An attack on a computer network shuts down a power plant, plunging New York City into darkness. A control tower at an airport is suddenly overwhelmed with false signals from nonexistent airplanes.
Could a terrorist group or foreign country mount a cyberattack that causes this sort of crisis? Secretary of Defense Leon Panetta thinks so.
In October 2012, Panetta warned a group of business executives about a "cyber Pearl Harbor"— a massive cyberattack upon the United States that would compromise critical pieces of infrastructure.
The term wasn't Panetta's invention. Experts have been using "cyber Pearl Harbor" ever since it became clear in the mid-1990s that such attacks were possible.
More recent events have erased all doubt. The Stuxnet worm of 2010 demonstrated that a piece of malware can do real harm to an industrial system, even one not connected to the Internet.
Stuxnet, which was likely created by the U.S. or Israel, altered the rate of spin of uranium centrifuges in an Iranian nuclear facility, spinning them faster until they broke. At the same time, it fed false information to the facility operators, reporting that everything was functioning normally.
Critical infrastructure systems, such as power plants or transportation systems, are vulnerable because today's industrial processes are largely controlled by computers.
Small workhorse computers known as programmable logic controllers (PLCs) operate the machinery. PLCs in turn are controlled by industrial control systems (ICSs) that humans use.
Large-scale ICSs, often spanning geographically separated facilities, are called supervisory control and data acquisition (SCADA) systems.
Since both PLCs and SCADA systems use commonly distributed software, they are vulnerable to disruption and to hacking.
"It’s really not a challenge to find new vulnerabilities in SCADA systems, because it's designed without security in mind," said Sergey Gordeychik, chief technology officer at Positive Technologies, a London-based company that assesses IT vulnerabilities for industry.
In one sense, the comparison to Pearl Harbor might be misleading, argued Jon Stanford, director of power and utilities security at the worldwide accounting firm PriceWaterhouseCoopers.
"The motives [of cyberattacks] aren't clear, and the perpetrators aren't visible," Stanford said.
The attack on Pearl Harbor had a specific objective: Cripple the U.S. Navy's Pacific fleet. It was also clear that the Japanese navy carried out the attack. Such clarity is rare in cyberspace.
While the possibility of a massive cyberattack upon American infrastructure is a real concern, it's important to put it in perspective, experts say.
Robert Graham, chief executive officer of Atlanta consulting firm Errata Security, noted that hacking is a matter of both luck and skill.
"China could easily send tourists over to make fertilizer bombs to blow up substations and long-distance power lines, and create a much greater effect" than a hacker could, Graham said.
The question, Graham said, is always how likely a given line of attack is.
So what are some of the juiciest targets for cyberattackers? Here are 10.
Industrial control systems are vital to running power plants, especially nuclear power plants. Altering the information put out by monitoring systems could lead to a series of cascading failures that could cause a nuclear plant to shut down, or, in the worst cases, to suffer a fuel-core meltdown.
The great Northeastern blackout of Aug. 14, 2003, which cut off power to Detroit, Toronto and New York, was caused by overheated power lines sagging into trees near Cleveland, according to a join Canadian-U.S. official report.
Some security experts contend that a piece of Windows malware called the Blaster worm, which had spread rapidly through the Internet in the previous three days, may have played a role by hampering communications among dozens of different power companies.
It's still not clear whether Blaster did in fact worsen the blackout. What is clear is that malware can indeed disrupt the industrial control systems at power plants.
At the 2012 Black Hat and DEFCON security conferences in Las Vegas, security researchers Andrei Costin and Brad Haines separately showed how they could "spoof" an aircraft's signal to an air-traffic controller using off-the-shelf equipment.
The hacks were done on the ADS-B system, which replaces radar and uses GPS and unencrypted radio data links to locate a plane in flight.
But as Costin and Haines demonstrated, it's not hard to create radio transmissions from "ghost" flights that don't exist.
As for GPS, its weak signals are easy to jam. In 2009, Newark Liberty International Airport traced air-traffic-control disruptions to local truck drivers who used illegal GPS jammers so their boss couldn't tell where they were.
ADS-B is a core part of the Next Generation Air Transportation System, which is currently being deployed by the Federal Aviation Administration and scheduled to be fully in place by 2020.
A stock-market plunge by itself won't cripple an economy, but it can certainly result in losses of millions of dollars or even do in a big financial firm.
In 1995, the 230-year-old British investment bank Barings was destroyed by a $1.3 billion loss in the Asian options markets by a single Singapore-based trader who falsified records to cover his tracks.
In 2010, a cascade of rapid-fire trades caused the "Flash Crash" that brought the Dow Jones Industrial Average down by 1,000 points in minutes.
In August 2012, a "technology breakdown" at Knight Capital Group in Jersey City, N.J., caused rapid computerized-trading glitches, causing price disruptions in dozens of stocks. Some soared while others crashed.
None of these incidents was the result of a hack, but it's not hard to imagine a hacker causing a lot of mayhem by breaching the security of a trading system. All he would need to do would be to surreptitiously alter a trading algorithm.
Many road-traffic control systems are now computer-controlled, and some are even being networked.
In the classic 1969 crime caper "The Italian Job," British gold thieves fed malicious software into the city of Turin's road-traffic-control computer, causing traffic jams that allowed the robbers, driving tiny Mini Coopers, to escape police.
That was fiction. But if a piece of malware were to interfere with a road-traffic-control system's proper functioning — for example, the traffic lights of greater Los Angeles at rush hour — there could indeed be gridlock.
For at least three months in early 2000, malicious commands were sent via radio transmission to sewage-treatment pump stations in southern Queensland, Australia. Raw sewage was pumped into parks, rivers, canals, a harbor and even the grounds of a local Hyatt Regency hotel.
The culprit was Vitek Boden, a man who had been denied a job by the local public water utility. He had likely helped install the radio-controlled PLCs on the pump stations when he worked for a private contractor.
In November 2011, a hacker who called himself "pr0f" posted images online of the SCADA system that managed water infrastructure in South Houston, Texas.
Pr0f had been angry over the security industry's dismissive reaction to an alleged cyberattack on an Illinois water facility, which turned out to be a false alarm.
Pr0f didn't do anything to the South Houston plant; he only wanted to point out that he could have, and that it was stupid to connect such systems to the Internet.
In the United States, water-delivery and wastewater-treatment systems are fairly decentralized, but that doesn't make them immune.
The attack in Australia came from a disgruntled employee, but it isn't hard to imagine a terrorist — or a kid out for laughs — trying the same thing in this country.