I Was Wrong: There Probably Will Be an Electronic Pearl Harbor
Ira Winkler says the emerging smart grid makes doomsayers' unlikely predictions more likely
By Ira Winkler
November 29, 2009 — CSO —
For 15 years now, I have been publicly lambasting all of those people who have made their careers, or at least made fleeting news headlines, based on their declaration of an imminent Electronic Pearl Harbor. My disdain is based on several factors, but predominantly the lack of accountability for such statements. One industry analyst, for example, stated that there will be such an event by the end of 2003. Six years later, I didn't see anyone revisit the utter lack of such an event.
However, I now see things developing to the point where there can be a strategic attack on computer infrastructures. The key word is Strategic.
Another major issue I have with the people who stake their fame in information warfare is the lack of apparent understanding in the concept of military and geopolitical issues. Specifically, strategy implies long term impacts, generally at least 3-6 months. Tactical attacks have short term impacts. Yes, we have had many tactical attacks against different infrastructures. However, comparing these attacks to Pearl Harbor is insulting.
Pearl Harbor was a preemptive strike against the US Pacific Fleet. It significantly degraded the US Naval capability for several years. If the aircraft carriers were in Pearl Harbor as the Japanese expected, it could have been a complete knockout blow. So the question becomes, what can make a computer attack strategic?
Also see Robert Lemos' report from the 2009 Cyber Warfare conference in Estonia
Over the last 15 years, it now appears that the electrical grid is not only extremely vulnerable, they are in the process of exponentially increasing its vulnerability. At this point, the vulnerabilities in the power grid are well documented. I highlight how there are many points where control networks overlap business networks. The GAO published a report a month later highlighting this problem at the Tennessee Valley Authority [pdf link]. The Wall Street Journal highlighted how Russian and Chinese intelligence agencies have already planted malware in the power grid. Then there was the Idaho National Lab Aurora video, where they demonstrated that a generator SCADA system can be remotely hacked to blow up the generator. Then there was the recent 60 Minutes piece.
I have to admit that even with all of the above, I wasn't convinced that there could be a true strategic attack. You can probably blow up a few generators, but the fact is that the power grid itself is resilient enough to withstand the effects. Another issue is that while Russia and China could potentially coordinate a much more devastating attack, they do not have the motivation to cause such damage. While terrorists and some other parties might want to try, it is unlikely that they have the coordination and resources to accomplish a truly strategic attack.
electronic pearl harbor
- Smart Techniques for Application Security
- The Business Case for Data Protection
- Survival Guide: Overcoming the Obstacles to Effective Risk Management
- Utility Mandate: Software Security for the Smart Grid
- Risk-driven Compliance and Security Management
- CyberAttacks ... Are you protected or prepared to pay?
- Defend Against Cyber Attacks: Session-Level Network Security
- Log Mangement in a Cyberworld
- Take the Cost, Complexity and Frustration Out of Two-factor Authorization
- Conquering Compliance for Dummies
- Practical Approaches for Securing Web Applications
- Maintaining Trust: Protecting Your Website Users from Malware
