National Security

Cyber-Sabotage Is Easy

So why aren't hackers crashing the grid?

Hacking power plants and chemical factories is easy. I learned just how easy during a 5-day workshop at Idaho National Labs last month. Every month the Department of Homeland Security is training the nation's asset owners -- the people who run so-called Industrial Control Systems at your local wastewater plant, at the electrical power station down the road, or at the refinery in the state next door -- to hack and attack their own systems. The systems, called ICS in the trade, control stuff that moves around, from sewage to trains to oil. They're also alarmingly simply to break into. Now the Department of Homeland Security reportedly wants to cut funding for ICS-CERT, the Cyber Emergency Response Team for the nation's most critical systems.

ICS-CERT's monthly training sessions in Idaho Falls put 42 operators at a time into an offensive mindset. For the first three days in last June's workshop, we learned basic hacking techniques, first in theory, then in practice: how to spot vulnerabilities, how to use exploits to breach a network, scan it, sniff traffic, analyse it, penetrate deeper into the bowels of the control network, and ultimately to bring down a mock chemical plant's operations. There was something ironic about Department of Homeland Security staff teaching us how to use Wireshark, an open-source packet analyzer; Metasploit, a tool for executing exploit code; man-in-the-middle attacks; buffer overflow; and SQL-injection -- all common hacking techniques -- and then adding, only half-jokingly: "Don't try this on your hotel's Wi-Fi!"

So it may come as a surprise to learn that attackers have never been able to engage in cyber-sabotage against America's critical infrastructure -- not once. ICS-CERT has never witnessed a successful sabotage attack in the United States, they told me. Sure, there have been network infiltrations. But those were instances of espionage, not destructive sabotage. Which raises two questions: one obvious, and one uncomfortable. If it's so easy, why has nobody crashed America's critical infrastructure yet? And why isn't the Defense Department doing more to protect the grid?

The questions only loomed large on the fourth day of the training -- a 10-hour exercise. We split into two groups, a large blue team and a small red team. The blue team's task was to defend a fake chemical company, with a life-sized control network complete with large tanks and pumps that would run production batches, a real human-machine interface, a so-called "demilitarized zone," even simulated paperwork and a mock management with executives that didn't understand what's really happening on the factory floor -- just like in real life. The red team's task was to breach the network and wreak havoc on the production process. By 5 pm they got us: toxic chemicals spilled on the floor, panic spread in the control room. Good thing for us this was only an exercise, and the gushing liquid was just water.

That exercise in Idaho was not unrealistic -- control system-related incidents can have serious consequences. In March 1997, a teenager in Worcester, Massachusetts, used a dial-up modem to disable controls systems at the airport control tower. In June 1999, 237,000 gallons of gasoline spilled out of a 16-inch pipeline in Bellingham, Washington, killing three people when it ignited. An ICS performance failure limited the controller's ability to understand what was happening and react swiftly. In August 2006, two disgruntled transit engineers sabotaged the traffic light controls at four busy L.A. corners for four days, causing major traffic jams. One of the most serious accidents happened in 2009 at the Sayano-Shushenskaya hydroelectric dam and power station in Russia, when a remote load increase caused a 940-ton turbine to be ripped out of its seat. The accident killed 75 people, pushed up energy prices, and caused damage in excess of $1.3 billion. In Idaho I heard two more stories from participants: one maintenance issue paralysed 600 ATM machines for 6 hours, and one innocent network scan in a manufacturing plant caused a large and powerful robotic arm to swirl around as if in rage, potentially injuring anybody near it.

Attacking such systems just got easier, for a number of reasons. One is that vulnerabilities are easier to spot. The search engine Shodan, dubbed the "Google for hackers," has made it easy to find turbines and breweries and large AC-systems that shouldn't be connected to the Internet but actually are. One project at the Freie Universität Berlin has enriched the Shodan data and put them on a map. The rationale of this "war map," as project leader Volker Roth called it tongue-in-cheek, is visualizing the threat landscape with colored dots, yellow for building management systems, orange for monitoring systems, and so on. The U.S. eastern sea board looks like a butt on a paintball range after a busy shooting session.

But so far, attackers have lacked either the necessary skill, intelligence, or malicious intention to use that map as a shooting range. That may be changing. While the more sophisticated ICS attacks are actually harder than meets the eye, many nation states as well as hackers are honing their skills. Some are also busy gathering intelligence; earlier this year, for example, the U.S. Army Corps of Engineers' National Inventory of Dams was breached, possibly from China. And any political crisis may change an attacker's intention and rationale to strike by cyber attack.

All of which keeps the federal government's main organization in charge of critical infrastructure protection busy. ICS-CERT employs between 80 and 100 staff, depending on contractors. Three of its activities stand out.

