Date:30 April 2009
Hackers could use the very computer systems that keep America’s infrastructure running to bring down key utilities and industries. Is it time to start worrying?
The next world war might not start with a bang, but with a blackout. An enemy could send a few lines of code to control computers at key power plants, causing equipment to overheat and melt down, plunging sectors of the US and Canadian grid into darkness.
Trains could roll to a stop on their tracks, airport landing lights wink out and the few traffic lights that remain active blink at random. In the ensuing silence and darkness, citizens may panic, or they may just sit tight and wait for it all to reboot. Either way, much of America would be blind and unresponsive to outside events. And that might be the enemy’s objective: divert the superpower’s attention while mounting an offensive against another country.
Pentagon planners have long understood the danger of cyber attacks on US military networks. Indeed, the Defence Department’s Global Information Grid is one of the most frequently targeted computer networks on Earth. But the cat-and-mouse game of information espionage on military networks is not the only digital threat that keeps national security experts up at night. There is a growing concern over the vulnerability of far more tangible assets essential to the economy and wellbeing of American citizens.
Much of the critical infrastructure that keeps America humming – water-treatment facilities, refineries, pipelines, dams, the electrical grid – is operated using a hodgepodge of technologies known as industrial control systems. Like banks and telecommunications networks, which are generally considered critical infrastructure, these industrial facilities and utilities are owned by private companies that are responsible for maintaining their own security.
But many of the control systems in the industrial world were installed years ago with few or no cyber-security features. That wasn’t a big problem when these systems were self-contained. But in the past two decades, many of these controls have been patched into company computer networks, which are themselves linked to the Internet. And when it comes to computer security, a good rule of thumb is that any device that is computer-controlled and networked is vulnerable to hacking.
Bad-guy hackers pulling the plug on public utilities is a common theme of Hollywood films, including 2007’s , but such scenarios present more than a mere fictional scare to US intelligence officials. According to Melissa Hathaway, cyber-co-ordination executive for the Office of the Director of National Intelligence, the list of potential adversaries in a cyber attack is long, ranging from disgruntled employees to criminals to hostile nations.
Most experts agree that China and Russia routinely probe America’s industrial networks, looking for information and vulnerabilities to use as leverage in any potential dispute. James Lewis, a cybersecurity expert for the policy think tank Centre for Strategic and International Studies (CSIS), says that although cyber warfare couldn’t cripple the US, it could serve as an effective military tactic.
“If I were China and I were going to invade Taiwan,” he says, “and I needed to complete the conquest in seven days, then it’s an attractive option to turn off all the electricity, screw up the banks and so on.” Could the entire US grid be taken down in such an attack? “The honest answer is that we don’t know,” Lewis says. “And I don’t like that answer.”
Ghosts in the machine
In January 2008, senior CIA analyst Tom Donahue dropped a bombshell on a small conference of government offi cials and power-company engineers from the US and Europe. He told them that extortionists had managed to hack into utilities in multiple regions outside the United States and disrupt power equipment. “In at least one case,” he said, “the disruption caused a power outage affecting multiple cities”.
The CIA has been highly secretive about the incident, and Donahue would not discuss where the blackouts occurred or what companies were affected. But he admitted that the CIA had no idea who had perpetrated the attacks. Hackers had shaken down a public utility, it seems, and had got away with it.
Some security professionals think that government officials have been guilty of as much drama-mongering on the issue as Hollywood has. “Honestly, I think the threat is overblown,” says Bruce Schneier, author of . “The risks today are due more to errors than to malicious intent.” He sees Donahue’s story as nothing more than a gloomy rumour. Nevertheless, Schneier thinks vulnerabilities in infrastructure will eventually become a real national-security threat.
The problem is that the errors that Schneier refers to can cause bad things to happen. Much of computer hacking is predicated on exploiting glitches in commonly used systems. Such exploits on a Windows PC are irritating, but at a nuclear facility, they can be unnerving.
In August 2006, a glitch shut down the Browns Ferry nuclear power plant in northern Alabama. Plant administrators lost control of recirculation pumps on one of the plant’s reactors because of excessive data traffic on the control-system network. The plant was forced to go temporarily offline.
