How Vulnerable is U.S. Infrastructure to a Major Cyber Attack?
Could hackers take down key parts of our infrastructure? Experts say yes. They could use the very computer systems that keep America’s infrastructure running to bring down key utilities and industries, from railroads to natural gas pipelines. How worried should we be about hacking, the new weapon of mass disruption?
By Glenn Derene
To dramatize the threat posed by cyber attacks, pyrotechnics expert Drew Jiritano attached an explosive squib to the back of a laptop computer; stop-motion photography captured the results. PM’s digital imaging specialist Anthony Verduccio completed the concept.
The next world war might not start with a bang, but with a blackout. An enemy could send a few lines of code to control computers at key power plants, causing equipment to overheat and melt down, plunging sectors of the U.S. and Canadian grid into darkness. Trains could roll to a stop on their tracks, while airport landing lights wink out and the few traffic lights that remain active blink at random.
In the silence and darkness, citizens may panic, or they may just sit tight and wait for it all to reboot. Either way, much of the country would be blind and unresponsive to outside events. And that might be the enemy’s objective: Divert America’s attention while mounting an offensive against another country.
Pentagon planners have long understood the danger of cyber attacks on U.S. military networks. Indeed, the Defense Department’s Global Information Grid is one of the most frequently targeted computer networks on Earth. But the cat-and-mouse game of information espionage on military networks is not the only digital threat that keeps national-security experts up at night. There is a growing concern over the vulnerability of far more tangible assets essential to the economy and well-being of American citizens.
Much of the critical infrastructure that keeps the country humming—water-treatment facilities, refineries, pipelines, dams, the electrical grid—is operated using a hodgepodge of technologies known as industrial control systems. Like banks and telecommunications networks, which are also generally considered critical infrastructure, these industrial facilities and utilities are owned by private companies that are responsible for maintaining their own security.
But many of the control systems in the industrial world were installed years ago with few or no cyber-security features. That wasn’t a big problem when these systems were self-contained. But in the past two decades, many of these controls have been patched into company computer networks, which are themselves linked to the Internet. And when it comes to computer security, a good rule of thumb is that any device that is computer-controlled and networked is vulnerable to hacking.
Bad-guy hackers pulling the plug on public utilities is a common theme of Hollywood films, including 2007’s Live Free or Die Hard, but such scenarios present more than a mere fictional scare to U.S. intelligence officials. According to Melissa Hathaway, cyber-coordination executive for the Office of the Director of National Intelligence, the list of potential adversaries in a cyber attack is long, ranging from disgruntled employees to criminals to hostile nations.
Most experts agree that China and Russia routinely probe our industrial networks, looking for information and vulnerabilities to use as leverage in any potential dispute. James Lewis, a cyber-security expert for the policy think tank Center for Strategic and International Studies (CSIS), says that although cyber warfare couldn’t cripple the U.S., it could serve as an effective military tactic. “If I were China, and I were going to invade Taiwan,” he says, “and I needed to complete the conquest in seven days, then it’s an attractive option to turn off all the electricity, screw up the banks and so on.” Could the entire U.S. grid be taken down in such an attack? “The honest answer is that we don’t know,” Lewis says. “And I don’t like that answer.”
Ghosts in the Machine
In January 2008, senior CIA analyst Tom Donahue dropped a bombshell on a small conference of government officials and power-company engineers from the U.S. and Europe. He told them that extortionists had managed to hack into utilities in multiple regions outside the United States and disrupt power equipment. “In at least one case,” he said, “the disruption caused a power outage affecting multiple cities.” The CIA has been highly secretive about the incident, and Donahue would not discuss where the blackouts occurred or what companies were affected. But he admitted that the CIA had no idea who had perpetrated the attacks. Hackers had shaken down a public utility, it seems, and had gotten away with it.
Some security professionals think that government officials have been guilty of as much drama-mongering on the issue as Hollywood has. “Honestly, I think the threat is overblown,” says Bruce Schneier, author of Schneier on Security. “The risks today are due more to errors than to malicious intent.” He sees Donahue’s story as nothing more than a tenebrous rumor. Nevertheless, Schneier thinks vulnerabilities in infrastructure will eventually become a real national-security threat.
The problem is that the errors that Schneier refers to can cause bad things to happen. Much of computer hacking is predicated on exploiting glitches in commonly used systems. Such exploits on a Windows PC are irritating, but at a nuclear facility, they can be unnerving.
In August 2006, a glitch shut down the Browns Ferry nuclear power plant in northern Alabama. Plant administrators lost control of recirculation pumps on one of the plant’s reactors because of excessive data traffic on the control-system network. The plant was forced to go offline temporarily.
Nuclear plants are designed to shut down in the event of major malfunctions to prevent a Chernobyl-style catastrophe. But they also generate almost 20 percent of U.S. power. What if a hacker exploited a coding error in a cooling system to shut down a sizable piece of the nation’s power supply?
