate, [and] the gathering of data in real time from remote locations in order to control equipment and conditions," according to Rouse (2005). SCADA comprises hardware and software components that work together to gather, store, and react to data fed to them from remote sites and to alert users to emergent situations. In the past decade, SCADA has also come under increasing threat of compromise from the Industrial Internet of Things (IIOT), devices that connect autonomously to the Internet and help perform some of the functions in the SCADA system.

Compromise of SCADA systems, once isolated from external threats by independent infrastructure, is becoming more and more prevalent and threatens the physical security and safety of the citizens of the United States. The main threat to SCADA systems recently comes from cyberspace, where attackers are using ransomware to take control of systems and shut them down and using hacking techniques to infiltrate systems and control their operations. Per Israeli cyber security firm SCADAfence, “cyber-attacks on critical infrastructure and manufacturing industries can no longer be considered to be fictional or hypothetical” (as cited in Ashford, 2016b, para. 2). This trend is especially worrying because of the vulnerability of key U.S. infrastructure nodes such as the electrical power grid. As noted, such attacks are no longer hypothetical, as demonstrated by the attack on the Ukrainian power grid in December 2015, where hackers “were able to access production control systems, infect workstations and servers with malware, damage control system hosts on work stations and servers, and block calls to customer call centers” (Ashford, 2016a). The actions taken in this attack frustrated power company officials’ efforts to restore systems because, as noted by Ashford (2016a), “there is evidence that there was direct interaction from the attackers and that the attack included denial of view to system controllers and attempts to deny customer calls that would have reported the power out.” This attack was fairly limited in scale as compared to a similar attack which might happen on U.S. systems. Without quick action, entire sections of the power grid, affecting millions of homes, could be taken out with dire consequences to the physical security of cities and towns across a specific region.

Because SCADA and other industrial control systems are so intertwined by the Internet these days, the potential for devastating effects on national, as well as local and state-wide, populations is enormous. However, individual hackers’ main motivation in attacks on SCADA or other industrial control systems is “to be able to cause persistent economic damage” (Ashford, 2015) and to remain in the system undiscovered because “targeted companies will be willing to pay large sums of money to stop it [continued economic damage] from happening” (Ashford, 2015). This contrasts with non-state and state actors, who would be interested in causing disruption to patterns of daily living, causing irreparable damage to infrastructure, and instilling fear or terror in a selected population. These types of actors would also not be concerned with whether they were detected or not so long as the damage they wanted to inflict was accomplished.

Regarding the physical security risks to targets within the United States, as mentioned above, many of the systems which we rely upon in our daily lives are vulnerable to attack. For example, in Texas, where there is an abundance of oil and refinery capacity, an attacker could gain control of and shut down such vital nodes as a refinery or the pipelines used to transport oil to the refinery, or cause an environmental catastrophe which could lead to loss of life. Regarding this case, Rick Moy, chief executive at U.S. computer security research firm NSS Labs, noted in 2011 that attacks such as this are “a global problem” and “There are no fixes to this right now” (as cited in Ashford, 2011, para. 2).

It is clear from the evidence presented here that there are plenty of potential vulnerabilities in U.S. SCADA and information control systems’ architecture that could be exploited by forces wishing to do harm to the United States. Recent hacks of the Ukrainian electrical grid may just be warning shots in an upcoming cyber war which has the potential for devastating harm to everyday living in the United States as well as other places around the world. When you consider the burgeoning growth of the IIOT in U.S. industrial settings and the rapid expansion and use of the Internet by automated devices for a plethora of civilian uses, the potential for harm to critical U.S. infrastructure nodes is, now more than ever before, a matter of great concern. Hackers, whether individuals or state-sponsored, are constantly finding new ways to infiltrate and exploit vulnerabilities in systems to further whatever cause they might be working towards. These efforts often run years, if not decades, ahead of the efforts of those whose job it is to protect systems against attack. In this writer’s opinion, the risk of attack on the critical infrastructure of the United States is a stark reality which must be given number one priority status by those entities in the government and the private sector charged with protecting sensitive infrastructure. If this is not done, then a devastating attack is not only a probability but can be counted on to happen, if not now then definitely sometime in the future.

References

Ashford, W. (2016a). Cyber Attacks Caused Ukraine Power Outages, Report Confirms. Computer Weekly website. Retrieved from http://www.computerweekly.com/news/4500270434/Cyber-attacks-caused-Ukraine-power-outages-report-confirms

Ashford, W. (2016b). Industrial Control Systems a Growing Target for Cyber Attack. Computer Weekly website. Retrieved from http://www.computerweekly.com/news/4500272123/Industrial-control-systems-a-growing-target-for-cyber-attack

Ashford, W. (2015). BlackHat 2015: Industrial hacking - The Untold Story. Computer Weekly website. Retrieved from http://www.computerweekly.com/news/4500251365/BlackHat-2015-Industrial-hacking-the-untold-story

Ashford, W. (2011). US Security Firm Uncovers SCADA Threats to Power Plants and Oil Refineries. Computer Weekly website. Retrieved from http://www.computerweekly.com/news/1280095923/US-security-firm-uncovers-SCADA-threats-to-power-plants-and-oil-refineries

Rouse, M. (2005). SCADA (Supervisory Control and Data Acquisition). TechTarget.com website. Retrieved from http://whatis.techtarget.com/definition/SCADA-supervisory-control-and-data-acquisition


