Governing Magazine / April 2002

FEATURE: NETWORK SECURITY

DIGITAL NIGHTMARE

What if terrorists break into critical state and local networks and wreak havoc?

By Ellen Perlman

Something is terribly wrong in Springfield. Hospitals are being inundated with people desperately sick with intestinal problems. Shockingly, the symptoms are those of cholera and dysentery, waterborne diseases usually found in third-world countries. Doctors and public health investigators, trying to piece together clues on what is happening, find the city's water supply has been compromised: The digital controls monitoring chlorine injection at the main water plant have been tampered with by a very sophisticated hacker. The hacker knew how to slow down the pumps and turn off the chlorine injectors--without the disinfecting agent, bacteria in the water run rampant--and how to turn off system alarms warning that there is a problem.

Thousands of miles away, a police sergeant cruises his beat and spots a thug he collared several months ago. He is sure the felon, armed and dangerous, should be behind bars serving a 20-year sentence. He radios the police department, setting off a scramble to investigate. A computer technologist discovers someone has hacked into the state's computer network and corrupted criminal justice data, changing release dates of prisoners. Hundreds of hardened criminals have been released in error and are out on the streets causing trouble.

These are nightmare scenarios--the kind of "what if?" situations being tossed around in meetings of public officials charged with protecting residents in an age of terrorism. Are the "what ifs" off the wall? Few water treatment plant managers or criminal justice employees will say attacks on their computer networks are impossible--or that they're absolutely certain that they're 100 percent protected from insidious invasions.
Some government officials don't like to air these scenarios; they worry that terrorists will get ideas about ways to create havoc and do harm. But the bad guys already have the ideas. It's the good guys, anti-terrorism experts say, who are shocked by them--and therefore potentially unprepared.

Besides, the scenarios aren't figments of pure imagination. Take the water plant incident. According to the FBI, U.S. law enforcement and intelligence agencies have received indications that Al-Qaeda members have sought information on Supervisory Control and Data Acquisition systems--the systems that allow utilities to monitor and control pumps and valves and other equipment at treatment plants from a remote location. "They specifically sought information on water supply and wastewater-management practices in the U.S. and abroad," an FBI bulletin reported.

Then there are threats to the computer systems of other utilities. The National Infrastructure Protection Center warned recently that it had received reports that computers used by a variety of critical industries--electric utilities in particular--"are under active physical surveillance" by unknown intruders and that terrorists may have inspected the physical equipment. The bulk of the reports have been deemed not credible, but a NIPC spokesman says, "There are a few that could presage future attacks."

From the federal level on down to states and localities, the nation is engaged in discussions about and activities furthering homeland security, focusing on threats to critical infrastructures and the computer networks that run them. A major aspect of the debate is the likelihood of cyber attacks--whether terrorists could take control of a computer system or destroy a database that stores vital information used by a government.
The federal government takes the possibility seriously enough that the White House is calling for an investment of $2.7 billion this fiscal year on computer and network security, a figure projected to grow to $4.2 billion in the 2003 federal budget.

What can state and local governments do about cyber threats? The simple answer is to put policies and procedures in place to protect themselves as best they can while simultaneously preparing for the worst.

Take Harris County, Texas' approach. Just as with practice runs for coordinating the response to a natural disaster, Harris County has been working on how it will respond if its computer systems are attacked. "We literally play 'what if' games," says Steven Jennings, who heads up the county's technology center. What if, for instance, the county lost a system or a server? After raising the possibilities, the center's staff then works out responses.

Last June, the center practiced a drill in which the county's entire computer network system went down. With the network in ruins, Oscar Cantu, division chief for technical operations and security, and four Harris County programmers boarded a Continental Airlines flight from Houston to Denver. They then made their way to Boulder, where they would attempt to bring the whole thing back up.

Before the programmers set out, a call was made to Vital Records, the company that picks up the county's back-up tapes each night and stores them at a secure location. At the county's request, the company sent 650 back-up tapes of the county's networked computer system to the Boulder facility.

After Cantu and his team landed in Colorado, they checked into a Boulder hotel for the night. The next morning, at 7 a.m., the group arrived at a facility on the outskirts of town, a business-recovery center that looks like a military complex. They checked in at the gate, showing identification cards to a security guard.
Once inside, an employee showed them to a locked room with computer monitors, where a "starter system" awaited them. It was the job of Cantu's team to spend the next 24 hours loading the tapes and bringing up the county's system. Then they had to test applications and activate a connection back to a test location in Houston, to be sure everything was working.

