Cyber(in)security: An Environmental Calamity Lying in Wait?

Summary: Cyberattacks pose obvious threats to infrastructure and financial institutions, but they also create major environmental threats. Any dam, chemical plant, or nuclear power plant that uses computers is a savvy hacker away from being an environmental disaster.

__________________________________________

By Mark Latham

Cyberattacks occur today with alarming frequency. They can happen anywhere a computer performs some function, which today means any and everywhere. The recent revelation that the control system for a small dam outside New York City had been hacked by a group possibly associated with the Iranian Revolutionary Guard is chilling evidence that nothing which is even remotely computer-dependent is immune from a cyberattack. Fortunately, the dam was offline for maintenance and the hack discovered before any harm occurred. Cyberattacks, too, have implications for the so-called critical infrastructure that we rely upon for our energy, industrial operations and environmental protection.

 

The exact purpose of the dam cyberattack is not clear. It could have been, though, a penetration test to see if a small component of our infrastructure could be breached as a precursor to larger, more sophisticated attack. Instead of a small dam, next time a hack could occur within a portion of our critical infrastructure, such as the electric grid.

 

What havoc might a cyberattack wreak if it shutdown power for a few weeks or months in the major population centers of the East coast? If a cyberattack targeting a portion of the U.S. electrical grid were successful in the summer then scores could die from the heat, similar to what occurred in Chicago during a brief but particularly brutish hot spell in 1995. That blast of intense Midwest heat directly caused hundreds of deaths. A grid shutdown coinciding with the depths of the winter cold would be equally lethal. Not only would the human toll likely be substantial if a determined cyber-foe successfully attacked the grid but the adverse financial consequences would be painful as well. And this type of malicious hack has occurred. Late last year a cyberattack occurred that left tens of thousands of Ukrainians in the dark.

 

Might a nuclear plant be subject to a successful cyber siege? Perhaps that sounds like a far-fetched, bad disaster movie plot, but perhaps not. According to the London-based policy institute Chatham House in its 2015 report, Cyber Security at Civil Nuclear Facilities, investigators alarmingly found that “the nuclear industry is beginning – but struggling – to come to grips with this new, insidious threat.” They also found that the risk of a damaging cyberattack at a nuclear plant is also heightened because off-the-shelf, commercial software programs are frequently used at these facilities and the vulnerabilities that are inherently a part of those programs could be exploited with the potential for truly horrific consequences. At the recently completed Nuclear Summit convened in Washington, D.C. by President Obama, cybersecurity experts recognized that, while the risk may be low, the age of U.S. reactors, virtually all of which were constructed before the digital revolution, also increased their vulnerability to cyberattacks.

 

Moreover, we must not forget that a nuclear facility has already been subjected to a remarkably successful cyberattack. In the first reported use of a true cyber weapon, the home of Iran’s illicit nascent nuclear program was stricken by a never seen before highly sophisticated piece of malware named Stuxnet. Likely the handy work of United States and Israeli computer scientists, Stuxnet was unleashed as a counterattack targeting the Iranian nuclear enrichment program. Despite the fact that the facility was intentionally kept free from the web as a defensive measure, this remarkable bit of cyber-prestidigitation halted Iran’s nuclear ambitions for years.

 

Because so many industrial processes heavily rely upon SCADAs—supervisory control and data acquisition devices, which are essentially mini-computers that run a wide variety of industrial operations ranging from the mundane to the critical—virtually any industrial facility is at risk of a cyberattack. In fact, at Iran’s Nantanz nuclear facility, Stuxnet specifically targeted SCADAs manufactured by the German industrial giant Siemens that controlled the hundreds of centrifuges located deep within the facility essential to produce weapons-grade nuclear material.

 

Other cyberattacks offer further compelling evidence that the critical components of our infrastructure, including sewage treatment plants, air pollution control systems, pipelines, refineries, and chemical plants, among others, are at risk. If, for instance, a sewage treatment plant’s cyber defenses were successfully breached, treatment operations could be brought to a halt resulting in the discharge of untreated sewage into the receiving stream with resulting harm to aquatic life and potential adverse consequences for the public health. Technically, this type of attack is certainly possible. Iran, for instance, reportedly retaliated in response to Stuxnet by hacking into a number of American banks. A more alarming and relevant example is that Iran also reportedly responded by accessing one of Saudi Arabia’s massive Aramco oil facilities compromising data and destroying thousands of computers. As 2014 came to a close, the German Federal Office for Information Security announced that an unidentified steel mill in that country had been hacked. As a result of this cyberattack, plant personnel couldn’t shutdown a blast furnace, which resulted in major damage to the plant.

 

Numerous financial institutions have been victims of hacks, of course, given that is where the money is to paraphrase Willie Sutton. But so far the adverse effects of those cyber attacks have not had far-reaching consequences. That may not be the case if cyber-thugs successfully gain access to the computers essential for the operation of our energy and environmental protection critical infrastructure.

LathamProfessor Mark Latham, deputy vice dean for academic affairs, joined the Vermont Law School faculty in 2005. He specializes in a range of environmental issues that arise in corporate and commercial real estate transactions and brownfields redevelopment. His research focus includes the intersection of business and environmental law, and also issues under the federal Clean Water Act.