Grid-hacking is back in the news, with the unveiling of "Perfect Citizen," the National Security Agency's creepily named effort to protect the networks of electrical companies and nuclear power plants.

People have claimed in the past to be able to turn off the internet, there are reports of foreign penetrations into government systems, "proof" of foreign interest in attacking U.S. critical infrastructure based on studies, and concerns about adversary capabilities based on allegations of successful critical infrastructure attacks. Which begs the question: If it’s so easy to turn off the lights using your laptop, how come it doesn’t happen more often?

The fact of the matter is that it isn’t easy to do any of these things. Your average power grid or drinking-water system isn’t analogous to a PC or even to a corporate network. The complexity of such systems, and the use of proprietary operating systems and applications that are not readily available for study by your average hacker, make the development of exploits for any uncovered vulnerabilities much more difficult than using Metasploit.

To start, these systems are rarely connected directly to the public internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled – nation-states, in other words.

Let’s pretend for a moment that hackers were planning to attack the United States. What would they need to do to gather enough information necessary to take out the electrical power in key parts of the country? They don’t want to fiddle at the edges, mind you. They want to have enough data to build the technical capability necessary to shut out the lights in Washington or New York or California at precisely the time and for exactly the duration they want.

For starters, they would need to know things like: Where are the power plants? What kind of plants are they? What sort of fuel do they use? Who built them and when? What sort of materials and technology were used when they were built? Who manufactured the generators, turbines and other key equipment? Whose SCADA software are they running? Who runs the plants? How do fuel, people and supplies get into or out of the plant? What sort of security do they have? And perhaps most importantly: Which plants supply power to which parts of the country?

Where to begin? Even in places like the United States, where there isn’t much you cannot find online, you’re not going to be able to get the depth and detail you need to turn off the lights with a simple network connection. You’re going to have to deploy national-level resources:

* HUMINT (human intelligence, aka spies) to collect both open and private (though not necessarily classified) material about plant construction and operation. In the United States, we’re pretty good at announcing who won a contract to do what. In less open societies, it is going to take time to identify who is most likely to have the information you need and then more time to try and figure out the best way to get them to provide that information to you (if they’ll do it at all).

* IMINT (imagery intelligence, aka satellite or aerial pictures) to help analysts and engineers determine what sort of plant it is, give some idea as to where its various components may be located, the number of people it takes to run it, etc.

* SIGINT (signals intelligence, aka intercepted communications) to pick up key words, terms and conversations by those who built or are building the plant, who are working at the plant, who provide supplies and transport workers to the plant, to hear what local media and officials are saying about plant operations, reliability, etc.

* MASINT (measurement and signature intelligence) to gauge from afar things like temperature, magnetic fields, vibrations, exhaust and other meaningful emanations. These can be used to help determine what is likely to be happening behind walls that a human source might not be able to reach (or understand), and to help confirm (or dispute) what other intelligence sources report.

The point being: A purely online approach is simply not going to provide you with the type and volume of information you are going to need to accomplish your mission. Which is why, if you are trying to deny an adversary access to such information, you need organizations like the NSA (and others in the intelligence community) involved. These are the sorts of missions they are supposed to be undertaking: defending us against national-level threats. Sending forth agents to “spy out the land” costs money, takes people, requires logistics, takes time; all things that can be detected and exploited no matter how “cyber” some portions of the effort may be.

The real problem with Perfect Citizen is not in its goals, but in its sponsor. Intelligence agencies do some amazing things, but intelligence involvement in civilian systems is a bad idea for many reasons. The head of NSA said as much just last year; of course that was before he put on two hats as both the Director of NSA and Commander of U.S. Cyber Command. The argument that the NSA is the perfect place for such a program because of the skills of its employees is certainly compelling, but it does nothing to overcome the fact that NSA is predominantly an intelligence agency. We have a Cyber Command now, and a Cabinet-level Department charged with protecting the Homeland, which allegedly has its own cybersecurity capabilities and responsibilities.

True, Perfect Citizen could rightfully fall into the bucket of responsibilities of NSA’s defensive mission, but as argued recently, you cannot convince most people that the left and right hands of the agency are not working together, and that’s a problem if you are into things like liberty and freedom from unnecessary government intrusion and such. Having worked at the NSA and for related organizations, I know perfectly well how seriously agency employees take their responsibility to not "spy on Americans," but I also know that in a panic, real or contrived, people will cave with the best of intentions.

If the government truly believes that we need a strong intelligence presence inside our critical infrastructure systems, they should consider taking some less expensive, less risky, and more practical steps:

* Use the federal government's Intergovernmental Personnel Act program to shift grid-protecting expertise to DHS. The true measure of a government organization’s power is its ability to get the best talent on the job, on demand and by name. Anything else is just filling the ranks with “those who can be spared.”

* Get as many industry geeks security clearances as possible, so that information sharing is more equitable. Government is notoriously parsimonious when it comes to providing information of any value, while it simultaneously harps on industry to give more. Clearing the bosses isn’t enough; if technical management cannot see for themselves what the real threats are, there is no hope for the implementation of practical solutions.

* Implement a simple, anonymous info-brokerage system to reduce the burden associated with providing information. It'll also eliminate the public stigma and legal jeopardy (via shareholder or customer lawsuits) private sector organizations risk should word of vulnerabilities or breaches become public.

* Come up with a system of rewards for industry participation in data sharing and infrastructure security efforts. Two quick ideas: tax breaks for demonstrably improving IT security, and conditional relief from certain regulatory burdens for active, meaningful participation in sharing efforts.

Absent additional information, it is hard to determine the full extent of what Perfect Citizen will provide in the way of improved security or situational awareness of foreign threats. Longtime observers of government involvement in this business cannot help but think that we are listening to the echo of past historical failures in this area and ignoring new ideas and promising research that could produce meaningful solutions that don’t involve letting spooks in the wire.

Photo: NOAA