Washington, May 14 (Reuters): Attacks on US computer networks could escalate from mere inconveniences to disasters that ruin companies or even kill people, according to the head of a cyber-security unit working with the US government.
Scott Borg, director of the Cyber Consequences Unit ( CCU), a department of Homeland Security advisory group, said increasing intelligence “chatter” was pointing to possible criminal or terrorist schemes to destroy physical infrastructure such as power grids.
The CCU is considering how to prevent attacks beyond ubiquitous e-mail hoaxes or computer viruses, with concerns rising about plots to cause power blackouts, tamper with pharmaceutical products or reprogramme machinery to build dangerously defective products.
“Up to now, executives and network professionals have been worrying about what adolescents and petty criminals have been doing. They need to start worrying about what grown-ups could do,” Borg said.
Attractive targets include vital “supervisory control and data acquisition” (SCADA) systems, like those in a power plant that open and close valves or adjust temperature and pressure.
“Chatter on SCADA attacks is increasing,” Borg said, referring to patterns of behaviour his unit has observed suggesting that criminals and militant groups like al Qaida are becoming capable of carrying out such attacks.
Borg’s CCU, a small independent unit funded by Homeland Security, spends its time trying to imagine how technology could be used to cripple the US. It also holds cyber-security exercises for US corporations and investigates reports of attacks on computer.
A major crisis could be triggered, for instance, by shutting down critical computer systems for as little as four days. “If you shut down longer than three days, supplies begin to run out. After three days, costs begin to take off,” Borg said
While everyday hackers may target credit card or other personal information, more sophisticated attackers concentrate on “data at rest”, which could cause far greater damage. This kind of data might include a pharmaceutical company’s drug development databases, or software programmes that manipulate data, such as formulas for generating financial statements.
In one hair-raising scenario, Borg describes how attackers might change specifications at an automobile plant and cause a car to “burst into flames after it had been driven for certain weeks or months”.
Another potential attack could involve infiltrating hospitals or pharmacies to change medical data such as dosages or treatment schedules.
“An attack, if well planned, could run for months without being detected,” Borg said. “Now, imagine if they go public on a website and announce what they have done. Stocks would go into a free fall. Liability lawsuits would pile up.”
Based on discussions with banks and other industries, the CCU has prepared a security checklist for companies identifying 16 potential avenues of attack.