A scary scenario hangs over the head of every nation equipped with power grids, nuclear facilities, water treatment plants, commuter trains, or any of a multitude of other society-sustaining infrastructures—cyber takeover.
The storyline may have appeared in movies and books for decades, but recently it became all too real when a computer super worm called Stuxnet took control of centrifuges in an Iranian nuclear power plant last year. The worm leveraged a weakness in a device known as a controller, which electronically directs machinery. In the Iranian case, the worm-commanded controller caused the centrifuges to spin too fast.
The implications of a worm that could control the machines that control our infrastructure—imagine if one caused electric generators to spin out of control, opened flood gates, or released too many treatment chemicals into drinking water—have resounded ever since.
Iran blamed the United States and Israel for the attack, and although they denied culpability, the belief at the time was that it was a military-grade act of aggression, according to the Associated Press. That theory, however, is shakier now that security researcher Dillon Beresford was able to create similar controller breaches by himself with less than $20,000 in equipment.
“What all this is saying is you don't have to be a nation-state to do this stuff. That's very scary," Joe Weiss, an industrial control system expert, told the AP. “There's a perception barrier, and I think Dillon crashed that barrier.”
Even if Stuxnet could be the product of a lone hacker or a low-level group, that doesn’t mean it was. Did the United States unleash this monster on itself and the rest of the world? According to cyber experts, that action would be consistent with U.S. policy but wouldn’t sync with past actions, which have been to avoid using cyberweapons that could come back to haunt us. Still, the prospect of nuclear weapons in the hands of Iran might have been enough to breach that protocol, said cybersecurity expert Michael Assante.
“That is probably one of the largest national security challenges I can envision,” he’s quoted as saying in an online National Public Radio report. “In that context, you can make a pretty strong argument that the benefit of using a cyberweapon to slow down or delay [a nuclear weapon program] or to achieve a specific objective might absolutely outweigh the risk.”
Regardless, there will be no un-ringing of the Stuxnet bell. Most recently, malware has appeared with a fingerprint similar to Stuxnet's and Idaho National Laboratory, which protects critical U.S. infrastructure, has seen a tripling of computer attacks over past year, according to the AP. It seems the time has come for covering assets.
“Some of these [systems] can't be protected,” Weiss told NPR. “We're going to have to figure out how to recover from events that we simply can't protect these systems from.”
Jolie Breeden is the lead editor and science communicator for Natural Hazards Center publications. She writes and edits for Research Counts; the Quick Response, Mitigation Matters, Public Health, and Weather Ready Research Award report series; as well as for special projects and publications. Breeden graduated summa cum laude from the University of Colorado Boulder with a bachelor’s degree in journalism.