Members of Osama bin Laden's al-Qaida terrorist network have sought
information on the Web about the networks that U.S. utility companies use to
remotely control water supply distribution and treatment systems, according
to a bulletin issued by the FBI's National Infrastructure Protection Center
"U.S. law enforcement and intelligence agencies have received indications
that Al-Qaida members have sought information on Supervisory Control And
Data Acquisition (SCADA) systems available on multiple SCADA-related Web
sites," reads the bulletin. "They specifically sought information on water
supply and wastewater management practices in the U.S. and abroad."
SCADA systems allow utility companies and municipalities to monitor and
direct equipment at unmanned facilities from a central location. Dedicated
communications channels link a control center to hundreds of "remote
terminal units," which in turn control water pumps and other equipment.
The NIPC bulletin went to some 3,000 members of the center's InfraGard
program, an information-sharing partnership between the NIPC and private
An FBI spokesman emphasized that the bulletin is not a full blown alert.
"It just says be on the lookout," says FBI supervisory special agent Steven
Berry. "There's some information that suggests that they [al-Qaida] are
looking at this... There are potential interests in water supplies, and
Automated water supply control systems have long been a subject of concern
from U.S. infrastructure protection specialists, who fear that they could
be hacked by foreign governments or terrorists. A 1997 report by the Clinton
administration's Presidential Commission on Critical Infrastructure
Protection noted, "Cyber vulnerabilities include the increasing reliance on
SCADA systems for control of the flow and pressure of water supplies."
If terrorists are able to penetrate such a system, the danger could extend
beyond merely interrupting water flow.
"If they had the time to infiltrate and get the knowledge, certainly they
could create havoc," says Brian Brewer, a senior engineer at ECS
Engineering, a Pacific Northwest company that specializes in building SCADA
systems for water utilities. "Other than turning pumps off, typically there
are chemicals that are injected, like chlorine or fluoride. If you overdose
any of that into a water system, it can affect it, and you can hurt people."
But Brewer says such an attack is far-fetched, and would require much more
specialized knowledge than could be obtained from surfing the Web. "It would
be a lot harder than learning to fly a plane," says Brewer. Moreover, while
some utilities have moved their SCADA monitoring to the Internet, the far
more critical control channels remain on dedicated leased lines and radio
links that are not as easily accessed remotely.
"Breaking into where a water source exists, and physically dropping whatever
the contaminate would be, is the real concern," Brewer says.
In addition to the cyber terror warning, the NIPC bulletin noted al-Qaida
interest in "insecticides and pest control products at several Web sites."
Also according to the bulletin, a computer belonging to a bin Laden
associate was found to contain structural architecture computer programs,
including AutoCAD, CATIGE, Microstran and BEAM, "that suggested the
individual was interested in structural engineering as it related to dams
and other water-retaining structures."
The same unnamed individual had a program used to identify soil types using
the Unified Soil Classification System, according to the bulletin.
Earlier this month the NIPC issued a public advisory urging organizations to
review what critical infrastructure-related information is available on
their public Web sites, after the center "received reporting that
infrastructure related information, available on the Internet, is being
accessed from sites around the world." By Kevin Poulsen