Can hackers really cause as much bloodshed as 353 Imperial Japanese Navy fighters, bombers and torpedo planes launched from six aircraft carriers? Can hackers really kill 2,402 U.S. citizens, leave 1,282 wounded, lose 65 of their own attackers in the process, and plunge the United States into a World War?
Heaven only knows. Maybe they can. The lack of security around Supervisory Control And Data Acquisition (SCADA) systems is scary.
And unsecured SCADA systems are everywhere. They control nuclear and chemical plants, gas pipelines, dams, railroad switches, water treatment plants, air traffic control, metropolitan transportation networks, and the cash flow via financial transaction systems.
At any rate, the lack of security around infrastructure has been the cause of hand-wringing in the 12 years since former counter-terrorism czar Richard A. Clarke coined the term “digital Pearl Harbor.”
The term has been trotted out most recently in the wake of a report from Bloomberg Government and the Ponemon Institute.
Bloomberg Television has been comparing an electronic attack with a surprise strike that slaughtered thousands, and assuring us that spending by government and industry on cybersecurity has to increase by a factor of almost nine to prevent digital Pearl Harbor from “plunging millions into darkness, paralyzing the financial system or cutting communications.”
Cybersecurity spending must increase by a factor of nine?! Bonus!! Upgrade your champagne stock for RSA, security peeps, cuz the good times are here again!
That estimate is based on Bloomberg/Ponemon interviews with technology managers from 172 U.S. organizations in six industries and the government. Survey respondents were granted anonymity, Bloomberg said, owing to “the sensitivity of discussing cybersecurity weaknesses.”
In other words, one assumes that we’ll have to take that mind-boggling figure on faith.
Mind you, SCADA hacks, and hacks in general, are nothing to sneeze at.
But how much bloodshed have we seen, exactly? How does it compare to a surprise military attack like Pearl Harbor?
Well, there was the November 2011 attack on the South Houston water supply, in which a hacker going by the name pr0f penetrated the water supply network.
Terrible! How many people did we lose?
0, that’s right, we lost zero. All pr0f did was post images showing that he had access to the water supply SCADA.
Embarrassing to U.S. government security people? Yes. Resulting in carnage? No. Here’s what pr0f had to say about his choice to keep South Houston hydrated:
I'm not going to expose the details of the box. No damage was done to any of the machinery; I don't really like mindless vandalism. It's stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the internet. I wouldn't even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic.
Gosh, that sounds so, let’s see, what’s the word?
Rational.
Why do security experts choose to terrorize people with a culture of fear in which terms such as “Armageddon” and “digital Pearl Harbor” get tossed about and blazoned across headlines? Why do we not instead substitute a reasoned discussion of the threat and how to secure the systems in question?
SCADA threats are real. They could, indeed, result in a body count. But let’s keep the rhetoric sane. Let’s be mindful of the fact that there has been no “digital Pearl Harbor” in the 12 years since we first heard of it.
Let’s concentrate on making improvements instead of cooking up apocalyptic metaphors.
"Embarrassing to U.S. government security people? Yes."
Not exactly new… just ask the guys chasing Gary McKinnon – 10 years and counting – and are the systems any more secure? I doubt it…
The phenomenon is known as "Threat Inflation." Read "Loving the Cyber Bomb?" (April 2011) for a great summary.
Since PDD-63 was signed on May 22, 1998, the cyber security vendors (and wannabes in the defense industrial base) have whined about how all the Critical Infrastructures are woefully unprotected and vulnerable, and how if ONLY new program funding from the Government were forthcoming (or, alternatively, new regulatory/compliance mandates from the Government that forced CI owners to pony up) then THEY could come in and provide security solutions.
Yawn. Cyberwar Chicken Littles don't understand that security is more than just cyber, that "attack vectors" include physical, that weather events and the infamous "backhoe fade" are just as threatening but actually happen, and that (1) control systems tend to have layers of belt-and-suspenders redundant checks and balances, and (2) the underlying controlled infrastructure tends to be extraordinarily resilient.
Bottom line: all the defense contractors who face cutbacks are hoping the Congress will force CI providers who can't keep off the future DHS List of Doom to buy their "3rd party verification" services, and remediation based on all the wonderful Defense in Depth design capabilities they've honed (well … really just copied from the open source NSA-provided Global Information Assurance portfolio of guidance, NIST pubs, etc.).
The media doesn't like rational discussion though, that's boring. Far better to get LIGATT on the line to talk about some issue…