Over the last four years, foreign hackers have stolen source code and blueprints for oil and water pipelines and for the power grid of the United States, and have infiltrated the Department of Energy's networks 150 times.
So what’s stopping them from shutting us down?
The phrase “cyber-Pearl Harbor” first appeared in the 1990s. For the last 20 years, policy makers have predicted catastrophic situations in which hackers blow up oil pipelines, contaminate the water supply, open the nation’s floodgates and send airplanes on collision courses by hacking air traffic control systems.
“They could, for example, derail passenger trains or, even more dangerous, derail trains loaded with lethal chemicals,” former Defense Secretary Leon E. Panetta warned in 2012. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
It is getting harder to write off such predictions as fearmongering. The number of attacks against industrial control systems roughly quadrupled, to 675,186 in January 2014 from 163,228 in January 2013, according to Dell Security; most of those were in the United States, Britain and Finland.
And in many cases, outages at airports and financial exchanges, like the outage that knocked out computer systems at airports across the country late Wednesday, including Kennedy International Airport in New York and Logan Airport in Boston, are never tied to hacks.
But it’s clear hackers are trying.
The Department of Homeland Security last year announced that it was investigating an attack against 1,000 energy companies across Europe and North America. In 2012, 23 gas pipeline companies were hacked by online spies, according to a Homeland Security report. Private investigators later linked the attack to China.
Last year, in a disclosure overshadowed by the news of the attack on Sony, a German federal agency said that in an attack at an unnamed steel mill, hackers had managed to jump from the company’s corporate network to its production systems, causing significant damage to a blast furnace.
And in an extensive attack at Telvent, an information technology and industrial automation company now owned by Schneider Electric, Chinese hackers made off with its product source code and blueprints to facilities operated by its customers, which include 60 percent of the pipeline operators in North America.
For now, dire predictions of destructive online attacks on American targets ignore the fact that the actors with the ability to cause the gravest harm to America's critical infrastructure, China and Russia as well as allies like Israel and Britain, are sufficiently deterred from doing so by fear of retaliation or by longstanding trade and diplomatic relationships. And attacks by those aggressively trying to acquire such a capability, Iran, North Korea and Islamic militant groups, are still several years off.
“Despite all the talk of a cyber-Pearl Harbor, I am not really worried about a state competitor like China doing catastrophic damage to infrastructure,” said Michael V. Hayden, former head of the National Security Agency. “It’s the attack from renegade, lower-tier nation-states that have nothing to lose.”
Just how far off are they? That is the question troubling policy makers at the National Security Council and intelligence and law enforcement agencies. Federal officials have repeatedly warned that Islamic State militants have been exploiting social media for recruitment, and are developing tools to break into their enemies’ systems.
Those capabilities were sufficient to prompt the assassination of Junaid Hussain, the chief of the Islamic State’s cyberarmy, who was killed by an airstrike in Syria in August. But for now, federal officials say, the Islamic State does not have a significant ability to cause damage through online attacks.
“It’s not easy to pull off a spectacular attack,” said James A. Lewis, a security expert at the Center for Strategic and International Studies in Washington. “People are always saying in theory they can do something, but it’s not at the level of a Pearl Harbor or a 9/11.”
Mr. Lewis added: “Could someone acquire the ability to cause a blackout? That’s something to worry about, but the only people who could pull it off don’t have any interest in doing so.”
Most security experts point to the attacks last year at Sony, where hackers leaked internal documents and wiped the data on the company's servers, as an example of the destruction that is possible now, and a harbinger of what may come.
There were warnings the year before the Sony hacking that such an incident was possible. In a carefully planned attack in 2013, North Korean hackers knocked out almost 50,000 computers and servers for several days at South Korean banks and media companies.
Less sophisticated attackers are more likely to continue to pursue social media campaigns and isolated attacks, rather than take down parts of the power grid, said Ralph Langner, an independent security expert who was the first to attribute Stuxnet, a virtual weapon used against Iranian nuclear centrifuges, to the United States and Israel.
But the attacks that have rattled American government officials the most were similar attacks in 2012 at Saudi Aramco, the world’s largest oil company, and RasGas, the Qatari natural gas giant.
At Aramco, the hackers replaced the data on employees’ hard drives with an image of a burning American flag. United States intelligence officials say Aramco’s attackers were hackers in Iran, although they offered no specific evidence to support the claim. Mr. Panetta, then secretary of defense, called the Aramco sabotage “a significant escalation of the cyberthreat.”
Forensics specialists who were called in to analyze the Aramco attack said there was evidence that the attackers probed the network that connects the company's pipelines but were never able to cross from Aramco's corporate network into its production systems. The same was true of a similar attack at RasGas two weeks later: the hackers tried and failed to reach the Qatari gas company's production systems, but successfully took its corporate networks and servers offline.
But the attack on the German steel mill, disclosed last year, suggests that hackers are increasingly finding ways to cross that threshold. Just last week, it was announced that a group of hackers had penetrated the Snohomish County Public Utility District in Washington State. The hackers, members of the Washington State National Guard, had been invited to test the utility's defenses, and the results were frightening: starting from a single email, they were able to break in within 22 minutes.
Joe Weiss, a crusader for industrial control security and founder of Applied Control Solutions, a consulting firm, is not surprised. He manages a database of 750 incidents that affected control systems and said he was most disturbed that most of them were not classified as attacks at all.
“What that tells you is that not only do we not have the mitigation, we don’t even have any type of adequate forensics to know this is happening, and whether it was intentional or unintentional,” he said.
The Department of Homeland Security tweeted late Wednesday evening that the computer problems at airports were due to a “brief outage that lasted 90 minutes” in the United States Customs and Border Protection’s computer processing systems.
But Mr. Weiss said that in most cases forensic investigations were still not adequate to nail down the real source of such incidents. He said the same was true across the electric, water, oil, gas and nuclear industries.
“It’s not like with weapons, where you know where it’s coming from,” Mr. Weiss said. “With cyber- and control systems, you don’t necessarily know.”
“Will there be a cyber-Pearl Harbor? Most likely,” Mr. Weiss added. “Will we know it’s cyber? Most likely not.”