One of my cybersecurity nightmares is that foreign nations will use a network attack to bring down our power grid in a time of crisis. I’m not alone. Richard Clarke and Rob Knake spend a lot of time on the risk in their book on Cyberwar. So naturally the privacy lobby, determined to downplay the threat, would like to reassure everyone that this risk is just some science fiction boogeyman dreamed up by defense contractors to scare Americans.
The reporter most reliably in the tank for the privacy lobby is probably Ryan Singel of Wired, though he’s got plenty of competition. Singel’s review of the Clarke/Knake book predictably trashes as alarmist the notion that the grid is at risk:
Clarke returns over and over to the security of the power grid, focusing on the systems known as SCADA that allow utilities to remotely monitor and control electric generation and transmission equipment. Here, he starts reasonably enough: Good security practices dictate that these systems should be unreachable from the public net, and, unfortunately, that’s not always the case. But from there, he quickly moves back to fantasy. He suggests darkly throughout the book that the nation’s power and chemical plants are all shot through with secret backdoors implanted by the Russian, North Korean and Chinese governments, even though there’s never been a single publicly documented case, outside of a vague and anonymously sourced article in the Wall Street Journal.
… The Chinese and Russians don’t have secret backdoors into the transformer outside your house, and if it blows up, it’s more likely a rodent chewing through the casing than a cyberwarrior sitting in an internet cafe in Shanghai.
But this week brought a bit of news that undercuts Singel’s happy talk. Researchers discovered that USB memory sticks were being infected with a new exploit. This news poses two problems for the cyberwar deniers, and Singel in particular.
First, as I point out in Skating on Stilts, Singel’s simple solution, making SCADA systems “unreachable from the public net,” doesn’t really protect such systems from attack:
The government used to have its own illusions about security. Maybe our unclassified networks are compromised, Defense Department officials used to say, but the classified networks are still bombproof. They can’t be compromised by all this malware floating around the Internet. Because they aren’t connected to the Internet. There’s an “air gap” between the two.
But … the air gap illusion, too, has fallen prey to the exponential empowerment of hackers that we’ve seen in recent years.
The “Conficker” computer worm … infiltrated as many as 15 million machines around the world. One of the ways it spreads is by infecting the USB thumb drives that carry data from one machine to the next. Even classified or isolated networks could be captured if a bad thumb drive was used to transfer data to a machine on a secured network.
Second, this particular exploit is remarkably sophisticated and single-minded. It does not depend on Windows’ autoplay or autorun features, which can be turned off. Instead, the malware is a new and sophisticated zero-day attack that seems to start running as soon as Windows Explorer opens up the memory stick to see what’s on it. But most troubling is what the malware goes looking for once it starts up. The entire attack seems designed to exploit holes in the Siemens SCADA software that runs electric grids around the world.
As far as I can tell, there’s no reason to compromise a SCADA system other than to take it down. The SCADA system doesn’t contain credit card numbers or other financial data, and I doubt that compromising it is a cost-effective way to steal power for free. The researcher who found the SCADA-related calls in the malware, Frank Boldewin, says, “As this Siemens SCADA system is used by many industrial enterprises worldwide, we must assume that the attackers’ intention was industrial espionage or even espionage in the government area”. In fact, though, there are no obvious secrets to steal from a SCADA system – other than the secret of how to bring the system down. So the logical goal of the malware is not so much espionage as sabotage.
Let me repeat that for emphasis. This elaborate, previously unseen piece of malware, which surely could have been a big moneymaker if used to create a botnet or to send spam, has instead been put to use for a purpose that has no obvious economic payoff — compromising the power grid. Singel’s claim that “there’s never been a single publicly documented” backdoor into the power grid is looking pretty shaky with this disclosure.
I welcome comments, especially from those who can evaluate the malware code, on whether this is the smoking gun establishing that non-financially motivated malware attacks are being aimed at our power grid. Because the consequences for public policy are profound.
Michael Benson says:
As far as I know a backdoor and a piece of malware designed to attack a network are two completely separate things. Is there any evidence at all that this attack has been successful? Do these systems even run windows?
July 18, 2010, 12:25 pm
Bill says:
If you’d followed links from the original post, you would have found the answer to your question: Yes.
See: http://www.sea.siemens.com/us/News/Industrial/Pages/SIEMENS-WinCC-SCADA-SOFTWARE-NOW-SUPPORTS-WINDOWS-VISTA.aspx
July 18, 2010, 12:39 pm
JeffL says:
I’m an IT guy, and I’ve worked on SCADA systems, albeit in the oil & gas industry, not electrical power.
You’re correct that this is scary stuff, but you seem to have gone out of your way to hype this up.
There are many reasons to compromise a SCADA system other than sabotage. Trade secrets is one — learning how a particular plant is run would be seen as a gigantic competitive advantage. The SCADA project I was involved in was all about letting the Corporate Masters look over the shoulders of the guys running the plant so they could keep an eye on the processes being used.
Perhaps a bit more fanciful, but market predictions could be another. If you could (say) peek into every refinery in America, and see exactly what kinds of products are being produced, you’d have major advantage in trading on the spot markets.
Those are two ideas, just off the top of my head. I’m sure there are others. Leaping from “SCADA exploit” to “ENEMIES ATTACK” is just wrong.
To answer Michael Benson: Modern SCADA systems are distributed across multiple tiers. The databases & control applications aren’t on Windows, but the human interfaces often are. I would assume that’s where this exploit is aimed.
July 18, 2010, 12:49 pm
Michael Benson says:
Thanks, it wasn’t obvious to me which link answered that question.
July 18, 2010, 12:49 pm
MLS says:
July 18, 2010, 1:08 pm
OrenWithAnE says:
Every SCADA system I’ve seen has the USB ports (and ethernet/DB25/1394/…) superglued shut.
$5 of superglue works far better than billion dollar legislation.
July 18, 2010, 1:20 pm
Stewart Baker says:
I must say that I don’t find either of your examples particularly compelling. Which companies exactly would view the indiscriminate distribution of malware throughout the world — followed by hacking into the compromised computers — to be a good business model either for gaining trade secrets from competitors or to assemble a market conditions report? It would take many employees to run the malware/hacking part of that scheme, and many more who’d have to know about it to use the intelligence that was gathered. Every one of these employees would be party to a felony, and any one of them could compromise the whole scheme and break the company by going to the cops. That doesn’t sound like a viable alternative to, say, hiring executives from your competitor, which gives you much the same information without risk of liability.
But that does sound like something that could be managed by many governments, since government employees won’t be worried about prosecution, and finding dozens of patriots willing to compromise some other country’s networks wouldn’t be that hard.
I think it’s Occam’s razor, not hype, that points to cyberwar as the reason for this exploit.
July 18, 2010, 1:22 pm
lgm says:
This is a Microsoft virus. They found it. You get rid of it by re-installing the OS. The sky is not falling.
July 18, 2010, 1:28 pm
Stewart Baker says:
I don’t know how many SCADA systems you’ve seen, but I’m pretty skeptical of that claim (not least because I expect that whoever wrote the malware already knew it would work). How does the power company staff using the SCADA system install updates? Add data? How likely is it that every. single. port has been glued shut? Plus, you’ve really begged the question: Do you think we have the right to insist on proof that electric power companies have actually used superglue on their ports, or done something equally effective? Or would that be an impertinent billion dollar mandate?
July 18, 2010, 1:31 pm
Noah says:
Stewart Baker: What I think OrenwithAnE was trying to say was all the unused ports are superglued shut. I’ve never seen a SCADA system, but have worked on a couple of secure physically isolated systems. The un-used ports were removed. The used ones had the cables locked in place with metal plates. The software never “talked” on a port without confirming who was at the other end. There are always ways to access a secure system if you can get in the room. The accidental exposure to malware when grandma uploads pictures of the new grandkid didn’t happen.
July 18, 2010, 1:51 pm
yankee says:
Color me confused; what concerns the “privacy lobby” about regulations to increasing power companies’ IT security? Even the review you cite is happy to admit that “there’s a good case to be made that the feds ought to have strong rules governing these systems, and, as he [Clarke] suggests, a crew of white hat hackers tasked with trying to bust into the grid on a daily basis.”
July 18, 2010, 2:12 pm
Sam Hall says:
I have designed communications systems for large power companies to connect their SCADA systems. The data on these networks are not connected to the internet.
Many (most, all) SCADA systems use Embedded Single Board Computers that run a custom built operating system. You upgrade them by changing the Eproms or burning new code into them.
Now, there may well be Windows or Unix computers in the control centers, but I doubt any USB sticks are ever used except by an administrator. Why would they? These are not somebody’s personal computer, they interface with the power system, nothing else.
There is no need for superglue. Under Windows, an administrator can turn the USB ports off.
I am not saying it is impossible to hack a power control system, but it is a lot harder than most people think.
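The comment above says a Windows administrator can turn USB off, and the post notes that disabling autorun alone does not stop malware that fires when Explorer opens the stick. The following PowerShell is an added example, not code from the post or from any commenter: it audits both settings on a Windows host and, with `-WhatIf` to preview, enforces them. It assumes an elevated session and the standard registry locations for the USB mass-storage driver (`USBSTOR`, where `Start=4` disables the driver) and the Explorer autorun policy (`NoDriveTypeAutoRun=0xFF`).

```powershell
# Added example: audit/enforce removable-media settings on a Windows SCADA HMI.
# Assumptions: elevated PowerShell; standard registry paths for USBSTOR and the
# Explorer autorun policy.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RemovableMediaPolicy {
    # Start = 4 disables the USB mass-storage driver, so a newly inserted stick
    # is never mounted at all. 3 (start on demand) is the Windows default.
    $usbStart = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    # NoDriveTypeAutoRun = 0xFF turns off AutoRun/AutoPlay for every drive type.
    $autorun  = (Get-ItemProperty -Path $AutorunKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    [pscustomobject]@{
        UsbStorageDriverDisabled = ($usbStart -eq 4)
        AutorunDisabledAllDrives = ($autorun -eq 0xFF)
    }
}

function Set-RemovableMediaPolicy {
    # Writes both settings. The USBSTOR setting is the one that matters against
    # malware that triggers when the drive is mounted or browsed rather than on autorun.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start=4 (disable USB mass storage)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
    if (-not (Test-Path $AutorunKey)) { New-Item -Path $AutorunKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($AutorunKey, 'Set NoDriveTypeAutoRun=0xFF')) {
        Set-ItemProperty -Path $AutorunKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

# Usage: audit first, then preview enforcement before applying it.
Get-RemovableMediaPolicy
# Set-RemovableMediaPolicy -WhatIf
# Set-RemovableMediaPolicy
```

Two caveats worth stating: disabling the driver stops sticks from being mounted, but it does not stop an administrator with the same rights from turning it back on, and it does nothing for a device that was already installed before the change. That is why the later comments about a controlled update path matter as much as the registry setting.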
July 18, 2010, 2:23 pm
John Thacker says:
Your use of extra periods does not make your argument seem more serious; rather, quite the reverse. USB ports are commonly disabled throughout classified systems, and thumb drives are forbidden. It’s actually enormously common and, yes, required as part of being certified for classified operation. There are other ways to update systems and add data besides thumb drives.
It is 100% likely that “every. single. USB port” has been deactivated inside a SCIF, from my experience. And bringing a USB thumb drive inside a SCIF is a major Security Violation.
Why would you expect that whoever wrote the malware “knew it would work?” They might have known it would work if the thumb drive were inserted into the system, but that doesn’t mean that they know that people regularly insert thumb drives. Tons of malware is written just for the fun of it, as strange as that may sound; other malware was not actually written intending to be malware.
Also consider that, as opposed to your musings, there are SCADA systems besides electric power. Why does Occam’s Razor lead you to assume that electric power must be the target?
You seem, oddly, to assume that electric power companies have little incentive to keep their own systems from being compromised. But even if there are regulations for systems that maintain electric power, I don’t see what it has to do with the privacy lobby, other than that the privacy lobby likes to also point out that the hype for cyberwar has exceeded its reality.
There have been a lot more severe network incidents from plain stupidity and misconfiguration than from malicious attacks. There are plenty of low probability disaster scenarios out there of all types. It is difficult to decide which ones to defend against. Merely because your scenario is theoretically possible does not necessarily mean that it should be the top priority out of all things out there.
July 18, 2010, 2:24 pm
Stewart Baker says:
Are you offering odds? Because the Conficker worm managed to travel — almost certainly by thumb drive — to both the French and British classified systems and thus to make it impossible, or at least unwise, for their fighter jets to take off. I suppose it’s possible that the French and the British don’t understand the air gap principle, or that American soldiers (let alone electric power employees) are much more disciplined about network hygiene than French and British military personnel. But I doubt it.
July 18, 2010, 2:42 pm
Stewart Baker says:
I don’t question your expertise, but is this statement really comforting? If we’re dealing with a zero-day exploit, the best administrator in the world won’t have a clue what he’s doing to the system when he pops that USB drive in.
I am also happy to agree with you that hacking the grid is harder than most people think. All the more reason to believe that anyone trying to hack the grid without any hope of an economic payoff is working for a government. And do we really think that those grid administrators, relying on an air gap and the wisdom of, well, administrators are a match for determined government employees? Where do those Eproms come from, anyway? And since when is “custom-built operating system” a guarantee of security? If it were, we’d have this Windows security problem licked by now, wouldn’t we?
July 18, 2010, 2:57 pm
Clarence R says:
Stewart,
If you think our SCIFs are vulnerable to people with top secret clearances bringing in USB drives (a major security violation), how do you propose securing unclassified power plants?
The NSA uses polygraph exams to check personnel – this is a bogus pseudo-scientific test. Did you support this practice? If so, how can we trust the advice of someone who supported such nonsense?
July 18, 2010, 3:15 pm
Shane says:
I have worked on classified machines that not only allowed but required thumb drives to operate properly. Sometimes you need to transfer a set of instructions to a non-networked machine. I’ve even seen pieces of software that had to periodically check the licensing dongle via USB to ensure it was licensed for use – apparently the contractors don’t trust DoD not to pirate software. Or something.
While the punishment for bringing in a USB device is quite high in SCIFs, I’ve seen it done commonly enough that policy alone is not reassuring. When you throw in the fact that these classified networks often reach the middle of nowhere, where the guy in charge of enforcing policy is a 19 year old serviceman who really likes to charge his iPod on his work computer, I’m not convinced that even the most locked down networks are safe so long as they’re running Windows terminals for the end user.
I would imagine that SCADA systems are more secure, simply because they’re not as thoroughly networked and the systems are less interesting to poke around in.
July 18, 2010, 3:19 pm
Chris says:
Can you cite any examples of “the privacy lobby” lobbying against specific security precautions that would protect SCADA systems against USB malware? I’m not seeing the connection here.
July 18, 2010, 3:43 pm
SFC B says:
And so why should another federal agency be created, or a current one tasked, to watch power companies when the government itself does the exact same thing you’re worried a private company does?
July 18, 2010, 4:04 pm
Stewart Baker says:
This is a theme of several comments, but I think it has to be willful blindness. I’ve posted before — twice – on the HuffPo-Drudge alliance to attack what opponents persist in calling the “Internet kill switch.” There is no kill switch in the Lieberman-Collins-Carper bill; it simply provides some minimal security oversight for critical infrastructure like the power grid. But it’s being trashed as such by the usual left-right coalition. The privacy lobby has turned out in force to cripple that bill, seeking massive changes that would simply set the stage for another attack. If you were trying to define the NGO portion of the privacy lobby, you couldn’t do better than the list of groups trying to slow or kill that bill. Here’s the signature list from their letter on the topic:
American Civil Liberties Union
American Library Association
American Association of Law Libraries
Association of Research Libraries
Bill of Rights Defense Committee
Center for Democracy & Technology
Citizens Committee for the Right to Keep and Bear Arms
Competitive Enterprise Institute
Constitution Project
Cyber Privacy Project
Defending Dissent Foundation
DownsizeDC.org
Electronic Frontier Foundation
Government Accountability Project
Liberty Coalition
Liberty Guard
Muslim Public Affairs Council
Muslimah Writers Alliance
National Lawyers Guild – National Office
OpenTheGovernment.org
OMB Watch
Political Research Associates
Rutherford Institute
U.S. Bill of Rights Foundation
Now, I’m sure some will argue, as Chris seems to be arguing, that no one in the privacy lobby is against better USB hygiene in electric power companies, and if the government proposed legislation to do that, the privacy lobby would have no objection. And that might be true, though I doubt it.
But that wasn’t my point. My point is that the privacy lobby has a vested interest in pretending that threats to our networked infrastructure are all hype. Even if the privacy lobby, like Ryan Singel, were willing to sacrifice the power companies to greater federal regulation, it would insist that the regulation not touch the Internet.
But the security risks can’t really be addressed without doing something about the way the Internet enables many of these attacks, including the USB attacks.
In short, the privacy lobby resists the idea that there is a risk of cyberwar, because they fear that acknowledging that risk will legitimize regulation that affects the Internet. They’ve successfully peddled the idea that this is all hype. See the Wired article cited in my post. Now, however, this exploit offers something that is as close to proof of nation-state infiltration of SCADA systems as we’re likely to get (at least until someone actually turns the systems off during a crisis).
July 18, 2010, 4:27 pm
Elemenope says:
In viewing the charge that poor, vulnerable, National Security is being threatened by the nefarious combine of Big Privacy, I don’t know whether to be awed by the great horror or laugh hysterically at the absurdity.
July 18, 2010, 5:25 pm
Gene Hoffman says:
Stewart,
Holding a power company hostage for a payoff is a tried and true non nation state scam. Versions have been used against porn sites and online casinos. Insert bot, prove infiltration, ask for bribe to get out of the network.
-Gene
July 18, 2010, 5:49 pm
Sam Hall says:
Stewart Baker
Trying to control the Internet to protect the power system is just a typical Washington con game since they have nothing in common.
Plus the fact that the feds can’t protect their own computers. Every computer the government has should have at least two things, a fingerprint scanner to control access and a fully secure hard drive with high-level encryption. Any CD they burn should also be encrypted. When they don’t even do simple cheap things like that, how can you expect them to write rules to protect a private network that probably uses equipment more modern than anything they have?
I worry a lot more about the government run air traffic control network than I do about the power system.
July 18, 2010, 6:08 pm
Toby says:
Well let’s see.
- Last summer substantial portions of Brazil’s grid were taken down by a labor action – and backdoors well known to the operators (because they themselves used them)
- At least one town has been held for ransom
- A DOE speaker at a prominent smart grid conference in Santa Clara last May stated that the smart grid would ideally support each home and office being disconnected with no loss of service for periods of up to 8 days.
Nope. Nothing to see here. Move along.
July 18, 2010, 6:28 pm
Stephen Lathrop says:
How do you hack into a computer that you compromised with a thumb drive, because an air gap prevented you from reaching it on the net?
July 18, 2010, 6:31 pm
Paul Strassmann says:
Let’s get some facts:
Can anyone positively verify that all SCADA systems are Embedded Single Board Computers that run a custom built operating system?
Can anyone validate that you can upgrade SCADA systems only by changing the Eproms or burning new code into them?
If the above is true, there is no problem.
July 18, 2010, 6:45 pm
Avatar says:
There’s your problem.
If the government wants to enact tougher security provisions on critical infrastructure, it can darned well say what it considers to be “critical” in that context.
Very few people would object to the idea of the federal government monitoring critical embedded systems within our power grid to ensure that they remain functional. But that’s not the only infrastructure that the government has in mind, is it? Okay, so what else? Municipal water and sewer systems? Traffic light control networks? Oil and gas distribution systems and refineries? I suspect you could name all of the above systems in and push through a bill tomorrow, with no objections. (Well… possibly you’d run into a federalism objection based on the systems actually operated by state and local governments…)
But you can’t grant the government the same power to “monitor” general-purpose communication networks without opening up a tremendous can of worms. If we’re going to grant that something like the Internet or the telephone network is “critical” in the above sense, I would still want very strict limits placed on what the government is allowed to monitor. Under no circumstances would I want such monitoring to include things that would be of utility to law enforcement. If you want to tap the phone, get a warrant; you don’t get to invoke “national security” to do it.
July 18, 2010, 7:18 pm
Sam Hall says:
Toby says:
Well let’s see.
- Last summer substantial portions of Brazil’s grid were taken down by a labor action – and backdoors well known to the operators (because they themselves used them)
That is very different than hacking which is what the topic is about. Also note that our telephone system has had some very nasty strikes, but never had a switch taken down because they prepared for that possibility.
July 18, 2010, 7:21 pm
ptt says:
If we really needed proof that cyber attacks are a real threat, I suppose all we’d need to do is disclose what we are capable of doing to the power grids of our “enemies”.
July 18, 2010, 7:32 pm
Sam Hall says:
ptt says:
If we really needed proof that cyber attacks are a real threat, I suppose all we’d need to do is disclose what we are capable of doing to the power grids of our “enemies”.
Here you go:
“The BLU-114/B is a special-purpose munition for attacking electrical power infrastructure. Although very little is known about this highly classified weapon, reportedly it functions by dispensing a number of submunitions which in turn disperse large numbers of chemically treated carbon graphite filaments which short-circuit electrical power distribution equipment such as transformers and switching stations. The weapon is sometimes referred to as a “soft bomb” since its effects are largely confined to the targeted electrical power facility, with minimal risk of collateral damage.”
http://www.fas.org/man/dod-101/sys/dumb/blu-114.htm
July 18, 2010, 7:45 pm
SecurityExpert says:
What an inane, disappointing blog post. Stewart Baker tries to blame “the privacy lobby” as the reason that our national power grid is insecure, and tie “the privacy lobby” to skepticism about cyberwar. I think that’s total baloney.
I’m an expert in security and have followed privacy closely, and what I’ve seen doesn’t align with Stewart Baker at all. Instead, here’s what I’ve seen:
There is an active debate about the true level of risk of “cyberwar”. Some say it is a massive risk, others say it has been massively over-hyped (possibly in an inside-the-beltway maneuver by some folks to try to expand their agency or to land lucrative contracts). What I’d observe is that hard facts are hard to come by in a public setting; mostly we have speculation. I don’t think anyone who is speaking publicly really knows the true level of vulnerability or risk of subversion of the power grid. It’s hard to tell. I’ve certainly seen some signs that leave me concerned (e.g., signs of over-confidence among power grid operators; operators who say “our SCADA systems aren’t connected to the Internet, so we’re safe”, while missing that airgaps are imperfect — witness viruses on SIPRNET and other classified, airgapped networks — and that some employees have access to the SCADA systems from their laptops, the very same laptops which at other times are Internet-connected; and elementary security flaws in SCADA equipment). But it’s hard to know for sure.
But what I can tell you is that the folks who are debating this are security folks. Securing the power grid is basically orthogonal to privacy. If you think about the top five most effective things we might do to secure the power grid, none of them have much privacy relevance. That’s assuming that you legitimately want to improve security of the power grid specifically, rather than spread FUD about cyberwar in general.
Of course, there are some who appear to want to spread fear, uncertainty, and doubt, and hype up cyber-war in general, and use that to justify invasive surveillance measures. Sure, privacy advocates push back against that. But they’re not pushing back against securing the power grid. As far as I can tell, privacy advocates don’t have an opinion one way or the other on the power grid; that specific issue has little privacy or civil liberties implications.
I don’t know why Stewart Baker thinks the “Internet kill switch” provisions have anything to do with the power grid. If the “Internet kill switch” bill passes, it’s not going to do anything to make our power grid more secure; it’s basically irrelevant to power grid security. Stewart Baker seems to be trying to smear the privacy lobby with preventing us from securing the power grid, but his argument is incoherent.
Bottom line: Stewart Baker’s blog post made no sense to me. I wonder if he is allowing his dislike of “the privacy lobby” to cloud his judgement?
July 18, 2010, 8:29 pm
hidflect says:
A few unemployed software engineers sent back to Mumbai now getting ready to get even with the system that fired them by going short on the Dow before triggering a nationwide power-down?
July 18, 2010, 8:39 pm
Robbie Bru says:
SecurityExpert ftw
July 18, 2010, 10:49 pm
Barb says:
I’m thinking we should hope there is a God and that He would be on our side –or that we would be on His –because I’m thinking that evil never rests. Remember that power grid failure that affected cities from New York to Ohio–at least? All the traffic lights went out and we were driving. My husband has always said such a power failure –or any nation-wide computer system collapse –would bring the great USA or the world to her knees. It would be better if we went to our knees before it happened –so that it wouldn’t happen. Like in the Bible.
July 18, 2010, 10:59 pm
Bob says:
Please do not use the word “deniers”. Its use has a distasteful past and will not improve your credibility.
July 18, 2010, 11:53 pm
OrenWithAnE says:
(1) A few dozen, not enough to be a meaningful sample I admit.
(2) It would be criminal negligence for the operator of a power network not to require all updates from outside the secure network to pass through a centralized procedure.
(3) This would be a quite reasonable mandate.
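Point (2) above describes a centralized procedure for anything brought in from outside the secure network. One concrete form of such a procedure is an allowlist check on the transfer station: every file on the media must match a SHA-256 manifest produced where the update was staged, and anything extra, missing or altered fails the whole batch. The PowerShell below is an added example, not code from the post or from any commenter; the manifest format (`<sha256 hex>  <relative path>`) and the paths in the usage comment are invented for this example.

```powershell
# Added example: verify removable media against an approved-files manifest before
# anything is copied into an isolated network. Assumptions: manifest lines look like
# "<sha256-hex>  <relative path>" (format invented here); paths are examples.

function Test-MediaManifest {
    param(
        [Parameter(Mandatory)] [string] $MediaRoot,     # e.g. 'E:\'
        [Parameter(Mandatory)] [string] $ManifestPath   # e.g. 'C:\staging\approved-files.sha256'
    )

    # Parse the manifest into relative-path -> expected hash.
    $approved = @{}
    foreach ($line in Get-Content -Path $ManifestPath) {
        if ($line -match '^([0-9A-Fa-f]{64})\s+(.+)$') {
            $approved[$Matches[2].Trim()] = $Matches[1].ToLowerInvariant()
        }
    }

    $root     = $MediaRoot.TrimEnd('\')
    $problems = @()
    $seen     = @{}

    # -Force includes hidden files, so a stray autorun.inf or hidden shortcut is
    # reported as UNEXPECTED rather than silently skipped.
    foreach ($file in Get-ChildItem -Path $MediaRoot -File -Recurse -Force) {
        $rel = $file.FullName.Substring($root.Length + 1)
        $seen[$rel] = $true
        if (-not $approved.ContainsKey($rel)) {
            $problems += "UNEXPECTED     $rel"      # on the media, not in the manifest
            continue
        }
        $actual = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
        if ($actual -ne $approved[$rel]) {
            $problems += "HASH MISMATCH  $rel"      # content changed since staging
        }
    }
    foreach ($rel in $approved.Keys) {
        if (-not $seen.ContainsKey($rel)) { $problems += "MISSING        $rel" }
    }

    # Approved only when the media carries exactly the staged set, byte for byte.
    [pscustomobject]@{
        Approved = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage on the transfer station, before any inward copy:
# $result = Test-MediaManifest -MediaRoot 'E:\' -ManifestPath 'C:\staging\approved-files.sha256'
# if (-not $result.Approved) { $result.Problems; exit 1 }
```

The manifest has to reach the transfer station by a path other than the media being checked, or the check proves nothing; a hash-only check also says nothing about whether the staged files were themselves clean, which is why the staging host and the people allowed to produce manifests are part of the procedure, not just the script.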
July 19, 2010, 12:51 am
MCM says:
Yeah, if I didn’t know better, I’d think Mr. Baker was selling something. Oh wait…
July 19, 2010, 3:11 am
anon1234 says:
Stewart Baker is constantly wetting his pants in the name of national security. He pretends to be an expert in such matters even when exposed as an ignoramus.
July 19, 2010, 8:09 am
Coupla Cybersecurity Notes says:
[...] there’s former DHS policy official Stewart Baker’s unusually harsh attack on the “privacy lobby” and Wired reporter Ryan Singel on Volokh.com. The comments are good-quality and [...]
July 19, 2010, 9:07 am
a guy says:
“As far as I can tell, there’s no reason to compromise a SCADA system other than to take it down. “
you should read the article you posted, especially the part where it clearly says “espionage”.
July 19, 2010, 9:17 am
Toby says:
Agreed it is a different type of hack than the Siemens / windows / SQL Server malware hack. It does call into question, though, any assertions about air gaps and no outside access and custom operating systems and …
July 19, 2010, 10:46 am
Lehuster says:
I don’t. If they compromised the ATC, we could ground aircraft until we fixed it. It would be annoying, but we’d live. If they shut down the power grid, people would start dying very quickly.
July 19, 2010, 11:03 am
TDR says:
Ah…nothing like the invigorating smell of panic mixed with arrogance to make my morning coffee even tastier. Let’s just save some time with these national security stories and reduce them to the same old non sequitur propositions:
1. X (“smart grid” compromise) would be a major problem
2. Y (USB viruses) have just been discovered as a threat
THEREFORE:
3. Y shows that X is an inevitable probability
IN CONCLUSION:
4. Accept on the basis of my good authority that Z (expansive, intrusive national security legislation) will work as an effective cure for X (even if it doesn’t actually work for Y, which was the warrant for seeing X as a problem).
Yep. Good, seamless logic…
July 19, 2010, 11:14 am
Borepatch says:
There are so many people touting themselves as “Security Experts” that I won’t step in to that. However, let me say a few things based on 25 years of work at a 3-letter Intel agency and computer security companies:
1. “There are friendly governments, but there are no friendly Intelligence Agencies.” If our adversary’s intel agencies are NOT heavily involved in this, then they should probably be fired (or shot). This is a very high value target, and shutting down a significant portion of the grid (or shutting down the ports of Long Beach, Newark, and Beaumont) would seriously hamper the US Military’s logistics effort. Remember: “When talk turns to war, amateurs discuss strategy; professionals discuss logistics.”
2. Apologies to the IT folks from power companies here, but it’s vanishingly small that you know precisely what your networks actually look like. I’m willing to believe that you have a decent idea, and better than most industries, but the incentives for someone to plug something in somewhere and never tell you are very large. Lumetta’s entire business plan was to map these networks accurately; the fact that they crashed and burned says very strongly that nobody cares enough to pay money to actually know this in near real time. Money talks.
3. We know that the DoD classified networks were successfully targeted. We know why. We know that USB was banned. Google “How to hack a classified network” for my thoughts on how you will never stop this (the incentive structure is against you, and will always be so). My post is the first result.
So, to recap: the attackers are presumed to be better funded than the defenders. The IT security team will always have imperfect information, not least because their own users want easier access, not security. We have seen successful attacks against better-protected systems in the recent past, where there is not just a culture of security, but armed guards as well.
Anyone who says that this is not “plausible” (in the words of the MythBusters) is hopelessly naive.
It’s said that if you’re falling, dive. The discussion really needs to focus on how to make the outages regional in scope and easier to recover from. IOW, robustness, not security.
Your IT security is not a Maginot line. Get over it.
July 19, 2010, 12:19 pm
Anon1111 says:
USB ports are generally secure in/around DC. Once you get downrange, not so much. Battlefield necessity takes precedence over proper SCI protocols.
July 19, 2010, 1:30 pm
Lehuster says:
Borepatch — all very true. But is it realistic to expect that the companies that won’t pay to map their networks or defend them effectively will be willing to pay to make them robust and to develop the capability to recover easily?
July 19, 2010, 1:31 pm
cashmoney says:
Stewart,
What about Richard Clarke’s vested interest in hyping cyberwar fears? Isn’t he now a spokespimp for a company peddling remedies to protect against cyberwar intrusions?
July 19, 2010, 1:48 pm
Rorschach says:
I too have worked with SCADA systems, and I am not quite so sanguine to believe that they are as impenetrable as claimed.
The PRC required Microsoft and Apple both to supply source code for both Windows and OSX as well as Office and other major programs to them before they would be allowed to sell those Operating Systems and software to China. The claim was that they were looking for embedded back doors written into the software by the NSA/CIA, but of course what they were really doing was looking for places to put their own.
Most of the SCADA systems I’ve worked on used X86 based Single Board computers running some version of Windows.
SCADA systems run more than just power distribution/generation systems. They run refineries/Petrochemical plants, they run subway/transit systems, they run flood control systems, and they even run oil well pumps.
July 19, 2010, 2:17 pm
Could you imagine the damage and loss of life you could expect if someone were to hack into BP Texas City or Exxon Baytown refinery and close the valves on a distillation tower without shutting down the heater? Or any number of other processes that occur every moment in a refinery? Refineries can be induced to blow up, and with both blast as well as toxic chemical effects.
Ralph Hitchens says:
I have to believe that if it were easy to compromise SCADA networks it would have been done by now on a large scale. To date it has been done only a handful of times, usually by a disgruntled former employee or “trusted insider,” with less than catastrophic results. Extravagant claims are made of vulnerabilities, but these are hard to document.
July 19, 2010, 2:39 pm
Rorschach says:
An excellent example of a system that is supposed to be isolated from the internet for security reasons but usually is not would be CAT and MRI scanners. These machines are operated by versions of Windows more often than not with an X86 based user interface computer. These machines are not supposed to be networked, nor are they supposed to be updated with OS patches except after FDA approval to ensure that the patch has no medically dangerous effect on the hardware. But walk into any Hospital Radiography lab and you’ll find that every single one of them is connected to the Hospital network and is dumping patient data into the Hospital databases and the operators can surf the web with virtual impunity from behind the hospital firewalls. I brought this up last time I had an MRI at a major Hospital in Houston (one of the nation’s top ten according to US News and World Report) and the operator had no idea that the machine was considered a medical device and was not allowed to be networked or patched without FDA approval.
July 19, 2010, 2:54 pm
Internet Kill Switch | TJ Systems says:
[...] an informed (if at times hysterical) expert in the area of “cyber-terrorism” posted an interesting discussion of the specific threat on the Volokh [...]
July 19, 2010, 3:25 pm
slow says:
You couldn’t take down any major US city with malware on a thumb drive attack. The system just doesn’t work that way.
First, you couldn’t do it with incidental attacks (meaning an employee accidentally bringing in an infected drive) because you would have no way of knowing when the system was compromised, so coordinating an attack across multiple systems would not be possible.
Second, doing it with directed attacks by insiders seems incredibly hard to pull off, given the number of locations and installations that would need to be compromised.
The energy grid is more likely to be taxed or go offline due to solar flares than thumb drive malware. The whole argument is just a scare tactic, no real meat behind it.
July 19, 2010, 4:25 pm
Borepatch says:
@TDR, agreed that policy discussions gravitate very quickly to lowest common denominator. PCI is an excellent example of that – the bar has been set pretty low, and this often makes it harder to get better security (some would say “adequate” security) that exceeds this. I don’t have any solutions to offer here, unfortunately.
I do think that a focus on robustness rather than security is likely a win, though. For example, if it were easy to restore the SCADA machines to a known good state pretty quickly (say, some flavor of in-the-field re-imaging), that would make it a lot faster to get the power back on. If this sort of thing were to go into a national policy, then it would be an advance. Maybe even a non-trivial advance.
@Lehuster, lots of people don’t want to pay for security. PCI has actually been an example where the compliance standard got at least basic levels of security investment (“You don’t even have antivirus? You just failed your audit, and can expect to be fined.”)
This is why I am more hopeful for resilience than for security. Security is a very rapidly moving target, and a lot of folks simply don’t want to pay the expense to do it. A lot of critical infrastructure becomes a lot harder to target if you can quickly recover.
This doesn’t help if someone triggered an Earth Shattering Kaboom in your refinery, though.
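The “restore to a known good state” idea in the comment above only works if you can tell, quickly and without trusting the host’s own opinion, that it has drifted from its golden image. The script below is an added example, not code from the commenter, the blog, or any utility or vendor: it records a SHA-256 manifest of a file tree while the host is known-good, then diffs the live tree against that manifest. The directory layout, file names and contents are constructed for the demo; a real deployment would store the manifest off-host and read-only.

```python
"""Baseline integrity check supporting a re-image decision.

Added example (assumed layout, not any utility's tooling): record a SHA-256
manifest of a host's file tree while it is in a known-good state, e.g. right
after imaging, then compare the live tree against that manifest. Any added,
removed or modified file is the cue to restore from the golden image rather
than try to clean the box in place.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large image/firmware files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a planted link cannot pull content from outside the tree.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_manifest(manifest, path):
    """Persist the baseline; in practice keep it off-host, signed and read-only."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: golden image, then drift (new DLL, changed config, deleted log)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "hmi_host"          # constructed stand-in for a control-room host
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "hmi.exe").write_bytes(b"MZ constructed placeholder binary")
        (root / "config.ini").write_text("[plc]\nhost=10.0.0.5\n")
        (root / "audit.log").write_text("boot ok\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Simulated compromise/drift on the live host.
        (root / "bin" / "helper.dll").write_bytes(b"MZ constructed dropped file")
        (root / "config.ini").write_text("[plc]\nhost=10.0.0.99\n")
        (root / "audit.log").unlink()

        return diff_manifest(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The diff is deliberately coarse: any non-empty result means “re-image”, which sidesteps the judgement call of whether a particular changed file is malicious. Excluding expected-to-change paths (logs, historian data) from the baseline is a policy decision to make up front, not at incident time.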
July 19, 2010, 5:24 pm
Kirk Parker says:
So my house, and every other house in the nation, is supposed to have ~8 days’ worth of electrical-generation capacity onsite? Wow…
Amusingly, this statement would work just as well, or maybe even better, if it said “Your IT security IS a Maginot line”.
July 19, 2010, 5:34 pm
Kirk Parker says:
You have got to be kidding me. I missed the conclusion of your story, where you took this up with hospital management and the FDA and got a bunch of people fired for malfeasance.
July 19, 2010, 5:41 pm
Rorschach says:
@slow, you don’t think that the PRC, Russia, and other nations don’t have whole rafts of sleeper agents working in sensitive parts of our infrastructure? You don’t think they could pull off a coordinated attack? Al Qaeda pulls off coordinated attacks in Baghdad every day.
July 19, 2010, 5:53 pm
Rorschach says:
@Kirk Parker, the FDA has known of these problems for years but have chosen to look the other way. It would put too much of a crimp in the goal of online medical records and it would slow access to medical imaging data in emergency situations. The Hospital IT people probably don’t know anything about the safety protocols involved with patching the machines, BUT on the flip side, since these machines ARE networked, it is probably safer that the machines be patched than not, but either way it is a risk.
July 19, 2010, 5:58 pm
Kirk Parker says:
Rorschach, don’t misunderstand me: I’m not saying “of course these machines shouldn’t be networked”; that’s a bit above my pay grade these days. (Actually that was above my pay grade even when I was writing software that was regulated by the FDA as a medical device.)
What concerned me was more the lack of general understanding that (1) the machine and all attached computers do indeed constitute a medical device, (2) it’s OK to browse the web on the computer used to control the device, and (3) could have its OS or any other software upgraded willy-nilly.
July 19, 2010, 6:15 pm
Mark F. says:
You don’t think that The PRC, Russia, and other nations don’t have whole rafts of sleeper agents working in sensitive parts of our infrastructure? You don’t think they could pull off a coordinated attack?
Why would they? Neither Mao nor Stalin wanted to start a war with the United States. Why would these countries want to start a war today?
July 19, 2010, 10:52 pm
Peter Gerdes says:
While it could be some big conspiracy coming from a foreign government I find that HIGHLY unlikely.
Consider the costs/benefits for such a government. They gain nothing from shutting down the grid now in the absence of a conflict if we don’t know who did it, and if we do they likely suffer from retaliation. Maybe they get info on our countermeasures, but if the malicious code is detected we will be more likely to change those measures and close the holes they used. Besides, our power grid isn’t so heavily classified that conventional intelligence operations couldn’t scout out the system. In short, a foreign government has everything to lose by injecting exploit code into our power system now and every reason to hold their exploits in reserve for use in a confrontation. The situation is even worse for a criminal who would never be able to get away with any blackmail money he managed to extort.
So who is likely to have perpetrated such a ‘sophisticated’ attack? A bored CS student or hacker eager to prove they were the shit. Hacking and exploit discovery is more like math than weapon design in that a single obsessively interested nerd can often produce more than a well-funded military project. Besides, this ‘new’ exploit wasn’t new in the sense of this being the very first person to know about it… it was new in the sense of being just discovered by the malware researchers (or at least the press). Anyone could have heard about it through word of mouth and thrown this little SCADA search into the code on a lark.
Don’t get me wrong, other governments do computer espionage but their attacks are going to look more like the backdoor installed in the google servers by Chinese hackers to spy on email than this kind of thing. That had all the fingerprints of an official operation. There was a specific informational objective and the attack was subtly disguised and limited to that objective to avoid discovery. This looks nothing like that.
July 20, 2010, 2:24 am
Rorschach says:
Kirk, even if that particular device is never used to browse the internet, the mere fact that it is networked to machines that can puts it at risk of being infected/exploited. Same with the SCADA systems that are being networked back to the main office so the Suits can look over the grunt’s shoulders. You think THOSE machines are isolated? I highly doubt that. They are used to surf kitty porn and play Evony and download cute videos of dogs doing whatever dogs do, like every other corporate machine on the planet. That means that if there is a known exploit for that particular version of Windows that has not been patched, it is going to get exploited.
Now, would a foreign entity take advantage of that exploit immediately? Of course not, they’d make sure that the machine acted as normally as possible and never ever gave anyone any indication that it was infected but they’d make sure that they maintained access to the machine in the event that they wanted to do something with it, just like a zombie bot awaiting instructions.
Now as to a foreign entity’s motivation, they might not care whether they were ever identified as the culprit, or they might well prefer that their identity never be revealed. If large portions of the US infrastructure were to go haywire, we would be so busy stacking bodies and trying not to die from Typhus and lord only knows what else that we would not be in a position to do much about what happened beyond simple survival, at least not initially. We might, after 6 to 9 months, or perhaps a year or more, finally have the wherewithal to actually do something about it, but by that time, whatever the end game planned was, it would be over and done with.
There are several scenarios that end in the same place. Another one is the detonation of a nuke (or nukes, plural) at high altitude over the CONUS. The result would be much the same. North Korea’s sub-kiloton nuclear test was not a dud as the media would have you believe. It was exactly as large as they planned. I’ve spoken with someone that does top secret seismic work for the DoE and he has seen video of the test. The collapse crater went right up to the instrumentation trailer. Had it been intended to be much larger, the trailer would have been destroyed. The device was similar in size to an upgraded US W-48 type device, like the ones that were converted to be “backpack nukes” AKA SADMs. Their ballistic missiles are small and started out life as old Russian SCUD designs. Much of the missile’s original payload capacity has been converted to extended range by adding a second and in some cases a third stage. Therefore they don’t have the payload capacity to carry a megaton nuke the way the original SCUD could, but they could carry something the size and weight of a 155mm Howitzer shell, which is how big a W-48 is. NK has been trying to put a small payload into orbit for some time now, ostensibly a communications satellite, but anyone want to bet that the device is in fact a small nuke? And backpack nukes also make for very lucrative terrorist weapons on the international black market. They ALSO are ideal to be delivered via 155mm howitzers to South Korea from existing artillery emplacements in the North. So a W-48 style device is perfect for their purposes.
But whether or not the failure of infrastructure is due to EMP or a Trojan Virus, either way it would be devastating. There are no manufacturers of large transformers and switchgear in the US anymore, they are all overseas, and the lead time for them is currently stretched out to over a year. So if the transformers or switchgear are damaged from either type of attack, we may not be ABLE to bring the system back up in anything under a year and a half. And this “smart grid” that they are touting? It is even MORE vulnerable to EITHER type of attack.
Again, in a battle analysis, you don’t think about what you think the enemy wants to do, you think about what he has the technical capability of doing, because that is probably exactly what he will do.
July 20, 2010, 9:12 am
DougF says:
With all due respect to the experts here, there is at least one anti-malware product on the market now that would immediately detect and quarantine software moving from any removable media to the computer (I won’t mention name or provide link because this is not a marketing post).
“Software” doesn’t look like other files, and Trojans, worms, viruses, and so on are all software. Software can be detected and disposed of; if the USB drive is writable, the malware can be removed from the USB drive. Processes on the computer can be monitored, compared to “what ought to be” and blocked, if necessary. We do it every day on the computers at the company where I work, and our customers’ computers.
Unlike with traditional anti-virus, we don’t need to know what the malware looks like. We can detect, block, and quarantine it even if we are the first on the planet to see it. It doesn’t get a chance to execute and can therefore do no harm.
We saw three years ago that endpoint security was headed rapidly downhill because of the increasing rate of release of new malware, and new variants. Panda recently estimated more than 2.5 million new releases last year, and the rate is rapidly growing. It was becoming, and has now become, virtually impossible to protect computers using signature-based anti-virus, or heuristics, or IDS/IPS, or packet inspection, or firewall, or all the above.
We are not the only company trying to develop a workable solution (ours really does work). The security industry doesn’t need government regulation in order to work. What it really needs is results-based standards, more along the lines of SANS’ Critical Controls than the likes of FISMA and PCI (government types, and their counterparts in mega-businesses, love checklists – how better to justify using something that doesn’t work and being blameless for it not working?).
The Federal government is in charge of everything related to offshore oil production. What, exactly, has that done for us? Ask the Governor of Louisiana.
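The claim in the comment above that “software doesn’t look like other files” can be checked without any vendor product: executable formats announce themselves in their first bytes regardless of the file name. The script below is an added example, not DougF’s product, the blog’s code, or any vendor’s; it walks a (constructed) removable-media mount point, classifies each file by format magic (DOS/PE, ELF, Mach-O, shebang scripts, and Windows shortcut files, which the thread later discusses), and moves anything executable-like into a quarantine directory before a user can open it. The mount point, quarantine path and file contents are all constructed for the demo.

```python
"""Flag executables arriving on removable media by content, not name.

Added example, not any product's code: read the leading bytes of each file on
a mount point, classify by file-format magic, and quarantine anything that is
executable-like (or a Windows .lnk shortcut). Paths are constructed placeholders.
"""
import shutil
import tempfile
from pathlib import Path

# Mach-O magics: 32/64-bit, both byte orders, plus the fat/universal header.
_MACHO = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",
          b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
# Shell Link header: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046.
_LNK_MAGIC = (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
              b"\xc0\x00\x00\x00\x00\x00\x00\x46")


def classify_file(path):
    """Return a label for executable-like content, or None for inert data."""
    with open(path, "rb") as f:
        head = f.read(64)                       # enough to reach e_lfanew at 0x3C
        if head.startswith(b"MZ"):
            e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
            f.seek(e_lfanew)
            # Genuine PE image if the NT signature sits where the DOS header points.
            return "pe" if f.read(4) == b"PE\0\0" else "mz-stub"
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head[:4] in _MACHO:
        return "mach-o"
    if head.startswith(b"#!"):
        return "script"
    if head.startswith(_LNK_MAGIC):
        return "lnk"
    return None


def scan_removable(mount, quarantine):
    """Move every executable-like file under mount into quarantine.

    Returns [(relative_path, label), ...] in path order; inert files stay put.
    """
    mount, quarantine = Path(mount), Path(quarantine)
    findings = []
    files = [p for p in mount.rglob("*") if p.is_file() and not p.is_symlink()]
    for path in sorted(files, key=lambda p: p.relative_to(mount).as_posix()):
        label = classify_file(path)
        if label is None:
            continue
        rel = path.relative_to(mount)
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(path), str(dest))
        findings.append((rel.as_posix(), label))
    return findings


def demo():
    """Constructed mount point: inert documents mixed with disguised executables."""
    with tempfile.TemporaryDirectory() as tmp:
        mount, quarantine = Path(tmp) / "usb", Path(tmp) / "quarantine"
        (mount / "photos").mkdir(parents=True)
        (mount / "readme.txt").write_text("quarterly load figures\n")
        (mount / "photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # real JPEG magic
        # A PE image renamed to look like a picture: DOS stub whose e_lfanew points at "PE\0\0".
        pe = bytearray(b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little"))
        pe += b"\x00" * (0x80 - len(pe)) + b"PE\0\0" + b"\x00" * 16
        (mount / "photos" / "dog.jpg").write_bytes(bytes(pe))
        (mount / "tool").write_bytes(b"\x7fELF" + b"\x00" * 60)   # no extension at all
        (mount / "install.sh").write_text("#!/bin/sh\necho constructed\n")
        (mount / "Report.lnk").write_bytes(_LNK_MAGIC + b"\x00" * 56)

        findings = scan_removable(mount, quarantine)
        survivors = sorted(p.relative_to(mount).as_posix()
                           for p in mount.rglob("*") if p.is_file())
        return findings, survivors


if __name__ == "__main__":
    print(demo())
```

Content-based classification catches the renamed-binary case that extension filters miss, and needs no signature database, which is the point the comment makes. It does not replace execution controls: a data file can still be opened by a vulnerable parser, so this scan belongs alongside application whitelisting and disabled autorun rather than in place of them.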
July 20, 2010, 3:51 pm
John Gilmore says:
Stewart claims “the privacy lobby has a vested interest in pretending that threats to our networked infrastructure are all hype.”
The privacy lobby has been advocating good cryptographic computer security for decades, stating that the US was particularly vulnerable because our networks were so pervasive.
On the other hand, Stewart Baker directly opposed the deployment of good cryptographic computer security throughout the private sector, as the head lawyer at NSA. The export controls and secrecy that he defended kept US industry unprotected for decades. The privacy lobby’s constitutional lawsuits, software initiatives, public education, public cracking of NSA-approved codes like DES, and many other efforts are the only reason we have ANY computer security today. Stewart fought us every step of the way. Under Stewart’s reign, ssh was illegal and https had to be carefully segregated to US citizens only. I know people who were prosecuted, convicted and deported for exporting a few harmless DES-based satellite TV decoders to rural Latin Americans!
Ignore him, he’s just a manipulative demagogue.
July 21, 2010, 5:06 pm
Stewart Baker says:
Actually, the one place where US law allowed deployment of strong crypto — for decades — was the US. And in any event strong crypto has been exportable for something like a decade. If the availability of strong crypto — or even the exportability of strong crypto — were the key to a secure infrastructure, shouldn’t US industry be really secure by now?
July 22, 2010, 6:48 am
Rorschach says:
Here is another article on the methodology of the attack:
July 22, 2010, 9:17 am
http://news.cnet.com/8301-27080_3-20011159-245.html?tag=topStories1
It would not appear that strong crypto would have really helped. The biggest issue I see is Siemens uses a hard coded default password that is in the open literature and has been circulating online for years which, even in light of this, they do not recommend changing. The use of hard coded passwords in control systems programming would appear to be a widespread practice. It is also a very INSECURE practice. As usual, the problem is not so much technological as social engineering and lazy humans. Sure there is a technological component, the zero-day flaw in the way Windows handles shortcut icons and the rootkit that the worm installs are the big ones, but the piss-poor software design utilized by Siemens is the biggest culprit, that and the fact that even though the use of USB thumb drives is a restricted practice, it still happens on a very regular basis, with thousands of infection attempts happening per day.
Yikes « Internet Scofflaw says:
[...] Strong evidence that someone is plotting a cyber attack on the power [...]
July 22, 2010, 12:43 pm
Voip windows says:
Hi … I just stumbled upon your post. A good viewpoint. Hey, your post left me quenching for more. Your post really gives out useful knowledge. Thanks.
July 23, 2010, 7:50 am
The Volokh Conspiracy » Proof that other countries are planning cyberattacks on the power grid?
Microsoft to Issue Emergency Patch for Critical Windows Bug — Krebs on Security says:
[...] around this Stuxnet worm: Early on, the news media and pundits fixated on the notion that this was proof that other countries were planning cyber attacks on our power grid and other highly complex networks that rely on the types of SCADA systems targeted [...]
July 30, 2010, 4:02 pm