"Perfect Citizen" Program to Protect the Power Grid

The federal government’s super-secret National Security Agency (NSA) has launched a beefed-up program designed to protect civilian and government infrastructure from hostile cyber attacks, according to multiple press accounts. Among the items slotted for protection is the U.S. power grid.

The Maryland-based NSA confirmed the existence of a program named “Perfect Citizen,” aimed at infrastructure protection, and first reported in The Wall Street Journal. “Specifically, it does not involve the monitoring of communications or the placement of sensors on utility company systems,” NSA spokesperson Judith Emmel said in a statement reported in eWeek  “This contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA’s mission of defending the nation.”

According to the Journal, NSA awarded Raytheon Corp. a contract worth as much as $100 million to develop the first phase of the project. The contract and contract award are classified. The newspaper, citing unnamed sources, said that “industry and government officials” with knowledge of the program have raised concerns about whether NSA will be tracking domestic electronic traffic. NSA’s forte is capturing and deciphering electronic transmissions, including telephone traffic. It is not permitted under law to track information from U.S. citizens except under exceptional and controlled circumstances.

The initial target for the NSA program, according to several press accounts, will be older computer-controlled communications and distribution systems built without security against cyber attacks in mind. This includes, among other systems, the power grid, the air traffic control system, chemical plants and oil refineries, and many transportation networks, including gas and oil pipelines.

A military official told the Journal that the new system builds on an earlier, smaller prototype known as April Strawberry. The program, said the newspaper, “was a piecemeal effort to forge relationships with some companies, particularly energy companies, whose infrastructure is widely used across the country.”

In another cyber security development, the U.S. Department of Energy (DOE) has released a report done by the Idaho National Laboratory (INL) highlighting holes in the security structure of the U.S. power grid. The report, work done by INL’s National SCADA Test Bed, looked at 24 utility instrumentation and control systems (ICS), comparing 2009 results with those reported in 2003. The report found a “significant improvement” in network security since 2003. “There has
been slight improvement in reducing host exposure through services. Little, or spotted, improvement has been seen in vulnerability remediation and secure development of new products. Vulnerabilities, due to unsecure coding practices, are found in new and old products alike, and the introduction of Web applications into ICSs has created more, as well as new, types of vulnerabilities.”

The INL inquiry found that cost of upgrading security is an impediment to improving grid security. To minimize costs, companies are looking to encryption to protect their ICS systems. The report said, “Secure design and vulnerability remediation activities have been judged by many companies as undoable due to time, cost, and backward compatibility issues involved. Encryption is in the process of being applied to ICS communications as a mitigation in lieu of remediation. Adding encryption can limit exposure, but does not prevent access through the encrypted channel if an attacker has compromised an encryption endpoint. Encryption can also make system monitoring and trouble-shooting difficult. NSTB experience and feedback have shown that encryption of ICS communications is rarely accomplished successfully.”

Steven Aftergood of the Federation of American Scientists, who first called attention to the INL report, said, “The specific vulnerabilities that were found are no big surprise—open ports, unsecure coding practices, and poor patch management.  But by describing the issues in some detail, the new report may help to demystify the cyber security problem and to provide a common vocabulary for publicly addressing it.”

As the INL report surfaced, there were also reports of an attack on Siemens control systems, targeting vulnerabilities in the Windows operating system. CNET News reported, “The attack involves several components: a worm that spreads via USB drives and exploits a previously unknown vulnerability in Windows and a Trojan backdoor that looks to see if an infected machine is running a specific type of software created by Siemens used in control systems including industrial manufacturing, utilities and even nuclear powered aircraft carriers.”

Also during the summer, the North American Electric Reliability Corp. (NERC) published “High-Impact, Low-Frequency Event Risk to the North American Bulk Power System.” The report grew out of a November 2009 closed workshop involving NERC, DOE, several administrative agencies, and congressional staff. The NERC report termed the risks that concern it and others as those that “have the potential to cause catastrophic impacts on the electric power system, but either rarely occur, or, in some cases, have never occurred.” Examples? Cyber attacks, high-altitude nuclear weapons detonations, earthquakes, tsunamis, pandemics, and solar storms causing geomagnetic disturbances.

The NERC report noted, “Deliberate attacks (including acts of war, terrorism, and coordinated criminal activity) pose especially unique scenarios due to their inherent unpredictability and significant national security implications.” In typical passive voice constructions, the report outlines the potential threats and notes, “The time needed to address these issues and complete the work contemplated herein will be measured in years.” What should be done? NERC and DOE, along with other agencies of government, and the private sector will “support the development and execution of a clean and concise action plan to ensure accountability and coordinated action on these actions going forward.”

—Kennedy Maize is MANAGING POWER’s executive editor.