By Kevin Coleman
As if fire investigations were not complex enough and the pursuit of arson charges against a suspect were not already extremely challenging, indications are that things are getting worse. A new method of committing the crime of arson has been brought to light. This method leverages computers and computer-related equipment and peripherals. There are so many products and services that use computers and automated controls that it is difficult to find some that don’t. Most of those devices are connected to the Internet for a number of reasons. This Internet connection can be exploited to turn these common pieces of equipment into tools for arsonists. These possibilities represent very real risks and have caught the attention of top officials.
President Obama recently discussed the threat the United States faces from cyber attacks in an 800-word column in the Wall Street Journal entitled “Taking the Cyber Attack Threat Seriously.” He is not the only high-ranking U.S. official concerned about this 21st century threat. Just recently, General Keith Alexander, the leader of U.S. Cyber Command, said, “What I’m concerned about is the transition from disruptive to destructive attacks.” These and other ominous-sounding comments should be considered a warning about what lies around the corner for fire investigators.
Two techniques have recently emerged and have become public about the use of cyber attacks as a destructive mechanism. The first one was discovered by researchers at Columbia University, who discovered a new group of computer security flaws in laser printers that, if exploited, could cause a fire. Based on generally available laser printer market statistics, more than 125 million units are sold each year–a target-rich environment for cyber arsonists. The researchers found that laser printers can be hacked and remotely controlled and manipulated over the Internet. The software /firmware flaws allow hackers access to these devices and give them the ability to cause physical damage. Cyber attackers could remotely access the connected device and continuously turn on the fuser unit (which melts toner onto the page), causing the unit to overheat to the point of catching fire. During their analysis of this threat, researchers conducted a quick scan; within minutes, they were able to identify 40,000 devices connected to the Internet that were vulnerable to this type of attack. This was a far from exhaustive search. Even worse, researchers determined that this security vulnerability is so fundamental that it may impact tens of millions of printers, multifunction copiers, and other hardware that use hard-to-update software/firmware where the vulnerability resides. Since this vulnerability was reported, a few printer manufacturers have taken action and mitigated this risk. Although the actual number of vulnerable printers is not available, it is pretty much a sure bet that many of these devices remain open to this type of exploitation.
The second area of concern focuses on factory automation and industrial control systems, often referred to as supervisory control and data acquisition (SCADA) systems. These controllers are used in everything from the power grid to water treatment facilities to commercial heating, ventilating, and air-conditioning (HVAC) systems as well as the complex processes in the chemical and materials production industries. The global annual market for these systems has been estimated at nearing $50 billion, which indicates the expansiveness of this threat environment. Researchers have warned and actually published multiple SCADA system vulnerabilities that allow remote access and control. These warnings became public prior to the SCADA system vendors were informed about this issue. Thus, there was an immediate risk that these vulnerabilities could be exploited since vendors did not have any time to develop patches. If taken advantage of, cyber attackers could exploit these published vulnerabilities, modify settings, and cause the equipment or process to operate outside specified parameters, which could result in an explosion and a fire.
The concerns raised by this research were so great that federal agencies were privately briefed on the matter. In April 2012, the National Institute of Standards and Technology (NIST) conducted the two-day workshop “The Cyber Security for Cyber-Physical Systems.” This informative workshop addressed the informational needs of engineers and information technology security specialists who design and maintain these control systems, but what about fire investigators? Research was unable to identify where cyber attacks and hacking were a part of the curriculum for fire investigators, but, put simply, would you as an investigator ever consider the possibility of a cyber attack being the underlying cause of an incident?
The arsonist could be half way around the world and start a fire by continuously cycling the fuser unit of a printer, causing it to overheat or improperly adjust setting on SCADA controllers, causing a volatile reaction, explosion, and fire. As if it was not difficult enough to investigate and prove arson given that most of the evidence is destroyed in the fire, now investigators must add the complexities and challenges of cyber attacks, intrusions, and attack attribution to their activities. The clock is ticking until we encounter arson by cyber attack. Experts have expressed their concerns over the growing likelihood that cyber attacks would result in physical implications and damage. That time looks to be just around the corner. Or is it? Could a cyber attack have already resulted in a fire? It is possible that an origin and cause investigation could have missed this and pointed to a control system or printer malfunction. Clearly, this is an area that must be kept in that back of fire investigators’ minds when looking into the cause of a fire.
Kevin G. Coleman is a seasoned security professional and instructor with a comprehensive background in emergency response. He was chief of an ISO class 4 volunteer fire department and is a former International Society of Fire Service Instructors George D. Post – Fire Instructor of the Year. He has 18 years of success in the development and implementation of cutting-edge security and training strategies and continues to work with innovative leaders in business, government, and the military on strategic issues of critical importance such as cyber attacks.
