The Feds Step In
Not long ago, hackers broke into the computer system of a chemical plant in a remote region of Idaho. From their computer keyboards, the hackers sneaked through two levels of firewalls protecting the plant’s computer network and broke into its process control network.
They spent a couple of days “just looking around,” finding pumps, valves and other devices connected to the network — and learning how to use them. When they had mastered the system, they took control of the facility. For starters, they blinded the operators in the plant’s control room by sending commands to the human-to-machine interface to make it appear that nothing had changed.
But, of course, things were changing. Free to do as they pleased, the hackers turned on a group of feed pumps, filled a tank, caused it to overflow and flooded the plant floor with chemicals.
The plant operators could not believe what was happening. Fortunately, they knew it was just a demonstration by the Idaho National Laboratory (INL) in Idaho Falls. But they had previously rejected the idea that it was possible to hack into and take over the electronic systems that control industrial plant processes. Plant operators who use Supervisory Control and Data Acquisition (SCADA) controls seem particularly stunned when they witness such a demonstration; SCADA had typically been thought to be impervious to cyber-attacks.
Idaho National Laboratory has been working for several years to persuade utility owners, water companies, manufacturers and others that their process control systems need better cyber-security. INL is a good starting place for this effort. The lab operates on an 890-square-mile property built out like a small city. The facility has its own chemical plant, water plant, electricity generating plant, as well as telecommunication systems, computer networks and other examples of critical infrastructure — especially those infrastructures that make use of electronic process control systems. The lab uses its facility to dramatic effect by proving what a terrorist would find to be possible when mounting an attack on one or another category of critical infrastructure.
“When we show people these kinds of real-world examples, it proves that vulnerabilities do exist,” says Thomas Harper, Ph.D., director of critical infrastructure protection at INL.
Perhaps more troubling is how deep the infrastructure vulnerabilities run.
INFRASTRUCTURE FAILURES CAUSE RIPPLE EFFECT
When something hurts one piece of infrastructure, the aftereffects ripple through society, causing harm elsewhere.
Here is an example: In 1998, the on-board controller of a key communications satellite malfunctioned. As a result, almost 90 percent of pagers in North America went down. Hospitals could not reach doctors. Emergency workers could not receive pages. Even people trying to buy fuel by swiping credit cards at gas pumps were shut down. The loss of capacity within the communication infrastructure affected the health care infrastructure, the emergency response network, the economics of the oil industry and the banking and finance industry and even impinged on the transportation infrastructure.
Another example: On August 14, 2003, the electrical infrastructure up and down the East Coast failed, thus illustrating how dependent modern society is on electrical power. Throughout the affected area, computer networks went down, oil-refining processes and pipelines wheezed to a halt, communications systems failed and drinking water treatment plants choked and stalled. Anything needing power that did not have back-up power stopped.
“There is not a person living along the Gulf of Mexico today (after Katrina) that does not understand the concept of interdependency between electric power and energy or the emergency services process and its dependence on transportation or the interdependence of components of critical infrastructure,” says John A. McCarthy, director of the Critical Infrastructure Protection Program at the George Mason University School of Law in Arlington, Va. “Interdependent infrastructure assets drive public health and safety, national security and the economy, but control over these assets usually does not lie with the government.”
WHOSE INFRASTRUCTURE IS IT?
The federal government has the authority to order security upgrades for some categories of critical infrastructure. In many cases, however, the federal government must persuade the owner of a critical infrastructure to enhance security.
According to most estimates, 85 percent of the infrastructure that the federal government has defined as critical is owned by private industry. In some cases, federal regulations specify security measures. Agencies within the Department of Energy (DOE) regulate security at nuclear power plants, for example. The Environmental Protection Agency (EPA) regulates water authorities, both public and private. The Department of Homeland Security (DHS) regulates security for air and other modes of transportation. The Department of the Treasury regulates banking and finance.
In other cases, however, an industry may hesitate to move forward, and the government will force the issue with regulations. The chemical industry, for example, may have security regulations in its future. “We have done a lot of work in the chemical industry over the past 18 months,” says Thomas Dinanno, deputy assistant secretary for infrastructure protection with DHS. “We have an intricate understanding of the risks facing that industry. We have also done a lot of work in a voluntary framework to close those vulnerabilities. But we believe there are gaps, and we feel we need a regulatory requirement to close them.”
On the other hand, the owners of a host of other critical infrastructures are free to determine what is and is not necessary to secure their assets. Agriculture, commercial high-rise buildings, postal and shipping services, as well as the oil, natural gas and electrical generating industries — all categorized by the federal government as critical infrastructures — are currently free to set their own security priorities.
That’s where programs like the one run by INL come in. “We have been doing these demonstrations (about cyber-vulnerabilities) for two years,” says Michael Assante, senior relationship manager with INL. “In many cases, we’ve gotten the attention of infrastructure owners. Now, we hope to begin helping them to understand and solve the problems at issue.”
