eTerrorism: Assessing the infrastructure risk

In 1998, a 12-year-old hacker broke into the computer system that controlled the floodgates of the Theodore Roosevelt Dam in Arizona, according to a June Washington Post report. If the gates had been opened, the article added, walls of water could have flooded the cities of Tempe and Mesa, whose populations total nearly 1 million.

There was just one problem with the account: It wasn't true.

A hacker did break into the computers of an Arizona water facility, the Salt River Project in the Phoenix area. But he was 27, not 12, and the incident occurred in 1994, not 1998. And while clearly trespassing in critical areas, the hacker never could have had control of any dams--leading investigators to conclude that no lives or property were ever threatened.

"It's like the children's game of 'telephone,'" said Gail Thackery, assistant attorney general for Arizona and the prosecutor on the Salt River hacking case. "You get the reality at one end and, at the other end, something completely different."

The misreported incident serves as a metaphor for today's pressing debate over the Internet's vulnerability to attack. While warnings pervade government and the media, doomsday scenarios of cyberterrorism that result in massive deaths or injury remain largely the stuff of Hollywood scripts or conspiracy theory.

Although it is possible for electronic intrusions to damage infrastructure and threaten physical danger, taking control of those systems from the outside is extremely difficult, requires a great deal of specialized knowledge and must overcome non-computerized fail-safe measures. As a result, government and corporate security experts--while careful not to dismiss the gravity of the issue--point to this indisputable fact: It is still easier to bomb a target than to hack a computer.

"If we had so many dollars to spend on a water system, most of it would go to physical security," said Diane VanDe Hei, executive director of the Association of Metropolitan Water Agencies and point person for the Information Sharing and Analysis Center (ISAC) for the water utilities.

In a so-called "digital Pearl Harbor" exercise sponsored by the U.S. Naval War College and Gartner last month, analysts posing as terrorists were able to simulate a large-scale cyberattack on the nation's infrastructure. But to do so they needed $200 million, high-level intelligence and five years of preparation time. The college concluded that such an offense could cripple communications in a heavily populated area but would not result in deaths or other catastrophic consequences.

Yet the hyperbole about an Internet attack frequently overshadows common sense. On Sept. 11, it took less than 24 hours after four passenger jets were used as weapons of mass destruction for cries of cyberterrorism to emerge as the next great threat, triggering calls for new legislation to broaden the authority of law enforcement agencies.

"Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives," said Rep. Lamar Smith, R-Texas, in a statement heralding the House's passage of the Cyber Security Enhancement Act last month. His favorite tag line: "A mouse can be just as dangerous as a bullet or a bomb."

That sort of rhetoric is why many dislike the term "cyberterrorism." Ambiguity over its definition--and, therefore, which threats are real and which are not--has confused the public and given rise to countless myths. The phrase has become a catchall buzzword that evokes nightmare images that can be exploited to support political agendas ranging from stronger surveillance authority to tighter immigration controls.

"If you say cyberterrorism, you confuse people," said Richard Clarke, President Bush's special adviser for cybersecurity. "Osama bin Laden is not going to come for you on the Internet."

Cyberattacks come in two forms: one against data, the other on control systems. The first type attempts to steal or corrupt data and deny services. The vast majority of Internet and other computer attacks have fallen into this category, such as credit-card number theft, Web site vandalism and the occasional major denial-of-service assault.

Control-system attacks attempt to disable or take power over operations used to maintain physical infrastructure, such as "distributed control systems" that regulate water supplies, electrical transmission networks and railroads. While remote access to many control systems has previously required an attacker to dial in with a modem, these operations are increasingly using the Internet to transmit data or are connected to a company's local network--a system protected with firewalls that, in some cases, could be penetrated.

Still, Clarke and other security officials say any damage resulting from electronic intrusion would be measured in loss of data, not life.

"It would be relatively easy to conduct a cost-free or risk-free attack given the endemic vulnerabilities in our system," said Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth University and a former director of the National Infrastructure Protection Center, the cybersecurity arm of the FBI. "It would be harder to kill people or have a lasting effect using cyberattacks."

