Critical U.S. infrastructures are being penetrated by foreign states in preparation for devastating future cyber attacks designed to cripple electrical power, communications and financial networks, the commander of the U.S. Cyber Command told Congress on Thursday.
Adm. Mike Rogers, Cybercom chief and director of the National Security Agency, said foreign states have broken into the networks that control industrial systems for a range of what the U.S. government considers 16 critical infrastructures, ranging from electrical power, water, telecommunications and financial systems.
"We have seen instances where we’re observing intrusions into industrial control systems," Rogers told the House Permanent Select Committee on Intelligence.
"What concerns us is that access, that capability, can be used by nation-states, groups or individuals to take down that capability," he said, noting that hackers believed linked to Iran destroyed 3,000 computers at the Saudi state oil company Aramco.
Cyber Command is tasked with protecting critical infrastructure from attacks by sophisticated hackers, whether from China, Russia, Iran or other states to criminals and hacker groups.
"We clearly are seeing instances where nation-states, groups and individuals are aggressively looking at acquiring that capability," Rogers said.
"What we think we’re seeing is reconnaissance by many of those actors in an attempt to insure they understand our systems so that they can then, if they choose to, exploit the vulnerabilities within those control systems."
The comments followed reports from the Department of Homeland Security that industrial control systems used to operate critical water and energy infrastructure were targeted in cyber attacks that succeeded in planting malicious software.
The DHS Industrial Control System-Cyber Emergency Response Team stated in a notice to the private sector that it has uncovered "a sophisticated malware campaign that has compromised numerous industrial control systems environments using a variant of the BlackEnergy malware."
BlackEnergy is a software that security researchers say has been used by Russian government cyber attackers.
Rogers said controls systems are "fundamental to how we work most of our infrastructure across this nation."
"They are foundational to almost every networked aspect of our life, from our water to our power to our financial segment to the aviation industry just as examples," he said.
Rogers said one trend in escalating cyber attacks over the next year is the danger that hackers will penetrate industry control systems.
"It’s among the things that concern me the most because this will be truly destructive if someone decides that’s what they want to do," he said.
Rogers declined to specify the nation states that are mapping U.S. networks but acknowledged that Russia and China are among them.
For example, an attack on electrical power control systems could order power turbines to stop operating thus cutting off electricity. "I mean, it enables you to shut down very segmented, very tailored parts of our infrastructure that forestall the ability to provide that service to us as citizens," he said.
Committee Chairman Mike Rogers, (R-Mich.) said during the hearing that Chinese government hackers have penetrated some U.S. critical infrastructure networks, and the Cyber Command chief said in addition to China "one or two" other nations are working on infrastructure cyber attacks.
"We’re watching multiple nation states invest in this capability," Adm. Rogers said. "We see them attempting to do reconnaissance on our systems, attempting to generate insight about how our networks are structured. We see them doing research in this area. We see them attempting to steal information on how our systems are configured, the very specific schematics of most of our control systems, down to engineering level of detail so they can look at where the vulnerabilities, how are they constructed, how could I get in and defeat them."
Chairman Rogers said Chinese economic cyber espionage has "grown exponentially in terms of volume and damage done to our nation's economic future."
"Chinese intelligence services that conduct these attacks have little fear, because we have no practical deterrence to that theft," Mr. Rogers said.
Iran also has conducted "very challenging" denial of service cyber attacks on financial networks in 2012, Mr. Rogers said.
"Trojan horse malware" linked to Russia was detected on industrial control software used in a wide range of critical American infrastructures, Mr. Rogers said.
"Our critical infrastructure networks are extremely vulnerable to such a damaging attack, and we can't count on a deterrence if we're already in an adversarial position with a nation like China or Russia," Mr. Rogers said.
"Most of our critical infrastructure providers are doing their best to better secure their networks," he added. "But if they get attacked by an adversary with the resources and capabilities of a nation state like China or Russia or Iran, it certainly isn't a fair fight.
Adm. Rogers said he has told his troops and employees that "I fully expect that during my time as the commander we are going to be tasked to help defend critical infrastructure within the United States because it is under attack by some foreign nation or some individual or group.’
Recent cyber attacks against critical infrastructure "leads me to believe it is only a matter of the ‘when,’ not the ‘if’ that we are going to see something traumatic."