Five scenarios for IT apocalypse

But what if instead of simply a denial-of-service attack against select websites, the entire Internet suddenly stopped working. What if instead of a mere data breach, our financial institutions were attacked by a weapon that could instantly neutralise all electronic transactions? Or if hackers wormed their way into the systems that control the power grid?

Share

Technology drives just about everything we do, and not just at our jobs. From banks to hospitals to the systems that keep the juice flowing to our homes, we are almost entirely dependent on tech. More and more of these systems are interconnected, and many of them are vulnerable. We see it almost every day.

But what if instead of simply a denial-of-service attack against select Websites, the entire Internet suddenly stopped working - or for that matter, Google could not be reached. What if instead of a mere data breach, our financial institutions were attacked by a weapon that could instantly neutralise all electronic transactions? Or if hackers wormed their way into the systems that control the power grid?

Heck, what if God decided she'd had enough of us and decided to send a solar storm our way?

If you think these things can't happen, think again. Some already have occurred on a smaller scale. But we thought it might be fun to turn up the volume and see what might happen -- how likely a "tech doomsday" scenario might be, how long it would take us to recover, and how we might prevent it from coming to be.

What could possibly go wrong? Try these scenarios for starters.

Tech doomsday scenario No. 1: America goes dark

News flash: A coordinated hack attack on our nation's power grid caused massive blackouts across the United States, leaving more than 300 million people without electricity for days.

The Supervisory Control and Data Acquisition (SCADA) systems that run US power plants were built some 40 years ago, when the Internet was just a handful of university computers connected via 300-baud modems.

"Back then every power grid system in the world was considered its own island," says Robert Sills, CEO of RealTime Interactive Systems, which provides security solutions for industrial control applications. "There wasn't technology available to connect them. Now there is."

And the downside of all this connectivity is that once a local grid gets overloaded, others connected to it may tumble like dominoes. That's what happened in August 2003, when overgrown trees and human error triggered a power outage at Ohio's FirstEnergy. That failure caused a cascade that ultimately left 55 million people in the United States and Canada without power.

It doesn't take an act of God or Homer Simpson at the controls to cause a cascading power failure. It could be a rogue employee seeking revenge - like the software engineer who hacked into an Australian water treatment plant's SCADA system in 1991, releasing 264,000 gallons of raw sewage.

Or it could be an external attacker who gains entry into a SCADA system's maintenance ports via war-dialing, and then uses social-engineering or spear-phishing attacks to gain entry into the network.

Sills says the vast majority of power substations are vulnerable to such an attack. From there, the attacker simply needs to change a few settings and let the grid's automated fail-safe systems do the rest.

"Right now it's a system that's pretty wide open," says Sills. "There are any number of ways someone could make unauthorised transactions via routine maintenance. You could create an outage simply by pushing the wrong key."

What could happen: Like the grid itself, other failures tend to cascade when the lights go out. In 2003, landline and cellular phone systems still worked but were so overloaded with calls that they effectively shut down. Electric railways stopped in their tracks, flights were canceled, and gas pumps would no longer pump. Water supplies that relied on electric filtering systems got contaminated. Food and medicine got spoiled; looting occurred; people died. On the positive side, residents of large cities were able to see the stars for possibly the first time in their lives.

How long would it take to recover: From hours to days, depending on how many generators have been affected and how long it takes to restart them, says Sills. Nuclear facilities can take several days, gas- and coal-fired generators require around 24 hours, but plants that use hydroelectric power may be able to get back online almost immediately. If an adjacent grid is still operating, the dark one may also be able to tap into its reserves.

Likelihood: Low. Electricity is supplied to the United States and Canada by eight separate, regional entities, so for the United States to go entirely dark would require a coordinated attack of key substations in each grid, says Sills. That makes a worldwide blackout even less likely. Still, regional blackouts are well within the grasp of knowledgeable attackers.

How to avoid this: The technology to secure the power grid is readily available. Sills says his firm has installed protective measures for a utility serving a major metro area, but declined to name it, lest it become a target. The problem? The Federal Energy Regulatory Commission is still hammering out security guidelines for the diverse systems used by power plants, and no public utilities are reluctant to invest in costly retrofits until their solution gets Uncle Sam's stamp of approval.

Tech doomsday scenario No. 2: Wall Street gets e-bombed

News flash: In what authorities suspect was the aftermath of an electromagnetic pulse weapon, a rogue attacker took down much of lower Manhattan today -- causing equipment failures and power outages on a massive scale and shutting down financial markets across the country.

Though most commonly associated with nuclear explosions, you don't need a nuke to create an electromagnetic pulse strong enough to do serious damage. EMP devices emit extremely high-frequency signals that fry electronics to a crisp, rendering them useless. An EMP will also wipe out or corrupt any data not stored on magnetic or optical devices. Worse, EMPs are largely untraceable, because the weapon itself destroys any evidence of its use.

A van with an EMP device in the back could effectively shut down big chunks of the US economy simply by driving down Wall Street with the signal turned up, says Gale Nordling, CEO of Emprimus, a company that helps enterprises protect against threats from non-nuclear EMP.

If you wanted to take out the entire continent, though, you'd need a nuke and a missile delivery system. "One bomb exploded 300 miles over Kansas could take out most of the electronics in the United States," says Nordling.

What could happen: Workstations? Dead. Data centres? Gone. Mobile phones might still work, but the cell towers probably won't, rendering them useless. Your car won't start. A large enough attack will also shut down automated controls at power substations, leaving everyone in the dark. Think pre-industrial revolution days. In our scenario the New York Stock Exchange shuts down, causing shock waves to reverberate throughout worldwide markets.

How long to recover: How long it takes organisations to bounce back depends on how serious they were about disaster recovery before hell broke loose. Backup power generators, fuel supplies, alternative work facilities, redundant data centers in multiple locations, and a well-rehearsed plan for making it all work together are the key elements to disaster recovery, says Richard Rees, security solution director for disaster recovery and business continuity specialists

Fortunately for our scenario, the financial sector is better prepared than most, says Rees.

"The best recent example are the financial institutions after 9/11," he says. "They had solid disaster recovery plans, they'd invested in their infrastructure and rigorously tested it, they knew what to do. They were back and open for business within three days. Their results were dramatically different than other organisations who'd tested their plans maybe once or twice. They could be out of commission for up to six months. There aren't too many businesses who can really withstand that."

Likelihood: Higher than you might think. You can buy a small EMP device over the Internet or download plans for building your own, says Nordling, who says he's been approached by a number of companies who believe they've already suffered an attack.

"There's a tremendous proliferation of information about EMP devices and the barriers to entry are extremely low," he says. "It's not just a tool for terrorists -- it could be disgruntled employees, criminals, extremists, competitors, or college kids who want to build one simply for the heck of it. From talking with members of Congress, they believe an EMP attack will happen. It's not a question of if, but when."

How to avoid this: One option is to install welded-steel shielding on all six sides of any room containing critical electronics, and put filters on all power and communications lines to siphon off high-frequency radio signals. A less costly option is to put your critical systems into a modular data center that's protected against EMP attacks, which you can fail over to when needed. Emprimus Director of Security Jim Danburg adds that some, but not all, Wall Street institutions are already protected.

Find your next job with computerworld UK jobs