Saturday, January 19, 2008

Cyber Attacks Black Out Cities Outside The U.S.--Cyber Terrorism

Cyber Security experts have warned us previously about cyber attacks and the vulnerability of our utilities, like power, water, transportation and more, as much of our critical infrastructure is dependent on computers.

We have seen warnings about internet "chat", cyber terrorism, that is geared at attacking via that infrastructure.

On Friday, January 18, 2008, those concerns became reality as CIA analyst Tom Donahue, at the SANS security trade conference in New Orleans, disclosed recently declassified information about such attacks, saying that hackers have, indeed, penetrated power systems in regions outside the U.S. and in some cases caused power outages that affected multiple cities.

Donahue said in a statement "We do not know who executed these attacks or why, but all involved intrusions through the Internet. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge."

Donahue did not give out details such as how many were affected, when the attack occurred or what elements of the system had been attacked.

In recent months, security researchers have emphasized long-standing security vulnerabilities in the Supervisory Control and Data Acquisition (SCADA) systems that control U.S. critical infrastructure systems ranging from power plants to dams to public transit (See "America's Hackable Backbone").

At the DefCon hacker conference in August, researcher Ganesh Devarajan of the security firm Tipping Point gave a presentation showing techniques that hackers can use to find points in SCADA systems that are vulnerable to hijacking and sabotage. The next month, the Associated Press obtained a U.S. Department of Homeland Security video, known as the "Aurora Generator Test," demonstrating how a cyber-intrusion could be used to physically destroy a large power generator. (Source)


According to Alan Paller, director of the SANS Institute, an organization that hosts a crisis center for hacked companies, "Hundreds of millions of dollars have been extorted, and possibly more. It's difficult to know, because they pay to keep it a secret. This kind of extortion is the biggest untold story of the cybercrime industry."

He also says that he expects those attacks to increase and that there has been "active" and "sophisticated" chatter while hackers trade information about how to break through the security of these systems.

He concludes by saying "That kind of chatter usually precedes bad things happening."

Bruce Schneier, chief technology officer for security firm BT Counterpane, warns that the U.S. has no immunity, despite the fact that the recently disclosed attacks happened outside the U.S., and states "There's nothing magical about a system being in the U.S. The same vulnerabilities are everywhere."

The Washington Post reports that on Thursday the Federal Energy Regulatory Commission approved eight cyber security standards for electric utilities and that they involve identity controls, training, security "perimeters," physical security of critical cyber equipment, incident reporting and recovery.

The U.S. electricity grid has always been vulnerable to outages. "Cybersecurity is a different kind of threat, however," Joseph T. Kelliher, the commission's chairman, said in a statement this week. "This threat is a conscious threat posed by a single hacker, or even an organized group that may be deliberately trying to disrupt the grid."

One memorable previous cyber attack was in 2002 when a denial of service (DOS) attack hit 13 servers and the top five viewed sites went down temporarily.

That attack flooded the 13 domain-name service root servers around the world with 30-40 times the normal amount of data. Seven of the servers were affected enough to have periods of "zero-reachability," according to Web security firm Matrix NetSystems.

You can see for yourself how the Internet structure works here.

In researching what a worst case scenario would look like I ran across a two page article in Newsweek, written in November of 2003.

As I have mentioned before, one specific quote from that article could be labeled as disturbing, from Paul Vixie, president of the Internet Software Consortium, a nonprofit group that helps maintain the Internet, where he said "I'm terrified if I think too hard about it. This isn't so much a threat to national security as a threat to civilization."

When the experts are "terrified" and start talking in terms of threats to our civilization, it is worrisome, to say the least, for us laymen.