Speculating Creatively About Dastardly Attacks (SCADA)

Rob Rosenberger, Vmyths co-founder
Tuesday, 5 February 2002

KEVIN POULSON^[1] (SECURITYFOCUS) scooped his convicted colleagues when he reported on a confidential FBI advisory meant for the U.S. water utility industry.

"You can't poison people by overchlorinating water," asserts Vmyths' resident Ph.D. microbial biochemist and editor-at-large. "And that's even if we compumetrically pretend it can be controlled by a cyber-terrorist in Yemen or wherever."

FBI NIPC believes Osama bin Virus surfed the web — I repeat: "surfed the web" — to study a widespread technology known as "Supervisory Control and Data Acquisition" (SCADA). Osama probably visited websites like this one maintained by the U.S. Department of Energy and this one maintained by Motorola Corporation.

To put it simply, SCADA devices help to control the water purity in your toilet bowl tank reservoir. They also help to control the water purity of Budweiser beer.

(Uh, let me explain. Anheuser-Busch uses the Mississippi River as a free water supply. Drunks on the Casino Queen riverboat return beer to the Mississippi in a process known as "rail standing." The used beer flows under the Poplar Street bridge to a SCADA-controlled water pump. From there it flows into a vat and comes out again as Budweiser. Trucks eventually haul it back the Casino Queen riverboat. SCADA plays an important role in the never-ending cycle of beer.)

SCADA technology explains in part why a large consumer market exists for bottled water and home purification systems. And Budweiser. I mean, let's face it: who in Los Angeles wants to drink purified toilet water?

Poulson^[1] quoted a potential cyber-terrorist who recognizes SCADA's underexploited threat potential:

"If they had the time to infiltrate and get the knowledge, certainly they could create havoc," says Brian Brewer, a senior engineer at ECS Engineering, a Pacific Northwest company that specializes in building SCADA systems for water utilities. "Other than turning pumps off, typically there are chemicals that are injected, like chlorine or fluoride. If you overdose any of that into a water system, it can affect it, and you can hurt people."

I call Brewer a potential cyber-terrorist because he seems to know more about the threat of chlorine & fluoride than George C. Smith, our resident Ph.D. microbial biochemist and editor-at-large. Smith slammed Brewer's claims:

You can't poison people by overchlorinating water. Trust me, I ran a half-million gallon swimming pool for four years in college during summer breaks. Without going into a longish discussion on the relativity toxicity and nature of the solubility product of a chlorine complex, or its half-life in a very large, changing water system, the practical obstacles can be encapsulated by just saying that even with the valve on the chlorine bubbler left unattended and wide open overnight about the best one could hope for was to make the color in the swimming suit fade after a couple weeks. And that's even if we compumetrically pretend it can be controlled by a cyber-terrorist in Yemen or wherever.
A cyber-terrorist could add fluoride, perhaps, compumetrically. Too much fluoride can make your teeth look speckled after awhile. The condition is called fluoridosis.

In other words, a deadly cyber-terrorist could at best make dihydrogen monoxide taste like pool water. This leads me to a horrifying revelation — my toilet bowl already smells like an overshocked YMCA center! Is Brewer one of those lurking cyber-terrorists we hear so much about?

Water utilities suffer non-cyber overdoses and contaminations on a regular basis. Even if a cyber-terrorist could do the same thing, why should we fear it?

The FBI should find out if this guy ever lived in Yemen.

IF BREWER PASSES a background investigation, then perhaps he just suffers from false authority syndrome. Smith had this to say:

It's so great to live in a country where people are fundamentally ignorant of how even the simplest things work but who, by the same token, accept unquestioningly the assessments of others similarly mystified by basic science — one example being the chemistry of water and chlorine — as long as the uninformed informer comes packaged as a symbolic analyst and announcer of vital public truths. We can have purportedly newsy information like the definition of the acronym, SCADA, but to ask for even a little common-sense judgment through the lens of a high-school level science course — that's really out of the question.

Given the sheer number of chlorine & fluoride injectors attached to the world's potable water supply ... and given the sheer volume of chlorinated & fluoridated potable water flushed down our toilets every day ... it would only make sense to believe water utilities suffer non-cyber overdoses and contaminations on a regular basis. And in fact they do occur on a regular basis.

This leads us to ask a now-obvious question. Even if a cyber-terrorist could cyber-overdose or cyber-contaminate a water supply, why should we fear it?

I wish Brewer would go back to installing SCADA systems and stop Speculating Creatively About Dastardly Attacks. Consider what he told Poulson^[1] here:

Brewer says such an attack is far-fetched, and would require much more specialized knowledge than could be obtained from surfing the Web. "It would be a lot harder than learning to fly a plane," says Brewer. Moreover, while some utilities have moved their SCADA monitoring to the Internet, the far more critical control channels remain on dedicated leased lines and radio links that are not as easily accessed remotely.
"Breaking into where a water source exists, and physically dropping whatever the contaminate would be, is the real concern," Brewer says.

Good grief! Brewer controls the fate of our toilet water for a living and he spends time in aircraft flight simulators. Danger, Will Robinson! This guy definitely needs an FBI background check.

Anyway, Brewer seems to think a cyber-terrorist must fly to Iowa to remotely contaminate or overdose the water supply in my town. FBI NIPC, on the other hand, fears a 14yr-old wannabee hacker in Yemen can speckle my teeth just by visiting a website. Who do you trust?

I don't know about you, but I trust FBI NIPC. I think people who work with SCADA equipment should undergo a federal background investigation just like our airline ~~pilots~~baggage screeners. Congress should nationalize SCADA installation crews just like they nationalized our airline ~~pilots~~baggage screeners. Anyone who works with SCADA equipment should hold a U.S. passport and a high school diploma.

I don't know if these measures will stop SCADA cyber-terrorism and I don't care. We need to do something! We should likewise demand FBI background checks and high school diplomas and U.S. citizenship for all Evian employees and all Budweiser employees. Especially Budweiser. Did you see all the beer drinking going on at the Supertoiletbowl?

"We can have purportedly newsy information like the definition of the acronym, SCADA, but to ask for even a little common-sense judgment through the lens of a high-school level science course — that's really out of the question."

By the way, my condolences to Rams fans on their devastating loss. Go ahead, drown your sorrows in Mississippi River beer. FBI NIPC guards its purity from the ravages of underage Yemen cyber-terrorists.

LET'S NOT FORGET about PepsiCo and the Coca Cola Corporation, either. We once lost the critical infrastructure known as Mello Yello^Ž in a repeat of the New Coke fiasco and I can't afford to lose it again to a deadly Yemen cyber-terrorist living in his parents' basement.

If I had my way, we'd even nationalize the drunks who stand at the rails of the Casino Queen riverboat. ("The loosest slots and the loosest zippers. Pee-riod." Ha! You gotta hail from St. Louis to get that joke.)

Now if you'll excuse me, I need to visit a local Amana dealer. The water filter in my fridge needs replacing...