Outsourced IT offers hackers access to key control systems

In the course of a morning, Professor Alan Woodward and colleagues offer a glimpse of a dystopian future, one filled with exploding dams and water reservoirs, electricity plants shutting down and aircraft falling from the sky.

Each, and many other critical elements of modern life, are dependent on IT systems and the internet, leading to a degree of inter-connection that would have been unimaginable to engineers and designers just a decade ago. "The increasing trend is to move control systems onto the internet," says Woodward of the University of Surrey. "Twenty years it was dedicated leased lines. They were difficult to break into: nation states might have been able, but hackers, no."

Vulnerabilities
Today, however, the vulnerabilities are everywhere: a disgruntled water company employee in Queensland, Australia hacked into his firm's IT, sending sewage exploding up pipes in homes and offices.

In the US, security experts tore a test water plant apart by sending contradictory, destructive messages, while, in the real world, a panic began when sluice-gates in a water-plant there were closed because of messages that originated in Russia.

“It turned out to be a legitimate work by an engineer who happened to be in Russia at the time dialling back in to fix a fault,” says Hugh Boyes, who heads work on cyber-security at the Institution of Engineering and Technology in London.

Too much IT, he argues, is being outsourced “to all sorts of interesting parts of the world where quality control can be quite questionable” and ends up in critically important infrastructure: “It appears to work when it is delivered.”

The North Koreans have been blamed for interrupting websites run in South Korea by banks, newspapers and TV companies in "a show and tell" warning about what they are capable of during a conflict, warns Sally Leivesley of Newrisk. The South Koreans have taken the warning seriously, upgrading security at their nuclear plants – including disabling every USB port in every computer at the plants lest they be used to breach defences.

States initially used internet hacking for espionage, or intellectual property thefts, but warns Prof Woodward, they are using it for "aggressive" attacks: "This is the cool war, as some people have put it, not the cold war. Why invest in bombs and bullets when, potentially, in a shooting match you can turn out the lights, turn off the water. Some countries are really punching above their weight. They don't need a huge nuclear weapons programme."

Commonplace attacks
Denial of service attacks have become commonplace, while rumours have abounded in the UK that one significant firm was put out of business after plans for a new product were stolen in a cyber-attack.

“Many are being stopped. They [IT security] are kept busy day in, day out. Theft of IP, that is kept very quiet, but we know that there have been very successful attacks. But companies don’t want to admit that it has been stolen,” said Boyes.

International rules are lacking, even though a lot is being done on a case-by-case basis, says Prof Kenny Paterson of Royal Holloway,  the University of London.

In the UK, a denial of service attack can bring a 10-year prison sentence while if you go to California “you can argue that it is an electronic sit-in and, therefore, one of your rights”, says Prof Woodward.

“Some of the US courts are listening to the argument that a denial of service attack is the same as putting 100 people sitting at the door outside a bank staging a sit-in,” he says.For some, the warnings will be taken as an echo of the Millennium Bug, which threatened to bring every IT system to its knees on New Year’s Eve, 1999 because software designers had never thought of life after 1999 – a threat that did not materialise.

However, Woodward argues: “It wasn’t an issue is because an absolute fortune was spent on it. If we hadn’t done thaten there wouldn’t have been a problem. It was a success; therefore people think it was a hoax.”