California hack points to possible IT surveillance threat

The revelation that hackers broke into computer systems owned by California's primary electric power grid operator and remained undetected for 17 days this spring highlights a growing concern of federal officials that such intrusions could be part of long-term intelligence-gathering activities.

The intent of the network break-in at the Folsom, Calif.-based California Independent System Operator (Cal-ISO) isn't clear. But security analysts said the lack of apparent damage indicates that it was conducted either by an unsophisticated group of hackers or by attackers whose intent was merely to collect information about how the systems work and to document their vulnerabilities.

The incident, which took place between April 25 and May 11, is being investigated by the FBI. While Cal-ISO officials said they managed to trace the attack to a system in China, experts said current security technology can't help users differentiate the noise of so-called script kiddies from the more nefarious hacking sponsored by governments or terrorists.

"You still don't know if you're dealing with a kid, organized crime, an intelligence service or an economic competitor," said Frank Cilluffo, a senior policy analyst at the Center for Strategic & International Studies and co-chairman of a task force that the Washington-based think tank has set up to study future cyberthreats.

However, government officials and security researchers have documented a significant increase in Internet probes and server scans this year. A large percentage of the probes, they said, could be part of an organized effort by foreign intelligence services and other groups to map potential security holes in critical systems.

A report released last month by the Defense Science Board, an industry and academic group convened by the U.S. Department of Defense, confirmed that the current state of the art in cyberattacks launched by governments or terrorists includes preliminary intrusions into various critical infrastructure networks. "Defenses must be probed, vulnerable systems reconnoitered, logic bombs planted," the report stated. "We should be watching intently for just such activities."

The primary threat to the most critical networks in the U.S. currently comes from countries that are actively mapping the Internet for vulnerabilities, said Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism at the National Security Council. "And they know more about our national architecture than many of us do," Clarke said while speaking last month at an Internet security conference in Washington.

Cal-ISO is a nonprofit company that was created by the government of the state of California to run the bulk of the state's electricity grid, and its systems are tightly integrated with the major power distribution network serving the entire western U.S. Grids such as Cal-ISO's are managed using highly proprietary technology known as Supervisory Control and Data Acquisition (SCADA) systems.

Potential vulnerabilities associated with SCADA systems, particularly those used to manage the flow of electricity, have been widely known for years and were documented in a 1996 report by a presidential commission. But the available information about the vulnerabilities isn't detailed enough for hackers to easily take advantage of, analysts said.

"There's a tremendous learning curve for [infiltrating] SCADA systems," said Tim Belcher, chief technology officer at Riptech Inc., a security consulting firm in Alexandria, Va. "This leads me to believe that [the Cal-ISO break-in] wasn't an extremely sophisticated attack because with 17 days' worth of access [to the systems there], I know what we could have done."

Cal-ISO spokesman Greg Fishman also downplayed the incident. The intruders "never really got close at all to our operational systems that run the grid," Fishman said. But the incident "was an attempt to breach our security, and we take that very seriously," he added. "We are in the midst of an investigation with the FBI."

Chris Rouland, director of the X-Force vulnerability research unit at Internet Security Systems Inc. in Atlanta, said his company has documented "a consistent widescale probing of the Internet taking place." But technology can't tell "a hacker sitting in a Chattahoochee, Fla., high school from a crime syndicate in Beijing or [alleged terrorist] Osama Bin Laden," said Rouland.

That's something the Defense Department and U.S. intelligence agencies would like to be able to do. But critics charge that bureaucratic roadblocks to information sharing among those groups and law enforcement agencies, such as the FBI's National Infrastructure Protection Center, are clouding the government's picture of what's happening on the Internet.

"Gathering information about the kinds of attacks now being launched is the crucial first step of any defensive effort," the Defense Science Board's report concluded. "But the effort to begin this task has become the subject not of effective initiative, but of continuing political and bureaucratic conflict."

Copyright © 2001 IDG Communications, Inc.