Author Topic: Critical Condition: Utility Infrastructure  (Read 2840 times)
don
« on: February 09, 2010, 10:26:56 AM »

The quote below is only one portion of an extensive report by Angela Moscaritolo of SC Magazine:

Quote

When the FBI's Steven Chabinsky spoke recently to Congress, he shared a harrowing message, reports Angela Moscaritolo.

Individuals with ties to al Qaeda are interested in attacking United States critical infrastructure systems, Steven Chabinsky, the deputy assistant director of the FBI's Cyber Division, told the Senate Judiciary Committee in Nov. 2009. Terrorists have recognized vulnerabilities in the computer systems that control critical U.S. infrastructure systems, which could be leveraged to launch a devastating attack against our country, he said.

The FBI knows about and is investigating these individuals, he added, and has found that, currently, terrorist organizations do not have the high level of cyber-sophistication needed to launch such an attack. However, they are interested in developing their hacking skills.

“Should terrorists obtain such capabilities, they will be matched with deadly intent,” Chabinsky warned.

But, while terrorist organizations may lack the capabilities to launch a cyberattack against the nation's critical infrastructure now, there are others who don't. An increasing number of individuals, some working on behalf of foreign countries, have the resources to, in a worst-case scenario, manipulate the process control systems that regulate U.S. critical infrastructure systems, causing widespread outages and catastrophic effects.

A primary risk the nation faces is that many of the Supervisory Control and Data Acquisition (SCADA) systems – used to manage electric power generation plants, water systems, oil and gas pipelines, and other systems – are becoming interconnected with enterprise networks, making them accessible from the internet, says Alan Paller, director of research at computer security training organization SANS Institute.

“The vulnerability is that there is a bridge between the business systems and the systems that control the power, distribution and production,” Paller says.

Moreover, these process control systems were not engineered to operate as part of a corporate network, experts say. They are often 10 to 20 years old and are not regularly patched like typical computer systems, says Robert Brammer, vice president for advanced technology and CTO at Northrop Grumman Information Systems.

Others in the field concur. “Security was never built into the systems that manage our critical infrastructure,” says Steve Santorelli, a former Scotland Yard detective who is the director of global outreach at Team Cymru, a Chicago-based nonprofit IT security research company. Also, certain parts of process control systems are accessible through wireless connections and other unencrypted communication channels, which can be tapped into, Paller adds.

In the energy sector, for example, many of the systems that are required for power, production, transmission and distribution of energy are computerized, says Amit Yoran, chairman and CEO of network security monitoring vendor NetWitness. Adding to the risk factor, the computer systems that run physical cable plants, turbines and other equipment, have, over the past decade, become increasingly interconnected in ways for which they were not originally designed.

The owners of critical infrastructure systems, approximately 85 percent of which are companies in the private sector, have a good business reason to connect process control systems to their enterprise networks, experts say. Connecting them to corporate billing systems, for example, can make the organization more efficient. But since the systems are interconnected, an attacker could access a system by first making their way into the enterprise network.

To achieve that, an attacker would most likely use a socially engineered ploy to infect an end-user's computer with malware, which would provide the initial entryway into the enterprise network, says Eddie Schwartz, CSO of NetWitness. The primary objective of an attacker is to get an initial foothold into the enterprise network, he says. From that point, owing to the interconnectivity of systems, that intrusion can eventually lead into a SCADA system.

However, the scenario is not all doom and gloom. Should an attacker gain remote access to a process control system, total calamity is not guaranteed, says Levi Gundert, a former U.S. Secret Service agent who is the director of fraud cyber intelligence at Team Cymru. It may be possible to completely shut off electricity remotely, he says, but doing so would require detailed knowledge of the control system.

In its favor, the various controls in SCADA systems are very granular. Each piece of hardware performs a specific function and is generally responsible for a small percentage of the overall electric output. So, if a remote intruder were able to shut down one control system, the overall impact to electricity delivery may be relatively manageable, Gundert says.


For complete story:
http://www.scmagazineus.com/critical-condition-utility-infrastructure/article/161689/

Don

CISSP, MCSE, CSTA, Security+ SME
© 2013 The Ethical Hacker Network