Back Doors Beckon Openly

A classroom laboratory at the National Defense University (NDU) Information Resources Management (IRM) College features a tabletop model of a typical military base complete with functioning vital infrastructure elements, including electric lights and a powered main gate. Students learn how easy it is to take control of those elements as part of their infrastructure protection training.

The way into the vital infrastructure may be through secondary information networks.

While information technology experts have been hard at work securing the national infostructure, other key sectors in the United States’ vital infrastructure may be vulnerable to attack through their own information systems. Critical elements such as ports, railroads, the electrical grid, fuel pipelines and hazardous materials facilities may be equipped with information systems that are virtual open doors to malicious marauders ranging from rookie hackers to al-Qaida terrorists.

The focal point of these vulnerabilities is an organization’s supervisory control and data acquisition, or SCADA. A SCADA system controls physically dispersed assets by using centralized data acquisition and control. Many infrastructure elements have SCADA systems that were installed years or even decades ago when information security threats were not nearly as sophisticated as they are now. However, cyberspace interlopers have not lagged in their pursuit of technological sophistication, and many of these older systems are easy targets for every type of networked malicious operator.

The result is that cyberthreats abound for drawbridges, gas pipelines, chemical factories and nuclear power plants, to name a few diverse examples. Terrorists easily could launch coordinated attacks on these and other vital infrastructure elements through information system back doors. And, system operators might not see any evidence of an attack on their display consoles.

The National Defense University (NDU) in Washington, D.C., is training government and military information technology experts at its Information Resources Management (IRM) College. Dr. John Saunders, a professor at the IRM College and director of its Center for Information Assurance, teaches a course on managing security and control systems. He explains that the college’s task is to help the military protect its large infrastructure, but the course also educates people from the U.S. Department of Homeland Security (DHS). Many of the infrastructure protection lessons imparted in the course apply to the civilian side as well.

While the IRM College is a U.S. Defense Department organization, half of its funding comes from other sources, relates IRM College Director Robert D. Childs. In addition to interagency and even international activities, the college is reaching out to state and local governments. The bulk of the nation’s critical infrastructure is local in nature, but the states often lack the funds for education, he adds.

Large U.S. Army, Navy, Air Force and Marine Corps bases all have their own infrastructures that reflect those of the civilian world. These bases take the form of communities with electrical systems, water works, fuel delivery systems and other key elements of everyday life. In some cases, the bases have minimal connectivity with the outside world and effectively control what takes place within their own infrastructures.

The IRM College has constructed a small physical model of an independent community similar to that of a typical military base. This model features functioning elements such as security gates and electric power. The classroom network that makes up this community’s information infrastructure is sealed off from the outside world. This is to ensure that all of the class’s red team activities—hacking and other information attacks—do not intrude on public cyberspace. Everything is contained within the classroom infosphere, which serves as a surrogate for cyberspace and its many vulnerabilities.

Saunders describes it as a microcosm of the typical control centers that monitor elements of the national infrastructure. A user interface mimics SCADA systems found in large facilities. Within this laboratory environment, students and teachers are able to explore means of protecting the infrastructure as well as of bringing down an infrastructure element. Knowing how to cripple a part of the vital infrastructure is key to understanding how to protect it, and the classroom training explores both activities in depth.

These lessons translate to the private sector as well. Every public building and commercial facility equipped with SCADA systems faces the same challenges and threats. In many cases, servicing is outsourced, so a company or municipality may not realize immediately that a power outage or equipment failure is the work of a hacker or terrorist until the service representative can be called to the scene.

The Government Accountability Office (GAO) warned of the SCADA threat nearly three years ago. In a critical infrastructure protection report on challenges in security control systems, the GAO stated, “It is clear that the systems that monitor and control the sensitive processes and physical functions of the nation’s infrastructures are at increasing risk to threats of cyber attacks,” adding that these attacks “could have devastating consequences.” The report went on to say that securing these systems posed significant challenges requiring action by government and industry.

The National Institute of Standards and Technology (NIST) is drafting a guide to SCADA and industrial control system security. This document would provide initial guidance on addressing industrial control systems within the Federal Information Security Management Act (FISMA). A specific guidance document on applying the FISMA framework is slated for release late this year.

But overall, attention is lagging. “Nobody’s really paying a lot of attention to this,” Saunders asserts. “You have your base physical plant people maintaining the systems, but [information] security is not part of their vernacular—as opposed to the computer where security is a normal part of their everyday duties.

“What we are hoping to do is get the chief information officers more involved with the physical plant people—create this partnership so that they are both paying attention to this basic infrastructure issue,” he emphasizes.

The IRM College SCADA facility features hardware and software common to control systems and hackers. The panels shown in the back feature commercial routers and switches along with typical remote terminal units and programmable logic controllers. The laptop at left shows the display that a system control operator might see. The laptop at right can be used by a student role-playing as a hacker to take control of the operator’s station.

The IRM College’s SCADA classroom includes key hardware items that serve as gateways and relays for information activities. Among these pieces of key hardware are a remote terminal unit (RTU) and a programmable logic controller. Saunders points out that these devices can be found in many infrastructure systems. The classroom RTU is identical to those used in electrical substations, and the logic controller can be found on factory floors and in other production facilities. A typical programmable logic controller takes information fed into its inputs—such as from sensors—then activates other systems and devices such as valves or switches. In a waterworks, a sensor might input information that the water level in a reservoir or tank has reached a certain height, and the controller then would open a floodgate to lower the water level. The classroom devices are equipped with   Ethernet cards and installed on a local area network.