The first is incident response. At the request of asset owners, ICS-CERT can deploy so-called fly-away teams to meet with the affected organization. They'll review network topology, identify infected systems, image drives for analysis, and collect other forensic data. Last year, the government's control system experts responded to 177 incidents. That included 89 site visits and, in the most extreme cases, 15 deployments of on-site teams to respond to advanced persistent threat incidents in the private sector, the DHS told me. The fly-aways are controversial, with some critics pointing to a lack of focus and a waste of scarce government resources. One prominent critic is Dale Peterson of Digital Bond, a leading consultancy on critical infrastructure protection. "It doesn't scale," he says about the fly-away teams, "It's a band-aid." Still, a band-aid is better than no treatment at all.

The second main activity is keeping the operators vigilant and informed. ICS-CERT is doing this through vulnerability alerts and advisories: one recent alert, for instance, warned about a range of 300 medical devices that had hard-coded passwords, which could enable an attacker to gain remote access to surgical and anaesthesia devices or drug infusion pumps.

But for some, the warnings don't come fast enough, or don't produce a strong enough response. So more and more independent security researchers publish information on faulty design without notifying vendors and their clients first. Many at the Department of Homeland Security think some of these revelations are irresponsible or premature -- Digital Bond disagrees. The consultancy organizes a leading industry event, the S4 conference, where devices get hacked for good effect. A lot of people in the ICS community, Peterson tells me, "are getting gradually more aggressive because there has been so little progress."

Then there are those five-day-training sessions for those who are really at the front line of potential cyber attacks: the plant and factory owners and operators. That program is the least controversial. After three days of lectures and hands-on practice, and after one day of spilling chemicals by cyber attack, the participants in my class had a chance to discuss lessons learned on the fifth day. One or two may have expected a slightly different technical focus, yes, but the rest loved it. The Department of Homeland Security understood a crucial thing: if the asset owners understand the offense, they are able to improve -- and better invest in -- their network defense.

The reverse does not apply. The National Security Agency and its military twin, U.S. Cyber Command, are investing in all kinds of offensive measures that do nothing to make the nation's critical infrastructure more secure: They're discovering and buying previously unknown zero-day vulnerabilities -- holes in software that hackers can use to wiggle their way into a system. They're gathering target intelligence on foreign infrastructure, and clandestinely developing bespoke cyber weapons for high-profile attacks from Fort Meade. All of this may have theoretical benefits at some point. But such offensive investments do not translate into more efficient information-sharing at home, into safer logic controllers, or into better-trained asset owners. To the contrary: the offense can suck up skills needed on the defense. And while it would make all of us more secure to close up those software holes, the NSA and CYBERCOM would rather they stay open as avenues of espionage and attack.

One reason why, perhaps, is that, so far, there's only been one publicly-acknowledged destructive ICS attack anywhere, ever. The only successful cyber-sabotage strike that targeted control systems (and that was not an insider attack) was an American intelligence operation: the famous Stuxnet worm that targeted Iran's nuclear enrichment program in Natanz -- without achieving its goal. The White House, it seems, has learned some lessons from this episode. In a recently leaked secret document, the administration highlighted the "unintended or collateral consequences" of offensive cyber operations that may affect U.S. national interests. Apparently the White House sensed that Stuxnet had a counterproductive effect on "values, principles, and norms for state behavior." Cyber sabotage, they fear, could come back to haunt them.

In cyber security, it seems, a good offense is bad defense -- certainly made worse by sequestering the critical training of those who really keep the nation's infrastructure safe: the asset owners, engineers, and operators who make the monthly trek to Idaho Falls from all fifty states. Idaho National Labs has its own "war map" with red and blue and green and white pins: it's a large chart of the entire United States (and a smaller with allied nations), up in the first floor lunch area of the training facility. Every participant of the ICS training places a pin into their home town by sector: white if they come from the government, red for energy, blue for water, and so on. This is the map that really counts. The more dots and the more color, the better. But unless there's a radical change in how the U.S. secures its power plants and factories, there's never going to be enough push pins to stave off calamity.



Go Big or Go Home

If the United States wants its Middle East mojo back, it's going to have to pay to play.

The United States is facing the worst of all worlds in the Middle East: interventions that erode Washington's prestige and popularity but fail to exert enough influence to secure U.S. interests. If Secretary of State John Kerry's effort to restart Israeli-Palestinian talks is to succeed -- and if the United States is to secure its interests, ranging from oil security to nuclear nonproliferation -- America must once again play a leading role in the region.

In theory, the Obama administration's strategic objective is to "pivot" to Asia, focusing on rising powers across the Pacific (with the ancillary benefit of pleasing an electorate back home that is weary of the Middle East's seemingly endless troubles). With the exception of the Arab-Israeli peace process -- where Secretary Kerry is putting his personal prestige at stake -- the administration hopes to achieve this objective by more aggressively supporting Arab or European diplomacy in the Middle East, quietly securing U.S. interests by pushing its allies to do more and coordinating their actions. U.S. officials hoped this approach would cost little, minimize domestic political risk, and score points with the so-called Arab street by keeping the American presence limited.