Nuclear plants are designed to shut down in the event of major malfunctions to prevent a Chernobyl-style catastrophe. But they also generate almost 20 per cent of US power. What if a hacker exploited a coding error in a cooling system to shut down a sizeable piece of America’s power supply?
Incidents of digital malfunctions that cause danger to human life are rare, but such events have happened. In June 1999, in Bellingham, Washington, shortly before a routine delivery of petrol by the Olympic Pipe Line Company, a worker updated a database for the company’s pipeline computer-control system.
According to a report by the National Transportation Safety Board, a simple typo in the database caused the system to fail, disabling remote control for the pipeline’s operators, 158 km away in Renton, Washington. Pressure began to build in the line, so the operator issued a command to open a secondary pump to relieve it, but the system was unresponsive.
A weak point in the pipeline ruptured, releasing 897 000 litres of petrol into nearby Whatcom Creek. An hour and a half later, the petrol ignited. The ensuing fireball scorched 1,6 km of riverbank, killing three people, including two 10-yearold boys, and damaged the city’s water-treatment facility.
The aurora vulnerability
Conventional wisdom about digital attacks is that you can steal information, and you may even be able to shut down critical systems, but any damage would be temporary and superficial. A cyber attacker could generate a lot of confusion by killing the lights in California, but give the state and utility officials a few days to re-set the systems, and everything would be back up and running. It’s a phenomenon that infrastructure security expert Eric Byres, of Byres Security, refers to as “weapons of mass annoyance”.
In 2007, however, a video leaked out of the Department of Homeland Security that showed an experiment the DHS had sponsored at Idaho National Laboratory. In the video, a massive diesel generator shakes violently and belches smoke as it goes into total meltdown. Dubbed the Aurora experiment, it demonstrated how an over-the-Internet cyber attack could cripple big, essential machines.
When the video hit CNN, it alarmed many in the utilities industry. Most of the details of the Aurora vulnerability have not been released, but DHS statements about the experimental hack describe it as a man-in-the-middle, or spoofing, attack, in which a malicious computer intercepts all traffic going between two other computers, essentially controlling the line of communication between them. According to Sean McGurk, director of control systems security for the DHS, the vulnerability was common to control systems throughout critical infrastructure.
The saboteur’s story
The most frequently told anecdote in the world of infrastructure cyber security is that of Maroochy Shire. The incident, which occurred in Queensland, Australia, is viewed by many in the industry as an object lesson in the damage that can be done when someone with computer skills and a grudge takes aim at a public system.
In 2000, Vitek Boden, a computer expert in his late 40s who had been turned down for a job in municipal government, rigged up his laptop computer to a radio-frequency wireless transceiver to hack into the city’s computerised wastewater management system. Over the course of two months, Boden broke into the system 46 times, instructing it to spill hundreds of thousands of litres of raw sewage into rivers, parks and public areas. He was finally caught when a police officer pulled him over and found control-systems equipment in his car.
The reason the Maroochy Shire incident is recounted so frequently is that it shows how difficult it is to thwart hackers who want to disrupt the infrastructure, since attacks can come from almost anywhere. An insider with detailed knowledge could target a specific company’s system or a hacker could launch an anonymous Internet assault from a distant country.
The Department of Homeland Security’s Computer Emergency Readiness Team (known as US-CERT) encourages industry to report cyber accidents and intrusions, but there are few legal requirements for private companies to do so. It is possible that many more incidents have occurred, and companies have simply kept them quiet.
Infrastructure is meant to last a long time, so upgrades to existing systems tend to occur at a glacial pace. “There is a long life cycle associated with this,” says Jeff Dagle, chief electrical engineer at the Department of Energy’s Northwest National Labs. “Utilities are used to this equipment lasting 30 years.”
Nevertheless, big utilities and industrial facilities are starting to see cyber security as a reliability issue, and are modernising their equipment, building redundant, multi-tiered networks (a tactic known in military circles as “defence in depth”). The caveat is that with big utility networks such as the electrical grid, telecommunications or pipelines, a clever adversary wouldn’t attack the well-defended components of the system.
“Why should I go after the company that put a lot of money into securing its networks when I can get into one that hasn’t and damage them both?” asks the CSIS’s James Lewis.
Ironically, the current weakness of the economy may provide a shot in the arm for the digital defences of critical infrastructure. Much of President Obama’s stimulus package is aimed at revitalising infrastructure, and as antiquated equipment gets upgraded, modern security technology can be built in.
