The admission by former FBI Director James Comey that the Russians had tried “systematically” to influence the 2016 US presidential election brings a number of things into focus. Perhaps primus-inter-pares in consideration is the way the Russians used cyberspace to try and influence the outcome. But this could also have a more sinister overtone. Could this be seen as a prelude to an even more threatening use of cyberspace — one that takes it to a new height in which people die?
When it comes to the world of cyber headline writers, they are prone to exaggerate. When something happens in cyberspace they tend to fall back on the tried and tested mantra that each event is somehow an act of cyber-terrorism. In reality, they are not. Terrorism, by definition, has to have people die in order to achieve impact on society. To date, no one has died as a result of anyone using so-called cyber-weapons.
But that does not mean it might not be possible in the future for a cyber-attack to kill people. In Ukraine, just before Christmas 2015, over 80,000 homes suddenly lost power. With average temperatures well below freezing at the time, it is remarkable that the authorities, who were quick to blame Russia, did not cite specific people dying as a result of the cyber-attack.
Could an attack like this occur in the West? Would terrorists be able to penetrate the information systems of those running aspects of the Critical National Infrastructure to potentially cause situations harmful to life? The recent ransomware attacks across the globe that also affected many older information technology systems in the UK’s National Health Service suggested vulnerabilities might exist. But, could this result in people dying? That is unlikely.
What is far more likely is something different — an attack on a mass-transit system. This is certainly a possibility. But not all mass-transit systems are easily attacked. For terrorists, with their preoccupation with attacking airlines, Air Traffic Control (ATC) systems would be an ideal target. But these are difficult to access. It would require someone to be operating within the ATC system to conduct an attack, and they would be quickly exposed, reducing the chances that an attack would be successful.
So, how might terrorists attack mass-transit systems? The answer is through the Wi-Fi networks that are increasingly used to control railway signalling systems. Any lack of security in these networks, such as in the encryption of the data passing between nodes, could make them vulnerable to attack. The actions of a water treatment company employee in Queensland, Australia in March and April 2000, revealed what is possible.
Vitek Boden, a former employee of a company that supplied the telecommunications and Supervisory Control and Data Acquisition (SCADA) systems used to control waste management in Queensland, tried 46 times to break into the local Very High Frequency (VHF) communications networks used to pass data from outstations to a central management facility. He was eventually successful.
In conducting his attack, he exploited a crucial advantage. His inside knowledge of the communications protocols helped him to penetrate the networks, generating false messages. This enabled him to open sluice gates and spill more than a million tons of raw sewage into an environmentally sensitive area in the Maroochydore District. Large fish kills, toxic sewage polluting rivers and the ground of a major hotel and other long-term damage to the environment resulted.
Imagine if that attack had been directed against a dam. What if a dam could be attacked and programed to release water? In America, fears of such an attack were raised when an Iranian group (called SOBH Cyber Jihad) claimed to have attacked the Bowman Dam in Rye Brook, New York in 2013.
At the time, this raised fears cyber-attacks could be mounted against other facilities whose operations depend upon SCADA systems. After all, it is alleged that the Americans and Israelis undertook the single most ambitious cyber-attack in history when they were able to hinder Iranian progress towards creating a nuclear device.
That cyber-attack also involved an attack against a SCADA system – the one that controlled the centrifuges creating the highly enriched uranium required to make a nuclear weapon. The timing of the attack by the Iranian group is clearly a reprisal for the attack on the Iranian nuclear program.
SCADA systems are now almost universally in use across the world to help organizations control their operations. They are a ubiquitous element of all major information technology systems for organizations that need remote control of their facilities – and hence vulnerable to being attacked. But to conduct such an attack requires significant resources — those available to a state, not a terrorist group.
For terrorists to be able to conduct a similar attack against a mass-transit system they would need to have a similar degree of insider knowledge. Each SCADA system that controls the networks has bespoke communications protocols. There are not universal standards that yet apply. Many systems are outdated, affording them what is known as “protection by antiquity.” So, they are not easily hacked.
For terrorists, this all makes the work of planning and conducting a terrorist attack using cyber-based approaches complicated. It drives them towards tried and tested approaches, such as suicide bombing and armed attacks. The dreadful attack in Manchester, England and the much simpler attack on Westminster Bridge highlight the point. These at least achieve results for terrorist groups with a minimum of investment. Getting into cyber-space and using that as a means to create the conditions where lots of people die is not easy. But, it is possible.
