Commercial enterprises are putting our critical infrastructure at risk

04.05.2012

"You don't know who is fingerprinting the critical infrastructure," said Francis Cianfrocca, CEO of Bayshore Networks, during an interview at the 2012 RSA Security Conference in San Francisco. Hackers "have found their way in -- you know they are in there -- you just don't know how they got in, where they are residing, and what they are doing there."

To better understand the national security implications, we have to look at how industrial control systems can be manipulated. When they first came into wide use, they were connected together via serial lines with no connection to the Internet, so in most cases physical security substituted for logical security. However, in the mid-'90s, the control gear began to ship with Internet connectivity built in, thereby opening up these devices to all the risks associated with being connected to the Internet and other networked systems.

We can look to the supervisory control and data acquisition (SCADA) system vulnerabilities highlighted at last year's Black Hat conference in Las Vegas to illustrate the possible consequences of an attack on the critical infrastructure. A hacker could feasibly leverage one of the SCADA system's numerous inherent vulnerabilities, such as a well-known hard-coded password on a power grid control system, in order to gain access to the system.

Then the attacker could, for example, capture "stop" commands from one self-controlled programmable logic controller (PLC) and play them back to another remote-controlled PLC via HTTP and telnet with the goal of shutting it down. The attacker could then further sabotage the environment by using the PLC to initiate other malicious commands. Such commands could cause pipeline valves to open or close or centrifuge motor speeds to increase or decrease, any of which could damage individual components of the supply chain or even force the entire connected environment to collapse completely, or even physically explode.