Water Plants, Cyberwar, and Scenario Fulfillment

René Pfeiffer/ December 1, 2011/ High Entropy, Security, Stories

While we refuse to add a Cyberwar category to this blog, we want to explore this shady topic with a story. Do you recall the water plant hack a few weeks ago? According to news floating around in the Internet an US-American water plant in Illinois suffered from a security breach together with a failed water pump. Apparently attackers took the pump out by applying a well-tried IT technique called „Have you tried to turn it off and on again?“. So in theory this is a full-scale Cyberwar incident that puts all of our infrastructure at risk – plus you can add the magical acronym SCADA when talking about it, thus lowering the room temperature a few degrees and imposing the well-tried fear and awe effect on your audience.

While industrial control systems remain a part of the infrastructure that can be attacked with or without being networked, the water plant hack has turned out to be lacking some facts. So what has happened? Why did the incident change from being an attack to becoming a slightly confused story about a defective piece of hardware? Well, have you ever heard of scenario fulfillment? The term was used in reports about the Iran Air Flight 655 incident where the Aegis guided missile cruiser USS Vincennes shot down a civilian jet airliner over the Strait of Hormuz. The crew of the cruiser assumed to be under attack by an approaching F-14 fighter jet. A review of the incident led to a psychological explanation published in a BBC documentary.

When questioned in a 2000 BBC documentary, the U.S. government stated in a written answer that they believed the incident may have been caused by a simultaneous psychological condition amongst the 18 bridge crew of the Vincennes called ‘scenario fulfillment’, which is said to occur when persons are under pressure. In such a situation, the men will carry out a training scenario, believing it to be reality while ignoring sensory
information that contradicts the scenario. In the case of this incident, the scenario was an attack by a lone military aircraft.

What are the implications if you combine wisdom from the 1980s with the Internet, new military doctrines and scenes from the film War Games? Let’s hope we’re not in for a decade of speculation, packet firings squads and unbridled and irrational fear about the threat of cyber war. Make sure you remember to look for facts, especially when dealing with security and incidents.

Side note: Actually there is a tool for the protection of water plants, and it’s called Crypto. If you manage to sneak this tool into a talk and base your presentation on it, then our CfP team might just accept you for DeepSec 2012 without asking any questions.

Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.