STEPHEN BARLAS, ALAN EARLS, MICHAEL FITZGERALD, JERRI LEDFORD AND DENNIS MCCAFFERTY
Published: 06 Sep 2004
Somewhere in Pakistan's mountainous interior, U.S. and Pakistani operatives last spring discovered a laptop with detailed reconnaissance of American targets. Al Qaeda apparently spent years carefully staking out the headquarters of several high-profile financial firms--Prudential, Citigroup, NYSE, World Bank and the International Monetary Fund.
It was a chilling materialization of Osama bin Laden's 2001 edict: "Concentrate on hitting the U.S. economy through all possible means."
The Financial Services Information Sharing and Analysis Center (FS-ISAC) wasted no time alerting its members to the threat, even though the intelligence pointed to a physical attack rather than a cyber-strike.
"You can't just look at this as a threat of a physical attack. If you have a physical attack that involves cyber-assets, it's considered a cyberattack," says FS-ISAC chairperson Suzanne Gorman.
Al Qaeda's objectives were clear: Attack rich and visible components of the nation's critical infrastructure to disrupt the U.S. economy, undermine confidence in the monetary system and inflict fresh wounds in the American psyche. The attack could be part of the dreaded "digital Pearl Harbor," a coordinated physical/cyber attack that many have prophesied since the early '90s.
In the months following 9/11, then-cybersecurity czar Richard Clarke warned of the dangers of a cyberattack against the institutions and services the country can't do without: the government, financial services, transportation, energy and telecommunications. The "National Strategy to Secure Cyberspace" was then drafted as a blueprint to protect this critical infrastructure.
More than 80 percent of the critical infrastructure is owned by the private sector, and there's no economic incentive to add expensive security measures and redundant systems. While some see terrorists and hostile nation-states behind every server, others say there are more pressing security matters.
"A random attack--a worm or some hacker who doesn't know what he's doing--might inadvertently set in motion a chain reaction that could cause serious damage," says Bruce Schneier, CTO of Counterpane Internet Security and author of Beyond Fear. "This kind of thing is far more likely, and worrisome, than a cyberterrorist."
In this special report, Information Security looks at the security of the U.S. critical infrastructure and critical infrastructure threats following 9/11, the measures taken to protect it, and the work that still needs to be done.
The financial services industry has spent untold billions on security infrastructure policies and plans. Despite the high stakes, more than half of IT and security professionals working for financial companies say they're unprepared for a cyberattack, according to a recent Information Security survey. However, most also report that they're better prepared than they were on 9/11.
Banks, brokerages, investment firms and insurance companies treat security as a business continuity issue. Financial institutions have redistributed their workforces, infrastructure and data, and have built resilient backup facilities and lines of communication.
"A few years ago, people didn't really have a common definition for route diversity," says Eric Guerrino, senior VP and information security officer at the Bank of New York. "When you signed up for a backup line, there was no way of knowing whether that line shared the same physical route as your primary line."
"We have multitiered security infrastructures, which are making us better prepared than we were just a few years ago," says FS-ISAC's Gorman, who is also managing director of corporate information security at Securities Industry Automation Corporation (SIAC).
Sharing intelligence is the foundation of financial services' security. Through FS-ISAC and other data exchange conduits, the industry is cooperating to understand and defend against threats faced collectively and individually. Some criticize FS-ISAC for being a "big banks' club," leaving smaller institutions out of the information sharing loop. But, the group is trying to change that.
"On September 11, 2001, we had 70 members. We were missing most of the sector; we need to engage 30,000 institutions," Gorman says. Today, FS-ISAC has 637 members.
"Is there something that someone could do that would take down the whole banking system? I don't think so. But they could cause a lot of harm," says Richard Mogull, a Gartner risk and security analyst.
Two months before 9/11, a freight train caught fire inside a Baltimore tunnel, melting several telecommunications and Internet backbone lines. For several days, connectivity from Washington, D.C., to New England was intermittent or, for some regions and businesses, altogether absent.
What keeps telecommunications industry security managers awake at night are the hackers and worms that could inflict the same kind of disruption on a much larger scale. Attacks against telephone switches, wireless hubs and Internet DNS servers could render the nation deaf, dumb and blind. About two-thirds of telecom IT and security managers surveyed by Information Security believe their industry isn't prepared for a cyberattack.
However, many in the telecom industry don't believe in the doomsday scenario, including John Lewandowski, a security manager at Verizon.
"If I were an attacker, I don't think I would use any one attack--worms, DDoS and so on. I would use a combination of them. And I don't know that it would bring America to her knees," says Lewandowski.
According to SBC Communications, the number of telecom vulnerabilities doubles each year, and the industry is banding together to create standards to reduce risk exposure. Spearheading security efforts are a spate of new organizations, including the Telecom Information Sharing and Analysis Center (Telecom-ISAC), the Network Reliability and Interoperability Council and the National Security Telecom Advisory Committee.
