Black Ice

Corporate America is still in denial about the threat of cyber-terrorist attacks against critical facilities in the energy, telecommunications and financial industries.

Editor's Note: Dan Verton's book gets its title from an emergency planning exercise for the 2002 Winter Olympics in Utah, code-named Black Ice. In the simulation, a major ice storm combines with the disruption of utility computer systems to produce regional blackouts, Internet outages, cell phone overload and telephone failures. It demonstrated the devastating effect of physical and electronic attacks on the power grid and everything that depends on power, including computer systems. An earlier exercise, run by the National Security Agency (NSA) and code-named Eligible Receiver, was equally chilling:

Prior to launching their attacks on June 9, 1997, officials briefed the team of 35 NSA computer hackers on the ground rules. They were told in no uncertain terms that they were allowed to use only software tools and other hacking utilities that could be downloaded freely from the Internet through any one of the hundreds and possibly thousands of hacker Web sites. In other words, the Pentagon's own arsenal of secret offensive information warfare tools, which the NSA certainly had, could not be used. And while they were allowed to penetrate various Pentagon networks, the Red Team was prohibited from breaking any U.S. laws. The primary target was the U.S. Pacific Command in Hawaii, which is responsible for all military contingencies and operations conducted in the Pacific theater, including the tension-wracked Korean peninsula.

Black Ice: The Invisible Threat of Cyber-Terrorism
Posing as hackers hired by the North Korean intelligence service, the NSA Red Team dispersed around the country and began digging their way into military networks. They floated through cyberspace with ease, mapping networks and logging passwords gained through brute-force cracking and the more subtle tactic of social engineering - sometimes it was just easier to call somebody on the telephone, pretend to be a technician or high-ranking official, and ask for his password. The team gained unfettered access to dozens of critical Pentagon computer systems. With that level of access, they were free to create legitimate user accounts for other hackers, delete accounts belonging to authorized officials, reformat the server hard drives and scramble the data, or simply shut the systems down. They were able to break through the paltry network defenses with ease, after which they could conduct denial-of-service attacks, read or make minor changes to sensitive e-mail messages, and disrupt telephone services. And they did so without being traced or identified.

The results of the exercise stunned all who were involved. The NSA Red Team, using hacking tools that were available to anybody on the Internet, could have crippled the U.S. military's command and control system for the entire Pacific theater of operations. From a military perspective, that alone was a nightmare. But it soon became clear that the exercise had revealed much broader vulnerabilities.

During the course of analyzing what the Red Team had accomplished, NSA officials discovered that much of the private-sector infrastructure in the U.S., such as the telecommunications and electric power grids, could easily be sent into a tailspin using the same tools and techniques. More importantly, one former high-ranking NSA official indicated that the exercise revealed it would be possible to cause "strategic damage to the U.S. money supply."

Utilities

During any given year, the average large utility company experiences about 1 million cyber-intrusions that require investigation to ensure that critical system components have not been compromised. In addition, data collected by Alexandria, Va.-based Riptech Inc. on cyber-attacks during the six months following the Sept. 11 terrorist attacks showed that companies in the energy industry suffer intrusions at twice the rate of other industries. And many of those attacks appear to be sponsored by governments or organizations in the Middle East. Power and energy companies averaged 12.5 severe or critical attacks requiring immediate intervention per company. That rate was more than twice the average rate of attacks for all 300 companies surveyed.

The energy industry and many other industrial sectors of the economy have opened their enterprises to a vast array of cyber-disruptions by creating inadvertent Internet links (both physical and wireless) between their corporate networks and the digital crown jewels of most industrial processes -- Supervisory Control and Data Acquisition (SCADA) systems. These are the systems, including real-time programmable logic controllers, that manage the actual flow of electricity and natural gas and perform other critical functions in various industrial control settings, such as chemical processing plants, water purification and delivery systems, wastewater management facilities and a host of manufacturing firms. Control, disruption or alteration of critical commands, instructions and monitoring functions performed by these systems can be an issue of regional and possibly national security.

Deregulation and the increased focus on the bottom line have forced utilities and other companies to move more and more operations to the Internet as a means of improving efficiency and reducing costs. In addition, there has been a simultaneous increase in the number of remote dial-in connections established between mobile and home systems belonging to technicians and the actual SCADA systems.
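The two paragraphs above describe the same exposure from two angles: an "inadvertent" path from the corporate network (or the Internet) into the SCADA zone, whether through a dual-homed host or a technician's dial-in modem. The following is an added example, not code from the book or from Computerworld, of how a defender can audit for such paths: the network is modeled as zones joined by explicit links, each labelled with how the link exists, and a path search reports every route by which an untrusted zone reaches the control-system zone. The topology, zone names and link kinds are constructed for illustration; the `remediate` function simply drops the link kinds the text singles out so the audit can be re-run on the hardened topology.

```python
"""Zone reachability audit for an industrial network (added example).

Models a network as zones connected by explicit links and searches for
any path from an untrusted zone (Internet, corporate) into the control
system zone.  All zone names, link kinds and the topology below are
constructed sample data, not a real site.
"""

# Constructed sample topology: each link is (src_zone, dst_zone, kind).
# "kind" records how the link exists, so a finding can say which
# inadvertent connection lets traffic reach the control network.
SAMPLE_LINKS = [
    ("internet", "dmz", "firewall-rule"),
    ("dmz", "corporate", "firewall-rule"),
    ("corporate", "historian", "firewall-rule"),   # historian sits between IT and OT
    ("historian", "scada", "dual-homed-host"),     # inadvertent bridge into SCADA
    ("internet", "scada", "dial-in-modem"),        # technician's remote dial-in
    ("corporate", "hr", "firewall-rule"),
]


def build_graph(links):
    """Adjacency list: zone -> [(neighbour_zone, link_kind), ...]."""
    graph = {}
    for src, dst, kind in links:
        graph.setdefault(src, []).append((dst, kind))
        graph.setdefault(dst, [])
    return graph


def find_paths(links, source, target):
    """Return every simple path from source to target.

    Each path is a list of (zone, kind) hops; the first hop carries
    kind=None because no link was crossed to reach the source itself.
    """
    graph = build_graph(links)
    paths = []

    def walk(zone, path, visited):
        if zone == target:
            paths.append(path)
            return
        for nxt, kind in graph.get(zone, []):
            if nxt not in visited:               # simple paths only, no cycles
                walk(nxt, path + [(nxt, kind)], visited | {nxt})

    walk(source, [(source, None)], {source})
    return paths


def audit(links, untrusted=("internet", "corporate"), protected="scada"):
    """Map each untrusted zone to the paths by which it reaches the protected zone.

    An empty dict means no untrusted zone can reach the control network.
    """
    findings = {}
    for zone in untrusted:
        paths = find_paths(links, zone, protected)
        if paths:
            findings[zone] = paths
    return findings


def format_path(path):
    """Render a path as 'a -[kind]-> b -[kind]-> c' for a report."""
    out = path[0][0]
    for zone, kind in path[1:]:
        out += f" -[{kind}]-> {zone}"
    return out


def remediate(links, forbidden_kinds=("dual-homed-host", "dial-in-modem")):
    """Return the topology with the inadvertent link kinds removed."""
    return [link for link in links if link[2] not in forbidden_kinds]


if __name__ == "__main__":
    for zone, paths in audit(SAMPLE_LINKS).items():
        print(f"{zone} reaches scada via:")
        for p in paths:
            print("  " + format_path(p))
    print("after remediation:", audit(remediate(SAMPLE_LINKS)))
```

On the constructed topology the audit reports two routes from the Internet (one through the DMZ, corporate network and dual-homed historian, one straight over the dial-in modem) and one from the corporate network; once the two inadvertent link kinds are removed, no untrusted zone reaches the SCADA zone. In practice the link list would be generated from firewall rule exports and an inventory of hosts with more than one interface or a modem, which is the part of the audit this toy model leaves out.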

Telecommunications

Prolonged power failures have many casualties, the first of which is often the telecommunications infrastructure, including the Internet. But the telecommunications industry faces its own security challenges that, like those of the energy industry, are the product of market forces.

The industry has assisted adversaries by making it easier for the infrastructure to be targeted and disrupted. "The vulnerability of the [Internet and communications] infrastructure to physical attack has increased as service providers have concentrated their operations in fewer facilities," stated the report of the President's Commission on Critical Infrastructure Protection in 1997.

This remains a serious problem today, as many large data centers have been erected throughout the country that provide single points of failure, particularly from a physical attack perspective. Should those facilities be destroyed or severely damaged, hundreds and potentially thousands of companies that chose to outsource IT infrastructure or business processes could be left without mission-critical data and connectivity.

At the same time, there's been an enormous upswing in consolidation throughout the telecommunications industry, the result of deregulation and the unbundling of local networks. This has spawned millions of new connection points into the infrastructure that adversaries, malicious hackers and terrorists can use to exploit well-known vulnerabilities.

The susceptibility of telecommunications switching equipment to software-based disruption became clear during the 1990 collapse of AT&T's long-distance service. A few lines of incorrect code caused a cascading failure of 114 electronic switching systems. And while that failure was the result of an internal system glitch, the Commission on Critical Infrastructure Protection concluded that the same type of failure "could alternatively have been triggered maliciously by relatively small individual actions." It went on to state that newer generations of switching equipment are likewise "potentially vulnerable to remote access, alteration, or control by skilled attackers."

Financial Services

Trillions of dollars change hands every day in the U.S., thanks to electronic transaction and payment systems running on computer networks that rely on uninterrupted sources of electric power. But deregulation in both the energy and telecommunications industries has helped create multiple points of potential failure in the support networks that serve the financial community -- support networks that were once operated end-to-end by single providers. Therefore, regional failures or disruptions of the energy and telecommunications systems that power the cyber-infrastructure of the financial community would have an immediate impact on banks, financial services companies, payment systems, investment companies, and securities and commodities exchanges.

Unfortunately, conducting strategic attacks has been made easier by the increase in mergers and acquisitions in the financial sector, which often result in centralization of operations centers. And while key organizations, such as the New York Stock Exchange, have undertaken efforts to increase diversity in support infrastructure, the attacks of Sept. 11, 2001, proved that massive physical attacks that disable critical power and telecommunications infrastructure can stop the nation's financial dealings dead in their tracks.

Drunk With Denial

Despite these lessons, many in corporate America remain unconvinced. Two months after the attacks, the wounds still wet and raw, a survey of 459 CIOs at major companies found that just 53% of firms had business-continuity plans, and less than half had IT security awareness and training for employees. The private sector remains drunk with denial.

But if the private sector has been operating under the influence, its bartender has been the federal government and its policy of allowing market forces to determine the level of investment in security. Former Virginia Gov. James S. Gilmore III (R) says the Bush administration's policy of relying "on private-sector willingness to take certain security measures and bear the costs" has had little impact to date on the state of security readiness in the private sector.

Reprinted with permission from Black Ice: The Invisible Threat of Cyber-Terrorism, by Dan Verton (McGraw-Hill, 2003). Verton is a Computerworld reporter.

Copyright © 2003 IDG Communications, Inc.