In practice, however, the Middle East still consumes an enormous amount of U.S. government bandwidth and remains impervious to influence. The latest crisis, a coup in Egypt, has left Washington reeling over the question of whether or not to cut the $1.3 billion in military aid the United States sends Egypt annually. Missing from the debate, however, is how marginal the U.S. role has become. Before the coup, the United States tried to push the Muslim Brotherhood-led government to compromise with the opposition. But backed by $8 billion in support from tiny Qatar since President Mohamed Morsy's election, the Brotherhood regime was free to flout U.S. entreaties.

Even after the coup, the threat of a U.S. aid cutoff remains equally underwhelming. Kuwait, Saudi Arabia, and the United Arab Emirates have pledged a total of $12 billion to support the new regime. And while Washington has failed to exert influence over events in Egypt, it has somehow succeeded in making itself even more loathed. Perhaps the only thing Brotherhood supporters and their opponents can agree on is that the United States is conspiring against them.

U.S. policy hasn't gained much traction elsewhere in the region, either. In Tunisia, attention to promoting democracy has faltered as other regional crises consume Washington's attention. Tunis needs help developing its private sector and building its economy, but development aid remains low. Even a possible free trade agreement, which would complement and accelerate economic restructuring, has not made much progress despite the fact that it would benefit U.S. commerce as well.  

Next door in Libya, U.S. efforts to help the government restore order remain small scale, with the Benghazi debacle making the United States even more reluctant to engage. Since officially ending the war in Iraq in 2011, the United States has limited its engagement to arms sales, even as the country has suffered close to 3,000 dead since April -- the worst violence since 2007 -- and risks spiraling into all-out civil war. As U.S. influence fades, Iran's relative clout in Iraq grows.

The limits of U.S. influence are most painfully apparent in Syria. Even if one takes the cold-blooded approach that says 100,000 dead is not Washington's problem, it's long been clear that the conflict is spilling over into neighboring countries and threatening to destabilize the region. Iraq and Lebanon are already suffering greater violence, Iran and Hezbollah are deeply enmeshed in the conflict, and U.S. allies like Israel have quietly ramped up their operations in Syria.

In response to confirmed chemical weapons use by Bashar al-Assad's regime and Hezbollah's intervention in force, the United States announced in June that it would enter the fray with arms and training for the Syrian opposition. In so doing, Washington raised the hopes of the Syrian people, as well as expectations that it would tip the balance in favor of the rebels. But the United States has so far refused to devote the resources to back up its own policies and has failed to articulate an overall strategy. U.S. military supplies are limited to small arms; training programs have barely begun. And earlier shipments of non-lethal aid like body armor and night-vision goggles were slow to come or never arrived.

Qatar, in contrast, provided $3 billion to the rebels -- including to radical Islamist forces -- and is also giving them heat-seeking shoulder-fired missiles and other more advanced systems. As a result, the cautious U.S. approach achieves few of its objectives: The rebels still get the systems that make the United States queasy, jihadists grow in influence, and the opposition remains divided -- in part because its friends are not working together.    

Congress, unfortunately, has made this problem worse. Lawmakers are skeptical of any increase in aid to Syrian rebels despite the fact that it could increase Washington's leverage if used properly. Congressional objections are further delaying the already late U.S. arms promised to the Syrian opposition. Congress's reaction to the Benghazi killings, moreover, suggests that it will crucify the administration for any and all missteps. As a result, the administration has doubled down on its cautious approach, even though mistakes or tradeoffs are inevitable when dealing with chaotic and fast-changing situations like the Middle East. Zero mistakes means paralysis, not perfection. 

The end result is not a Goldilocks solution but rather the worst of all worlds. America's allies work at cross-purposes with one another -- and even with the United States. In Egypt, Qatar backed the Brotherhood while other Gulf states backed the military coup; in Syria, the Gulf states are backing different factions of the anti-Assad forces, fragmenting rather than uniting the opposition. As the violence spreads, the jihadist presence has gone from negligible to vast. Syria has attracted large numbers of hardline Islamists from around the Muslim world, and strife there is strengthening jihadist groups in Iraq and Lebanon.

All of this underlines the extent to which the United States is now seen as a marginal player in the Middle East, a grim fact that will inevitably make it harder to bring the Israelis and Palestinians together at the negotiating table. If the United States wants to protect its interests in the Middle East, it cannot rely on allies to do its bidding -- or otherwise do so on the cheap. The United States must pay to play. Some battles may not be worth fighting, but those that matter most will require high-level attention and resources. The problems of the region are getting worse, and if the United States doesn't shore up its influence now, it will be even less relevant when it most needs to act.