Forrester Research security analyst Michael Rasmussen says the telecom industry ranks second in cooperation with other critical infrastructure sectors (financial services is first). "Down the road, we'll see these pieces all being able to collaborate well," he says.
"Telecommunications infrastructure falls under the auspices of the Department of Homeland Security, which has given a lot more attention to physical security," Rasmussen says. "Cybersecurity has been lacking, and it needs to be raised up a couple of notches."
Could a cyberattack cripple the telecom infrastructure? "It would be relatively difficult; it's getting more difficult as time goes by," says Ron Wallace, director of network security at Nortel Networks.
The near-simultaneous incidence of last summer's Blaster worm and the Northeast blackout was uncanny. While the joint U.S.-Canada investigation determined Blaster had no role in shutting off the lights--a conclusion viewed with skepticism by some observers--the blackout vividly demonstrated the fragility of the country's aging and increasingly automated power grid.
"There are a million-and-one metrics around software complexity and its ability to fail. The more complex, the more likely we're our own number one enemy," says Brandon Dunlap, head of IT security at Baltimore-based Constellation Energy Group.
Disruption of the energy supply--electricity and fuel--could devastate the country's economy and security. The Northeast blackout alone cost nearly $5 billion in lost productivity, complicated the operations of government and emergency response agencies, and left more than 50 million people in the dark, according to the Anderson Economic Group.
"It would take a good bit of knowledge to start introducing events that could take out the power grid, but it's not beyond the realm of possibility," says Michael J. Assante, CSO of American Electric Power in Ohio.
It's a view shared by others in the energy sector. More than half of energy sector respondents to Information Security's survey say they're unprepared for cyberattacks, and the majority say the threat to energy systems is moderate to high.
And, the risk is growing: Most energy automation is controlled by supervisory control and data acquisition (SCADA) systems, which are purpose-built for managing highly regulated, automated processes such as power generation and manufacturing. As these systems come in contact with the Internet, they're potentially exposed to the same risks and threats as PCs and servers.
To secure the energy infrastructure, the departments of Energy and Homeland Security have set up a National SCADA Testbed at the Idaho National Engineering and Environmental Laboratory to study and reduce SCADA vulnerabilities. The energy industry is working to create security standards and information sharing through the Energy Information Sharing and Analysis Center.
But securing energy infrastructures isn't an easy proposition, since most are controlled by systems designed for high availability, not security. While patching Windows systems isn't easy and can cause disruptions, it's nearly catastrophic in SCADA systems, which aren't supposed to be rebooted or shut down. Standard protections--such as firewalls, intrusion detection and encryption--can slow SCADA systems to the point of self-inflicted DoS attacks.
"These systems measure performance in milliseconds, and you can't steal a few (milliseconds) to add encryption," says Dunlap.
But, the complexity of SCADA systems worries some observers more than cyberterrorists, hackers and malware. "The biggest risks are self-inflicted cyber-wounds, not cyberattacks," says Gartner analyst John Pescatore.
A successful cyberattack against the energy industry would require a deep penetration of SCADA systems, causing a cascading failure of the power grid that the redundant systems couldn't absorb. Pescatore says that's why errant squirrels and falling tree limbs cause more power outages than cyberattacks.
"Avoiding mistakes isn't nearly as sexy as the threat of cyberterrorists and won't get you critical infrastructure funding," he adds.
The railroads and their computerized control systems offer tempting targets for terrorists, hackers and other cyber-miscreants. An attack on a single rail switch or schedule system could cause a devastating accident--especially with trains carrying hazardous cargo.
"The network tells 40,000 people where to go to work. It directs 7,000 locomotives that are worth about $2 million apiece. It helps us manage the onboard diagnostic tools, as well as the GPS tracking on board. It allows for us to know which trains aren't healthy and where can we shop them," says Rick Holmes, general director of security for Union Pacific. "We can't afford to be down on any one of our systems."
The situation is similar for other transportation sectors. Seaports must guard systems that monitor ships entering harbors. Airports and airlines must ensure the integrity of air traffic control systems. And highway and mass transit networks must keep traffic flowing freely. Given these massive challenges, it's no surprise that two-thirds of transportation security practitioners surveyed by Information Security say the industry isn't prepared for cyberattacks.
The transportation industry and government policymakers are taking action, and each subordinate sector is making moves to bolster security. For instance, the railroad industry is working with the Department of Homeland Security and other government agencies to assess the threat to its networks and apply the appropriate countermeasures. The industry has adopted encryption to protect internal network traffic and intersystem communications and is drafting secure wireless standards. Transportation Information Sharing and Analysis Centers are coordinating the exchange of security intelligence among members.
Probably no other sector has received as much security scrutiny as air transportation. Since 9/11, screening passengers, monitoring manifests and tracking planes have been top priorities for airlines, the Federal Aviation Administration, the Transportation Security Administration and regional port authorities.
"How will this data be protected, as it is shared across multiple airlines and government agencies? It's a big issue," says Gartner transportation analyst Robert Goodwin.
