The nation’s critical infrastructure and industrial-control systems have become such potential high-value targets for terrorists that their vulnerability threatens the fabric of society. And, as they increase in both importance and vulnerability, these systems cannot be protected using conventional information security measures.
The targets are electrical grids, transportation networks, water systems, oil/gas pipeline operations and other vital resources that serve the interests of the U.S. economy and the public good—not to mention public safety—every day. Concerns are rising about reported increases in compromise incidents within these systems, coupled with advancements in the “sophistication and effectiveness of attack technology,” according to the Government Accountability Office (GAO). The number of incidents reported by federal agencies to the U.S. Computer Emergency Response Team surged 782 percent from 2006 to 2012, the GAO reports.
Such attacks can “cause major economic losses, contaminate ecological environment and, even more dangerously, claim human lives,” according to a research report from the University of California, Berkeley. Industrial control systems (ICS) lie at the heart of this vulnerability.
Global events have triggered the cautionary warnings. Among the most notorious was Stuxnet in 2010, which damaged uranium-enrichment centrifuges in Iran by infecting the country’s nuclear ICS network. In 2012, the Shamoon virus attacked Saudi Arabia’s state oil company, Saudi Aramco, replacing crucial system files with an image of a burning U.S. flag and overwriting essential data with what then-U.S. Defense Secretary Leon Panetta described as “garbage data.” Panetta added that the incident was the most destructive attack the business sector has seen to date, as more than 30,000 computers were rendered useless.