Abstract: As computer technology has permeated much of today's society, the interconnectedness of the world can be viewed as both an economic advantage and a security weakness. The networked world has nourished an environment in which cyber warfare can flourish. Cyber warfare has become a desired mode of fighting when attacking a highly industrialized and wired nation. Nations throughout the world are developing and executing cyber warfare strategies to disrupt their enemy's communications, logistics, transportation and military infrastructures. One of the most powerful attacks that can be rendered on a nation's ability to make war is a cyber attack on the computerized systems that control its critical infrastructure. Critical infrastructure includes a nation's communications, public works, financial and utility institutions. In the United States, the utility infrastructure control systems were designed as non-networked, standalone entities to prevent unauthorized infiltration. With the privatization of utility services, these systems are now being integrated with corporate communication infrastructures in an effort to achieve cost savings and are now vulnerable to attack. The systems, with their dedicated software and hardware, are unable to be patched to address security concerns. Additionally, when utility services upgrade their control systems, budgetary constraints force them to select commercially available software packages that are available throughout the world. These programs can also be purchased by the enemies of the state and then manipulated to gain knowledge of the system that can result in unfettered access to the nation's critical infrastructure control systems. Although public and private organizations throughout the nation have taken the initiative and made small strides in security, more must be done.
The government of the United States must develop and enforce standards on infrastructure control systems to safeguard the nation's lifeblood, its critical infrastructure. This paper provides a non-technical overview of the United States' critical utility infrastructure control systems. The overview includes the proliferation of their use, their history, security threats and incidents. Also highlighted are some of the initiatives that both public and private organizations have taken to address this issue. Finally, recommendations to increase security are made.
Keywords: Cyber warfare, infrastructure control systems
1. Introduction
Cyber warfare is becoming a powerful option for sovereign nations to exert their will on their opponents. Cyber warfare is the use of computers and their connection to the World Wide Web to attack adversaries' systems and critical infrastructure that are connected. One of the most powerful cyber attacks is an attack on critical infrastructure. Critical infrastructure is defined as systems and assets, both physical and virtual, which are so vital to the nation that their disruption or destruction will degrade the security, economy and public health and safety. Those systems include the energy, telecommunication, banking, water, and wastewater systems. Over the years, there have been many studies by the government and scholars to assess the nation's critical infrastructure vulnerability. Of particular issue is the lack of security attached to the infrastructure control systems that monitor and control processes in the aforementioned infrastructure systems. Infrastructure control systems are employed by infrastructure managers to conduct reliable and efficient operations. As infrastructure systems, originally designed as standalone entities, are integrated into business systems, they have become more exposed to cyber threats. The studies involving this subject have sounded the alarm on the vulnerability of critical infrastructure, but the owners of those assets have been slow to react. Recent events including the intrusion of the nation's electrical grid and denial of service attacks in Georgia and North Korea have demonstrated the susceptibility of industrialized nations to cyber attacks. In this paper, we highlight the use of infrastructure control systems in physical assets, identify vulnerabilities and offer some recommendations on actions that the infrastructure owners should take to reduce the nation's vulnerability.
2. Infrastructure control systems
Infrastructure control systems are used by infrastructure and industry managers to control and monitor sensitive processes and physical functions. These computer-based systems collect and process operational data and sensor measurements from system components in the field, display the information and transmit control commands to system components both local and remote (GAO, 2007). Infrastructure control systems are used extensively in infrastructure systems such as electric power, water, petroleum and natural gas, as well as in manufacturing processes. These systems enable quicker and more coordinated system management when compared to human operation and in most cases, there is no alternative to the use of such a system (Stamp, Dillinger, Young, & DePoy, 2003). These systems control a vast array of processes from managing the complex activities of a nuclear power plant to simply monitoring the environmental conditions in a single building. Infrastructure control systems manage the generation, transmission, and distribution of power for electric companies. They can be used to open and close circuit breakers and to automatically shut the system down when thresholds are surpassed. In the oil and gas industry, systems control refining operations and pipeline flow and pressure. Water utility companies use the systems to monitor wells, control pumps, and manage storage tank information, such as water turbidity, chlorine level and pH level. These systems are also prevalent in chemical processing and manufacturing processes, safely controlling chemical production operations and quickly adjusting manufacturing output requirements (GAO, 2007).
