Monday, August 29, 2011

Cyber Weapons of Mass Destruction


There is an interesting article over on SecurityDebrief.com by Steven Bucci that takes an interesting look at ‘weapons of mass destruction’. He would like to extend the definition of WMD to include cyber and economic attacks. I’ll leave the general discussion of ‘economic’ WMD to other, but I would like to expand on his idea of some cyber-attacks being included under the mantle of WMD.

Bucci does not want to include every kind of cyber hack/attack as part of the arsenal of potential WMDs. In fact, he’s not even sure that an APT hack that steals information should be called an attack (that’s a totally separate discussion). He does note, however, that with the advent of Stuxnet (and I would add the Beresford and Luigi vulnerability disclosures and the GLEGG tool as obvious enabling events) there now exists the demonstrated capabilities to use cyber controls as a means to cause destructive events.

He provides one clear example of how a cyber-attack could achieve WMD effects:

“One can imagine the elegance (for a terrorist or rouge state) of hitting the “enter” button on one continent and having all the valves in a chemical plant next to an American city open simultaneously? We would suddenly have a “Bopol [Bhopal], India-like” disaster that kills a multitude.”

I can add a number of other examples just to keep things interesting. They would include:

• Doctoring flow meter reporting so that large containers (storage tanks, rail cars, tank wagons, etc. are overfilled resulting in a large scale release;
• Opening a series of valves so that two incompatible chemicals are introduced into the same tank at the same time (results could include fire, explosions, toxic release, etc. depending on the chemicals involved); or
• Doctoring pressure reporting devices so that hazardous chemical or gas pipelines are over-pressured (ala San Bruno) resulting in explosion or toxic release.

Of course all of these could also be considered to be chemical attacks with the cyber component being just the initiator. It could be argued that including these types of incidents in the discussion of WMD would be similar to calling a cell phone a WMD because it was used to detonate an IED. I think that such an argument would be shortsighted and oversimplified, the scale of skill necessary to implement the above attacks alone would justify calling the cyber component a weapon.

Outside of the chemical industry I could think of a couple other areas where cyber attacks could be raised to the level of WMD effects. Messing with the controls of a a large municipal water system so that the system was over-pressurized could lead to multiple large scale main ruptures which could essentially shutdown the water system for a prolonged period. Shutting down the automatic sterilization controls at a food packaging operation could result in subsequent illnesses.

In short, there are a number of ways that a control system could be manipulated to cause a significant impact on the community. If the results were catastrophic or physically impressive enough, the cyber attack could certainly be considered to be a WMD attack.

No comments:

 
/* Use this with templates/template-twocol.html */