JIM URQUHART/REUTERS - Mark Fabro, a training consultant working with
the U.S. Department of Homeland Security, explains how systems can be
exploited at a cyber
By Ellen Nakashima, Published: October 2
IDAHO FALLS, Idaho — Screens glowed, mice clicked and lines of code
scrolled on the laptop monitors of a hacker team hired by Barney
Advanced Domestic Chemical Co. — or BAD Company — to break into a rival
firm’s computer network.
In another room here at Idaho National Laboratory, a computer operator
noticed something wrong. “They’re hitting one of our servers!” he said.
The lights in the control room soon failed, and liquid gushed from a set
of tanks as green and red lights flashed.
“We’ve got a spillover!” shouted the supervisor. “Call the hazmat team!”
This frantic but entirely simulated attack last week on a chemical plant
demonstrated what U.S. officials and industry experts say is a
little-understood national and economic security threat: the ability of
malicious computer code to cripple critical systems that millions of
people rely on for food, fuel, safe water and more.
“We’re connecting equipment that has never been connected before to this
global network,” said Greg Schaffer, acting deputy undersecretary of the
Department of Homeland Security’s National Protection and Programs
Directorate. “As we do, we have the potential for problems. That,
indeed, is a space our adversaries are paying attention to. They are
knocking on the doors of these systems. In some cases, there have been
intrusions.”
In the extreme, officials and experts fear a digital attack that causes
death, destroys critical machines and sows anxiety about what could come
next. The threat exists, they say, because machines running the nation’s
plants and other crucial systems are increasingly interconnected.
Meanwhile, the skills of nations and hackers are growing, even as more
infrastructure vulnerabilities are detected.
“That’s our concern of what’s coming in cyberspace: a destructive
element,” said Gen. Keith B. Alexander, National Security Agency
director and the head of U.S. Cyber Command, which is set up to protect
the military’s networks. “We have to defend our country better,” he said
in September at an InfoWarCon conference in Linthicum Heights.
Here in Idaho, the DHS in partnership with Idaho National Labs runs the
government’s largest program to research and test the ability of
companies to control systems for vulnerabilities, train personnel to
mitigate threats and, if requested, dispatch “flyaway” teams to respond
to events.
The wake-up call that a physical attack could happen came last year when
the world learned about Stuxnet, a sophisticated computer virus that in
2009 had infected controllers in a uranium enrichment plant in Iran,
causing about 1,000 centrifuges to spin out of control and delaying
Iran’s nuclear enrichment program. No one was killed, but the event
marked the first targeted attack against an industrial control system.
It was also the first documented use of a military-grade weapon built
entirely from code.
A “game-changer,” said Marty Edwards, DHS Control Systems Security
Program director, who led a team of analysts researching Stuxnet.
A “digital warhead” was how Ralph Langner, a German security researcher
who helped decipher Stuxnet’s intent, described it. The virus had two
parts: a virus-delivery vehicle and a payload.