Joint Special Assessment
- 54 pages
- For Official Use Only
- April 23, 2008
(U//FOUO) Under the National Infrastructure Protection Plan, the Department of Homeland Security’s Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) has the responsibility to produce assessments that support the strategic planning needed to enhance the protection and preparedness of the Nation’s critical infrastructure and key resources (CIKRs). HITRAC analyzed information about terrorist attack capabilities, goals, and objectives to assess the potential terrorist attack methods that might be used against CIKRs.
(U//FOUO) This paper is complementary to the 2007 Strategic Homeland Infrastructure Risk Assessment (SHIRA). The SHIRA analysis is based on a defined set of 15 attack methods that were identified based on known terrorist capabilities, analysis of terrorist tactics, techniques, and procedures, and intelligence reporting on assessed, implied, or stated intent to conduct
an attack. This assessment discusses the attack methods in alphabetical order and implies nothing about the probability of
one attack method being chosen over another.
(U//FOUO) This attack method compendium provides a broad overview of methods
terrorists might use in attacks against Homeland critical infrastructure. Innovation is a
hallmark of terrorism, and an actual attack may not mirror past attacks. The compendium
offers a basic description of each of the 15 attack methods, including definition,
background, key components, and possible methods of employment. The compendium is
not intended to provide an all-encompassing or in-depth look at terrorist intent and
capability to conduct attacks against specific CIKRs, but rather to provide general
overviews to further inform DHS critical infrastructure protection partners of the
potential threats they could face.
(U//FOUO) DHS understands that each infrastructure asset is unique and has different
vulnerabilities to various types of terrorist threats. It is likely that only a subset of the
15 attack methods presented will be pertinent to any particular site. Alternatively,
additional attack methods or threats not addressed in this paper may be of higher concern
to an individual infrastructure asset.
(U) Identified Terrorist Attack Methods
(U) Aircraft as a Weapon
(U) Biological Attack: Contagious Human Disease
(U) Biological Attack: Noncontagious Human Disease
(U) Biological Attack: Livestock and Crop Disease
(U) Chemical Attack
(U) Cyber Attack
(U) Food or Water Contamination
(U) Improvised Explosive Device
(U) Maritime Vessel as a Weapon
(U) Nuclear Attack
(U) Radiological Dispersal Device
(U) Standoff Weapons: Guided
(U) Standoff Weapons: Unguided
(U) Vehicle-Borne Improvised Explosive Device
(U) Cyber Attack
(U//FOUO) Severe cyber attacks could disrupt, deny, destroy, or allow hackers to exploit
systems and networks essential to the functioning of critical U.S. infrastructure with
potentially devastating effects on economic security, the environment, national security,
and public health and safety. For example, attacks on control systems (Supervisory
Control and Data Acquisition [SCADA] or process control) could disrupt electric power
distribution or cause the loss of control of chemical processes. Other examples include
creating confusion or panic by degrading Internet traffic to such a degree that critical sites
(U//FOUO) A cyber attack comprises the actions taken through computer networks to
disrupt, deny, degrade, destroy, or manipulate information in computers or computer
networks, or the computers or networks themselves. This attack method can be used to target cyber infrastructure that, as defined in the National Infrastructure Protection Plan,
includes electronic information and communications systems and the information
contained in those systems. Computer systems, control systems (SCADA), and
networks—such as the Internet—are part of cyber infrastructure.
(U//FOUO) Cyber attacks occur in directed and nondirected forms. Directed attacks
target specific computer systems or networks or use those systems or networks to attack
other targets. Nondirected attacks are not targeted at a particular entity or sector, but can
cause widespread disruptions to systems and networks. Both directed and nondirected
attacks can degrade availability of critical cyber infrastructure and information,
confidentiality, or integrity. They also can manipulate or cause malfunctions in critical
infrastructure that rely on computerized control systems.
(U//FOUO) The increasing reliance on cyber infrastructure makes cyber attacks
potentially attractive for adversaries (terrorists, criminals, foreign intelligence services, or
corporate competitors) who wish to harm U.S. interests and cause mass disruption.
Typical cyber infrastructure systems include business systems used to manage or support
common business processes and operations; control systems that monitor and control
sensitive processes and physical functions (chemical processing, electricity generation
and distribution, and natural gas and oil production), and other specialty systems—such
as safety, security, and support systems.
