WASHINGTON - The critical infrastructure that keeps this country running is surprisingly, and some would even say shockingly, vulnerable.
It is vulnerable not so much to physical attacks, but to cyber attacks that can be just as lethal.
Why? Because complex computer systems control almost all of what keeps America powered and functioning. These systems are best-known by their acronym SCADA.
"Everything is now controlled by Supervisory Control and Data Acquisition systems - a system of systems," said Retired U.S. Army Lt. Col. Tony Shaffer, a cyber defense expert at the Center for Advanced Defense Studies.
These systems control nuclear and chemical plants, gas pipelines, dams, railroad switches, water treatment plants, just to name a few.
"The electrical grid is a SCADA system. The aviation system, the air traffic control system, has a SCADA system. All your metropolitan transportation networks are run on a SCADA system," explained James Carafano, a national security analyst at the Heritage Foundation.
And most of America's cash flow runs because of them.
"Nine trillion dollars a day moves through the Internet. And SCADA systems - almost all of which are connected to the Internet for ease of use - power the financial system," Shaffer told CBN News.
"So if you have literally the lifeblood of the economy plus the brain synapses that control your networks on this Internet, you may want to think about how you protect that," he added.
Most of these systems are controlled by civilians. Since they are not tasked with the defense of the nation's infrastructure, they often do not secure their SCADA systems from hackers that may be able to access their data.
Hackers can hit these systems with cyber viruses and false commands that can inflict real damage in the physical world, causing machinery and other systems to break down, blow up, or shut down.
U.S. News and World Report editor-in-chief Mort Zuckerman wrote in the Wall Street Journal that modern cyber-warriors "can tap into our computer networks and move money, spill oil, vent gas, blow up generators, derail trains, crash airplanes, cause missiles to detonate, and wipe out reams of financial and supply chain data."
Shaffer said this is a real weak link in America's defenses.
"It concerns all of us in the defense community that people just aren't taking this seriously," he said.
A Digital Pearl Harbor?
Accidents and snafus that have led to incidents like major blackouts have shown if even a part of the grid is knocked out, much of the rest of it can go down because so much of it is interconnected.
So hackers might be able to launch small cyber attacks on one part of the system that could lead to a major disaster over a much wider area.
"A lot of people talk about a digital Pearl Harbor," Carafano said. "Where you'd go in and you'd have a cascading series of systems in failure, and you'd take down the electrical grid and everything starts to cascade from that, and essentially the whole country goes black."
Why would a foreign power intent on conquering America or defeating it in a future war target the country's SCADA systems?
Shaffer explained such an enemy would likely want to use America's riches and resources if it could conquer the United States.
"You don't want to lob a nuclear bomb on a location if you can actually defeat it -- functionally defeat it -- by taking out the power grid, the control measures or anything else," he said.
Shaffer explained the Chinese certainly have complex plans for waging such cyber warfare. The Russians, too.
"They have a term called 'infrastructure warfare,' where they look at a foreign country's infrastructure. The Chinese, as well. The Chinese have been very good on developing doctrine based on ours," he noted.
The U.S. government has been testing and readying its own plans for cyber warfare, using a concept called "functional defeat."
"There've been tests we've done. I can't get into them because they're classified. But,you can get into a foreign power's infrastructure and if you basically turn, say, a generator, a power generator on and off rapidly, you're going to destroy it," Shaffer explained.
"So the idea is if you can actually get inside his web, you can do this," he said.
Cyber War Consequences
Carafano doubts a global power would be foolhardy enough to start up a cyber war.
"For the Chinese or the Russians or someone to say, 'Well, let's take down the American Internet.' Okay fine, so then Walmart can't order any goods from China anymore," he said. "Well then, China, you're kind of out of business. So there is this kind of mutual assured destruction there."
Also, in this brave new cyber world, no one can be sure of nasty unintended consequences. Stuxnet, the first cyber attack that did real damage in the real physical world, is one example.
"Stuxnet we now know was a malicious software that somebody did which was specifically designed to penetrate Iranian nuclear materials facilities. Well, that thing went global," Carafano pointed out.
"It actually got all over the world. And I don't think the people who designed that expected that," he said.
Almost half of IT security executives in the U.S. electric industry say they've found Stuxnet in their systems, according to a recent survey.
But hackers do keep launching probing cyber attacks on SCADA systems, worrying America's IT defenders.
The Federal Bureau of Investigation revealed at an international conference in November that three small cyber attacks were recently launched on three American cities.
Speaking at the Fleming Cyber Security Conference in London, England, Michael Welch, the FBI's deputy assistant director in the cyber division, said the attacks were part of the hacker's ego.
"Essentially it was an ego trip for the hacker because he had control of that city's systems and he could dump raw sewage into the lake, he could shut down the power plant at the mall -- a wide array of things," Welch said.
Shaffer believes the FBI is underplaying the actual amount of cyber attacks on U.S. systems that occur every year.
"I hear it is far worse, and that there is a constant and expanding reconnaissance of our control networks," he told CBN News.
A hacker who calls himself "pr0f" blogged in late November about easily breaking into a SCADA system for a South Houston, Texas, utility.
"This required almost no skill and could be reproduced by a two-year-old," he wrote.
Shaffer agrees it's far too easy to hack into these crucial systems, explaining they're programmed to be easily accessible and easy to control for the wide range of workers who usually have to interact with them.
"This is not like you're trying to break into the SAC (Strategic Air Command), targeting computers for bombers," he said.
"A 15-year-old with a really good understanding and a few tools from Anonymous or any other hacker group you want to think of can figure it out pretty quick," Shaffer added.
Therefore, it would be even easier for a superpower to launch devastating cyber attacks, especially when America's power grid by the year 2015 will have more than 440 million points of entry hackers can worm into.
Shaffer worries the agency that should be protecting America from such threats, the Department of Homeland Security, isn't competent enough to wage an effective cyber defense.
"DHS is kind of the dumping ground for all the people who can't cut it in the Department of Justice, Department of Defense, or any other government agency," he said. "See, that's where they all went."
And as for the private sector which owns and operates so many of the SCADA systems, a recent study found only five percent of utility and energy company executives have as a main goal preventing cyber attacks on their SCADA systems.
More than a third say they're not prepared for such attacks.
Some small operators can't afford the cost of cyber defenses and many larger operators don't want to spend the money. Most spend 10 times more on physical defenses than cyber defenses.
"This is bordering on criminally negligent when you are responsible for our water, power, gas, and other sensitive utilities," Chester Wisniewski, a top security adviser at Sophos Canada, recently blogged.
*Original broadcast December 14, 2011.