The team worked through the night. Cantu and a couple of the men went out at one point to bring back meals and snacks for them all to eat at their computer stations in the windowless room. "A lot of snacks," Cantu says. "A lot of coffee."

The snacks and the skills of the programmers made for a successful operation. It was also the sixth time the county had tested its ability to function from a remote site should disaster strike at home.

Clearly, this is something many governments were doing or thinking about before the September 11 terrorist attacks focused the nation's attention on potential computer network vulnerabilities. What September 11 did was make believers out of skeptics, a change that information technology departments and others hope will bring more funding for the protection job they've always had to do. Whether or not the likelihood of terrorist attacks on systems is greater since 9/11, the concern about the risk has heightened.

So far, however, there have been no cyber terrorist attacks reported, at least as they are defined by Rich Mogull, research director for Gartner Research. Such an attack would involve "someone creating mass destruction to create fear or foster social or political change." Since September, there's been "normal" cyber crime or "hacktivism," something that's been going on for years.

What it comes down to is that homeland security on the IT front involves a balance between paranoia and preparedness, between the likelihood of a threat and the time and resources necessary to guard against attacks. But terrorism is not the only thing governments have to worry about.
Any number of bad actors could be responsible for harmful incidents, from disgruntled employees to teenage hackers, from criminals to foreign espionage groups. It's not always easy to tell who broke into a system, what they did or whether it was a coordinated attack or an isolated incident.

Internally, a disgruntled employee with access to code could put a "time bomb" in a system and set it to go off at a certain time and date to destroy or change information. This person could, says Harris County's Jennings, "play Pac Man with all your data and systems and render them useless."

Previous incidents have showcased how someone with a mission can exploit holes in computer systems. An inmate in a Key West, Florida, jail was able to hack into a jail computer system and delete text files. A young computer hacker in Massachusetts was able to disable a key telephone company computer that provided service for the Worcester airport, disrupting and disabling vital services to the control tower for six hours.

Then there are the destructive powers of viruses. Fairfax County, Virginia, was hit by "Nimda." Once the virus entered the system, it infected the network, forcing the county to take the network down. The virus had the potential to expose private information stored on the county's hard drives. It also meant that people who were not authorized to do so could add or delete files. Fairfax had to shut down its computers to the outside world for two weekdays and a weekend while it "scrubbed" every PC and the network to make sure the virus was gone. "We literally turned ourselves off the Internet," says Dave Molchany, the county's chief information officer. Citizens could not do business online with the county during those periods of time. At one point, Fairfax thought it had eradicated the virus, only to find it came storming back, re-infecting the system.
Despite being hit once by a serious virus and being subject to record levels of noise about cyber threats, Molchany doesn't fear an imminent attack. Nor do many other stewards of network systems. That said, Molchany adds, "We take all cyber attack alerts that come through very seriously."

Illinois has been dealing with potential cyber attacks for a long time, reports Mary Reynolds, the state's chief technology officer. Certain agencies are hit hundreds of times each month. The attempts are caught, and the hackers have yet to get through. "It's not a new threat," Reynolds says. "This goes on all the time." The difference between now and the pre-9/11 era is more sensitivity to new angles.

Other governments have not been as successful in fending off intrusions, and hackers are making their way in. The main reason is that agencies aren't keeping their software updated, properly configuring firewalls, using intrusion-detection systems and scanning for viruses in the right places on the network. The Code Red computer virus and Nimda "exploited a system vulnerability that had been known about for months," says Vincent Weafer, a security expert with Symantec Security Response.

Software has bugs, or flaws, and when they're discovered, computer companies write a patch, or software program, for users to install on systems to fix those flaws. Carnegie Mellon University's Computer Emergency Response Team, a federally funded computer clearinghouse for Internet security, warned in February that much of the network equipment used on the Internet has a security flaw that could make networks vulnerable to attacks that could cause systems to fail or allow hackers to gain control. The list of the Internet's network devices that are vulnerable is 20 pages long. There are software patches available for most of the equipment, or there will be soon. The question is whether they will be installed before an attack occurs.
Governments have to prepare their enterprises now by staying current with those fixes. There are far more attackers out there than ever before--30,000 Web sites are dedicated to hacking. The speed of attacks is increasing, and the types of tools used to hack into systems are becoming more sophisticated. In 2001, there was a 200 percent increase in computer security incidents, according to Carnegie Mellon's CERT. Those incidents included Web site attacks and malicious virus intrusions into networks.

