We often forget about the human factor in our critical infrastructure assessments. Our infrastructure and the technology that drives it are only as good as the human managers. Even with critical infrastructure components that we may view as mundane (dams providing electrical power might be one good example), there are critical human management requirements. Are these at risk of exploitation? If so, how and why?

To me the greatest risk to critical infrastructure is the human factor.  Time and time again this problem is exposed and not just from a standpoint of error but also from the risk of manipulation and exploitation.  One of the greatest examples of this issue occurred years ago in the energy sector with Enron.  Enron used and manipulated the supply of power to California to raise the value of investments in energy.  Enron was:

responsible for the critical shortage of electricity which triggered rolling blackouts and massive price increases during 2001… “It’s Enron’s own attorneys admitting that Enron is manipulating the California market.” (BBC, 2002)

This situation cost Californians billions of dollars and created high risk situations for hospitals and many other critical systems.  The reason it occurred was due to Enron executives attempting to cover massive amounts of debt within the company.  From this example, we can see that security practices need to be in place that provide oversight to systems where money or other factors can be used to manipulate the people in charge of critical systems.

References

BBC. (2002). Enron ‘manipulated energy crisis’

 

Participation

These systems are relatively safe from cyber attacks at the moment because they do not operate on the internet. However, there is still a great deal of risk with these systems because if someone knows the type of hardware that is being used in power grids, they can modify malware to penetrate the system once it has been delivered via email or flash drive. The larger threat stems from the development of new types of viruses and malware which do not target the operating systems but rather the components such as controllers. In 2010, a malware called Stuxnet would be used as a form of weaponized malware. It was used to target and destroy a uranium enrichment plant in Iran. Five months later the weapon would appear again in an Iranian security firm in Belarus. Unlike malware which is designed to infiltrate and steal or manipulate, Stuxnet targeted specific components in computers to make the equipment malfunction and destroy itself. The malware was successful in destroying over 900 machines and reducing the capability of the uranium enrichment facility to 50% of its normal capacity. In order to deliver this malware, the malicious code had to be loaded onto the specific companies which program and build the targeted controllers. This was done by infiltrating the company networks and USB devices. The difference between Stuxnet and other malware is that it attacked components rather than the system, which conceivably can be used on any critical infrastructure if the attacker knows what components to target (Langner, 2011).

References

Langner, R. (2011). Stuxnet: Dissecting a Cyberwarfare Weapon. IEEE Computer and Reliability Societies.

Participation

I agree, there are many more supporting systems that make for effective targets to disrupt critical infrastructure. One of the more critical is fuel supply. We can see this issue in oil. When oil delivery is disrupted by problems such as natural disasters, this can have severe impacts on efficiency of transportation. This problem extends to the countries that supply oil to the US and makes their stability our issue. For these reasons, I think it is a bad idea for any critical infrastructure to be dependent on trade resources.

Participation

What are three potential motives terrorists or other malicious actors have for exploiting humans and property assets? What are some security measures in place to protect these assets?

The most important motives would seem to be exploiting assets for the purpose of causing direct damage, creating disruptions in order to camouflage activities, or obtaining information that can be used for future operations. Most commonly, I would believe that terrorists use human and property assets to prepare for attacks. For instance, terrorists may get jobs at companies that deal with the military in order to obtain information or necessary access to assets for the purpose of carrying out a terrorist attack.