"When I wake up in the morning, I’m surprised I have power." That’s what Mike Guthrie, senior information security engineer for Chickasaw Nation Industries (CNI), said at a late April conference on cyber security sponsored by Rep. Roscoe Bartlett (R-Md.). Guthrie, former network security architect for Bonneville Power Administration in Portland, Ore., was answering a question posed by MANAGING POWER. The question: "How easy is it to hack an electric utility SCADA system?"
"That’s all I can tell you without violating security," Guthrie said. He was taking part in a demonstration, led by Joe Albaugh, chief information security officer for the Federal Aviation Administration, showing how a savvy hacker can use social media, in particular Twitter and Facebook, to hijack computers, bypass the usual security measures, access confidential information, capture passwords, and otherwise cause cyber havoc and, more frightening by far, cyber theft.
A second demonstration at the conference in Hagerstown, Md., showed how to use a captured computer account with Amazon.com access to turn Amazon’s cloud service, EC2, into a weapon of mass information destruction. The CNI hacking team, which does a lot of cyber security consulting work for government agencies, also showed how to use email and an Adobe Acrobat .pdf file to spear phish a computer user. Here’s how the FBI describes spear phishing: "Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive."
According to an account in WIRED magazine, the Department of Energy’s Oak Ridge National Laboratory last April was forced to shut down Internet access after its computers were seized by attackers in a spear phishing episode. Similar attacks also damaged systems at a data encryption firm and Google last year.
Bartlett, a spry 85 years old, has become one of the few cyber-savvy solons in Washington. He commented, "The recreational hackers are like the kids who break into your house while you are gone by smashing a window or kicking in a door. They pull out the drawers and throw the contents around. They spread the kitty litter all over the floor. It’s no fun if they can’t show they have been there. The professional hackers sneak in by picking your lock. They put things back in place when they steal your pearls. You don’t know they have been there until six months later, when you look for the pearls for a special occasion and they aren’t there."
Donna Dodson, chief of the National Institute of Standards and Technology’s (NIST’s) computer security division, told the meeting that a variant of 40-year-old Moore’s Law for microchip technology (which holds that the number of transistors that can economically constitute an integrated circuit doubles every two years) has a cybersecurity analog: The power of attackers doubles every 18 months. NIST is heavily involved in the standards for development of the electric "smart grid." Dodson noted that security is a crucial component of the smart grid; without it, the grid’s smarts simply don’t matter.
Bartlett, who chairs the House Armed Services Committee’s tactical air and land forces subcommittee, says he is fearful of the impacts of cyber attacks on the electrical grid. "It’s quite literally the end of civilization as we know it," he told MANAGING POWER. "Make no mistake, if we lose the grid for any significant period, people will die. It won’t be possible to pump fuel to power trucks to replenish our supermarkets with food. Water will stop flowing. With the smart grid, increased interconnections and communications capabilities introduce new vulnerabilities. There’s not nearly enough attention to grid security." Bartlett’s statement drew nods of assent from the several Federal Energy Regulatory Commission staff who were in the audience.
Ironically, the Maryland cyber security meeting came just two days after reports of a new cyber attack against Iran’s uranium enrichment facility at Natanz. The new computer worm, which the Iranians dubbed "Stars" on their website paydarymelli.ir, came a year after the "Stuxnet" virus damaged some 1,000 centrifuges in the Iranian facility. The Iranians have blamed the U.S. and Israel for the attacks, and western journalists have uncovered evidence to support that claim. U.S. and Israeli officials have refused to comment on the source of either attack.
Iran said it is still dealing with the effects of the Stuxnet attack, which does not surprise U.S. experts. David Albright, a former U.N. weapons inspector in Iraq and president of the Institute for Science and International Security in Washington, said Stuxnet was designed to work through 2012 and could then go into hiding in the computer code controlling the Siemens centrifuges, to be activated later, remotely. Albright said the success of the Stuxnet attack may have emboldened the Western intelligence community for more attacks, such as the Stars code. He added that Iran might choose to retaliate by attacking business computer networks and systems in the West.
"We are at war," said Bartlett. "It is a cyber war. And it is the most asymmetrical war we have ever faced."
—Kennedy Maize is MANAGING POWER’s executive editor.