Critical infrastructure vulnerable to simple cyber-attacks

Malicious emails don't only harm personal computers, they could bring down national infrastructure

Published January 18, 2013 3:47PM (EST)

    (Wikimedia/David Brodbeck)
(Wikimedia/David Brodbeck)

Spearphishing -- the technique by which hackers gain access to computer networks through sending misleading, malicious emails which users click on -- is a risk to more than just small computer networks. According to the New York Times' "Bits" blog, critical infrastructure like "watersheds, power grids, oil refineries and nuclear plants" are vulnerable to spearphishing attacks.

"Spearphishing is so easy to deploy and effective that 91 percent of targeted attacks start with malicious e-mails, according to TrendMicro, a computer security firm with headquarters in Tokyo. But that same method could be used to harm utilities, power plants, gas pipelines and watersheds," wrote Nicole Perlroth.

In a demonstration to test the vulnerability to such an attack at power plants and oil pipelines, Tyler Klinger, a security researcher at Critical Intelligence sent targeted emails -- the sort that might conceal a spearphish --  to control room supervisors and engineers. The emails were easily accessible through LinkedIn and sales team contact sites.

"The hit rate was enough to make you shudder: Some 26 percent of employees who work closely with industrial control systems fell victim to the attack... among their job titles were: a control room supervisor, a pipeline controller, an automation technician, a process controls engineer and a senior vice president for operations and maintenance." An attacker would then have the ability to observe all the actions -- passwords, codes and all -- carried out on the computer of these employees who regularly access aspects of the nation's critical infrastructure.

Klinger's experiment, demonstrated at a recent security conference in Miami, is not the only evidence that major infrastructure could fall prey to these simple attacks. "Night Dragon, a series of computer attacks that hit oil, gas and chemical companies in the United States two years ago, used spearphishing. So did Shady Rat, another extensive digital espionage campaign discovered in 2011 that went after 70 government agencies, corporations and nonprofits in 14 countries," Perlroth noted. Just this week, as Reuters reported, the Department of Homeland Security noted that last year a spearphishing attack successfully infected the turbine control system at a power company, "keeping a plant off line for three weeks."

Last October, Defense Secretary Leon Panetta warned that the U.S. could possibly face a “cyber-Pearl Harbor,” in which "an aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches." Panetta did not highlight just how simple those tools might be.


By Natasha Lennard

Natasha Lennard is an assistant news editor at Salon, covering non-electoral politics, general news and rabble-rousing. Follow her on Twitter @natashalennard, email nlennard@salon.com.

MORE FROM Natasha Lennard


Related Topics ------------------------------------------

Cyber Attacks Hacking Infrastructure Pipelines Power Grids Spearphishing