It is true, however, that data attacks could have severe consequences without causing deaths. Many power companies and water utilities are operated with networks of computer-controlled devices, known as supervisory control and data acquisition (SCADA) systems, which could be hacked.

SCADA systems could be attacked by overloading a system that, upon failure, causes other operations to malfunction as well, said John Dubiel, a Gartner consultant who worked on the electrical power attack in last month's war games. Such domino effects have been seen in incidents resulting from natural events.

In 1996, the power along much of the West Coast corridor went out for nine hours after a tree branch fell on some power lines and, in combination with several other problems, caused a cascading failure. In 1990, a similar event with an AT&T switch touched off a chain reaction that shut down long-distance communications across the United States.

"The system attacks itself in these cases," Dubiel said.

Making matters worse, more than 80 percent of such critical infrastructure is privately owned, and in many cases the companies have not been sufficiently educated about information security until recently. Security consultants have attested that many utilities have an indirect path to the Internet from their SCADA master terminals.

In November 2001, 49-year-old Vitek Boden was sentenced to two years in prison for using the Internet, a wireless radio and stolen control software to release up to 1 million liters of sewage into the river and coastal waters of Maroochydore in Queensland, Australia.

Boden, who had been a consultant on the water project, conducted the attack in March 2000 after he was refused a full-time job with the Maroochy Shire government. He had attempted to gain access to the system 45 times, and his last attempt proved successful, allowing him to release raw sewage into the waterways.

"Marine life died, the creek water turned black and the stench was unbearable for residents," said Janelle Bryant, investigations manager for the Australian Environmental Protection Agency.

That the facility failed to notice the first 44 attempts speaks volumes about the state of security at public utilities. In a 1997 survey of 50 utilities, then-graduate student Barry C. Ezell, a captain in the U.S. Army, found that 40 percent of water facilities allow their operators direct access to the Internet, and 60 percent of the SCADA systems could be connected by modem.

Ellen Vancko, a representative for the North American Electric Reliability Council, said such access should not always be considered unsafe. "All the electric companies are connected to the Web in one way or another," she said. "But that doesn't mean our control systems are hooked up to the public Net."

Granted, but an Internet connection does provide one more way for an electronic intruder to get into a system. Chris Wysopal, director of research and development for digital security firm @Stake, said he first looks for connections to the Net when called in to analyze the security of an infrastructure network.

"Whenever we see a control system connected to the Internet, that is scary. There is no need for it, except for productivity, and when you are talking about public safety, you should err on the side of security," said Wysopal, whose company has been hired for such audits only since Sept. 11. "We found a power plant where all the control systems had their administrative systems set to the same password."

Because firewalls and other internal protections are not always adequate, risk levels are increased exponentially if networks are connected to the Internet.

"Are we vulnerable? Absolutely. We have the massive bowl of spaghetti between the Internet, phone lines, and extranets, and no one can map it," said Assistant Attorney General Thackery. "We have miles and miles and miles of wire and none of it is secure. And we have all these windows and doors that are open, and they are still open."

She noted that the Net played a major role in a well-publicized incident in 1989, when the Legion of Doom hacker group seized control of much of the infrastructure of Southern Bell's telephone network. During the attack, the hackers could have tapped phone lines and even shut down the 911 system.

BellSouth "had 42 people that I knew of on 24-hour emergency alert to keep control of their network," said Thackery, who was forced to use an encrypted phone in the Secret Service's office in Phoenix because her line had been tapped. "To me, that's one of the scariest scenarios, and these were all college kids. Just pranksters."

Yet even the most notorious incidents have fallen well short of the type of massive destruction envisioned in some of the more imaginative warnings about cyberterrorism. The Queensland incident, for instance, claimed no lives and cost just AUD$13,000 to clean up, and it was accomplished only with extensive inside knowledge.