For governments to keep on top of all the software fixes, someone needs to be assigned to watch for the newest software releases and changes and make sure they're installed. Diligence is essential as hackers multiply and become more sophisticated. "Connectivity is changing, how we do business is changing," Jennings says. "It's going to become more critical to identify and get an understanding of the cyber threat."

The U.S. Department of the Interior learned the hard way about vulnerability. Security experts hired to attempt to hack into the department's system found it so open to attack that the department's communications systems were shut down by court order for 10 weeks. There was concern that the department could not protect the accounting system used to manage money for Native Americans.

Governments--and private industry as well--may be leaving themselves unprotected by not practicing the basics of cyber-attack prevention. Although the sense is that the country needs to guard against bioterrorism, bombs and the destruction of power plants and bridges, government technologists should have a narrower focus. While technology people are worrying about power systems failing, Mogull says he tells government IT clients to "clean up your house before you start worrying about this other stuff." By that, Mogull means taking steps to test networks and internal security. It is a point echoed by the National Research Council.
Organizations, the council wrote in a January report, should "conduct frequent, unannounced red-team penetration testing of deployed systems and report the results to responsible management."

And governments should be looking at employees who work on systems. "We have to really start enhancing security on background investigations, not once when we hire, but with continued vigilance," says Jennings, remembering a case of a spy who had worked for the government for 20 years. He wasn't a spy when he was hired, but he became one after several years on the job.

There are other approaches to protecting computerized control systems for utilities, such as a water plant. Chicago has created a buffer zone by not having the SCADA system linked to a network to the outside world. "We have some good level of protection from a hacker," says Jack Farnan, the water district's general superintendent. He won't say Chicago is "absolutely, positively immune," but the water district has limited the possibility for incursions, and the system is staffed 24 hours a day, unlike at smaller plants.

Weafer, the security expert, agrees it's important not to have direct access from the Internet to a network control system. With such access, there is the potential for someone to hack into an employee's PC, get the user rights of that person and enter the plant system. "There should be a gap," Weafer says. "There should be no direct connection in any shape or form, no network path between the two."

In addition to safeguards and best practices to protect against attacks, there is another important step. There needs to be a plan to protect against the chaos and physical harm that could occur if crucial systems were to be manipulated. The state of Texas' security council has been formulating exercises so state employees can practice responses to effects of a network invasion. One of the disasters the state hopes to address in a practice drill is water contamination.
"You can have all the best guards around a building, but if I take over your network, I've got you. I can contaminate the water supply," says Mel Mireles, who heads up enterprise operations for the Department of Information Resources. He notes that his department is "going to come to the table with a cyber-terrorism exercise."

Sometimes reacting in fear to a threat can produce worse results than anything a terrorist might do. At a recent meeting attended by Pat Karney, director of Cincinnati's sewer district, one participant wondered whether municipal treatment plants ought to disable their SCADA systems completely. That struck Karney as "a higher degree of interference with our way of life than if a terrorist came in and did one or two things in isolated areas." The computerized control systems can provide much tighter control on much more diverse systems more accurately than people ever could, he says. It would be better, Karney suggests, to figure out what you've got and what encryption, control or back-up you need.

Technology infrastructure and policy are tightly coupled. Security-conscious employees need to apply secure components to the system and continue to monitor and maintain the system. "Hackers are out there 24/7," Mireles says. "They have a lot of time on their hands."

Unfortunately, hackers are not the only ones with time on their hands and mayhem in their heads. There are incidents and episodes having to do with workplace violence, civil unrest and vandalism through labor-type situations. It's even possible for a resident to get really mad and want to show the big bad utility a thing or two. "Terrorism has been a wake-up call to look at what we're doing," says Cincinnati's Karney. "But we can't fixate on it. There are a lot of other things out there."
SECURITY SITES AND STUDIES

"Cyberattacks: Prepare Your Enterprise Now" -- www.gartner.com/DisplayDocument?id=341001&acsFlg=accessBought
"The Twenty Most Critical Internet Security Vulnerabilities" -- www.sans.org/top20.htm
"Top 10 Stupid Things People Do to Screw Up Their Networks" -- http://www.whiteknighthackers.com/Talks/TopTenV3/img0.htm
"CyberNotes" -- www.nipc.gov
"Cybersecurity Today and Tomorrow: Pay Now or Pay Later" -- http://bob.nap.edu/html/cybersecurity

----------------------------------------------------------------------
Copyright 2002, Congressional Quarterly, Inc. Reproduction in any form without the written permission of the publisher is prohibited. Governing, City & State and Governing.com are registered trademarks of Congressional Quarterly, Inc.
http://governing.com