Safety: Assessing the infrastructure risk

Special report: Despite nightmarish fears of cyberterrorism, security experts say any digital attack would be measured in loss of data, not life.

By Robert Lemos
Staff Writer, CNET News.com
August 26, 2002, 4:00 a.m. PT

In 1998, a 12-year-old hacker broke into the computer system that controlled the floodgates of the Theodore Roosevelt Dam in Arizona, according to a June Washington Post report. If the gates had been opened, the article added, walls of water could have flooded the cities of Tempe and Mesa, whose populations total nearly 1 million.

There was just one problem with the account: It wasn't true.

A hacker did break into the computers of an Arizona water facility, the Salt River Project in the Phoenix area. But he was 27, not 12, and the incident occurred in 1994, not 1998. And while clearly trespassing in critical areas, the hacker never could have had control of any dams--leading investigators to conclude that no lives or property were ever threatened.


Fear of cyberterrorism has led to false ideas about the damage that can be inflicted on U.S. infrastructure facilities. Here is a list of some possible--though still improbable--worst-case cyberattacks, followed by more realistic threats.

Electricity (power lines, transmission facilities)
Worst-case cyberattack: An attack on control systems via wireless, modem or Internet access could cause localized brownouts or blackouts.
More realistic threat: Physical destruction of generating plants or transmission facilities could cause brownouts or blackouts for days.

"All the electric companies are connected to the Web in one way or another, but that doesn't mean that the control systems are."
--Ellen Vancko, representative, North American Electric Reliability Council

Surface transportation (railroads, trucks, barges and buses)
Worst-case cyberattack: An attacker could use the Internet to gain access to one of 500 small railroads' control systems and cause two trains to take the same track and collide.
More realistic threat: Use of explosives on trains or trucks carrying hazardous materials could cause an environmental disaster.

"We simply know there is room for damage to be done, and we are trying to take steps to plug any holes in the system. Are we taking cyberterrorism more seriously than physical terrorism? No. They are both threats."
--Nancy Wilson, senior assistant vice president, Association of American Railroads

Water (reservoirs, canals, dams and water treatment facilities)
Worst-case cyberattack: Water could be contaminated with untreated waste or high levels of chlorine or other chemicals by attacks on control systems via wireless, modem or Internet access.
More realistic threat: Physically adding a biological or chemical agent to the water could cause people who drink it to become ill. Frequent testing of the water minimizes this risk, however.

"If you had so many dollars to spend on water-system security, most of it would go to the physical side."
--Diane VanDe Hei, executive director, Association of Metropolitan Water Agencies

Energy (energy trading, energy plant operation, exploration, but not pipelines)
Worst-case cyberattack: Disrupting the parts of the Internet used by the energy trading systems could halt buying and selling and cause a temporary energy shortage.
More realistic threat: Physical destruction of refineries or pipelines could cause a shortage and an environmental disaster.

"We depend greatly on the Internet. Any interruption in that fabric could cause problems."
--Carl Tianen, chairman, Energy Information Sharing and Analysis Center (ISAC)

Financial infrastructure (banks, trading houses and other financial firms)
Worst-case cyberattack: A worm that disables key servers and networks could create enough disruption that a financial market would be forced to close.
More realistic threat: Combining a cyberattack that disables computer networks and a physical attack that destroys key facilities could disrupt multiple markets and significantly lengthen an outage.

"We are so interrelated--the payment systems, the clearing systems and the financial distribution--that an effect on one has an effect on everybody."
--Stash Jarocki, chairman, Financial Services ISAC

Information technology (server, computer and network software)
Worst-case cyberattack: Vulnerabilities in flawed software could be used to gain access to specific critical systems to aid a cyberattack on other infrastructure elements or to cause widespread Internet communications problems.
More realistic threat: Vulnerabilities in flawed software could be used to gain access to specific critical systems to aid a cyberattack on other infrastructure elements.

"To say that you can't see the possibility (of a crippling cyberattack) is blinding yourself and preventing the nation from protecting itself."
--Greg Akers, president, IT-ISAC

"It's like the children's game of 'telephone,'" said Gail Thackery, assistant attorney general for Arizona and the prosecutor on the Salt River hacking case. "You get the reality at one end and, at the other end, something completely different."

The misreported incident serves as a metaphor for today's pressing debate over the Internet's vulnerability to attack. While warnings pervade government and the media, doomsday scenarios of cyberterrorism that result in massive deaths or injury remain largely the stuff of Hollywood scripts or conspiracy theory.

Although it is possible for electronic intrusions to damage infrastructure and threaten physical danger, taking control of those systems from the outside is extremely difficult, requires a great deal of specialized knowledge and must overcome non-computerized fail-safe measures. As a result, government and corporate security experts--while careful not to dismiss the gravity of the issue--point to this indisputable fact: It is still easier to bomb a target than to hack a computer.

"If we had so many dollars to spend on a water system, most of it would go to physical security," said Diane VanDe Hei, executive director of the Association of Metropolitan Water Agencies and point person for the Information Sharing and Analysis Center (ISAC) for the water utilities.

In a so-called "digital Pearl Harbor" exercise sponsored by the U.S. Naval War College and Gartner last month, analysts posing as terrorists were able to simulate a large-scale cyberattack on the nation's infrastructure. But to do so they needed $200 million, high-level intelligence and five years of preparation time. The college concluded that such an offense could cripple communications in a heavily populated area but would not result in deaths or other catastrophic consequences.

Yet the hyperbole about an Internet attack frequently overshadows common sense. On Sept. 11, it took less than 24 hours after four passenger jets were used as weapons of mass destruction for cries of cyberterrorism to emerge as the next great threat, triggering calls for new legislation to broaden the authority of law enforcement agencies.

"Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives," said Rep. Lamar Smith, R-Texas, in a statement heralding the House's passage of the Cyber Security Enhancement Act last month. His favorite tag line: "A mouse can be just as dangerous as a bullet or a bomb."

That sort of rhetoric is why many dislike the term "cyberterrorism." Ambiguity over its definition--and, therefore, which threats are real and which are not--has confused the public and given rise to countless myths. The phrase has become a catchall buzzword that evokes nightmare images that can be exploited to support political agendas ranging from stronger surveillance authority to tighter immigration controls.

"If you say cyberterrorism, you confuse people," said Richard Clarke, President Bush's special adviser for cybersecurity. "Osama bin Laden is not going to come for you on the Internet."

Cyberattacks come in two forms: one against data, the other on control systems. The first type attempts to steal or corrupt data and deny services. The vast majority of Internet and other computer attacks have fallen into this category, such as credit-card number theft, Web site vandalism and the occasional major denial-of-service assault.

Control-system attacks attempt to disable or take power over operations used to maintain physical infrastructure, such as "distributed control systems" that regulate water supplies, electrical transmission networks and railroads. While remote access to many control systems has previously required an attacker to dial in with a modem, these operations are increasingly using the Internet to transmit data or are connected to a company's local network--a system protected with firewalls that, in some cases, could be penetrated.

Still, Clarke and other security officials say any damage resulting from electronic intrusion would be measured in loss of data, not life.

"It would be relatively easy to conduct a cost-free or risk-free attack given the endemic vulnerabilities in our system," said Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth University and a former director of the National Infrastructure Protection Center, the cybersecurity arm of the FBI. "It would be harder to kill people or have a lasting effect using cyberattacks."

It is true, however, that data attacks could have severe consequences without causing deaths. Many power companies and water utilities are operated with networks of computer-controlled devices, known as supervisory control and data acquisition (SCADA) systems, which could be hacked.

SCADA systems could be attacked by overloading a system that, upon failure, causes other operations to malfunction as well, said John Dubiel, a Gartner consultant who worked on the electrical power attack in last month's war games. Such domino effects have been seen in incidents resulting from natural events.

In 1996, the power along much of the West Coast corridor went out for nine hours after a tree branch fell on some power lines and, in combination with several other problems, caused a cascading failure. In 1990, a similar event with an AT&T switch touched off a chain reaction that shut down long-distance communications across the United States.

"The system attacks itself in these cases," Dubiel said.

Making matters worse, more than 80 percent of such critical infrastructure is privately owned, and in many cases the companies have not been sufficiently educated about information security until recently. Security consultants have attested that many utilities have an indirect path to the Internet from their SCADA master terminals.
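The "indirect path" the consultants describe is rarely a deliberate design choice; it emerges when several individually reasonable firewall rules chain together. The following is an added example, not code from the article or from any utility it quotes. It models network zones and the connections each firewall permits as a directed graph and searches for any chain of permitted flows that leads from the Internet to a control-system zone. All zone names, rules and the two topologies are constructed for illustration; a real audit would feed it the actual rule base.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# A flow is (source zone, destination zone): the source may open connections to the
# destination through the firewall between them. Values are human-readable reasons
# the rule exists. Everything here is a constructed example, not a real rule base.
Flow = Tuple[str, str]
FlowTable = Dict[Flow, str]


def find_path(flows: FlowTable, src: str, dst: str) -> Optional[List[str]]:
    """Breadth-first search over permitted flows.

    Returns the first chain of zones that lets a connection originating in `src`
    reach `dst` (each hop is a separately permitted flow), or None when no
    combination of rules connects them."""
    parents: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path: List[str] = []
            while zone is not None:
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for (a, b) in flows.keys():
            if a == zone and b not in parents:
                parents[b] = zone
                queue.append(b)
    return None


def exposed_control_zones(flows: FlowTable, control_zones: List[str],
                          entry: str = "internet") -> Dict[str, List[str]]:
    """Map each control zone reachable from `entry` to the chain of hops that reaches it.
    An empty result is the condition an auditor wants to see."""
    found = {}
    for zone in control_zones:
        path = find_path(flows, entry, zone)
        if path is not None:
            found[zone] = path
    return found


CONTROL_ZONES = ["scada-master", "plc-network"]

# Constructed "weak" topology: every rule looks harmless on its own, but the
# historian on the corporate LAN is allowed to poll the SCADA master directly.
WEAK_FLOWS: FlowTable = {
    ("internet", "dmz"): "public web server",
    ("dmz", "corporate-lan"): "web application reaches its database",
    ("corporate-lan", "internet"): "staff browsing and e-mail",
    ("corporate-lan", "scada-master"): "historian polls the master terminal",
    ("scada-master", "plc-network"): "master polls field controllers",
}

# Constructed "hardened" topology: the master pushes data outward to a historian in
# its own zone, and nothing is allowed to open a connection toward the master.
HARDENED_FLOWS: FlowTable = {
    ("internet", "dmz"): "public web server",
    ("dmz", "corporate-lan"): "web application reaches its database",
    ("corporate-lan", "internet"): "staff browsing and e-mail",
    ("corporate-lan", "historian"): "staff read the replicated historian",
    ("scada-master", "historian"): "master pushes process data one way",
    ("scada-master", "plc-network"): "master polls field controllers",
}

if __name__ == "__main__":
    for name, table in (("weak", WEAK_FLOWS), ("hardened", HARDENED_FLOWS)):
        print(name, exposed_control_zones(table, CONTROL_ZONES))
```

The model tracks who may initiate a connection, not which way data moves; the hardened table encodes the usual mitigation of letting the control zone push data out while no inbound rule exists. Running the audit over the weak table reports the four-hop chain internet, dmz, corporate-lan, scada-master (and the PLC network behind it), while the hardened table reports nothing even though staff can still read the historian.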


Several large cyberattacks have threatened the U.S. infrastructure over the past decade or so, but none has resulted in death or mass destruction.

2001:
In September, Nimda virus worms its way into servers and networks Internet-wide, hitting the financial industry especially hard.

2000:
In February, denial-of-service attacks flood Yahoo, eBay, CNN and ZDNet with data, blocking access for many users for two to three hours.

LoveLetter virus strikes companies worldwide in May, flooding e-mail servers as it spreads.

1997:
A technician at a small Virginia ISP updates the company's router with erroneous information. The changes cause a large portion of critical Internet routers to crash.

A teenager disables a key telephone company computer servicing a small airport in Worcester, Mass., in March. The control tower loses critical services for six hours, but airplanes can still get information from radio and other airports in the vicinity.

1994:
A hacker known as Merc manages to dial into a server at the Salt River Project and explores computers used to monitor canals in the Phoenix region.

1990:
A glitch in an AT&T router causes a long-distance outage that lasts nine hours. Many believe falsely that a hacker took down the network.

1989:
The Legion of Doom hacker group "owns" the BellSouth telephone system and is able to tap lines, route calls and pose as technicians.

1988:
Robert Morris releases a worm that infects between 3,000 and 4,000 of the Internet's approximately 60,000 servers.

In November 2001, 49-year-old Vitek Boden was sentenced to two years in prison for using the Internet, a wireless radio and stolen control software to release up to 1 million liters of sewage into the river and coastal waters of Maroochydore in Queensland, Australia.

Boden, who had been a consultant on the water project, conducted the attack in March 2000 after he was refused a full-time job with the Maroochy Shire government. He had attempted to gain access to the system 45 times, and his last attempt proved successful, allowing him to release raw sewage into the waterways.

"Marine life died, the creek water turned black and the stench was unbearable for residents," said Janelle Bryant, investigations manager for the Australian Environmental Protection Agency.

That the facility failed to notice the first 44 attempts speaks volumes about the state of security at public utilities. In a 1997 survey of 50 utilities, then-graduate student Barry C. Ezell, a captain in the U.S. Army, found that 40 percent of water facilities allow their operators direct access to the Internet, and 60 percent of the SCADA systems could be connected by modem.

Ellen Vancko, a representative for the North American Electric Reliability Council, said such access should not always be considered unsafe. "All the electric companies are connected to the Web in one way or another," she said. "But that doesn't mean our control systems are hooked up to the public Net."

Granted, but an Internet connection does provide one more way for an electronic intruder to get into a system. Chris Wysopal, director of research and development for digital security firm @Stake, said he first looks for connections to the Net when called in to analyze the security of an infrastructure network.

"Whenever we see a control system connected to the Internet, that is scary. There is no need for it, except for productivity, and when you are talking about public safety, you should err on the side of security," said Wysopal, whose company has been hired for such audits only since Sept. 11. "We found a power plant where all the control systems had their administrative systems set to the same password."

Because firewalls and other internal protections are not always adequate, risk levels are increased exponentially if networks are connected to the Internet.

"Are we vulnerable? Absolutely. We have the massive bowl of spaghetti between the Internet, phone lines, and extranets, and no one can map it," said Assistant Attorney General Thackery. "We have miles and miles and miles of wire and none of it is secure. And we have all these windows and doors that are open, and they are still open."

She noted that the Net played a major role in a well-publicized incident in 1989, when the Legion of Doom hacker group seized control of much of the infrastructure of Southern Bell's telephone network. During the attack, the hackers could have tapped phone lines and even shut down the 911 system.

BellSouth "had 42 people that I knew of on 24-hour emergency alert to keep control of their network," said Thackery, who was forced to use an encrypted phone in the Secret Service's office in Phoenix because her line had been tapped. "To me, that's one of the scariest scenarios, and these were all college kids. Just pranksters."

Yet even the most notorious incidents have fallen well short of the type of massive destruction envisioned in some of the more imaginative warnings about cyberterrorism. The Queensland incident, for instance, claimed no lives and cost just $13,000 to clean up, and it was accomplished only with extensive inside knowledge.

Wysopal and many other security experts readily acknowledge that wide-scale infrastructure disruption is no easy feat. Even if an intruder manages to break in, he said, commandeering a system "still requires a fairly sophisticated skill set."


"Terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda and engage in secure communications.

Cyberterrorism--meaning the use of cybertools to shut down critical national infrastructures (such as energy, transportation or government operations) for the purpose of coercing or intimidating a government or civilian population--is clearly an emerging threat."

--J. T. Caruso, deputy executive assistant director, Counterterrorism/Counterintelligence, FBI, in March 21, 2002, testimony before the House Subcommittee on National Security, Veterans Affairs and International Relations

In last month's "Pearl Harbor" exercise, Gartner analysts playing the role of attackers reinforced that observation. "It is very hard to attack something that you don't have a specific knowledge of," said David Fraley, an analyst who simulated an attack on telecommunications networks.

Even in a successful attack on a metropolitan power grid, many critical systems--such as hospitals and prison operations--would continue running because they have independent generators. In addition, utilities and infrastructure operators have elaborate backup measures to protect the public even if a system is breached.

For example, if a hacker were to dramatically raise the chlorine levels of a reservoir, the contaminated water would probably never make it to the public because such supplies are typically tested up to five times before entering public pipelines. The Environmental Protection Agency requires utilities to look for more than 90 regulated contaminants in these tests. An easier attack, and one that such agencies spend more to prevent, is a terrorist dumping chemicals into a reservoir directly.

Federal authorities are also concerned about computer systems that control the nation's transportation systems, including trains, trucks, buses and barges. The railroad industry's networks alone are massive, with more than 500 small railroads to supervise.

"The railroad industry today is one of the biggest users of computer systems in the country," said Nancy Wilson, senior vice president of the Association of American Railroads and point person on the Surface Transportation ISAC. "We were early users of technology and we are big users of technology. If we lose computer capabilities, we would kind of grind to a halt."

For that reason, most rail companies have extensive safety measures and backup systems. Sensors tell when the track has been tampered with, and security mechanisms provide early warning alerts for possible intrusions.


Information sharing and analysis centers (ISACs) are up and running, or in the works, for all major infrastructures to help eliminate vulnerabilities. Here's a list of the main ones.

Chemical industry
American Chemistry Council / Chemical Transportation Emergency Center

Electric power
North American Electric Reliability Council

Energy trading and refineries
Energy ISAC

Finance and banking
Financial Services ISAC

Fire response
National Fire Academy

Food
Food Marketing Institute

Gas and oil pipelines
National Petroleum Council

Information technology
Information Technology ISAC

Law enforcement
National Infrastructure Protection Center

Railroad, trucking, barges and buses
Surface Transportation ISAC

Telecommunications
National Coordinating Center for Telecommunications

Water
Association of Metropolitan Water Agencies' Water ISAC

"We have had our share of little hacker problems, but they have never been serious," Wilson said. "I'm not saying we are perfect, but I am saying that we have come a long, long way toward identifying our vulnerabilities."

Redundant safety measures are also taken in manufacturing companies, many of which use SCADA systems. But that hasn't stopped the proliferation of popular urban legends.

In one such myth, a hacker breaks into a food company's network through a Web connection and manipulates a breakfast cereal recipe to add vastly higher levels of iron, threatening children who have a low tolerance for the mineral. Another rumor had a hacker gaining entry to a tank-manufacturing company and changing the temperature specifications for armor used in the vehicles, making the metal more brittle and vulnerable. Neither story is true.

Security experts generally agree that the infrastructure most susceptible to hacking alone is the Internet itself. They often point to the Nimda worm, which by some estimates caused as much as $3 billion in damages and lost productivity.

Some Internet vulnerabilities have been exposed without any attacks. At least one serious weakness was discovered in 1997 when a technician changed two lines of code and nearly brought down the global network for three hours.

The change occurred to one of the hundreds of thousands of routers that form a key part of the Internet infrastructure. Because of the two-line mistake by the technician at the McLean, Va.-based MAI Network Services, one of its routers indicated that it provided the best path to the entire Internet. Other routers then began sending all their data to the ISP's small leased line, crashing MAI's network and clogging systems around the world.
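What made the 1997 mistake global was that the neighbouring provider accepted everything the small ISP's router announced. The standard defence is an ingress policy on each customer session: a prefix list of the blocks the customer is entitled to announce, a check that the AS path really starts and ends at the customer, a ceiling on prefix length, and a max-prefix limit that shuts the session down when a customer suddenly offers far more routes than it should. The following is an added example, not code from the article or from any router vendor; it applies such a policy to a constructed set of BGP announcements. AS numbers, prefixes and the leak itself are constructed (documentation and private ranges), and real routers implement the same checks in configuration rather than Python.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Announcement:
    """One route as received on a BGP session (constructed, simplified model)."""
    prefix: str                 # e.g. "192.0.2.0/24"
    as_path: Tuple[int, ...]    # leftmost = neighbour that sent it, rightmost = origin AS


def accept_from_customer(announcements: Sequence[Announcement], customer_asn: int,
                         allowed_prefixes: Sequence[str], max_prefixes: int,
                         max_length: int = 24) -> Dict[str, object]:
    """Ingress policy a provider applies to routes learned from a customer.

    Returns a dict with the session status plus accepted routes and rejected
    (route, reason) pairs. Exceeding max_prefixes tears the whole session down,
    which is how a router stops a full-table leak before evaluating each route."""
    if len(announcements) > max_prefixes:
        return {
            "status": "shutdown",
            "accepted": [],
            "rejected": [(a, "max-prefix limit exceeded; session shut") for a in announcements],
        }

    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    accepted: List[Announcement] = []
    rejected: List[Tuple[Announcement, str]] = []
    for ann in announcements:
        net = ipaddress.ip_network(ann.prefix)
        if ann.as_path[0] != customer_asn:
            rejected.append((ann, "AS path does not start with the customer AS"))
        elif ann.as_path[-1] != customer_asn:
            rejected.append((ann, f"origin AS {ann.as_path[-1]} is not the customer"))
        elif net.prefixlen > max_length:
            rejected.append((ann, f"more specific than /{max_length}"))
        elif not any(net.subnet_of(block) for block in allowed):
            rejected.append((ann, "prefix not in the customer's prefix list"))
        else:
            accepted.append(ann)
    return {"status": "established", "accepted": accepted, "rejected": rejected}


# Constructed customer: AS 64500 may announce two documentation blocks.
CUSTOMER_ASN = 64500
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed session: one legitimate route and three that a filter should drop.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", (64500,)),          # legitimate
    Announcement("198.51.100.0/25", (64500,)),       # too specific
    Announcement("203.0.113.0/24", (64500,)),        # someone else's block re-originated
    Announcement("192.0.2.0/24", (64500, 64496)),    # customer claims a path to another origin
]

# Constructed leak: the customer suddenly offers 600 routes it is not entitled to,
# the shape of the 1997 incident. The max-prefix limit, not per-route filtering,
# is what stops this.
LEAKED_TABLE = [Announcement(f"10.{i // 256}.{i % 256}.0/24", (64500,)) for i in range(600)]


def run_policy() -> Tuple[Dict[str, object], Dict[str, object]]:
    normal = accept_from_customer(SAMPLE_ANNOUNCEMENTS, CUSTOMER_ASN, CUSTOMER_PREFIXES, max_prefixes=10)
    leak = accept_from_customer(LEAKED_TABLE, CUSTOMER_ASN, CUSTOMER_PREFIXES, max_prefixes=500)
    return normal, leak


if __name__ == "__main__":
    normal, leak = run_policy()
    for ann, reason in normal["rejected"]:
        print(f"rejected {ann.prefix} via {ann.as_path}: {reason}")
    print("leak session:", leak["status"])
```

On the constructed session only 192.0.2.0/24 survives; the other three are rejected with a reason a network operator could log, and the 600-route leak never reaches per-route evaluation because the session is shut at the max-prefix check. The check order matters: path sanity first, then length, then the prefix list, so each rejection names the earliest rule the route violated.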

"Within minutes you had most of the routers throughout the Internet going down," said Craig Labovitz, director of network architecture and lead border gateway protocol researcher for security firm Arbor Networks. "It was absolutely the most massive Internet outage we've seen."

Here again, however, the consequences were neither disastrous nor interminable.

"This wasn't a catastrophe. It was a brownout that sporadically hit providers at various strengths," said one network technician to the North American Network Operators' Group following the outage. He noted that at least one network service provider saw a drop of only 15 percent in traffic.

To law enforcement agencies, the Internet's largest threat is simply the ease of international communication and the ability to hide among the seemingly infinite volume of traffic it carries. In an effort to track down terrorists electronically, the FBI has waived several requirements for new recruits who have technical training.

"The worry right now is not so much a cyberterrorism event," said Don Cavender, a special agent and instructor with the FBI's Computer Training Unit at Quantico, Va., "but when the terrorists use the Internet to facilitate the planning of these attacks." 

Day 2 - Politics: Security vs. liberties