Inside Cyber Warfare - Jeffrey Carr [9]
FUTURE SCENARIO INVOLVING CRITICAL INFRASTRUCTURE
October 19, 20**
Chairperson
House Permanent Select Committee on Intelligence
Washington, DC
RE: Establishment of North American Urgent Radiological Information Exchange
Madame Chairperson:
While we do not believe that this is a matter that rightfully falls under the province of your Committee, in the interest of cooperation, this letter will address the events leading up to the establishment of the North American Urgent Radiological Information Exchange (NAURIE).
As you know, on the nth anniversary of 9/11, all of our nation’s nuclear power plants were targeted in a massive distributed denial of service attack orchestrated by the Conficker D botnet, which had grown to a heretofore unheard-of 30,000,000+ infected hosts.
While US-CERT teams as well as regional DOE cyber security personnel were focused on combating this external threat, each plant’s internal firewall separating the Command and Safety System Networks from the Site Local Area Network was breached from the inside, due to the use of pirated hardware with malicious embedded code that passed server control to external users.
Of even more concern is the fact that all of these plants were targets of a carefully planned, long-term social engineering attack that relied on human error and the broad-based appeal of social network sites. As DOE employees broke protocol and downloaded phony social software apps, malicious code worked its way into secure networks and lay dormant until activated by the attacking force.
This led to a number of consecutive failures in our safety mechanisms, resulting in partial to complete core meltdowns at 70% of our plants. When these plants went offline, the nation’s power requirements couldn’t be met. Grids were overwhelmed and blackouts began occurring in our most heavily populated urban areas. Once criminal gangs realized that overburdened police departments were unable to respond to every 911 call, looting of businesses began in earnest, as did home invasions in the wealthier neighborhoods.
One year later, we still do not have a final count of the number of deaths and casualties, but most responsible estimates place them in the tens of thousands. If we extrapolate for the as yet unknown future effects of radiation poisoning on the victims, the count goes into six figures.
While this is clearly a tragedy on every level, I feel I must point out that the NNSA, as late as 2009, in a letter to the Los Alamos National Laboratory, did its part in improving security by determining that the loss of 83 LANL laptops should no longer be considered just a “property management” issue, but a cyber security issue as well.
Also, our G3 physical security model (Gates, Guards, Guns) was not compromised, and cyber security compliance has never been a mandatory policy; instead it is an ongoing negotiation among various other considerations.
v/r,
Director, National Nuclear Security Agency
This scenario is perfectly plausible given what we know today about software exploits driven by social engineering; the availability of counterfeit hardware such as routers, switches, Gigabit Interface Converters, and WAN interface cards; and Conficker-type botnets that consist of millions of infected PCs.
Combine those threats with a motivated, patient, and well-financed hacker crew and any number of doomsday scenarios become possible.
If this scenario sounds far-fetched or seems to overstate the risk, the following news stories represent a sampling of actual cyber security events that have occurred at nuclear power plants since 2003:
“NNSA wants more funding for cyber security” (Federal Computer Week, February 6, 2008)
“Numerous cybersecurity problems at the department have come to light over the past few months. A recently released report by the department’s inspector general report said Energy had 132 serious security breaches in fiscal 2006.”