A BIG JOB
Protecting critical infrastructures is a massive task. A 2004 study by the Congressional Research Service says that DHS identified 4,000 chemical facilities, out of 66,000 in the United States, as potentially critical. The researchers also note DHS had recorded 33,000 individual assets in its “national asset database.” About five percent of those, or 1,700 assets, were deemed nationally critical. The rest are critical within their regions.
Protecting infrastructure is also an important task. The U.S. Patriot Act, currently awaiting reauthorization by Congress, defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety or any combination of those matters.”
In an attempt to cut its job into smaller, more manageable pieces, one of the first steps taken by DHS has been to divide critical infrastructures into 17 categories, including energy, the defense industrial base, cyber, telecommunications and commercial buildings.
Over the past two years, DHS has methodically organized owners of these vast networks of critical infrastructure into councils capable of studying their own infrastructure security needs.
In the Banking and Finance category, for instance, DHS has formed a Banking and Finance Government Coordinating Council, composed of federal agencies that deal with this industry: the Comptroller of the Currency, Secret Service, FBI, the Federal Reserve, Treasury Department regulators and others.
On the flip side, DHS has also organized the private banking and finance sector into councils, bringing together brokers and dealers as well as retail and investment bankers, mortgage brokers and others with an interest in finance and banking.
“We have done this across all 17 sectors of critical infrastructure,” Dinanno says. “In some categories, we have broken the coordinating councils down into sub-councils. The agriculture category, for instance, is diverse, and we have broken it into eight sub-councils including processors, manufacturers, retail, warehousing and logistics and producers such as farmers and herders.”
DHS trains members of the councils and sub-councils to conduct vulnerability studies appropriate to their industries and threat profiles. “We have trained more than 5,000 individuals over the last couple years,” Dinanno says.
Councils and sub-councils meet regularly to share information. The councils also help relay information from DHS to industry members.
According to Dinanno, DHS reviews intelligence information obtained from classified sources every day, edits and declassifies the information and forwards it to one or more councils. To speed communications between government and infrastructure owners, DHS is installing a secure fiber optic information network, called the Homeland Security Information Network (HSIN); it will make it possible for all members of infrastructure councils and sub-councils to receive regular intelligence updates and advisories about infrastructure threats.
“The experiences of the past decade show that we need a new relationship between the government and private sector to protect national security and economic security,” McCarthy of the CIPP says.
Perhaps HSIN and other methods for exchanging information will help private owners and the federal government hammer out the new relationships necessary to securing the nation’s critical infrastructure.
According to “The CIP Report,” a newsletter from the Critical Infrastructure Protection Program, a research organization based at the George Mason University School of Law in Arlington, Va., the federal government will spend approximately $625.5 million on critical infrastructure protection and information security during the 2006 fiscal year. That’s just over 15 percent of the $40.6 billion 2006 DHS budget.
DHS itemizes infrastructure security spending as follows:
- MANAGEMENT AND ADMINISTRATION
- CRITICAL INFRASTRUCTURE OUTREACH AND PARTNERSHIP
- CRITICAL INFRASTRUCTURE IDENTIFICATION AND EVALUATION
- NATIONAL INFRASTRUCTURE SIMULATION AND ANALYSIS CENTER
- NATIONAL SECURITY/EMERGENCY PREPAREDNESS TELECOMMUNICATIONS
Categories & Responsibilities
Homeland Security Presidential Directive 7 (HSPD-7) and the Department of Homeland Security (DHS) have divided critical infrastructure into 17 large categories. HSPD-7 also assigns agencies to oversee critical infrastructure protection in these various categories. DHS is also the sector-specific agency setting policy for 10 of these categories. Seven categories have been assigned to other agencies.
Each of the 17 categories of critical infrastructure is listed below. The agency noted in connection with each listing is responsible for coordinating critical infrastructure protection in that category. DHS serves as coordinator for 10 critical infrastructures, while also developing executive level policies for all categories of critical infrastructure.
- WATER (Environmental Protection Agency)
- OIL, GAS AND ELECTRIC POWER, EXCEPT FOR COMMERCIAL NUCLEAR FACILITIES (Department of Energy)
- DEFENSE INDUSTRIES (Department of Defense)
- COMMERCIAL CHEMICAL PLANTS (DHS)
- COMMERCIAL NUCLEAR POWER PLANTS (DHS)
- COMMERCIAL SERVICES, SUCH AS HIGH RISE BUILDINGS, STADIUMS AND OTHER VENUES (DHS)
- GOVERNMENT BUILDINGS AND FACILITIES (DHS)
- EMERGENCY SERVICE FACILITIES (DHS)
- HEALTHCARE, PUBLIC HEALTH, AND CERTAIN FOODS (Health and Human Services)
- AGRICULTURE (Department of Agriculture)
- NATIONAL MONUMENTS AND ICONS (Department of the Interior)
- TRANSPORTATION (DHS)
- BANKING AND FINANCE (Department of Treasury)
- CYBER AND INFORMATION TECHNOLOGY (DHS)
- TELECOMMUNICATIONS (DHS)
- DAMS (DHS)
- POSTAL SERVICES AND SHIPPING (DHS)