SophosLabs: Can hackers really cause as much bloodshed as 353 Imperial Japanese Navy fighters, bombers and torpedo planes launched from six aircraft carriers? Can hackers really kill 2,402 U.S. citizens, leave 1,282 wounded, lose 65 of their own attackers in the process, and plunge the United States into a World War?
Heaven only knows. Maybe they can. The lack of security around Supervisory Control And Data Acquisition (SCADA) systems is scary.
And unsecured SCADA systems are everywhere. They control nuclear and chemical plants, gas pipelines, dams, railroad switches, water treatment plants, air traffic control, metropolitan transportation networks, and the cash flow via financial transaction systems.
At any rate, the lack of security around infrastructure has been the cause of hand-wringing in the 12 years since former counter-terrorism czar Richard A. Clarke coined the term “digital Pearl Harbor.”
The term has been trotted out most recently in the wake of a report from Bloomberg Government and the Ponemon Institute.
Bloomberg Television has been comparing an electronic attack with a surprise strike that slaughtered thousands, and assuring us that spending by government and industry on cybersecurity has to increase by a factor of almost nine to prevent a digital Pearl Harbor from “plunging millions into darkness, paralyzing the financial system or cutting communications.”
Cybersecurity spending must increase by a factor of nine?! Bonus!! Upgrade your champagne stock for RSA, security peeps, cuz the good times are here again!
That estimate is based on Bloomberg/Ponemon interviews with technology managers from 172 U.S. organizations in six industries and the government. Survey respondents were granted anonymity, Bloomberg said, owing to “the sensitivity of discussing cybersecurity weaknesses.”
In other words, one assumes that we'll have to take that mind-boggling figure on faith.
Mind you, SCADA hacks, and hacks in general, are nothing to sneeze at.
But how much bloodshed have we seen, exactly? How does it compare to a surprise military attack like Pearl Harbor?
Well, there was the November 2011 attack on the South Houston water supply, in which a hacker going by the name pr0f penetrated the water supply network.
Terrible! How many people did we lose?
0, that's right, we lost zero. All pr0f did was post images showing that he had access to the water supply SCADA.
Embarrassing to U.S. government security people? Yes. Resulting in carnage? No. Here's what pr0f had to say about his choice to keep South Houston hydrated:
“I'm not going to expose the details of the box. No damage was done to any of the machinery; I don't really like mindless vandalism. It's stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the internet. I wouldn't even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic.”
Gosh, that sounds so, let's see, what's the word?
Why do security experts choose to terrorize people with a culture of fear in which terms such as “Armageddon” and “digital Pearl Harbor” get tossed about and blazoned across headlines? Why do we not instead have a reasoned discussion of the threat and how to secure the systems in question?
SCADA threats are real. They could, indeed, result in a body count. But let's keep the rhetoric sane. Let's be mindful of the fact that there has been no “digital Pearl Harbor” in the 12 years since we first heard of it.
Let's concentrate on making improvements instead of cooking up apocalyptic metaphors.