(U) Key Components
(U//FOUO) The key components of a cyber attack are a vulnerable target and a capable
attacker with intent. Attackers may have the technical capability to understand the
characteristics and vulnerabilities of the systems they are targeting and knowledge and
expertise in cyber attack methods, they may make use of freely available tools that enable
them to take action without an in-depth knowledge of architecture, configuration, or
design, or they may partner with other like-minded or willing actors who possess the
missing skills or knowledge.
(U//FOUO) General Vulnerabilities: Vulnerabilities can exist within a spectrum of
targets in the cyber infrastructure. The increasing connectivity and integration of cyber
systems, many of which can enhance business interoperability and reduce costs, can
create multiple cyber points of entry that, if penetrated, would allow an attacker to extract
proprietary or operational information or manipulate system controls to disrupt or
degrade performance. For example, control systems are now frequently implemented
with open connectivity (with remote access, and through business networks with
subsequent connections to the Internet) and are potentially more vulnerable to various
(U//FOUO) Security experts discover and report numerous hardware and software flaws
daily. According to a major information technology security firm that tracks
vulnerabilities, the release of patches for known vulnerabilities may lag days or months,
leaving information and control systems vulnerable in the absence of effective protective
(U//FOUO) Capable attacker: An attacker must have the intent and capability to
conduct the attack. Individuals and small groups—generally motivated by money,
politics, religion, or self-gratification—routinely conduct attacks against the
U.S. cyber infrastructure. Islamic terrorist groups such as al-Qa‘ida, HAMAS, and
Hizballah have a growing appreciation of information technology to support their
operations, and could parlay their cyber knowledge into attacks on U.S.-based
information infrastructure. These organizations have expressed interest in capabilities
that could exploit cyber vulnerabilities to disrupt provision of services, exact economic
costs, and undermine public confidence. Terrorists also have the option of hiring hackers
or organized criminal groups to launch attacks.
— (U//FOUO) In October 2005, British authorities arrested well-known cyber
terrorist Younis Tsouli, known as Irhabi 007 (“terrorist 007”). Tsouli taught
hacking techniques and discovered server vulnerabilities. He demonstrated his
expertise by hacking a website run by a U.S. State Government and a
U.S. academic institution. Tsouli maintained contacts with jihadists worldwide,
possibly in the United States, the Bahamas, Sweden, and Tunisia, and including
Bosnia, Canada, Denmark, Iraq, and the United Kingdom.
— (U) In 2005, an organization that tracks terrorist activity reported that a known
jihadist website had posted an extensive beginner’s guide to hacking websites and
countering network security. The guide detailed methods on how to penetrate
computer security and locate target computers and information on popular
programs used to penetrate security.
(U) Potential Targets
(U//FOUO) The complexity of computing and communications systems in use in CIKRs
coupled with their dependencies on those systems can create a number of possible
options in attacking cyber infrastructure. Attacks could be directed at the control systems
themselves, attacks on data or data processes, or attacks on the network communications
mechanisms and networks.
(U//FOUO) Attacks directed at control systems: Attackers could exploit the computer
control systems used to automate industrial processes and to generate and distribute
power, manage transportation systems, treat water, and manage or deliver other critical
infrastructure functions. Sophisticated attackers may attempt to gain access to an
infrastructure asset’s computer control system to create economic disruption, hazardous conditions, or general mischief and specific terror. Attackers have gained access to
control networks through connections to business management networks that were
connected to the Internet. They also have exploited default vendor configurations on
hardware and software. The effects are dependent on the type of operation controlled by
the particular control system and the access level attained by the attacker. To cause
specific types of effects, the attacker must be familiar with the network protocols and the
configuration of the system. Many of these systems are in use globally, thus making their
architectures, protocols, and default configurations broadly available. However, specific
implementations can be highly sophisticated and difficult to understand. Even without
in-depth knowledge, an attacker using basic methods could cause random failures or
(U//FOUO) Attacks on data or data processes: The information contained in a
computer system is a vital asset to the business owner. The information asset owner must
be able to trust the data’s availability, confidentiality, and integrity. By simply gaining
access to a data set, an adversary has successfully attacked the confidentiality of
information. In addition, trust in the data’s integrity is degraded, and the asset owner can
no longer be sure that data are accurate and reliable. Finally, an intruder with access to a
data set can prevent the information owner’s access to it. Attackers have stolen and sold
data, and they have extorted money from information owners by holding systems hostage
(by encrypting data until ransom is paid).
(U//FOUO) Attackers can inject modifications to database application software or inject
incorrect data, causing the systems to perform unpredictably. The injections could use
physical media such as a compact disk or a Universal Serial Bus drive (flash, stick, or
thumb drives), or use a data transfer that occurs over a network. Possible effects include
erratic or incorrect performance, physical damage to the operations or facility, or the
system ceasing to communicate. If this is done stealthily over an extended time, backups
could also be affected, resulting in loss of confidence in restoration processes and causing
the information owner to have to rebuild databases from scratch—an extremely
expensive and time-consuming process.