Incidents of digital malfunctions that cause danger to human life are rare, but such events have happened. In June 1999, in Bellingham, Wash., shortly before a routine delivery of gasoline by the Olympic Pipe Line Co., a worker updated a database for the company’s pipeline computer-control system. According to a report by the National Transportation Safety Board, a simple typo in the database caused the system to fail, disabling remote control for the pipeline’s operators, 98 miles away in Renton, Wash. Pressure began to build in the line, so the operator issued a command to open a secondary pump to relieve it, but the system was unresponsive. A weak point in the pipeline ruptured, releasing 237,000 gal of gasoline into nearby Whatcom Creek. An hour and a half later, the gasoline ignited. The ensuing fireball scorched more than a mile of riverbank, killing three people, including two 10-year-old boys, and damaging the city’s water-treatment facility.
The Aurora Vulnerability
Conventional wisdom about digital attacks is that you can steal information, and you may even be able to shut down critical systems, but any damage would be temporary and superficial. A cyber attacker could generate a lot of confusion by killing the lights in California, but give the state and utility officials a few days to reset the systems, and everything would be back up and running. It’s a phenomenon that infrastructure security expert Eric Byres, of Byres Security, refers to as “weapons of mass annoyance.”
In 2007, however, a video leaked out of the Department of Homeland Security that showed an experiment the DHS had sponsored at Idaho National Laboratory. In the video, a massive, green diesel generator shakes violently and belches smoke as it goes into total meltdown. Dubbed the Aurora experiment, it demonstrated how an over-the-Internet cyber attack could cripple big, essential machines.
When the video hit CNN, it alarmed many in the utilities industry. Most of the details of the Aurora vulnerability have not been released, but DHS statements about the experimental hack describe it as a man-in-the-middle, or spoofing, attack, in which a malicious computer intercepts all traffic going between two other computers, essentially controlling the line of communication between them. According to Sean McGurk, director of control systems security for the DHS, the vulnerability was common to control systems throughout critical infrastructure.
The Saboteur’s Story
The most frequently told anecdote in the world of infrastructure cyber security is that of Maroochy Shire. The incident, which occurred in Queensland, Australia, is viewed by many in the industry as an object lesson in the damage that can be done when someone with computer skills and a grudge takes aim at a public system. In 2000, Vitek Boden, a computer expert in his late 40s who had been turned down for a job in municipal government, rigged up his laptop computer to a radio-frequency wireless transceiver to hack into the city’s computerized wastewater management system. Over the course of two months, Boden broke into the system 46 times, instructing it to spill hundreds of thousands of gallons of raw sewage into rivers, parks and public areas. He was finally caught when a police officer pulled him over and found control-systems equipment in his car. The reason the Maroochy Shire incident is recounted so frequently is that it shows how difficult it is to thwart hackers who want to disrupt the infrastructure, since attacks can come from almost anywhere. An insider with detailed knowledge could target a specific company’s system, or a hacker could launch an anonymous Internet assault from a distant country.
The Department of Homeland Security’s Computer Emergency Readiness Team (known as US-CERT) encourages industry to report cyber accidents and intrusions, but there are few legal requirements for private companies to do so. It is possible that many more incidents have occurred, and companies have simply kept them quiet.
Infrastructure is meant to last a long time, so upgrades to existing systems tend to occur at a glacial pace. “There is a long life cycle associated with this,” says Jeff Dagle, chief electrical engineer at the Department of Energy’s Northwest National Labs. “Utilities are used to this equipment lasting 30 years.” Nevertheless, big utilities and industrial facilities are starting to see cyber security as a reliability issue, and are modernizing their equipment, building redundant, multitiered networks (a tactic known in military circles as “defense in depth”). The caveat is that with big utility networks such as the electrical grid, telecommunications or pipelines, a clever adversary wouldn’t attack the well-defended components of the system. “Why should I go after the company that put a lot of money into securing its networks when I can get into one that hasn’t and damage them both?” asks the CSIS’s James Lewis.
Ironically, the current weakness of the economy may provide a shot in the arm for the digital defenses of critical infrastructure. Much of President Obama’s stimulus package is aimed at revitalizing infrastructure, and as antiquated equipment gets upgraded, modern security technology can be built in. One example is the Smart Grid, a Department of Energy plan that could receive around $4.5 billion to modernize the nation’s electricity delivery system with state-of-the-art computer controls. Of course, more computing technology in the grid allows for more potential attacks, but it could also mean a more robust and nimble defense.
The result may be infrastructure networks that are a lot like the Internet itself. The redundancy and flexibility of the Internet’s core architecture have allowed it to withstand two massive denial-of-service attacks—in 2002 and 2007—on the 13 Domain Name System root servers that make up the backbone of the system. In each instance, the servers absorbed incredible amounts of traffic as parts of the system either failed or came close to failing. To the engineers who run the system, it was terrifying, but the rest of the world barely noticed. If our infrastructure were that robust, the cyber war of the future might have little more impact on your life than a dimming of the lights and a shrug of your shoulders.