It is a crisp winter morning. The sun rising over Boston Harbor blinds as it strikes the white oil drums on the industrial edge of Chelsea. Marcus Kempe, director of operations support at the Massachusetts Water Resources Authority (MWRA), is showing off the crescent-shaped bank of computers that control the flow of water pumped into 2.5 million faucets across eastern Massachusetts every day.
These are the computers that would have to be hacked in order to carry out a cyberattack. And these days, most of Kempe’s job involves planning against such an eventuality. But he is not particularly worried about it.
“You’re talking about ridiculous barriers,” says Kempe, who is a 25-year veteran of the MWRA and oversees its computer infrastructure. “Could a computer attack get us to a high-consequence event? Probably not.”
First, Kempe says, a hacker would have to worm into the IT infrastructure. Then, he’d have to hop over a firewall and slip into the MWRA’s SCADA (supervisory control and data acquisition) system (the crescent-shaped bank of computers) through one of two very narrow access points. Finally, he would have to plant surreptitious code that would allow remote control of the chemical distribution or even the flow of water itself. (To learn more about the obstacles a hacker would have to hurdle at the MWRA, read “Debunking the Cyberterrorist Threat to Water Utilities,” at www.cio.com/printlinks.)
“You’re talking about three hacks,” says Kempe. “To us, cyberterrorism is a lower-level threat.”
Since Sept. 11, it’s been almost unpatriotic to suggest that the threat of cyberterrorism is anything other than dire. But CIOs and security experts are beginning to challenge the assumption that a hack on the nation’s critical infrastructure will be the next big terrorist outrage. In fact, cyberterrorism may not be nearly as worrisome as some would make it. That’s because it is utterly defensible. And CIOs can play a crucial role in the defense.
DEFINING THE THREAT
As was the case with so many New Yorkers, Sept. 11 inspired Ed Cannon to get involved. Within a couple of weeks of the attack, Cannon, executive vice president and CIO of the global marketing communications company Grey Global Group in New York City, had formed the Information Civil Defense Group (ICDG). He envisions ICDG as a sort of neighborhood watch group, where the neighborhood is the private sector’s critical infrastructure and the residents are concerned CIOs. ICDG will stage seminars for CIOs and work with Washington on security standards around critical infrastructure.
So far, Cannon has 100 volunteer CIOs and has met with Richard Clarke, special adviser to the president for cyberspace security, in the Office of Homeland Defense. About 80 percent to 90 percent of critical technology infrastructure resides in the private sector, and that puts private sector CIOs in a unique position of leadership. They run the systems that need to be protected against terrorist threats.
“We CIOs have the responsibility for managing this,” Cannon says. “We have a real role to play.”
The first order of business is defining cyberterrorism. Since Sept. 11, threats once considered digital aggravations have been tagged cyberterrorist provocations. Suddenly, encryption was not a software feature but a weapon in the cyberterrorist’s arsenal. Knocking out e-mail was cyberterrorism. One widely quoted security consultant warned of the threat posed by the fans on computers, which can “breathe” and spread deadly bacteria. Is this, then, a form of “bio-cyberterrorism”? The term lost its meaning as it stretched to keep pace with flights of anxiety.
This is how the National Infrastructure Protection Center (NIPC) under Director Ron Dick, a key figure in the government’s infrastructure protection scheme, defines cyberterrorism: a criminal act perpetrated through computers resulting in violence, death and/or destruction, and creating terror for the purpose of coercing a government to change its policies.
So to qualify as cyberterrorism, an act must fulfill two criteria: a political motivation and a destructive result. But computer attacks usually satisfy only one: the motivation. It’s far more difficult to cause destruction with computers. If phones don’t work, it’s annoying, perhaps costly, even dangerous, but not in and of itself destructive. Even the most often cited cyberterrorist threat, shutting down the Internet: is that really destructive, or just a massive inconvenience? Most experts believe it’s the latter. Very few malicious uses of technology qualify under Dick’s definition of cyberterrorism.
“It’s a bad word. Cyberterrorism is not terrorism in cyberspace because there is no terror there,” says security expert Bruce Schneier, CTO and founder of Counterpane Security in Cupertino, Calif. He distinguishes between the term cyberterrorism and what he calls “cyberhooliganism,” which would include viruses, website defacement and so forth. “Computers can be a vector for terrorism just as the mail system has become a vector for terrorism. But if the mob goes and shoots up a convenience store, we don’t call that terrorism. Think of the horrible crimes we don’t call terrorism,” says Schneier. “So if you shut down the Internet,” a feat Schneier and others warn is plausible and not unlikely, “yes, it’s a huge malicious attack, but it’s not terrorism.”
Both Schneier and Dick agree that the definition of cyberterrorism includes two clear subcategories of cyberterrorist threats.
- The physical infrastructure threat: compromising critical systems to severely affect critical physical infrastructure, such as power grids, water and sewer systems, dams, hospital equipment, pipelines, communications, global positioning satellites, air traffic systems or any other networked system, which would result in death and/or destruction.
- The critical data threat: compromising critical computer systems to steal or irreversibly damage vital data, such as the Social Security database, a large financial institution’s records or secret military documents, which would result in death, destruction and/or catastrophic economic turmoil.
Of these scenarios, the first, hacking to terrorize utilities, has dominated the cyberterrorism dialogue. But are these systems really networked, and if they are, why did companies and public agencies open critical infrastructure to obvious vulnerabilities?
SEDUCED BY THE WEB
To answer those questions, we have to go back and look at how infrastructure adapted to the introduction of computers. In the 1970s, computers made it possible to network command and control functions of systems like the power grid or dams or communications switches. Remote control was considered a boon to routine maintenance; it created new efficiencies. Ironically, it was also deemed a good defense against terrorism; the government feared onsite attacks. The notion that someone could manipulate a computer to affect infrastructure was considered a bit of science fiction.
In the 1980s and early ’90s, SCADA systems matured and came to dominate critical physical infrastructure. With SCADA, power companies could remotely control functions like load dispatching (balancing transformers so that no one power station gets overloaded). Networked SCADA looked like the future of utility maintenance and control.
The Nuclear Regulatory Commission (NRC) was the exception. After a short evaluation, the NRC decided to forbid remote control at nuclear plants. Then in the late ’90s, critical utilities were, like everyone, barraged by consultants promising unprecedented cost savings through the Internet.
Kempe at the MWRA recalls meetings during the Web’s headiest days, when he and his staff discussed the merits of opening up his systems to the Internet. “It was so tempting,” he recalls. “It looked so wonderful: the cost savings, the efficiencies.” In the end, the MWRA resisted temptation.
Not everyone did. Many utilities, particularly smaller outfits, and, for arbitrary reasons, power companies, embraced the Web. The ones who dove in either didn’t recognize or didn’t care at the time that they were also embracing the security weaknesses inherent in the public network.
Today, there remains an unsettling lack of understanding about just how safe utilities are from cyberattack. Even NIPC Director Dick seems to have no idea as to the overall state of networked infrastructure. Asked if he knows which utilities are vulnerable, Dick says, “I don’t know that anyone knows.”
WHY CYBERTERRORISM IS NOT WORTH THE WORRY
This much is known: Some critical computers are vulnerable. In 1997 a hacker shut down control tower services at the Worcester, Mass., airport. The incident didn’t cause any accidents, though service was affected. Three years later, a General Accounting Office report suggested the Federal Aviation Administration computers were vulnerable. And in Maroochy Shire, Australia, in April 2000, a disgruntled consultant-turned-hacker compromised a waste management control system and loosed millions of gallons of raw sewage on the town.
The hacker had deep knowledge of the system, and he had stolen sewage-control software on his laptop. He spent two months getting into the system from the outside.
The good news, besides the lack of human casualties (marine life died), is that it took this former insider 46 tries to unleash the waste; the bad news is that those managing this critical infrastructure missed his first 45 attempts.
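The Maroochy Shire lesson is that the 45 failed attempts were the detection opportunity. The following is an added example, not code from the article or from any utility it names: it runs a simple repeated-failure detector over constructed access-log lines for a hypothetical remote SCADA gateway. The log format, the source names and the threshold are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (an assumed format, not a real SCADA gateway log):
# ISO timestamp, source link, login name, outcome.
SAMPLE_LOG = """\
2000-03-01T02:10:05 src=radio-07 login=maint result=FAIL
2000-03-01T02:14:41 src=radio-07 login=maint result=FAIL
2000-03-01T02:20:12 src=radio-07 login=maint result=FAIL
2000-03-01T09:30:00 src=console-1 login=operator result=OK
2000-03-02T01:05:33 src=radio-07 login=maint result=FAIL
2000-03-02T01:09:18 src=radio-07 login=maint result=OK
"""


def parse_line(line):
    """Split one log line into (timestamp, {field: value})."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields


def failed_attempt_alerts(log_text, threshold=3, window=timedelta(hours=24)):
    """Return alerts as (timestamp, source, reason) tuples.

    Two conditions raise an alert: a source reaching `threshold` failed
    logins inside `window`, and a success that follows any failures from
    the same source (the pattern a persistent former insider would leave).
    """
    failures = defaultdict(list)   # source -> timestamps of recent failures
    alerted = set()                # sources already reported for the current streak
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, f = parse_line(raw)
        src = f["src"]
        if f["result"] == "FAIL":
            # keep only failures that fall inside the sliding window
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold and src not in alerted:
                alerts.append((ts, src, f"{len(failures[src])} failed logins within {window}"))
                alerted.add(src)
        else:
            if failures[src]:
                alerts.append((ts, src, f"success after {len(failures[src])} failures"))
            failures[src] = []
            alerted.discard(src)
    return alerts


if __name__ == "__main__":
    for when, src, reason in failed_attempt_alerts(SAMPLE_LOG):
        print(f"{when.isoformat()} {src}: {reason}")
```

On the constructed input the detector fires twice for `radio-07`: once when the third failure lands inside the 24-hour window, and again when the later success follows four failures. A real deployment would feed the alert to whoever staffs the operations center around the clock, which is the gap the Maroochy operators fell into.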
It wasn’t cyberterrorism. But even so, many view the cyberterrorist threat to computer infrastructure as largely implausible.
Why? For one, experts say terrorism is like lightning. It takes the path of least resistance to its end. And, right now, it’s easier to blow something up than to figure out how to damage it by hacking into and manipulating a computer system.
Take the MWRA. After Sept. 11, Kempe’s first order was not to lock down computers; it was to erect Jersey barriers, weld manhole covers and call in the National Guard. Terrorists want to make an immediate impact, and cyberterrorism is largely quiet.
“Terrorists need to make a big splash, to draw headlines,” says Mike Hager, vice president of security at Oppenheimer Funds in Englewood, Colo., who was at the World Trade Center Sept. 11 and escaped after both planes hit. “The type of cyberterrorist attack pulled off would have to be huge.” According to Hager, the fact that a hacker turned some lights out wouldn’t convey any terrifying message. “The terrorists [on Sept. 11] could have hacked into the power system of the World Trade Center.” They didn’t, because that wouldn’t have made a statement.
Security expert Rob Rosenberger feels much of the rhetoric about cyberterrorism is political posturing to gain funding. “The information-war people say this cyberterrorist threat is out there, but they never provide any plausible scenarios,” says Rosenberger, director of Vmyths.com, an independent website that squelches virus myths and general computer security hysteria. “I’m asking for reality, and I’m not getting it.”
THE REAL THREAT
Rosenberger fears the second scenario far more: cyberterrorist attacks that destroy critical data. And he’s not the only one.
The general state of data security is woeful, again, thanks to the Web. Despite unprecedented spending on security in the past three years, more hacks than ever are successful, they are easier to create and carry out, and they produce ever more devastating results. Most of those threats are not through disablement but rather corruption: tricking a system into doing the wrong tasks while it supposes it’s working normally.
Parasites, tiny computer programs that live in databases and slowly corrupt the data and its backups, could wreck a crucial database like Social Security. Or a hacker could penetrate a pharmacy chain’s network or hospital database, causing fatal medical errors when a patient takes a prescription drug. If you want to raise hell on airlines, you hack the reservation system, says Schneier. If you want to cyberterrorize airlines, you hack the weights and measures computers that control planes’ fuel and payload measurements.
Such “fringe systems” are seen as the most vulnerable to data corruption. “The threat to data is absolutely more of a concern,” says Hager. “It’s so much easier to attack, and there are so many more targets.”
In any case, the threat of cyberterrorism is deemed most plausible as a supplement to a larger terrorist attack. In other words, we shouldn’t think about cyberterrorism as the next great threat after the physical horror of airplane hijacking and the biological horror of anthrax. Rather, cyberterrorism is something smaller that will be used to amplify those far greater horrors.
“I keep going back to Sept. 11 and wondering how bad it would have been if the Code Red worm hit at the same time, the level of anxiety and panic that would have caused,” says Grey Global’s Cannon. “Having e-mail was one of the saving graces of that day.”
The good news is that protecting against any security threat protects against cyberterrorism. Kenneth Niemi, CIO of the Minnesota State University System, learned that recently when he faced a two-and-a-half-week employee strike. It turned into a de facto antiterrorist exercise. Niemi found himself planning a defense against disgruntled employees who possessed the two keys to any security breach: knowledge and access.
Niemi’s greatest takeaway from this exercise was how much physical and IT security should and can intersect. (For more information on this, read “How to Plan for the Inevitable,” Page 74.) Since Sept. 11, the trend toward combining aspects of IT security with onsite security has accelerated. “We made key card access enforceable 24 hours a day. We require certain employees to take their laptops home in case we need to deal with a situation remotely,” Niemi says.
Niemi also formalized the process of registering guests who enter his building and is adding computer lab surveillance.
Cannon has also tightened physical security by revoking several employees’ access to the data center. He also moved many consoles out of the data center, all in an effort to reduce traffic near critical systems.
The MWRA already has tight integration of physical and network security. To begin with, the computers are in a locked room, which is accessible by key card and manned 24/7. Visitors check in and check out at the front desk, and after visitors leave, their host sends a memo to senior management detailing the visit.
SCADA connects through a private line (soon, via microwave) to pump stations and reservoirs. If something goes wrong at a water facility, an alarm sounds both onsite and at the SCADA operations centers. The alarm also flashes on the computers, and it can’t be shut off until a formal acknowledgement of the alarm is made and physically logged by a person with clearance to do so.
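The alarm behaviour described above, latching until a cleared person formally acknowledges it, with every attempt logged, is a small secure-design pattern worth seeing in code. The following is an added example written for this article, not MWRA software: it models an alarm board where acknowledgement is gated on a clearance roster and recorded in an append-only audit trail. The roster, site names and alarm text are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed clearance roster (an assumption, not MWRA's actual roles):
# only these logins may acknowledge an alarm.
CLEARED_TO_ACK = {"j.ops": "shift supervisor", "m.kempe": "operations support"}


@dataclass
class Alarm:
    site: str
    message: str
    raised_at: datetime
    acknowledged_by: Optional[str] = None
    acknowledged_at: Optional[datetime] = None

    @property
    def active(self):
        """An alarm stays active until a cleared person acknowledges it."""
        return self.acknowledged_by is None


class AlarmBoard:
    def __init__(self, roster):
        self.roster = roster
        self.alarms = []
        self.audit = []   # append-only: every raise and every acknowledgement attempt

    def raise_alarm(self, site, message, when):
        alarm = Alarm(site, message, when)
        self.alarms.append(alarm)
        self.audit.append((when, "RAISE", site, message))
        return alarm

    def acknowledge(self, alarm, user, when):
        """Clear the alarm only for a user on the roster; log denied and duplicate attempts too."""
        if user not in self.roster:
            self.audit.append((when, "ACK_DENIED", alarm.site, user))
            return False
        if not alarm.active:
            self.audit.append((when, "ACK_DUPLICATE", alarm.site, user))
            return False
        alarm.acknowledged_by = user
        alarm.acknowledged_at = when
        self.audit.append((when, "ACK", alarm.site, f"{user} ({self.roster[user]})"))
        return True

    def active_alarms(self):
        return [a for a in self.alarms if a.active]


if __name__ == "__main__":
    board = AlarmBoard(CLEARED_TO_ACK)
    alarm = board.raise_alarm("Pump Station 3", "low chlorine residual", datetime(2002, 1, 15, 6, 30))
    board.acknowledge(alarm, "visitor", datetime(2002, 1, 15, 6, 31))   # refused, logged
    board.acknowledge(alarm, "j.ops", datetime(2002, 1, 15, 6, 35))     # accepted, logged
    for entry in board.audit:
        print(entry)
```

The point of the design is that silencing an alarm is itself a privileged action: an uncleared user cannot make the alarm go away, and the denied attempt leaves a record that a supervisor can review later.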
“Roving crews” periodically go to MWRA pump stations and storage sites to check the integrity of the facilities and their connection to the control computers. Most of the sites are under surveillance.
“I see IT and these physical security rules meshing more and more,” says Cannon. “Especially when you talk about disgruntled employees and screening. But it’s a fine line. We want to treat employees like adults. Cut off too much access and you’re saying you don’t trust them.”
Besides meshing physical and IT security, two other measures CIOs can take are to get involved and share information with each other. Joining Cannon in the Information Civil Defense Group, meeting with government groups like the National Infrastructure Protection Center, raising awareness of the cyberterrorist threat within one’s own company and opening security dialogues with peers are all important steps to take.
Six months after the Sept. 11 attacks, there’s a great deal of optimism among technology professionals about their ability to deflect the cyberterrorist threat.
“[Awareness] is a big reason for optimism,” says Alan Paller, security expert and director of research at the SANS Institute in Bethesda, Md. “The operations guy is getting a call from the vice chairman, someone really high up, who’s asking what the company is doing about this threat. That conversation has never happened before. Underneath there are still a lot of vulnerable systems out there, but I believe cyberterrorism is very hard to pull off.
“My newest speech is about this topic, and it’s not ‘look how life is ending,’” Paller adds. “It’s optimistic. There are many more reasons for optimism now than there were six months ago.”