(U//FOUO) Attacks on the network communications mechanisms and networks:
The cyber attack methods used to compromise communications and computer networks
are as diverse as the targets at which they are aimed. Attacks that affect the Internet
either by directed or nondirected means can impede the ability of an infrastructure asset
to function properly. Some attacks include packet crafting, in which specially crafted
data packets are placed on a network to exploit vulnerabilities in applications, allowing
the attacker access to the computer or network. In addition, an attacker can use a number
of tools and techniques to gain access to a computer or network through broadband
connections, wireless access points, and modems. Consequences include denial of
service, which can deprive access by users to network resources and exploitation of data
as detailed above.
(U//FOUO) Methods of Employment
(U//FOUO) Use of malicious software: Malicious software (malware) is software
designed to infiltrate or damage or use the resources of a computer system without the
owner’s consent. Attackers use malware to obtain unauthorized access to information,
alter information, or damage the targeted system or network. Common types of malware
include Trojan horses, viruses, and worms—often delivered through the use of botnets.
Unauthorized access to a system or network enables attackers with malicious intent to
view, copy, change, or delete any data contained on the system. The damage an attacker
can inflict depends on the level of access gained. Once malicious code has infected a
system, the attacker can then run rootkits to obtain higher levels of access and install
“backdoors” to gain future access covertly, potentially appearing as an authorized user.
Malware also may exploit the compromised system’s resources to gain access to the
systems of trusted partners who use the network.
(U//FOUO) Denial-of-Service attacks: A Denial-of-Service (DoS) attack denies or
impairs the authorized use of applications, networks, or systems by preventing access or
exhausting resources. The three most common types of DoS attack are consumption of
scarce, limited, or non-renewable resources, destruction or alteration of configuration
information, and physical destruction or alteration of network components. The most
common DoS attack involves dispatch of malformed packets (units of data routed over a
network) or large volumes of packets. A single malformed packet can be used to cause a
DoS; however, to generate the necessary volume of attack traffic to overwhelm a site,
attackers typically use a distributed network of compromised hosts (botnet).
(U//FOUO) Botnets: A “bot,” short for robot, is an automated software program that can
execute certain commands. A botnet is an aggregation of compromised computers or
bots that are connected to a central controller. Botnet operators typically offer a variety
of malicious services, including anonymous proxy services, Distributed Denial-of-
Service (DDoS) attacks, spam-for-hire, and others by issuing instructions to one or more
botnets under their control. Botnets also serve as a focal point for collecting confidential
and personally identifiable information from unsuspecting bot-infected systems. Botnets
are available for sale or lease over the Internet, and versions controlling tens of thousands
of compromised hosts are not uncommon. Botnets have grown in size and complexity in
recent years and may fuel an underground economy in which compromised systems,
credit cards, pirated media, personal information, and software license keys are bought
and traded. Over the past several years, attackers have shifted their focus away from
performing random DDoS attacks to generating revenue for their operators.
(U//FOUO) Social engineering: Attackers are increasingly using social engineering
techniques to gain key information about the target that they can subsequently use to gain
access to the target’s computer or network. Some of the research methods involve simple
telephone calls or elaborate e-mail ruses to elicit information or open an exploitable
vulnerability (referred to as phishing). Other methods include accessing public financial
records, dumpster diving, Google Hacking, requesting sunshine law information, sending phony e-mails, and Who Is lookups (a means for finding or identifying an individual’s or
organization’s Internet address).
(U) Nuclear Attack
(U//FOUO) The detonation of a nuclear yield producing device would cause mass
fatalities and infrastructure damage from the heat and blast of the explosion and
significant consequences from both the initial nuclear radiation and the subsequent
radioactive fallout. In addition, the economic and psychological impacts from such an
attack would be significant. The Federal Government has placed a high priority on
preventing terrorist groups from acquiring nuclear weapons or developing an improvised
nuclear device. If terrorists acquired a nuclear weapon or improvised nuclear device, and
had the flexibility to choose a target, their most likely primary target would be a
population center that includes banking, finance, or commercial districts, government
facilities, or national icons and monuments. Large areas surrounding the primary target
would be affected to some extent by the radioactive fallout from a nuclear attack.
