By Kevin G. Coleman
The frequency and sophistication of terrorist attacks increase with each passing year. So does the likelihood of another terrorist attack on the United States. Some believe we are living on borrowed time with each day that passes without terrorists attempting another attack. Recently, multiple intelligence experts have warned of a new phenomenon--the blended or combination terror attack. This type of attack is comprised of traditional methods used by terrorists--commonly thought of as bombs and bullets--with cyberattacks. The objective is to enhance the impact and losses that result from the physical forms of terror.
How real is the threat? In October 2012, U.S. Secretary of Defense Leon Panetta bluntly disclosed that there has been a sudden escalation of cyberterrorism and that cyber attackers have managed to gain access to control systems for critical infrastructure. He went on to say that our intelligence organizations have recently became aware of activities that have increased their concerns that a cyberterrorism attack might be combined with other physical forms of attack and result in an incident that would be on par with what we experienced due to the 9/11 attacks.
Recently, security expert Amos Guiora, a former officer of the Israeli defense forces, was quoted as giving the following advice: "Don't treat cyberterrorism lightly, because though it doesn't leave a crater as a physical attack might, its consequences can be more devastating." That is sound advice for all those in fire, EMS, and emergency management.
General warnings like the ones above are one thing, but actual evidence of our risk is quite another. In November 2011, a hacker who identified himself as "pr0f" posted computer screen snapshots of the supervisory control and data acquisition (SCADA) system control screens he took online that managed the water infrastructure in South Houston, Texas. He did this to draw attention to what he believed were efforts to minimize such risks by government authorities. With that level of access, the hacker could have caused a fair amount of disruption or destruction.
A common question asked by all those in emergency services is what a hybrid physical/cyberattack might look like. That is difficult to say given the numerous vulnerabilities that exist today. First of all, it is extremely difficult to replicate actual threat scenarios for training purposes for a number of reasons. The best advice I ever received about doing so was to talk to all those that would be involved in an actual incident and get their input, then script the scenario and include a timeline of events. Below is a very high-level view of one scenario.
Blended Terrorist Attack Scenario
Just prior to a terrorist bombing of a building and the resulting fires (the physical attack), a distributed-denial-of-service (DDoS) cyber attack would be launched using Internet phones/voice over Internet protocol (VoIP) phones to generate malicious 9-1-1 phone calls that overload the system so that legitimate reports of the actual terrorist bombing would be delayed or not get through. Every second counts in an emergency and such a delay could cost lives. If that aspect is not bad enough, the terrorists attacked the control systems of the municipal water supply, reducing water volume. That would require a tanker water shuttle to replace or augment the limited water supply that is available. This would significantly add to the complexity of the emergency response for firefighting efforts. The delay in aggressive firefighting operations (offensive or defensive) would undoubtedly increase the loss of property and potentially even the loss of life.
I have to share with you a tidbit that took place in a scenario I was involved with. A city fire department was forced to use dump tanks and a tanker water shuttle in an exercise. A senior fire department officer said, "I have never actually seen water sucked up through those black tubes (hard sections)." During his career he had always had fire hydrants available and did not need to draft water. When was the last time you practiced water shuttles and drafting?
So how big of a threat is this? That depends on who you ask. In one report, Kevin Helmsley, a leader in the emergency response effort in the Control Systems Security Program (CSSP) at Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which operates under the U.S. Department of Homeland Security (DHS), said the number of incident tickets related to reported incidents at water and power-generating utilities is going up. Last year, this increased by more than 40 percent in the water sector utilities area alone! Remember, we have to get cyber-defense right 100 percent of the time to be safe, whereas terrorists only have to get it right once to be successful. This is just one of the many scenarios I have used in training programs.
We can't afford to miss the opportunity to be proactive rather than reactive. Here are a few ideas on how to get prepared.
- Take a class or attend a briefing on this threat.
- Research the topic and look at your specific vulnerabilities.
- Talk with your Information Technology (IT) department about the current level of cyber-security and the current threats.
- Integrate a cyberterrorism attack on one of your areas of vulnerability into a training exercise.
Most city, state, or county offices of emergency services conduct an annual disaster exercise. Work with the exercise planners and integrate a cyberattack on the 911 system, radio/mobile data terminal system, water supply or water treatment system, or other related scenario into the basic terrorist attack exercise. Make it as realistic as possible, learn from the experience, and plan for what many say is becoming a likely event. Too often we are reactive in our approach to new threats. Let's take a proactive approach and integrate a blended terrorist attack into our training now--before it happens.
Kevin G. Coleman is a seasoned security professional and instructor with a comprehensive background in emergency response. He was chief of an ISO class 4 volunteer fire department and is a former International Society of Fire Service Instructors George D. Post - Fire Instructor of the Year. He has 18 years of success in the development and implementation of cutting-edge security and training strategies and continues to work with innovative leaders in business, government, and the military on strategic issues of critical importance such as cyberattacks.