I suppose that it was just a matter of time, but there is finally the first official word of Internet based attacks disrupting major public utility services. Unlike the shadowy attacks on Estonia last spring, which were little more than large scale graffiti vandalism, the recent intimations from the CIA at a New Orleans security conference suggest that several equipment disruptions and at least one large-scale, multi-city outage have been caused by remote intrusion into electric utility computers.

The information, via Information Week, is sketchy at best and unlikely to be confirmed any time soon. The pattern, however, fits the conventional mold of electronic crime today: a security breach, extortion, and then a brief demonstration of power. But the real worry is not extortion, but terrorism. Now that the capability has been demonstrated, the technique may be moving from the criminals to the ideologs.

I've often said that terrorists are stupid and I think recent history has borne me out; consider what you might have done to make September 2001 much, much worse than it actually was, or what various things you uniformly bright readers might come up with even today to compromise our laughable airline security or water supply? If you think that TSA has been keeping you safe these last several years, the joke is on you... the only thing keeping us safe is the fact that we are battling disorganized idiots.

But criminals have a profit motive and know how to get things done, and they'll sell to anybody. Even if you're not CIO at a major utility, it's time to do some hard thinking about what your organization's security means to your community. Most of us think in terms of our organizational risks, and I can't tell you how often I here C-level executives say things like "Well, we don't really have anything a hacker would want here, security isn't a priority." This, however, assumes a lot about what hackers might want, and probably incorrectly. To date, the largest threat to most organizations has been the desirability of using their systems as botnets. Now, more nefarious objectives may be at hand.

If you run a hospital or healthcare IT system, if you are responsible for IT at any company representing a significant chunk of the country's GDP, if you are CIO at a transportation company... think about what the security of your organization's IT infrastructure means to your community. Because even if they can't do this just yet, if they can disrupt your operations, then you may be more of a target than you ever realized.