Quick takes // by Ben Frankel

Cyber attacks on critical infrastructure reach U.S.

Published 20 November 2011

Most of the U.S. critical infrastructure is run by computers that are connected to the Internet; this makes it susceptible to cyber attacks; a few days ago, the control system of a water pump in Illinois was taken over by a hacker’s remote commands and the pump was deliberately destroyed; what critical infrastructure facilities will hackers, whether nerdy teenagers, terrorists, or intelligence operatives of other nations, target next?


Two recent cases of debilitating cyber attacks on control systems of infrastructure assets made the headlines:

  • In the spring and summer of 2010, Israel unleashed the Stuxnet malware on Iran’s uranium-enrichment centrifuge cascades, reportedly causing about a third of Iran’s active centrifuges to spin themselves to destruction, disrupting the others, and slowing down Iran’s march to the bomb.
  • Last week, according to reports, Israel sent another piece of malware, Duqu, into Iran’s military-industrial complex to disrupt Iran’s military programs. This time, on 12 November, the malware is said to have caused the sophisticated Sejil-2 ballistic missile to explode while it was being shown to a group of scientists and top military commanders, among them Gen. Hassan Tehrani Moghaddam, the founder of Iran’s missile program. The explosion, which killed sixteen other members of the Islamic Revolutionary Guard Corps, occurred at the Alghadir military complex near the city of Bidganeh. Reports say that the missile exploded while Gen. Moghaddam was describing to the group gathered around it the features of a new warhead, one that could carry a nuclear payload. The New York Times reports that the explosion was so powerful it was heard twenty-five miles away in Tehran and shook windows in many towns in the area, leading some Iranians to believe that an Israeli or American attack on Iran’s nuclear facilities had begun (for more on the Alghadir explosion, see this report in the not-always-reliable Debka). “May there be more like it,” Israeli defense minister Ehud Barak said obliquely when asked last Sunday about the explosion.

For a good discussion of Israel’s cyberwar efforts, see Eli Lake, “Israel’s Secret Iran Attack Plan: Electronic Warfare,” Daily Beast (16 November 2011).

Note that the Mossad’s killing of Moghaddam was a coup equal in audacity and operational brilliance to the killing of Hezbollah’s military leader Imad Moughnia in Damascus in February 2008. Both men stayed out of the public eye and were surrounded by very tight security (the New York Times reports that “Because of his important role, General Moghaddam had one of the strongest protection details in the country, and it was supervised by Ayatollah Khamenei”).

Most critical infrastructure is civilian, not military, and the events in Springfield, Illinois give us a taste of what a cyber attack on civilian critical infrastructure can do.

At the beginning of November, a water pump in Springfield, Illinois burned out and stopped functioning. The pump was destroyed after it was turned on and off repeatedly, by remote commands, over a one-day period. The utility operating the pump had noticed it behaving strangely in the weeks leading up to its destruction.

Joseph Weiss of Applied Control Solutions, author of Protecting Industrial Control Systems from Electronic Threats, told the Register that a report issued on 10 November by Illinois authorities said the hackers who took control of the pump and then destroyed it came in from an IP address in Russia. The hackers managed to penetrate the water district’s SCADA system (Weiss provided more details at ControlGlobal.com).
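The account above carries two signals a SCADA operator can alert on without deep protocol parsing: a pump being cycled on and off far faster than any normal duty cycle, and control commands arriving from an address outside the plant network. The script below is an added example written for this page, not code from the article, from Weiss, or from the Illinois utility; the log format, the asset names, the allowed network 10.20.0.0/24 and the outside address 203.0.113.9 are all constructed for illustration, and the thresholds are assumptions.

```python
"""Flag rapid remote pump cycling in a SCADA command log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log in a hypothetical "<ts> <src_ip> <asset> <cmd>" format.
# pump-3 is toggled six times in three minutes from an address outside the plant
# network; pump-1 shows a normal duty cycle driven from an HMI on the LAN.
SAMPLE_LOG = """\
2011-11-01T02:00:00 203.0.113.9 pump-3 START
2011-11-01T02:00:40 203.0.113.9 pump-3 STOP
2011-11-01T02:01:10 203.0.113.9 pump-3 START
2011-11-01T02:01:55 203.0.113.9 pump-3 STOP
2011-11-01T02:02:20 203.0.113.9 pump-3 START
2011-11-01T02:02:50 203.0.113.9 pump-3 STOP
2011-11-01T06:00:00 10.20.0.7 pump-1 START
2011-11-01T14:00:00 10.20.0.7 pump-1 STOP
2011-11-01T22:00:00 10.20.0.7 pump-1 START
"""

# Networks from which pump commands are expected (assumed plant LAN).
ALLOWED_NETS = [ip_network("10.20.0.0/24")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (START|STOP)$")


def parse_log(text):
    """Return (timestamp, source_ip, asset, command) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let a malformed line take the detector down
        ts, src, asset, cmd = m.groups()
        events.append((datetime.fromisoformat(ts), ip_address(src), asset, cmd))
    return events


def find_cycling(events, window=timedelta(minutes=10), max_toggles=4):
    """Return {asset: peak number of state changes seen inside one window}
    for every asset whose START/STOP toggles exceed max_toggles per window."""
    recent = defaultdict(deque)   # asset -> timestamps of recent state changes
    last_state = {}
    alerts = {}
    for ts, _src, asset, cmd in sorted(events, key=lambda e: e[0]):
        if last_state.get(asset) == cmd:
            continue              # a repeated START or STOP is not a state change
        last_state[asset] = cmd
        q = recent[asset]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > max_toggles:
            alerts[asset] = max(alerts.get(asset, 0), len(q))
    return alerts


def find_foreign_sources(events, allowed_nets=ALLOWED_NETS):
    """Return events whose source address is outside every allowed network."""
    return [e for e in events if not any(e[1] in net for net in allowed_nets)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for asset, n in find_cycling(evs).items():
        print(f"ALERT cycling: {asset} changed state {n} times within 10 minutes")
    for ts, src, asset, cmd in find_foreign_sources(evs):
        print(f"ALERT foreign source: {src} sent {cmd} to {asset} at {ts}")
```

In a real plant the events would come from the historian or from the Modbus/DNP3 gateway log rather than a string, and the cycling threshold would be set from each pump's rated duty cycle. The design point is that both indicators described in the Illinois account are visible in plain command metadata, so a utility that only logs and reviews that metadata can catch this class of abuse before a motor burns out.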

“This is really a big deal, and what’s just as big a deal is what isn’t being said or isn’t being done,” Weiss said. “What the hell is going on with DHS? Why aren’t people being notified?”

Weiss also said that the hackers who attacked the Illinois water utility could have obtained passwords for many other customers of the SCADA manufacturer, possibly leaving other industrial facilities open to attack. Some of these facilities may already have been breached.

In this light it is unsettling to note two other stories: a report in InfosecIsland that a water supply network in South Houston, Texas was recently hacked, and a report in NorthJersey.com that water and sewage facilities in West Milford, New Jersey have recently been subjected to repeated cyber attacks.

Which brings us back to Stuxnet. “Despite [DHS’s] reassurances, online security specialists are already drawing parallels between the Illinois attack and the Stuxnet virus that impacted Iranian nuclear facilities in 2010,” Slashgear reports.

These security experts are right. Most of the U.S. critical infrastructure, both the 85 percent in private hands and the 15 percent run by government agencies, is controlled by computers that are reachable, directly or indirectly, from the Internet, and this makes it susceptible to cyber attack. Stuxnet proved that cleverly designed malware can take over the control systems of infrastructure assets and then sabotage the equipment those systems run and monitor; Duqu, which shares code with Stuxnet, shows that the same toolkit is still in use.

A few days ago, the control system of a water pump in Illinois was taken over by a hacker’s remote commands, and the pump was deliberately destroyed. What critical infrastructure facilities will hackers, whether nerdy teenagers, terrorists, or intelligence operatives of other nations, target next?

Ben Frankel is the editor of the Homeland Security NewsWire