(U) A nuclear weapon is a device with explosive power resulting from the release of
energy unleashed by the splitting of nuclei of a heavy chemical element, such as
plutonium or uranium (fission), or by the fusing of nuclei from a light element, such as
hydrogen (fusion). Fusion (thermonuclear) bombs can be significantly more powerful
than fission bombs, but are at this point believed to be beyond the capability of terrorists
to construct. This paper will focus on the fission bomb.
(U//FOUO) Categories: The types of nuclear weapons a terrorist may use fall into two
general categories: illicitly acquired weapons produced by nation-states and improvised
nuclear devices (INDs).
— (U//FOUO) Nuclear weapons produced by sovereign nations are designed,
constructed, and usually tested using financial, manufacturing, and technical
resources of the nation. The weapons of nation-states typically produce high
yields with high reliability and designed for a delivery vehicle, such as an aircraft
or missile. The weapon likely would be lighter and smaller than an IND.
— (U//FOUO) An IND would be a crude nuclear device built from the components
of a stolen weapon or from scratch using nuclear material, with untested yield and
reliability. The greatest obstacle terrorists face when attempting to build an IND
is obtaining enough fissile material to create a nuclear explosion. Crude nuclear
weapons typically are heavy, ranging from a few hundred pounds to several tons.
Specially designed small nuclear weapons, including the so-called suitcase
nuclear weapons are much lighter, but they have never been acquired by terrorist
organizations and are technically difficult to produce.
(U//FOUO) Configurations: Two basic nuclear weapon configurations exist. The first,
called the gun assembly, incorporates two separate subcritical masses of fissile material
that, when driven together by a propellant at detonation, form a supercritical mass
resulting in an explosive fission chain reaction. The second, called an implosion system,
uses a single subcritical mass of fissile material that compressed to a supercritical density
by surrounding explosives to produce an explosive fission chain reaction.
— (U//FOUO) A gun-assembly weapon is the simplest type of nuclear weapon.
Typically, chemical (explosive) propellant accelerates a subcritical fissile-material
projectile down a gun barrel-like tube, where it meets with a subcritical
fissile-material target to form a supercritical mass. A successful gun-type device
would use highly enriched uranium (HEU). Little Boy, the 15-kiloton-yield
weapon used at Hiroshima, was a gun-assembled device.
— (U//FOUO) An implosion weapon uses either plutonium or HEU. The need to
achieve uniform spherical compression for the fission to take place makes an
implosion device more difficult to design and build than a gun-assembly weapon.
High explosives such as RDX or HMX compress the fissile material upon weapon
initiation. One advantage of an implosion weapon is that less fissile material is
required to produce a given yield compared with a gun-type weapon. Fat Man,
the 21-kiloton-yield weapon used at Nagasaki, was an implosion weapon.
(U//FOUO) Size of nuclear explosions: Nuclear explosions are classified based on the
amount of energy they produce, called yield. Given what we know of terrorist efforts, a
terrorist nuclear weapon most likely would have a yield of less than 1 to several kilotons.
A kiloton is the equivalent energy of 1,000 tons of TNT. Large military nuclear weapons systems deliver weapons with yields in the multihundred kilotons to megaton (1 million
(U//FOUO) Effects of a detonation: The effects of a nuclear detonation depend on the
yield and success of the detonation. A low-yield (about 1 kiloton) device is one of the
most likely weapons. Effects include air blast, heat, initial radiation, ground shock, and
secondary radiation. The ground shock and air blast would cause major disruptions in the
— (U//FOUO) Air blast: As with a conventional explosive, a nuclear detonation
produces a shock wave, or air blast wave. The air blast from a 1 kiloton
detonation could cause 50 percent mortality rate from flying glass shards to
individuals within an approximate radius of 300 yards. This radius increases to
approximately 0.3 mile for a 10 kiloton detonation.
— (U//FOUO) Heat: The second effect would be extreme heat, a fireball, with
temperatures to millions of degrees. The heat from a 1 kiloton detonation could
cause 50 percent mortality from thermal burns to individuals within an
approximate 0.4 mile radius. The radius increases to approximately 1.1 miles for
a 10 kiloton detonation.
— (U//FOUO) Initial radiation: The initial radiation is produced in the first minute
following detonation. The initial radiation pulse from a 1 kiloton device could
cause 50 percent mortality from radiation exposure within an approximate 0.5
mile radius, if individuals were not given immediate medical intervention. This
radius increases to approximately 0.75 mile for a 10 kiloton detonation.
— (U//FOUO) Ground shock: Ground shock equivalent to a large localized
earthquake also would occur. This could cause additional damage to buildings,
communications, roads, utilities, and other portions of the infrastructure.
