It is not that difficult either, Weiss said, noting that much of the hardware in ICS has passwords that are hard-coded and can't be changed. "This is not to say your next-door neighbor could do it," he said. "But smart people could. There are 'metasploits' on the web that you can buy that are meant to go after control systems."
Learn from cyberskirmishes
Why, then, hasn't something on the level of a "cyber 9/11" happened already?
In some nations it has, said Francis Cianfrocca, pointing to the brief war in 2008 between Russia and Georgia, in which Russia used cyberattacks in advance of, and during, its more conventional kinetic operations. "A key aspect of that was massive destabilization of Georgia's financial structure," Cianfrocca said. "It included financial, telecom and critical infrastructure and was very successful."
Weiss said another complication is that it may be difficult to tell if damage to critical infrastructure is caused by cyber activity, and even more difficult to tell who actually did it.
Given all that, some experts say there is still reason for some optimism.
"There has been a lot of progress in the last five years," said Chris Petersen. "There are a lot of good people in Washington who are focused on it."
Chris Larsen, malware research team leader at Blue Coat, points to attacks on banks in South Korea several months ago and notes, "it didn't cause the end of the world. I haven't read anything since then that says South Korea is back in the Stone Age."
Larsen said there is plenty of reason for concern about vulnerabilities, but he doubts that attackers could take down the nation's entire infrastructure in any sector for months at a time.
"I think there is some redundancy built into those systems," he said.
At present, however, Cianfrocca said the nation's preparedness "is not equal to the threat." While he said there is a lot of "very good work being done" in cyber defense, "an attacker only has to be right once, and defenders have a very broad perimeter to protect. I'd say there is a two- to three-year gap between the capabilities of the attackers and defenders."