Wednesday, 26 February 2014 08:59 By: Cynthia E. Ayers
The Jewish Voice has been at the forefront of media outlets in providing much needed information to the public about U.S. critical electric infrastructure vulnerabilities. The effects of an electromagnetic pulse (EMP) attack in the form of high-altitude nuclear weapons and geomagnetic disturbances (GMD) from coronal mass ejections have been described within this publication over the past several weeks. As noted within previous articles, the very similar consequences of both can be devastating. As much as 90% of the population may not survive a “grid-down” environment lasting a year or more – and the National Academy of Sciences projected a 4 to 10 year recovery period for a “severe” event affecting a large regional expanse.
There is bipartisan agreement that our electric infrastructure is crucial to the survival of the nation. President Obama, in announcing the release of the new Framework for Improving Critical Infrastructure Cybersecurity (National Institute of Standards and Technology, Feb 2014), emphasized the dangers of cyber attacks to critical infrastructure. Comparable warnings were issued during the closing months of 2012 and the first six months of 2013, when DHS Secretary Janet Napolitano, Secretary of Defense Leon Panetta, Director of National Intelligence James Clapper, and representatives of Congress all expressed extreme concern over the cyber threat to critical infrastructure. Although nothing was specifically said about the connection between cyber warfare and the use of EMP weapons in these official statements, the accompanying descriptions of potentially catastrophic damage closely resemble the results of a high-altitude nuclear blast.
The military, on the other hand, just released Field Manual 3-38 (February 2014) entitled Cyber Electromagnetic Activities. Authors of a much earlier article, in a discussion of pending documentation (to include FM 3-38) on what is now called “CEMA,” stated:
It’s important to recognize the convergence of cyber and EMS [electromagnetic spectrum] capabilities. Commercial and military systems are increasingly reliant on both as networks and telecommunication infrastructures expand their use of wireless means. This is particularly important for collaborative systems that require connectivity to operate effectively. The synergistic effect of these networks is a significant reason why EW [electronic warfare], EMSO [electromagnetic spectrum operations], and cyber operations must be viewed as interrelated and interdependent. (ARMY Magazine, June 2012, p. 44)
The article describes the importance of the Commanders’ recognition that CEMA activities can be used to gain operational advantages over adversarial entities. The authors additionally warn that allowing the degradation or destruction of friendly force “freedom of movement within cyberspace and the EMS” constitutes placing our own forces “at a significant disadvantage.”
Interestingly, less than a month prior to the release of the final version of FM 3-38, the Defense Department issued a carefully crafted response to a Fox News “Special Report” segment on EMP. It read: “The Department is unaware of any increase in the threat of a deliberate destructive use of an EMP device. Further, any reporting to the contrary by those without access to current threat assessments is both reckless and irresponsible.” (In other words: Nothing to see here – move along.) The dismissive tone of this statement seems intended to provide fuel for the fires of skeptics who refuse to consider (in depth) any problem they politically or ideologically disagree with. The fact that the response does not discount the nature or potential consequences of an EMP attack is lost in claims that it is “reckless and irresponsible” to report on adversarial threat. (This actually makes sense in the context of current politically correct obfuscation of enmity.)
Regardless, it was apparently not “reckless and irresponsible” for the Secretary of Defense, Secretary of Homeland Security, the Director of National Intelligence and the President to report the threat to critical infrastructure from cyber warfare. To be fair, there have long been critics on either side of the cyber issue. Some reject the idea that cyber attacks could cause serious damage for a long period of time over a wide region, while others claim that cyber attacks can be just as devastating, but are easier to achieve by a resource-challenged adversary than an EMP.
Congressional EMP Commission staff found that cyber and EMP threats are not only related, but have been combined within the cyber doctrine of potential enemies (similar to our own FM 3-38). Entities who would use (and are using) cyber operations to attack U.S. critical infrastructure have openly discussed targeting the U.S. with a first strike using the ultimate cyber weapon (an EMP) to remove the U.S. as an actor on the world stage, instantaneously and long-term. Additionally, officers in the service of foreign militaries have established possible attack scenarios that include temporarily disabling communications (and possibly other sectors likely to provide threat warning) with cyber operations, in anticipation of a follow-on high-altitude nuclear EMP attack to “finish the job.”
Attackers in the cyber realm are already extraordinarily active and becoming more successful with their efforts. According to reporting by the DHS Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT), the number of reported cyber attacks on critical infrastructure is doubling every six months, with the energy sector being by far the most frequently targeted. In October 2012, ICS-CERT reported identification of malware and “crimeware” within the control systems of two power plants. One facility was noted to have been down for “approximately 3 weeks.”