There are two primary types of infrastructure control systems, supervisory control and data acquisition systems (SCADAS) and distributed control systems (DCS) (GAO, 2007; Smith, 2006). SCADASs are usually employed in large, complex, and geographically separated operations (GAO, 2007; Shea, 2003). They are basically software toolkits used to develop infrastructure control systems. Used primarily to monitor and control processes over vast distances, SCADASs process little data internally. These systems provide data to central control systems that must be processed and transmit commands to system components (Shea, 2003). DCSs are typically used in single manufacturing and production operations in which software and hardware components are provided by a single vendor. They usually perform a high level of internal data processing when compared to SCADA systems. DCSs normally supply processed information to a control center and distribute commands from the control center (Shea, 2003). The distinction between systems has faded in the past few years as SCADASs and DCSs have been linked, providing infrastructure control systems with the advantages of both (Hildick-Smith, 2005).
Infrastructure control systems were originally developed and designed in the 1970s as standalone, semi-isolated, non-networked packages that used proprietary software and hardware components to conduct specific functions (Hildick-Smith, 2005; Smith, 2006). The original systems were designed with only enough processing capability to perform their intended functions and communication protocols were designed to transmit command and control information to system components in deterministic time. The isolated nature of these systems provided their security. These systems were developed before the proliferation of the internet and lack security features common today such as encryption, firewalls, or antivirus software. As communication systems improved, organizational management increased the requests for real-time operational status information. These requests drove the necessity to connect the infrastructure control systems and to link them to corporate networks containing common operating systems such as Windows and Linux. Most infrastructure control systems that were designed to be isolated are now connected to the world.
3. Threats
There is a rising unease throughout the country about the safety and security of infrastructure control systems in terms of awareness, lack of protection, and vulnerabilities (Hentea, 2008). The systems were originally viewed as secure systems, controlled by unique software packages, which protected remotely located system components from misuse (Shea, 2003). Their connection to the internet, inability to be secured using available technology and the proliferation of commercial off the shelf systems provide the three biggest threats to infrastructure control systems.
3.1 Networked systems
Due to utility deregulation and the money making mentality of utility corporations, real-time information on infrastructure operations is very important for marketing purposes. Infrastructure control systems have been networked on a large scale to increase synergy and efficiency (Shea, 2003). Systems have been interconnected to each other and connected to the internet. The problem with this action is that some of the systems, the legacy systems, were designed to be isolated. The other, more modern systems have become exposed to the same cyber threats as anyone connected to the internet. Legacy systems containing unique software are often integrated in an ad hoc manner. The imperfect fit between different software applications generates more vulnerabilities in the code than would be found in a single application (Shea, 2003). More modern systems are exposed to the traditional threats experienced by other information technology systems and many are not protected with proper safeguards. New systems are utilizing web applications such as Active X and Java which lack security. Web worms are also a threat to these new systems as they exploit vulnerabilities in web applications (Hentea, 2008). In addition, information technology professionals are not clear on what they need to protect. Many systems are sensitive to normal vulnerability and discovery scans conducted on modern networks (Smith, 2006).
3.2 Inability to secure systems
Many infrastructure control systems have difficulty supporting security features such as antivirus, encryption, intrusion detection systems, and firewalls. Some systems were not designed to require the use of passwords and those that were usually only require simple passwords (Smith, 2006). The passwords were designed to be simple as a safety feature, allowing the password to be easily guessed in a crisis situation. Some systems also allow multiple users to share passwords (Stamp, Dillinger, Young, & DePoy, 2003). The installation of intrusion detection software, firewalls and antivirus software is not common on most systems in which most processing capabilities are dedicated to information transfer (Hildick-Smith, 2005). The antivirus software and patch management activities that are necessary for network security are often not possible on legacy systems and require careful evaluation when executed on modern systems. The modern systems are intended to run continuously and any downtime to update security measures or changes caused by those updates could negatively impact the infrastructure operations (Smith, 2006).