Wysopal and many other security experts readily acknowledge that wide-scale infrastructure disruption is no easy feat. Even if an intruder manages to break in, he said, commandeering a system "still requires a fairly sophisticated skill set."

Remembering Pearl Harbour


In last month's "Pearl Harbor" exercise, Gartner analysts playing the role of attackers reinforced that observation. "It is very hard to attack something that you don't have a specific knowledge of," said David Fraley, an analyst who simulated an attack on telecommunications networks.

Even in a successful attack on a metropolitan power grid, many critical systems--such as hospitals and prison operations--would continue running because they have independent generators. In addition, utilities and infrastructure operators have elaborate backup measures to protect the public even if a system is breached.

For example, if a hacker were to dramatically raise the chlorine levels of a reservoir, the contaminated water would probably never make it to the public because such supplies are typically tested up to five times before entering public pipelines. The Environmental Protection Agency requires utilities to look for more than 90 regulated contaminants in these tests. An easier attack, and one that such agencies spend more to prevent, is a terrorist dumping chemicals into a reservoir directly.

Federal authorities are also concerned about computer systems that control the nation's transportation systems, including trains, trucks, buses and barges. The railroad industry's networks alone are massive, with more than 500 small railroads to supervise.

"The railroad industry today is one of the biggest users of computer systems in the country," said Nancy Wilson, senior vice president of the Association of American Railroads and point person on the Surface Transportation ISAC. "We were early users of technology and we are big users of technology. If we lose computer capabilities, we would kind of grind to a halt."

For that reason, most rail companies have extensive safety measures and backup systems. Sensors tell when the track has been tampered with, and security mechanisms provide early warning alerts for possible intrusions.

"We have had our share of little hacker problems, but they have never been serious," Wilson said. "I'm not saying we are perfect, but I am saying that we have come a long, long way toward identifying our vulnerabilities."

Redundant safety measures are also taken in manufacturing companies, many of which use SCADA systems. But that hasn't stopped the proliferation of popular urban legends.

In one such myth, a hacker breaks into a food company's network through a Web connection and manipulates a breakfast cereal recipe to add vastly higher levels of iron, threatening children who have a low tolerance for the mineral. Another rumor had a hacker gaining entry to a tank-manufacturing company and changing the temperature specifications for armor used in the vehicles, making the metal more brittle and vulnerable. Neither story is true.

Security experts generally agree that the infrastructure most susceptible to hacking alone is the Internet itself. They often point to the Nimda worm, which by some estimates caused as much as US$3 billion in damages and lost productivity.

Some Internet vulnerabilities have been exposed without any attacks. At least one serious weakness was discovered in 1997 when a technician changed two lines of code and nearly brought down the global network for three hours.

The change occurred to one of the hundreds of thousands of routers that form a key part of the Internet infrastructure. Because of the two-line mistake by the technician at the McLean, Va.-based MAI Network Services, one of its routers indicated that it provided the best path to the entire Internet. Other routers then began sending all their data to the ISP's small leased line, crashing MAI's network and clogging systems around the world.

"Within minutes you had most of the routers throughout the Internet going down," said Craig Labovitz, director of network architecture and lead border gateway protocol researcher for security firm Arbor Networks. "It was absolutely the most massive Internet outage we've seen."

Here again, however, the consequences were neither disastrous nor interminable.

"This wasn't a catastrophe. It was a brownout that sporadically hit providers at various strengths," said one network technician to the North American Network Operators' Group following the outage. He noted that at least one network service provider saw a drop of only 15 percent in traffic.

To law enforcement agencies, the Internet's largest threat is simply the ease of international communication and the ability to hide among the seemingly infinite volume of traffic it carries. In an effort to track down terrorists electronically, the FBI has waived several requirements for new recruits who have technical training.

"The worry right now is not so much a cyberterrorism event," said Don Cavender, a special agent and instructor with the FBI's Computer Training Unit at Quantico, Va., "but when the terrorists use the Internet to facilitate the planning of these attacks."
