Homeland security experts are conducting drills to gear up for a potential combined physical-cyber attack.
A plume of radiological contaminants has been released in New York. Police scramble to evacuate anyone in the contamination zone, using software that analyzes weather patterns to predict where the plume will travel.
But terrorists have hacked the system and sent spoofed weather data in place of the real-time reports. Unbeknownst to the first responders, the evacuation plan is generated based on the spoofed data, and instead of evacuating away from the plume, civilians are moved directly into its deadly path.
This scenario, played out during an exercise with the Port Authority of New York and New Jersey , underscores the catastrophic potential of a combined physical and cyber terrorist event, says Susan Lambert, vice president of new initiatives for Innerwall, which played a key role in the event. Lambert and many other experts believe that terrorists could dramatically increase the lethality of a physical attack by combining it with a cyber attack that could disrupt first-responder communications and create confusion.
A cyber attack could be as complicated as hacking into the software system controlling operations at utilities (called the SCADA system) or as simple as sending spoofed e-mails. Homeland security experts are trying to conduct drills to address the various possibilities.
In another exercise involving Lambert’s company and the Huntington Beach (California) Police Department, for example, the scenario assumed that the police department network was breached and a false message was sent. It requested that all police officers report directly to the chief’s office, taking the officers away from their assigned posts. “You could easily divert police to a response area to basically divert them from an incident,” says Lambert.
“If you can erode the network’s ability to send information along with other physical attacks, it can start being a force multiplier,” says J. Michael Gibbons, vice president of enterprise security services for Unisys.
So far terrorists have focused on more typical physical events, like bombings, says David Mussington, a political scientist at the RAND Corporation. That may be because they see these types of attacks as a way to instill fear that outlasts the attack itself. Even a large-scale cyber attack may not by itself trigger the same type of reaction that a physical attack does.
“We know physical attacks are quite effective in provoking terror. It remains to be seen whether terrorist would choose cyber means over physical means,” he says. That’s why Mussington says the real threat is in the form of a combined attack.
Assuming that terrorists want to launch a cyber attack, the next question is whether they can do so. Gaining access to critical IT systems is complicated, but entirely plausible, maintains Charles Kaplan, chief security strategist with Mazu Networks, Inc., which creates network monitoring products. One method involves targeting an individual employee with access to these systems.
According to Kaplan, if a terrorist did his or her homework, it would not be difficult to find out personal information about a high-level employee, such as where that person went to college.
Using this information, the terrorist could then employ techniques of what is called “spear phishing,” which means sending an e-mail to the targeted employee. If the e-mail is opened, a highly targeted piece of malware that might be in an attachment could be placed on the person’s machine.
Because the virus would be targeted specifically for the individual machine and would not attack the network, it’s possible that it could fly under the radar of an antivirus program, Kaplan says. “Now I’m basically a credentialed employee for all practical purposes and my ability to launch a real attack dramatically goes up.”
There are ways to guard against this type of intrusion. One is network profiling, which evaluates an individual employee’s typical behavior on the network and identifies when that person’s network activity seems abnormal. If, for example, a user typically works from 9 a.m. to 5 p.m. but the network shows that his machine was doing file transfers at 4 a.m., a red flag would be raised.
As Mussington points out, however, “It’s not so much a question of hardening as it is making sure you have enough redundancy within these infrastructures so that no single vulnerability can bring down the entire system.”
Like any successful security plan, effective cyber security comes down to a layered approach, says Ted Demopoulos, a security consultant. “You don’t want to put all your eggs in the same basket. So if there is something critical, that one vulnerability should have other layers of protection surrounding it.”
Training employees on the technology policy and having good network security practices are also critical.
But the difficulty is that the majority of critical infrastructure is operated by the private sector, and companies may be tight-lipped when it comes to discussing security procedures (and failures). Thus weaknesses may exist that federal, state, or local government agencies don’t know about.
The Department of Homeland Security has made progress, however. Many experts are encouraged by efforts such as the recent Cyber Storm exercise, which brought together 115 public and private groups to combat simulated cyber attacks directed against critical infrastructure.
“The private sector is the pointy end of the spear” when it comes to protecting against cyber attacks, says Andrew Macpherson, assistant research professor at the University of New Hampshire. “Private industry can really be seen as the front line for cyber attacks because they’re seeing a lot of these things, they’re seeing a lot of the new attacks.”
But, says Innerwall’s Lambert , “It really comes down to the fact that there has to be some incentive for private industry to implement security. It would either have to be regulated, or it would have to see a cost benefit.”