Emory Corporate Governance and Accountability Review


Roy Balleste


The story of cybersecurity begins on land. By land, a cyber operations expert would mean the land mass on the surface of the Earth. The great monuments to human achievement surround our daily lives, every hour of every day. These testaments to human ingenuity are not the ones usually appreciated as works of art. The monuments of concern for cybersecurity include, among others, power plants, electrical substations, water dams, water processing plants, auto assembly factories, and satellite ground stations. On January 10, 2014, Australia’s IT News reported that Russian researchers Sergey Gordeychik and Gleb Gritsai discovered vulnerabilities in industrial control systems that granted them “full control of systems running energy, chemical and transportation systems.” The researchers spent a year prying into the supervisory control and data acquisition (SCADA) systems that controlled critical national infrastructure and, in particular, noted vulnerabilities in the Siemens WinCC software for industrial control systems. Siemens SIMATIC WinCC is one of the SCADA components. In this case, WinCC serves as a human-machine interface portal that the operator uses to control remote operations. Siemens did eventually release security updates for its SCADA products to patch critical vulnerabilities. One of the vulnerabilities would have allowed an attacker “to remotely execute arbitrary code on a Siemens SIMATIC WinCC SCADA server by sending specially crafted packets to it.” This vulnerability received a score of 10, the maximum, in the Common Vulnerability Scoring System, since it would have allowed a full system compromise.