Cyber security's "Doomsday Warning"

Warnings of a Doomsday cyber security attack are not just the stuff of James Bond, warns KCS Group chief executive and founder Stuart Poole-Robb

Earlier this month, President Obama spoke of a devastating wave of cyber attacks that could soon strike the US in what Washington insiders are calling a "Doomsday Warning".

There is growing concern in the US and the UK that organised cyber criminals and terrorists are about to take computer hacking to a new and terrifying level. In addition to fears of economic chaos were hackers to bring down a major financial institution or the New York Stock Exchange, there are also growing concerns that cyber terrorists are now plotting attacks on crucial infrastructure such as electricity, water, oil and gas. There are even concerns being quietly spoken of in some circles that the US's nuclear arsenal could also soon become a target of cyber terrorists.

So far, the people who control power and utility supplies in countries like the US and the UK have believed that the antiquated nature of the IT systems they use is their best defence against cyber criminals and terrorists. This has been largely true, as few hackers have bothered to acquaint themselves with industrial control systems such as SCADA. Some control systems also rely on software that is decades old and well below the radar of most cyber criminals, who prefer to exploit flaws in more widely used software such as recent versions of Windows.

Crucially, the industrial control systems managing and maintaining utilities and power supplies have not traditionally been connected to the Internet. While this would not prevent a terrorist who managed to infiltrate a power station or similar facility from hacking it in situ, this would demand a physical presence. For the most part, cyber hackers and terrorists prefer the remote access available online.

But in recent years, there has been a growing tendency for contractors and staff to push for remote access to their control systems for convenience and increased efficiency. A power engineer, for example, might wish to remotely manage a sub-station throughout the year without having to drive through the snow.

This has created some potentially dangerous access points for cyber hackers. Having gained remote access to a control system, it is simple enough for the intruder to shut down the system entirely for a period or cause sufficient damage to stop it functioning entirely. In 2007 the Department of Homeland Security reportedly released a video demonstrating how a power-generating turbine self-destructed in an exercise that illustrated what an attacker could do after gaining access to a control system.

The reason this type of attack has not yet taken place on any great scale is that cyber terrorists are still developing the skills needed to take over the running of the West's industrial control systems. There is, however, growing evidence that terrorist groups are now assembling precisely those skills to break into and control the West's antiquated industrial control systems, the bulk of which are not adequately secured.

A group of Syria-based hackers known as Project Viridium is already understood to have taken down the website of Syria's stock exchange in Damascus with the intention of holding the government to ransom. Another group of hackers based in Iran called Parastoo is also known to be actively recruiting IT engineers with knowledge of industrial control system software. Parastoo has already been linked to a “military-style” attack on an electric power station, the PG&E Metcalf substation, in California, U.S.A. on April 16, 2013. Parastoo claims that it has been testing national critical infrastructures using cyber vectors. Both Project Viridium and Parastoo are known to have the US and UK as prime targets.

A cyber attack orchestrated by terrorists could result in entire cities in Europe or the U.S. being left without light or heating, with all the economic and social chaos that would inevitably follow. What is eliciting even more concern in Washington and Westminster is that the control systems managing the West's nuclear arsenal also run on antiquated and increasingly vulnerable software.


Stuart Poole-Robb is chief executive and founder of one of the world’s leading strategic intelligence and risk companies, KCS Group.
