So why aren't hackers crashing the grid?
- By Thomas Rid <p> Thomas Rid, reader in war studies at King's College London, is author of "Cyber War Will Not Take Place" and co-author of "Cyber-Weapons." </p>
Hacking power plants and chemical factories is easy. I learned just how easy during a 5-day workshop at Idaho National Labs last month. Every month the Department of Homeland Security is training the nation’s asset owners — the people who run so-called Industrial Control Systems at your local wastewater plant, at the electrical power station down the road, or at the refinery in the state next door — to hack and attack their own systems. The systems, called ICS in the trade, control stuff that moves around, from sewage to trains to oil. They’re also alarmingly simply to break into. Now the Department of Homeland Security reportedly wants to cut funding for ICS-CERT, the Cyber Emergency Response Team for the nation’s most critical systems.
ICS-CERT’s monthly training sessions in Idaho Falls put 42 operators at a time into an offensive mindset. For the first three days in last June’s workshop, we learned basic hacking techniques, first in theory, then in practice: how to spot vulnerabilities, how to use exploits to breach a network, scan it, sniff traffic, analyse it, penetrate deeper into the bowels of the control network, and ultimately to bring down a mock chemical plant’s operations. There was something ironic about Department of Homeland Security staff teaching us how to use Wireshark, an open-source packet analyzer; Metasploit, a tool for executing exploit code; man-in-the-middle attacks; buffer overflow; and SQL-injection — all common hacking techniques — and then adding, only half-jokingly: "Don’t try this on your hotel’s Wi-Fi!"
So it may come as a surprise to learn that attackers have never been able to engage in cyber-sabotage against America’s critical infrastructure — not once. ICS-CERT has never witnessed a successful sabotage attack in the United States, they told me. Sure, there have been network infiltrations. But those were instances of espionage, not destructive sabotage. Which raises two questions: one obvious, and one uncomfortable. If it’s so easy, why has nobody crashed America’s critical infrastructure yet? And why isn’t the Defense Department doing more to protect the grid?
The questions only loomed large on the fourth day of the training — a 10-hour exercise. We split into two groups, a large blue team and a small red team. The blue team’s task was to defend a fake chemical company, with a life-sized control network complete with large tanks and pumps that would run production batches, a real human-machine interface, a so-called "demilitarized zone," even simulated paperwork and a mock management with executives that didn’t understand what’s really happening on the factory floor — just like in real life. The red team’s task was to breach the network and wreak havoc on the production process. By 5 pm they got us: toxic chemicals spilled on the floor, panic spread in the control room. Good thing for us this was only an exercise, and the gushing liquid was just water.
That exercise in Idaho was not unrealistic — control system-related incidents can have serious consequences. In March 1997, a teenager in Worcester, Massachusetts, used a dial-up modem to disable controls systems at the airport control tower. In June 1999, 237,000 gallons of gasoline spilled out of a 16-inch pipeline in Bellingham, Washington, killing three people when it ignited. An ICS performance failure limited the controller’s ability to understand what was happening and react swiftly. In August 2006, two disgruntled transit engineers sabotaged the traffic light controls at four busy L.A. corners for four days, causing major traffic jams. One of the most serious accidents happened in 2009 at the Sayano-Shushenskaya hydroelectric dam and power station in Russia, when a remote load increase caused a 940-ton turbine to be ripped out of its seat. The accident killed 75 people, pushed up energy prices, and caused damage in excess of $1.3 billion. In Idaho I heard two more stories from participants: one maintenance issue paralysed 600 ATM machines for 6 hours, and one innocent network scan in a manufacturing plant caused a large and powerful robotic arm to swirl around as if in rage, potentially injuring anybody near it.
Attacking such systems just got easier, for a number of reasons. One is that vulnerabilities are easier to spot. The search engine Shodan, dubbed the "Google for hackers," has made it easy to find turbines and breweries and large AC-systems that shouldn’t be connected to the Internet but actually are. One project at the Freie Universität Berlin has enriched the Shodan data and put them on a map. The rationale of this "war map," as project leader Volker Roth called it tongue-in-cheek, is visualizing the threat landscape with colored dots, yellow for building management systems, orange for monitoring systems, and so on. The U.S. eastern sea board looks like a butt on a paintball range after a busy shooting session.