3.3 Common off the shelf systems
The increased use of standardized technology is one of the reasons federal and industry experts most commonly cite as a threat to critical infrastructure (GAO, 2007). Infrastructure control systems are shifting from proprietary platforms to modern computers running Windows or Linux operating systems. These platforms are desired by vendors for ease of development (Stamp, Dillinger, Young, & DePoy, 2003). Commercial off the shelf systems have been designed for functionality and operational speed, rather than security. The addition of security measures on the systems can reduce the performance of the software below acceptable levels. Additionally, some developers use open source software (Shea, 2003). The knowledge of infrastructure control systems vulnerabilities is not a secret, designs for common systems are readily available, and commercial off the shelf systems are available overseas and can be probed for vulnerabilities by adversaries (Smith, 2006).
4. Protection measures
There are several measures implemented by all interested parties to address the nation's vulnerability. Contributors include system vendors, consultants, academia, system owners, independent organizations and government entities. Vendors are developing better systems with an emphasis on security. Consultants publish papers, make presentations, conduct funded research, and provide expert services to customers to educate and alert system owners to the threats. Academic institutions publish papers and educate students who will become the experts in the field. System owners have participated in vulnerability assessments and provided critical information to other contributing partners. Independent organizations provide conduits to share information throughout the industry and to standardize security requirements. Government entities around the world have provided funding for research, established critical infrastructure protection centers, regulated industry and coordinated the control of infrastructure security (Hildick-Smith, 2005).
5. Infrastructure and warfare
The nation's physical infrastructure is critical to its peaceful existence. The protection of critical infrastructure has been a focus throughout the history of the nation. During the Cold War, contingency plans to deal with threats to infrastructure were developed and included provisions for electricity, oil and gas, and telecommunications. Throughout the past three decades, the infrastructure involved in the nation's economy has morphed. The nation relies on its high technology economy and service sector, which heavily relies on computers, electronic data storage and transfers, and highly integrated communications networks to conduct business (Cordesman & Cordesman, 2001). As a result of the interconnectedness of the nation's infrastructure, it has become a target of adversarial factions. Terrorists attacked the financial center of the nation in 2001 to shut the nation down. It worked in the short term. The nation's power emanates from its economy, and thus its ability to conduct war.
The nation also possesses one of the highest standards of living in the world. With that high standard, comes the associated technology and infrastructure needed to sustain the society. The infrastructure is highly reliant on information systems to decrease the burden on individual workers. Infrastructure and technology have become integrated in most aspects of day to day living. The nation is heavily reliant on its telecommunications networks, electrical grid, roads, water systems and fuel systems. Any attack on these critical facilities will degrade the nation's way of life.
6. Impact of potential attacks
The potential for a devastating attack on the nation's infrastructure exists in part because of an ill-prepared private sector and lack of government regulation in the use of infrastructure control systems. Because most of the utility, oil and wastewater companies are owned privately, cost effective business practices have degraded the state of security for critical infrastructure (Tesnow, 2008). The impact of an attack on infrastructure control systems can vary widely. On the low end of the probability scale lies the catastrophic infrastructure failure. In this scenario, the failure of one part of the infrastructure leads to the collapse of other parts, resulting in widespread denial of vital services. An example would be of an attack on an electric grid in which distribution was interrupted. A widespread blackout could cause the failure of other systems such as oil refineries, water and wastewater systems, resulting from the incapacitation of the electrical equipment in the facilities. Another potential attack is the cascading attack, where an adversary is able to use the infrastructure control systems to cause catastrophic failure. Cascading attacks cause widespread utility outages. One of the most threatening attacks is an attack on a system combined with a physical kinetic attack. An example would be the bombing of a heavily occupied facility, combined with the disruption of electrical service to the area. Emergency response would be degraded until back up utilities are supplied, exacerbating the casualties caused by the bombing. On the high end of the probability scale is the infrastructure control system attack that causes little damage or denies service for a short period of time (Shea, 2003). The spectrum of consequences resulting from an attack on the critical infrastructure control systems is vast.
7. Examples of attacks
Examples of actual attacks and their impact can help decision makers grasp the consequences of not securing the nation's infrastructure. The GAO (2007) compiled a list of recent attacks that make their point. There is currently no comprehensive source for reporting cyber attacks, but this report covers the vast array of attacks on different infrastructures.