Many of these information system devices in the national infrastructure are quite old, Saunders points out. The relatively simple design of RTUs gives them a mean time between failures of up to 1,000 years. Their simple function does not require repeated upgrades common to advanced computing hardware. So, many key infrastructure elements may have the same RTU for decades. And, when these devices were installed 20 or 30 years ago, information security was not a prime concern. Dial-in access is common, he adds.

Because many of these devices are installed on local area networks, students are shown how easy it is to read data packets flowing on the network and to launch an injection attack that mimics those packets and orders the device to activate—or deactivate—key systems. This can be accomplished with a mere dial-in attack.

“A child in a basement can war-dial and find out if one of these units is available,” notes Dr. Robert Young, professor and director of NDU information assurance. War-dialing is a common mass-calling approach that allows even beginning hackers to discover telephone numbers that feature modems providing access to systems or networks. For example, a hacker can locate a major power grid intersection by driving around in a populated area and then can determine the telephone number exchanges common to that region. That will allow the hacker to narrow the war-dialing search.

Many electric utilities employ the same single protocol. A hacker aware of that fact can send commands in that protocol through the telephone to take over the system. If the utility has a different protocol, the hacker can take over the system once he or she identifies that protocol. All it takes is a low-level command. Even a cyberspace neophyte can perform these tasks.

“It wouldn’t require an experienced hacker,” observes Research Assistant Aaron Schulman. “It can be anyone with enough knowledge of computers to read through a Web site and get an introduction on how to do it.”

NDU students are taught these and other tactics to familiarize them with the intrusion methods against which they must defend. The college impresses on them that they are not to use these hacking tools on any system or network outside the classroom, nor are they allowed to take resource materials home. “Why do we teach managers to hack?” Young asks. “Because you have to know your enemy in order to defeat it.”

Once inside a system, a hacker can generate a switch display on his or her computer that is virtually identical to the display viewed by a system operator. So, the hacker literally can turn parts and systems on or off. Students in the class learn just how easily they can turn off an electrical grid.

“If you don’t have power, you don’t have to worry about whether the computers are running—so much for security.” Saunders points out.

Similarly, the hacker can disguise SCADA system status for the operator. In a nuclear plant, which is a more complex target, this might take the form of showing green status boards for displays that instead should be showing red alarm lights for an overheated reactor on the brink of a meltdown. System operators would learn of the crisis only when presented with firsthand physical evidence—a catastrophic explosion.

Or the hacker could introduce into a system a virus that causes any of a number of potential problems. That virus might cause the system to order a series of actions at a time chosen by terrorists for a coordinated attack. Or, a virus simply could keep ordering the system to reboot repeatedly, which would cripple the system and prevent experts from easily isolating the virus.

But in addition to the hacker or cyberspace terrorist, organizations must be wary of the inside threat to the vital infrastructure. Many foreign students learn on Windows-based systems in the United States, and then they take their skills back to their native countries. Such students could become ripe recruitment targets for al-Qaida, which is actively seeking their expertise.

Today’s information technology vendors are international, and a customer may not be completely aware of what hardware and software elements make up a new system. An al-Qaida sympathizer—or even just an ambitious hacker—employed as a code writer could embed a back door or a Trojan horse in software code that controls a new SCADA system. This renegade code probably would go undetected until it activated to the user’s detriment.

The DHS has a major initiative on software assurance, notes Mary Polydys, NDU Information Operations and Assurance Department chair. This national initiative addresses the software that is embedded in new systems, and many vendors are working with the department on securing this software.

Even simple actions can lead to increased vulnerabilities. An insider could place a sniffer on a network that would read and record network activity. That information would help interlopers analyze packets so that they could craft their own packets that mimic the legitimate activity. For example, if an adversary were watching the main gate at a compound, that person would know the exact time the gate opened and closed. This in turn would allow the hacking sniffer to identify the appropriate packet for opening and closing the gate, which effectively cedes control of the gate to the hacker.

These gate concerns apply to another key infrastructure element: drawbridges. Many drawbridges no longer have human operators in their control towers. That is because they are controlled from central control centers, and in many cases their control signals are sent via wireless links. This presents two serious vulnerabilities that security experts must address.

Saunders emphasizes that many infrastructure companies are working to close these back doors, but too many vulnerabilities remain. Every system is custom-designed. Even neighboring power companies often have different systems, and a variety of vendors and designs can be found within single power suppliers.

Many power grid companies are retrofitting their older RTUs. However, because these devices lack built-in security, companies must resort to add-ons. And, these add-ons often cause problems in areas such as timing and protocols. The DHS and businesses are researching fixes, Saunders notes.

In response to the growing threat, the IRM College is expanding its SCADA classroom laboratory. The facility will triple in size, Saunders allows. But education alone is insufficient to solve the SCADA problem.

“We need to add this on to being another audit function,” he posits. “Right now we audit financially, we audit computer and network security; but we need to add an audit function for SCADA and control systems.”

 

Web Resources
NDU Information Resources Management College: www.ndu.edu/irmc
GAO Control System Vulnerability Report: www.gao.gov/htext/d04140t.html
Department of Homeland Security: www.dhs.gov
NIST FISMA: http:csrc.nist.gov/sec-cert