In the late 1990’s six members of the IRA were jailed for plotting to bomb six national grid electricity sub-stations. Had the attacks been successful, London would have suffered widespread loss of electricity for several months, and the damage to the UK economy would have been inestimable.
Historically, critical infrastructure has had a very physical feel – it could be seen. And physical security was usually the remedy to security threats. But now the protection of critical infrastructure has moved from defending “things” to defending “processes”. And many of the most potent threats have migrated to domains outside the traditional security management arena.
The US Government Accountability Office concludes: Critical infrastructure control systems face increasing risks due to cyber threats, system vulnerabilities, and the serious potential impact of attacks as demonstrated by reported incidents. Threats can be intentional or unintentional, targeted or non-targeted, and can come from a variety of sources including foreign governments, criminal groups, terrorists, and disgruntled organization insiders. Control systems are more vulnerable to cyber attacks than in the past for several reasons, including their increased connectivity to other systems and the Internet.
Critical infrastructure owners face both technical and organizational challenges to securing control systems, and significant security vulnerability exposures exist largely due to lack of user awareness of how easy it is for those with malicious intent to break into and take control of such systems.
Click here for a copy of a recent US Government report on the subject.