But so far, attackers have lacked either the necessary skill, intelligence, or malicious intention to use that map as a shooting range. That may be changing. While the more sophisticated ICS attacks are actually harder than meets the eye, many nation states as well as hackers are honing their skills. Some are also busy gathering intelligence; earlier this year, for example, the U.S. Army Corps of Engineers’ National Inventory of Dams was breached, possibly from China. And any political crisis may change an attacker’s intention and rationale to strike by cyber attack.
All of which keeps the federal government’s main organization in charge of critical infrastructure protection busy. ICS-CERT employs between 80 and 100 staff, depending on contractors. Three of its activities stand out.
The first is incident response. At the request of asset owners, ICS-CERT can deploy so-called fly-away teams to meet with the affected organization. They’ll review network topology, identify infected systems, image drives for analysis, and collect other forensic data. Last year, the government’s control system experts responded to 177 incidents. That included 89 site visits and, in the most extreme cases, 15 deployments of on-site teams to respond to advanced persistent threat incidents in the private sector, the DHS told me. The fly-aways are controversial, with some critics pointing to a lack of focus and a waste of scarce government resources. One prominent critic is Dale Peterson of Digital Bond, a leading consultancy on critical infrastructure protection. "It doesn’t scale," he says about the fly-away teams, "It’s a band-aid." Still, a band-aid is better than no treatment at all.
The second main activity is keeping the operators vigilant and informed. ICS-CERT is doing this through vulnerability alerts and advisories: one recent alert, for instance, warned about a range of 300 medical devices that had hard-coded passwords, which could enable an attacker to gain remote access to surgical and anaesthesia devices or drug infusion pumps.
But for some, the warnings don’t come fast enough, or don’t produce a strong enough response. So more and more independent security researchers publish information on faulty design without notifying vendors and their clients first. Many at the Department of Homeland Security think some of these revelations are irresponsible or premature — Digital Bond disagrees. The consultancy organizes a leading industry event, the S4 conference, where devices get hacked for good effect. A lot of people in the ICS community, Peterson tells me, "are getting gradually more aggressive because there has been so little progress."
Then there are those five-day-training sessions for those who are really at the front line of potential cyber attacks: the plant and factory owners and operators. That program is the least controversial. After three days of lectures and hands-on practice, and after one day of spilling chemicals by cyber attack, the participants in my class had a chance to discuss lessons learned on the fifth day. One or two may have expected a slightly different technical focus, yes, but the rest loved it. The Department of Homeland Security understood a crucial thing: if the asset owners understand the offense, they are able to improve — and better invest in — their network defense.
The reverse does not apply. The National Security Agency and its military twin, U.S. Cyber Command, are investing in all kinds of offensive measures that do nothing to make the nation’s critical infrastructure more secure: They’re discovering and buying previously unknown zero-day vulnerabilities — holes in software that hackers can use to wiggle their way into a system. They’re gathering target intelligence on foreign infrastructure, and clandestinely developing bespoke cyber weapons for high-profile attacks from Fort Meade. All of this may have theoretical benefits at some point. But such offensive investments do not translate into more efficient information-sharing at home, into safer logic controllers, or into better-trained asset owners. To the contrary: the offense can suck up skills needed on the defense. And while it would make all of us more secure to close up those software holes, the NSA and CYBERCOM would rather they stay open as avenues of espionage and attack.
One reason why, perhaps, is that, so far, there’s only been one publicly-acknowledged destructive ICS attack anywhere, ever. The only successful cyber-sabotage strike that targeted control systems (and that was not an insider attack) was an American intelligence operation: the famous Stuxnet worm that targeted Iran’s nuclear enrichment program in Natanz — without achieving its goal. The White House, it seems, has learned some lessons from this episode. In a recently leaked secret document, the administration highlighted the "unintended or collateral consequences" of offensive cyber operations that may affect U.S. national interests. Apparently the White House sensed that Stuxnet had a counterproductive effect on "values, principles, and norms for state behavior." Cyber sabotage, they fear, could come back to haunt them.
In cyber security, it seems, a good offense is bad defense — certainly made worse by sequestering the critical training of those who really keep the nation’s infrastructure safe: the asset owners, engineers, and operators who make the monthly trek to Idaho Falls from all fifty states. Idaho National Labs has its own "war map" with red and blue and green and white pins: it’s a large chart of the entire United States (and a smaller with allied nations), up in the first floor lunch area of the training facility. Every participant of the ICS training places a pin into their home town by sector: white if they come from the government, red for energy, blue for water, and so on. This is the map that really counts. The more dots and the more color, the better. But unless there’s a radical change in how the U.S. secures its power plants and factories, there’s never going to be enough push pins to stave off calamity.