— (U//FOUO) Secondary radiation: Secondary radiation exposure from fallout
would occur primarily downwind from the blast, but changing weather conditions
could spread radioactivity and enlarge the affected area. For a 1 kiloton device,
radiation exposure from fallout within the first hour after the blast could cause
50 percent mortality for approximately 3.5 miles downwind of the event. This
distance increases to approximately 6 miles for a 10 kiloton detonation.
(U//FOUO) Failed detonation or fizzle yield: A fizzle yield occurs if the fissile material
mechanically disassembles before a significant yield is generated. Even a fizzle yield,
however, can produce a very large explosion that could disperse radioactive material
widely, essentially becoming a radiological dispersal device or “dirty bomb.”
(U//FOUO) Usama Bin Ladin and al-Qa‘ida have publicly expressed their clear desire to
acquire weapons of mass destruction, including specifically nuclear weapons, to attack
the United States. In a 1999 interview, Bin Ladin referred to acquiring biological,
chemical, and nuclear weapons as a “religious duty.” Since the late 2001 invasion of
Afghanistan, U.S. and Coalition armed forces, and various members of the media, have
recovered hundreds of documents detailing al-Qa‘ida’s quest to develop and use these
(U) Key Components
(U//FOUO) To conduct a nuclear attack on the Homeland, terrorists need possession of a
nuclear weapon—created, purchased, or stolen—and the ability to deploy the weapon in
the United States.
(U//FOUO) Acquiring a weapon: Terrorists possibly could acquire a nuclear weapon in
several ways, including theft, purchase through illicit channels, or donation by a nuclear
weapons capable state program. Generally speaking, nation states make every effort to
secure weapons of this kind, which poses a formidable challenge to terrorists.
Vulnerabilities may exist, however, in some countries that have nuclear weapons. Some
weapons may have devices to prevent unauthorized use, or terrorists might lack
confidence that they could make an acquired weapon work, but terrorists could
deconstruct the weapon for nuclear materials and components to make their own device.
(U//FOUO) The manufacture of a nuclear weapon is a difficult challenge. The most
difficult step is acquisition of a sufficient quantity of fissile material. Potential sources of
fissile material include Russia and the countries of the former Soviet Union and nuclear
research reactors throughout the world that may have inventories potentially at risk of
diversion or theft. In addition to a source of nuclear material, a cadre of competent
technical specialists would be required. Processing and machining of valuable and often
dangerous materials are involved, requiring specialized equipment to cast and machine
explosives, plutonium, or uranium.
(U//FOUO) Deploying the weapon: In addition to acquiring a nuclear weapon, terrorists
must have the expertise to deploy the weapon, including transporting it into or within the
United States and successfully detonating it.
(U) Methods of Employment
(U//FOUO) Several options exist for transporting a nuclear weapon into the
United States. Once the weapon is inside the country, it could be moved by air, land, or
sea. Potential methods to get the device into the country include the following:
— (U//FOUO) Use of aircraft flown from outside the United States, with the
weapon either detonating in the air over a U.S. city or transferred to another mode
— (U//FOUO) Use of a container ship or oil tanker with detonation occurring in
the port or transfer of the weapon to another mode of travel.
— (U//FOUO) Movement of the weapon by a smaller boat for infiltration to a
populated coastal city for detonation or smuggling to less monitored coastal areas
for transfer to another mode of travel.
— (U//FOUO) Transport by motor vehicle across a land border.
(U//FOUO) Five elements are common to these delivery scenarios:
— (U//FOUO) Use of suicide teams: Terrorist teams likely would be willing to
conduct a suicide mission to ensure success and control of the weapon at all
— (U//FOUO) Security focused: Maintaining operations security and control of the
weapon would be paramount, given the great expense, risk, and limited
opportunities to attack with this method.
— (U//FOUO) Target location: Terrorists may focus on prominent economic,
infrastructure, and political targets with the goal of producing mass casualties,
visually dramatic destruction, significant economic aftershocks, and fear among
the U.S. population. A nuclear attack likely would be aimed at population centers
situated along the periphery of the United States, since an attack at such locations
would limit the logistics and risk of detection in transporting the weapon.
— (U//FOUO) Points of entry: Terrorists likely would attempt to bypass official
ports and border crossings, particularly those known to conduct inspections or use
— (U//FOUO) Backup planning: If the mission is compromised before the weapon
reaches its intended target, terrorists might detonate the nuclear device in place or
at secondary targets rather than allow the plot to fail completely.