Less than a year ago, ICS-CERT warned companies involved in critical electric infrastructure operations that cyber attacks are being launched with the intent to gain remote access to control systems and commit sabotage. Cyber attacks against the private sector have historically been categorized as “criminal,” with theft (intellectual or financial) believed to have been the main goal; but with this fast-paced increase in incidents and obvious adversarial intent, attitudes within our own government have changed, and the government, in turn, is attempting to challenge industry to consider national security implications.
In October of 2012, SECDEF Panetta stated: “If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president.” To that end, “a secret legal review” was conducted “on the use of America’s growing arsenal of cyberweapons” which reportedly scoped and outlined Presidential “power to order a pre-emptive strike” in the event that U.S. intelligence is able to detect evidence of a major cyber attack such as those indicated by SECDEF.
This review apparently culminated in two products: 1.) Executive Order 13636, entitled: Improving Critical Infrastructure Cybersecurity; and 2.) Presidential Policy Directive 21 (PPD-21), entitled Critical Infrastructure Security and Resilience. These were being finalized and signed on February 12th — the same day as the President’s 2013 State of the Union Address, which also contained warnings of enemy attacks against the power grid. In addition to announcing the Executive Order within the State of the Union speech, the President encouraged Congress to pass legislation designed to secure the nation against such attacks.
What is not generally addressed (at least in public) is the enormous difficulty in establishing what is and what isn’t indication of imminent attack (cyber or otherwise). A “cyber first strike” is intended to ensure that the target is “taken down” instantaneously for a period of time, thus enabling subsequent measures (such as a high-altitude nuclear explosion) which would bring about long-term degradation and destruction. There may be no opportunities to respond. By the time any indication of attack is realized, it may already be too late.
Unfortunately, the fact that cyber attacks on critical infrastructure are being taken seriously by authorities doesn’t mean that the public can rest easy in a belief that all will be taken care of. Officials recognize that cyber protection is a never-ending, and increasingly resource-consuming, process. Furthermore, the ability of infrastructure IT systems administrators to keep up with attackers by constantly upgrading software and firewalls is tenuous; and software fixes are not the only necessary step. There are many ways to bypass cyber security efforts.
The EMP Commission found that hardening against EMP would also protect segments of the grid against cyber operations intended to damage systems and grid components. Mitigation against all-hazards is thus all the more important to the defense of the country. If the urgency that our senior officials are trying to impart is a real indication of threat levels (and I believe it is), we must begin now.
Passive Cyber Defense Cannot be Relied Upon as the Sole Defense
In regard to cyber attack, Industrial Control Systems and their Supervisory Control and Data Acquisition networks (ICS/SCADA) – essentially all computerized systems that attach to and/or interface with transmission and distribution equipment, whether or not they individually interface with the Internet – are highly vulnerable to attack. This is true of communications links and all equipment (transformers, generators, capacitors, etc.) that could be manipulated, altered, denied access to, and otherwise damaged or destroyed via instructions from hackers and/or malware.
Malicious code can be introduced to the system via the internet, via wireless devices, and from external storage devices (e.g. those used during system maintenance). There are a multitude of ways that malware can be injected into a system. Once system infiltration has been accomplished, equipment settings can be changed, effects can be modified, and attacks masked. The best-known example is the Aurora test; but the Stuxnet virus brought major attention to the problem, as did the destruction of Aramco’s 30,000 computers in August of 2012.
In March 2013, Trend Micro researcher Kyle Wilhoit released a report on his effort to discover the types and extent of cyber attacks on control systems. Having set up “honeypots” where hackers would believe that they were able to control “fake gauges” of a water plant, Wilhoit found a surprising number of attacks that were amazingly advanced and successful (“roughly 17 would have been considered ‘catastrophic’ to the water pressure pumping system” that was used as a honeypot). The attacks notably came from both international and domestic sources.
Protection against cyber attacks via usual methods (passive defense) is not enough to thwart major adversarial cyber operations. A 2013 Verizon report noted that “finding specific vulnerabilities and blocking specific exploits is a losing battle.” In a similar vein, SECDEF Panetta had earlier noted that the U.S. “won’t succeed in preventing a cyberattack through improved [cyber] defenses alone.”
One reason that passive defense is not always the best defense is the time lag between attack and identification of attack-related activity, let alone the time needed to generate a software “fix.” A major cyber intrusion and compromise of the U.S. Army Corps of Engineers’ National Inventory of Dams by Chinese military/government cyber actors is an example that raised alarm over the possibility of a future cyber attack by China on the U.S. power grid. The attacks had occurred over a period of months, beginning in January 2013, only to be discovered in April – a delay that could be costly, if not deadly, in a cyberwar “first strike” scenario.