Hacking power plants and chemical factories is easy. I learned just how easy during a 5-day workshop at Idaho National Labs last month. Every month the Department of Homeland Security is training the nation's asset owners -- the people who run so-called Industrial Control Systems at your local wastewater plant, at the electrical power station down the road, or at the refinery in the state next door -- to hack and attack their own systems. The systems, called ICS in the trade, control stuff that moves around, from sewage to trains to oil. They're also alarmingly simple to break into. Now the Department of Homeland Security reportedly wants to cut funding for ICS-CERT, the Cyber Emergency Response Team for the nation's most critical systems.
ICS-CERT's monthly training sessions in Idaho Falls put 42 operators at a time into an offensive mindset. For the first three days in last June's workshop, we learned basic hacking techniques, first in theory, then in practice: how to spot vulnerabilities, how to use exploits to breach a network, scan it, sniff traffic, analyse it, penetrate deeper into the bowels of the control network, and ultimately to bring down a mock chemical plant's operations. There was something ironic about Department of Homeland Security staff teaching us how to use Wireshark, an open-source packet analyzer; Metasploit, a tool for executing exploit code; man-in-the-middle attacks; buffer overflow; and SQL-injection -- all common hacking techniques -- and then adding, only half-jokingly: "Don't try this on your hotel's Wi-Fi!"
So it may come as a surprise to learn that attackers have never been able to engage in cyber-sabotage against America's critical infrastructure -- not once. ICS-CERT has never witnessed a successful sabotage attack in the United States, they told me. Sure, there have been network infiltrations. But those were instances of espionage, not destructive sabotage. Which raises two questions: one obvious, and one uncomfortable. If it's so easy, why has nobody crashed America's critical infrastructure yet? And why isn't the Defense Department doing more to protect the grid?
The questions only loomed large on the fourth day of the training -- a 10-hour exercise. We split into two groups, a large blue team and a small red team. The blue team's task was to defend a fake chemical company, with a life-sized control network complete with large tanks and pumps that would run production batches, a real human-machine interface, a so-called "demilitarized zone," even simulated paperwork and a mock management with executives that didn't understand what's really happening on the factory floor -- just like in real life. The red team's task was to breach the network and wreak havoc on the production process. By 5 pm they got us: toxic chemicals spilled on the floor, panic spread in the control room. Good thing for us this was only an exercise, and the gushing liquid was just water.
That exercise in Idaho was not unrealistic -- control system-related incidents can have serious consequences. In March 1997, a teenager in Worcester, Massachusetts, used a dial-up modem to disable control systems at the airport control tower. In June 1999, 237,000 gallons of gasoline spilled out of a 16-inch pipeline in Bellingham, Washington, killing three people when it ignited. An ICS performance failure limited the controller's ability to understand what was happening and react swiftly. In August 2006, two disgruntled transit engineers sabotaged the traffic light controls at four busy L.A. corners for four days, causing major traffic jams. One of the most serious accidents happened in 2009 at the Sayano-Shushenskaya hydroelectric dam and power station in Russia, when a remote load increase caused a 940-ton turbine to be ripped out of its seat. The accident killed 75 people, pushed up energy prices, and caused damage in excess of $1.3 billion. In Idaho I heard two more stories from participants: one maintenance issue paralysed 600 ATM machines for 6 hours, and one innocent network scan in a manufacturing plant caused a large and powerful robotic arm to swirl around as if in rage, potentially injuring anybody near it.