Worcester air traffic communications. In March 1997, a teenager in Worcester, Massachusetts, disabled part of the telephone network using a dial-up modem connected to the system. This disabled phone service to the airport control tower, airport security, the airport fire department, the weather service, and the carriers that use the airport. Also, the tower's main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress. The attack also disrupted phone service to 600 homes in a nearby town.
Maroochy Shire sewage spill. In the spring of 2000, a former employee of an Australian organization that develops manufacturing software applied for a job with the local government, but was rejected. Over a 2-month period, this individual reportedly used a radio transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment system. He altered electronic data for particular sewerage pumping stations and caused malfunctions in their operations, ultimately releasing about 264,000 gallons of raw sewage into nearby rivers and parks.
Los Angeles traffic lights. According to several published reports, in August 2006, two Los Angeles city employees hacked into computers controlling the city's traffic lights and disrupted signal lights at four intersections, causing substantial backups and delays. The attacks were launched prior to an anticipated labor protest by the employees.
CSX train signaling system. In August 2003, the Sobig computer virus was blamed for shutting down train signaling systems throughout the East Coast of the United States. The virus infected the computer system at CSX Corporation's Jacksonville, Florida, headquarters, shutting down signaling, dispatching, and other systems. According to an Amtrak spokesman, 10 Amtrak trains were affected. Train service was either shut down or delayed up to 6 hours.
Davis-Besse power plant. The Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. In addition, the plant's process computer failed, and it took about 6 hours for it to become available again.
Northeast power blackout. In August 2003, failure of the alarm processor in the control system of FirstEnergy, an Ohio-based electric utility, prevented control room operators from having adequate situational awareness of critical operational changes to the electrical grid. This problem was compounded when the state estimating program at the Midwest Independent System Operator failed due to incomplete information on the electric grid. When several key transmission lines in northern Ohio tripped due to contact with trees, they initiated a cascading failure of 508 generating units at 265 power plants across eight states and a Canadian province.
Zotob worm. In August 2005, a round of Internet worm infections knocked 13 of DaimlerChrysler's U.S. automobile manufacturing plants offline for almost an hour, leaving workers idle as infected Microsoft Windows systems were patched. Zotob and its variations also caused computer outages at heavy-equipment maker Caterpillar Inc., aircraft maker Boeing, and several large U.S. news organizations.
Taum Sauk Water Storage Dam failure. In December 2005, the Taum Sauk Water Storage Dam, approximately 100 miles south of St. Louis, Missouri, suffered a catastrophic failure, releasing a billion gallons of water. According to the dam's operator, the incident may have occurred because the gauges at the dam read differently than the gauges at the dam's remote monitoring station.
Bellingham, Washington, gasoline pipeline failure. In June 1999, 237,000 gallons of gasoline leaked from a 16-inch pipeline and ignited an hour and a half later, causing three deaths, eight injuries, and extensive property damage. The pipeline failure was exacerbated by poorly performing control systems that limited the ability of the pipeline controllers to see and react to the situation.
Harrisburg, Pennsylvania, water system. In October 2006, a foreign hacker penetrated security at a water filtering plant. The intruder planted malicious software that was capable of affecting the plant's water treatment operations. The infection occurred through the Internet and did not seem to be an attack that directly targeted the control system.
Browns Ferry power plant. In August 2006, two circulation pumps at Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed, forcing the unit to be shut down manually. The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device.
The threats to the nation's critical infrastructure have increased as the capabilities of infrastructure control systems increase and the systems are linked to networks and the internet.
8. Security improvements
Byres and Lowe (2004) reported that cyber attacks on industrial control systems are on the rise. From 1980 up until 2000, only 31% of adverse incidents originated from external sources. Most of the incidents were caused by disgruntled employees, inappropriate employee activity, and accidents. From 2000 until 2003, nearly 70% of incidents originated externally. The victims reported that these attacks caused a 41% loss of production and a 29% loss of control. These attacks have provided case studies that have allowed researchers to develop security improvements.