Seaport security is more an effort to prevent data leaks. Port authorities are closely guarding information on the arrival of hazardous cargo, such as natural gas tankers, to prevent a terrorist attack that could inflict massive damage. RFID tags are also being used to inventory and track the more than 20,000 cargo containers arriving daily at U.S. ports.
Preventing gridlocked traffic and keeping cars moving along the highways are the goals of highway security. Traffic monitoring and signal control systems use IP-based networks, wireless transmitters and microwave relays to shuffle information.
"If something like a traffic signal network were hacked, it could really cause serious problems for the public," says Salvatore A. D'Agostino, who cochairs the Security Task Force for the Transportation Research Board's Freeway Operations Committee.
How prepared is the transportation sector to fend off a cyberattack? Rail and ground are getting high grades from government regulators for their security programs, while air and sea are devoting most of their energy toward physical security.
The Department of Homeland Security is the nucleus of the nation's cybersecurity defense. With its creation, it absorbed most of the agencies that coordinate and defend the government's digital infrastructure and protect the rest of the country's networked assets.
No wonder Sen. Joseph Lieberman (D-Conn.) was outraged by a report that DHS wireless networks are riddled with commonly exploited vulnerabilities.
"The report's findings reveal a troubling lack of diligence," says Lieberman, the ranking Democrat on the Senate Government Affairs Committee, in a statement. "The department that has responsibility for leading our national cybersecurity effort has failed to lead by example with respect to its own wireless systems. It's like the fire department forgetting to install smoke detectors in the station house."
That's not an uncommon assessment. Rep. Adam Putnam (R-Fla.) gave the government an overall "D" for cybersecurity last year, an improvement over the "F" rating of 2002.
"The threat is serious. The vulnerabilities are extensive. And the time for action is now," Putnam said during a recent congressional security hearing. Putnam is chairperson of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
A big driver of government security improvement is the Federal Information Security Management Act (FISMA), which requires regular reporting on agency security efforts. Over the next five years, the government will spend $1.8 billion hardening networks against external attacks and internal misuse. Under FISMA, the Office of Management and Budget has the authority to stop agencies from spending their IT dollars elsewhere until they improve security.
Yet, more than three-quarters of government security professionals surveyed by Information Security say that the government isn't prepared for a cyberattack.
"Is the government preparing for a cyberattack? Does it have the technical means and the mechanisms to react to and recover from a cyberattack? The answer is generally yes, but the caveat is these things can unfold in any number of complexities," says Amit Yoran, director of the National Cybersecurity Division (NCSD), the nucleus of the DHS cybersecurity effort.
The NCSD is disseminating critical security information and analysis to both federal agencies and the private sector. It's also leading mock terrorist response drills like last fall's Livewire, the first nationwide simulation of a cyberattack on both public and private organizations. The exercise's less-than-stellar results led to the creation of the Cyber Interagency Incident Management Group, which includes federal officials in law enforcement, defense and intelligence with responsibility for responding to intragovernmental cyberspace crises.
Livewire also exposed gaps in emergency communications systems. DHS will spend $350 million through 2005 to build the Homeland Secure Data Network (HSDN), which would be the equivalent of the Defense Department's Secret Internet Protocol Router Network (SIPRNET). HSDN will consolidate five legacy WANs into one network for classified and unclassified information. The first phase of the project is expected to be completed by the end of this year.
A second system, the Cyber Warning and Information Network (CWIN), links the DHS NOC to NOCs at other federal agencies and at telecommunications companies. But CWIN has limited functionality and only reaches a few NOCs. DHS hopes to increase the number of nodes to 100 by the end of the year.
"A tremendous amount of progress is being made and continues to be made on an aggressive timeline," Yoran says. "If you look just a few years ago at how ill-prepared government was to unsophisticated attacks, government systems were significantly and adversely affected. Now, against the more common threats, the government is as well protected as corporate America."
In his 2003 book Black Ice, Dan Verton paints a frightening scenario in which terrorists launch a broad, coordinated attack using truck bombs to take out key telecom hubs and strategic hacks to disrupt response units' command and control. Using common hacking tools, the terrorists create chaos and successfully leverage the Internet as a force amplifier.
How realistic is this scenario? It's a question of degrees.
"We're not so dependent on information systems that a cyberattack is going to cripple the nation," says James Lewis, a senior fellow at the Center for Strategic and International Studies. "Network failures are fairly routine, and people just adjust and work around them," thus undercutting the rationale for critical infrastructure protection.
Nevertheless, most responding to Information Security's critical infrastructure survey say that their industry/sector is better prepared for cyberattacks than they were prior to 9/11. The optimistic responses make sense, since protecting revenue-producing accesses through measured mechanisms and policies is good for business.
But, the application of "adequate" security across the critical infrastructure doesn't add up to good national security, since, as Gartner's Mogull says, a single breach to business "isn't the same as sinking the Titanic."
About the authors:
This report was written by Information Security contributing writers Stephen Barlas (government), Alan Earls (financial services), Michael Fitzgerald (energy), Jerri Ledford (telecommunications) and Dennis McCafferty (transportation).