One example is the Smart Grid, a Department of Energy plan that could receive around R47 billion to modernise America’s electricity delivery system with state-of-the-art computer controls. Of course, more computing technology in the grid allows for more potential attacks, but it could also mean a more robust and nimble defence.
The result may be infrastructure networks that are a lot like the Internet itself. The redundancy and flexibility of the Internet’s core architecture has allowed it to withstand two massive denial-of-service attacks – in 2002 and 2007 – on the 13 Domain Name System root servers that make up the backbone of the system. In each instance, the servers absorbed incredible amounts of traffic as parts of the system either failed or came close to failing.
To the engineers who run the system, it was terrifying, but the rest of the world barely noticed. If our infrastructure were that robust, the cyber war of the future might have little more impact on your life than a dimming of the lights and a shrug of your shoulders.
Much of America’s infrastructure is computer-controlled and therefore subject to hacking.
Railway networks, shipyards, airports and city traffic systems all rely on centralised computer networks to run smoothly. Last year, two Los Angeles traffic engineers pleaded guilty to accessing the Automated Traffic Surveillance Centre and shutting down four traffic lights to influence a union dispute.
Modern banking is entirely reliant on digital money transfer and computer databases. In January, a tech contractor was indicted for planting a digital “logic bomb” on mortgage giant Fannie Mae’s servers. The malicious code was designed to destroy all data on the company’s network.
The bad news is that telecommunications connects everything and vulnerabilities are manifest. The good news is that the sprawling system is hard to knock out of commission because of redundant connections across widely distributed fibre optic lines and backbone computers.
It may not be the first target most people think about, but the outdated computer-control systems that regulate the flow of water and wastewater could make easy targets for hackers. In 2006, computers at a Harrisburg, Pennsylvania, water-filtering plant were hijacked for the distribution of spam e-mail.
America’s oil and gas pipelines and electrical grid depend on an awkward marriage of antiquated control-system hardware and modern information technology. The infrastructure itself is spread over vast distances and owned by multiple companies. Here are five cyber-security holes in America’s energy network – and ways to fix them.
* Human nature can sometimes provide an easy end run around a strong firewall. An old hacker trick is to drop a USB drive in a public area, then count on the curiosity of passers-by to do the rest. When a facility employee plugs the USB drive into his work computer to identify the owner of the device, the drive automatically installs hidden rootkit software that invites the bad guys in.
It may sound mundane, but a good deal of cyber security is awareness and education. Hackers are con artists as well as computer scientists, so employees of infrastructure facilities should be taught not to fall for social-engineering tricks.
* The most dangerous threat to any facility’s computer system is someone who understands its inner workings. A disgruntled computer tech can install hardware, such as a DSL modem, that enables him to access and control the refinery’s network remotely.
Split up network maintenance between multiple employees. Keep a detailed inventory of all equipment connected to industrial control systems.
* Attackers have a variety of options for breaking into an industrial facility’s operations: Often, control systems are connected to corporate systems, so commonly known Windows or server vulnerabilities can open a back door into the control room. Some equipment may be so old that it is accessible by dialup modem. Hackers can search for vulnerable equipment by using a “war-dialler” program that automatically calls through a list of phone numbers looking for modems.
Experts advocate placing firewalls between corporate networks and control systems and installing accesscontrol software on old equipment.
* Compressor station Pipelines and other sprawling infrastructure systems have many remote, unmanned substations. Entry is often a matter of cutting a fence and jacking into the controls with a laptop. Many facilities have wireless access points that could allow attackers to log in from a distance – no bolt cutters required.
Cyber security often means physical security such as taller fences and tougher locks. Plus, wireless access for critical control systems should be password-protected.
* An attack on one utility can cripple downstream facilities. For example, nearly half the electrical power in California is generated using natural gas. A cyber attack on compressor stations that fuel electrical power plants could result in multistate blackouts.
Upcoming Smart Grid tech will add intelligence to control systems, automatically rerouting power during a crisis.
Dear Mr Editor
Cyber attacks on the world’s computer-controlled infrastructure could bring down key utilities and industries. Just how worried should we be? To read what other had to say and to post a comment of your own, click here