Security experts have begun to develop security measures to counter the cyber threats. Because of the variation in infiltration paths that attackers pursue, a defense in depth strategy is suggested. This method calls for multiple layers of protection, from the network's internet connection, down to the control device itself. This method seeks to close as many points of entry as possible. Another technique that is being developed is a low-latency cryptographic protection measure, specifically for SCADA communications (Wright, Kinast, & McCarty, 2005). This measure uses cryptographic protocols to retrofit SCADA communications links. The links are protected through the leveraging of Cyclic Redundancy Checks. The NERC has recently developed cyber security standards to address the vulnerabilities of the electrical grid. Companies are allowed to assess their vulnerabilities, evaluate the risk and select the best and latest cyber defense mechanisms, such as firewalls, authentication, intrusion detection systems and peer-to-peer overlay routing (Davis, Tate, Okhravi, Grier, & Nicol, 2006). Okhravi and Nicol (2009) suggest that the existing architectural standards and security measures are based on older architectures and do not leverage the latest technological advances. They suggest that new software and hardware technologies should be used to design highly reliable security architectures for infrastructure control systems. The implementation of new technology has the potential to reduce the magnitude of the cyber threat to the nation's critical infrastructure. As cyber attacks highlight the vulnerabilities of the nation's critical infrastructure and Congress provides funding for research in this area, the technologies developed to combat cyber attacks will continue to improve.
9. Conclusions and recommendations
In this paper we have highlighted the susceptibility to and the implications of a cyber attack on the nation's critical infrastructure control systems. The existing legacy systems are simplistic and the modern systems are complex, yet they are both prone to exploitation. Existing measures are insufficient and pose a potentially devastating point of attack for an adversary. Based on our findings, it is clear that major players in infrastructure management are not concerned with security, but rather economic gain. We propose the following actions be taken:
Red Teams should be hired to penetrate the infrastructure control systems. These teams should penetrate as deep as possible into the system to determine the nature of the threat that these intrusions pose. The teams should determine if they can alter or disrupt operations. These exercises can go a long way to classifying the threat level posed by system penetrations.
Before the Smart Grid is launched in the nation, proactive security features must be designed into the system.
Systems should be treated as threats to national security and classified appropriately. The knowledge of these systems is critical to the continued prosperity of the nation. Such systems should not be available on either the domestic or international markets.
Existing systems should be removed from the network and operated as standalone systems until a proven procedure is developed to incorporate the system into a business's network. The government should fund research to develop these systems.
Extreme security features must be included on any system that is used to control the nation's critical infrastructure. Security must become a priority for both vendors and owners and all new technologies used to manage operations must ensure safety.
Disclaimer: The views expressed in this article are those of the authors and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government.
References
Cordesman, A., & Cordesman. (2001). Cyber-threats, Information Warfare, and Critical Infrastructure Protection: Defending the U.S. Homeland. Westport, Connecticut: Greenwood Publishing Group, Incorporated.
GAO. (2007). Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain. Washington D.C.: Library of Congress.
Hentea, M. (2008). Improving Security for SCADA Control Systems. Interdisciplinary Journal of Information, Knowledge, and Management, 73-86.
Hildick-Smith, A. (2005). Security for Critical Infrastructure SCADA Systems. Bethesda: SANS Institute.
Shea, D. (2003). Critical Infrastructure: Control Systems and the Terrorist Threat. Washington D.C.: The Library of Congress.
Smith, S. (2006). The SCADA Security Challenge: The Race Is On.
Stamp, J., Dillinger, J., Young, W., & DePoy, J. (2003). Common Vulnerabilities in Critical Control Infrastructure Systems. Albuquerque: Sandia Corporation.
Tesnow, R. (2008). Running Scared of SCADA: An Analysis of the Vulnerabilities of America's Infrastructure to a Cyber Attack. Osprey Journal.
Marchello Graddy and Dennis Strouble
Air Force Institute of Technology, Wright-Patterson Air Force Base, USA
Dennis Strouble is an assistant professor at the Air Force Institute of Technology at Wright-Patterson AFB where he teaches Systems Engineering Management, Law, and Information Technology. He has a BS degree from Pennsylvania State University, a Masters from the University of Southern California, and a PhD and JD from Texas Tech University. He has taught at several institutions, practiced law, cofounded a high tech company and served on active duty with the U.S. Army.
Copyright Academic Conferences International Limited Apr 2010