In his book @War: The Rise of the Military-Internet Complex, journalist Shane Harris describes how some of America’s top hackers came up with Stuxnet, a cyber-weapon that was to be the “first-of-its-kind.” (Harris is a fellow at New America, where I work; Future Tense is a partnership of Slate, New America, and Arizona State.) Stuxnet was discovered in 2010 after it had degraded an estimated 1,000 centrifuges in Iran’s Natanz uranium enrichment plant. It was widely considered the first such digital weapon. But a new report from Bloomberg, published Wednesday, suggests that at least one cyber attack beat Stuxnet to the technological punch.
In 2008, two years before Stuxnet was noticed, a Turkish oil pipeline mysteriously caught fire without triggering any sensors or alarms. Although Kurdish separatists claimed the attack, according to Bloomberg, a number of U.S. intelligence officials credit Russia, which was opposed to the Baku-Tbilisi-Ceyhan pipeline.
“The timing really is the significance,” said Chris Blask, chairman of the Industrial Control System Information Sharing and Analysis Center, which works with utilities and pipeline companies. “Stuxnet was discovered in 2010 and this was obviously deployed before that. This is another point on the timeline” in the young history of cyberwar.
Investigators found that the hackers used the security camera system’s vulnerable software to gain entrance to the pipeline’s control network and get to work. Bloomberg writes:
The central element of the attack was gaining access to the operational controls to increase the pressure without setting off alarms. Because of the line’s design, the hackers could manipulate the pressure by cracking into small industrial computers at a few valve stations without having to hack the main control room.
The presence of the attackers at the site could mean the sabotage was a blended attack, using a combination of physical and digital techniques. The super-high pressure may have been enough on its own to create the explosion, according to two of the people familiar with the incident. No evidence of a physical bomb was found.
Beyond damaging the pipeline, the attack cost BP, the State Oil Fund of the Republic of Azerbaijan, and others millions of dollars, and also caused thousands of barrels of oil to spill close to a water aquifer.
Security experts are increasingly convinced that America needs to prepare for an inevitable cyber-attack on its own energy, transport, or financial infrastructure (though as my New America colleagues Emily Schneider and Scott Janz recently wrote in Slate, there’s debate over what counts as “super-critical infrastructure”). NSA Director Admiral Michael Rogers has called America’s energy sector our “Achilles heel,” and in 2012, former Defense Secretary Leon E. Panetta warned of a pending “cyber-Pearl Harbor.” The incident in Turkey is particularly worrisome, because, as Bloomberg notes, there are thousands of pipelines throughout the United States: “182,000 miles of pipelines that carry oil, chemicals and other hazardous liquids, 325,000 miles of pipelines that transmit natural gas in bulk between states, and 2.2 million miles of pipelines that distribute natural gas to homes and businesses.”
Any cyber-attack against American infrastructure that can be credited to a foreign country could well be considered an act of war. The real perpetrators of the 2008 pipeline explosion remain a mystery, but the incident demonstrates that the rules of play in this new era of cyber warfare are far from settled.