What would define cyber-terrorism, moving it from fiction to reality, would be an attack that penetrated a mass-transportation system. Where technology, with some of its inherent vulnerabilities, is in use to control signalling systems, an attack could create the conditions where, for example, trains collide, or are derailed.
Concerns over cyber-terrorists seizing control of an aircraft have also been raised, causing even senior Boeing officials to express concerns publicly. While the fate of Malaysian Airlines Flight 370 remains unknown, such concerns will always linger in the background.
Yet, this is not the only way cyber-terrorists could kill. It is all a question of imagination and capability. To date, while terrorists have relied on tried and tested approaches to terrorism, there is little reason to believe they haven’t fantasized about using novel mechanisms to try and achieve a mass casualty event.
Nightmare visions of SCADA systems in nuclear power stations being attacked are often the subject of discussion and featured in novels. They are, in fact, less likely. These systems simply do not have an external interface that cyber-terrorists could try and enter. That would need an insider.
In France, in 2015, a person of interest to French authorities, known in court proceedings as Rida E., was allowed to continue working in the Tricastin Nuclear Plant up to the point of his arrest and eventual conviction last December for having conspired to commit acts of terrorism. In Belgium, arrests were made of two individuals who had been following and documenting the pattern of life of a senior official in the Belgian nuclear program in April 2016.
Clearly, nuclear plants are of interest – a concern echoed by British authorities in April 2017 when the UK issued a press release saying, “Nuclear power stations and airports have been told to remain resilient to evolving cyber threats.” The UK’s 15 nuclear power stations generate a quarter of the country’s electricity requirements.
Similar concerns have also been raised in Japan and Germany over potential vulnerabilities of their nuclear reactors. One specific plant in Armenia, the Metsamor facility, has been flagged as being at risk. This is a plant whose design is based on the infamous Chernobyl plant. It has been described by the European Union as the “oldest and least reliable reactor.” It was cited in National Geographic Magazine as the “most dangerous nuclear plant in the world.”
The danger of its vulnerability is heightened due to its location in the Caucasus. At the height of the Chechen conflict, Islamic extremists are known to have looked at various ways of using nuclear material to create a new exaggerated form of terrorism.
A potential cyber-terrorist would have to be accepted into the workforce of the plant and find a way of entering software into systems that control the fuel rods that control the degree of nuclear reaction or the water coolant system. It is not impossible. It might take time to establish their bona fides, but an insider terrorist threat like this could happen. It is an attack vector that cannot be ruled out. But there are safety systems built into the plants to ensure that another Chernobyl does not occur. Lessons from the Three Mile Island incident, which came so close to a catastrophe, have been learned the hard way.
It is not that terrorist groups lack expertise. Clearly, they have recruited people who are familiar with cyber-space – their principal recruitment mechanism. But that does not mean they have people who can attack a SCADA system.
That requires a significant degree of expertise in communications protocols, such as that possessed by Vitek Boden in Australia. To gain that expertise, terrorists would have to recruit people from universities who have studied communications systems, and who understand how to get into such networks using relatively simple radio equipment.
But, unwittingly, recent developments on the international stage might make conducting such attacks easier. Efforts to harmonize the development of standards for communications protocols, addressing issues that are important in SCADA systems such as latency, may ironically make future cyber-attacks more likely.
Bespoke communications protocols do at least offer a form of inherent security that would force a terrorist group to place someone into an organization to get access to the form of their messaging systems. If standards emerge that become internationally agreed upon, then this reduces a barrier to terrorists and may make such an attack vector more attractive, as it becomes easier to execute.
So, those advocating the benefits from developing communications standards need to be aware. Should these standards emerge, however, and be in the public domain, we may not have to wait long before a real world cyber-attack results in mass casualties. And that would be another dreadful day.
Dave Sloggett is an authority on international terrorism with over 42 years of experience in the military and law enforcement sectors working in a variety of roles, specializing in intelligence analysis and human behavior in the context of hybrid and asymmetric warfare. He is an authority on counterterrorism and his work has taken him to Afghanistan, Iraq, the Balkans, West Africa and Northern Ireland where he has studied the problems of insurgencies, terrorism and criminality on the ground, often working closely with NATO. His research work at Oxford University in the United Kingdom focuses on the prevention of acts of terror.