by Barton Gellman, The Washington Post
WASHINGTON - Late last fall, Detective Chris Hsiung of the Mountain View,
Calif., Police Department began investigating a suspicious pattern of
surveillance against Silicon Valley computers. From the Middle East and
South Asia, unknown browsers were exploring the digital systems used to
manage Bay Area utilities and government offices.
Hsiung, a specialist in high-technology crime, alerted the FBI's San
Francisco computer-intrusion squad.
Working with experts at the Lawrence Livermore National Laboratory, the
FBI traced trails of a broader reconnaissance. A forensic summary of the
investigation, prepared in the Defense Department, said the bureau found
"multiple casings of sites" nationwide.
Routed through telecommunications switches in Saudi Arabia, Indonesia and
Pakistan, the visitors studied emergency telephone systems, electrical
generation and transmission, water storage and distribution, nuclear-power
plants and gas facilities.
Digital Devices Targeted
Some of the probes suggested planning for a conventional attack, U.S.
officials said. But others homed in on a class of digital devices that allow
remote control of services such as fire dispatch and of machinery such as
pipelines. More information about those devices - and how to program them -
turned up on al-Qaida computers seized this year, according to
law-enforcement and national-security officials.
Unsettling signs of al-Qaida's aims and skills in cyberspace have led
some government experts to conclude that terrorists are at the threshold of
using the Internet as a direct instrument of bloodshed. The new threat bears
little resemblance to familiar financial disruptions by hackers responsible
for viruses and worms. It comes instead at the meeting points of computers
and the physical structures they control.
U.S. analysts believe that by disabling or taking command of the
floodgates in a dam, for example, or of substations handling 300,000 volts
of electric power, an intruder could use virtual tools to destroy real-world
lives and property.
"The event I fear most is a physical attack in conjunction with a
successful cyberattack on the responders' 911 system or on the power grid,"
Ronald Dick, director of the FBI's National Infrastructure Protection
Center, told a closed gathering of corporate security executives in Niagara
Falls on June 12.
In an interview, Dick said those additions to a conventional al-Qaida
attack might mean that "the first responders couldn't get there ... and
water didn't flow, hospitals didn't have power. Is that an unreasonable
scenario? Not in this world. And that keeps me awake at night."
Regarded until recently as remote, the risks of cyberterrorism now
command urgent White House attention. Discovery of one acute vulnerability -
in a data transmission standard known as ASN.1, short for Abstract Syntax
Notification - rushed government experts to the Oval Office on Feb. 7 to
brief President Bush. The security flaw, according to a subsequent written
assessment by the FBI, could have been exploited to bring down telephone
networks and halt "all control information exchanged between ground and
aircraft flight-control systems."
Officials said Osama bin Laden's operatives have nothing like the
proficiency in information technology of the most sophisticated
nation-states. But al-Qaida is now judged to be considerably more capable
than analysts believed a year ago. In Islamic chat rooms, computers linked
to al-Qaida had access to "cracking" tools used to search out networked
computers, scan for security flaws and exploit them to gain entry - or full
command, sources said.
Most significantly, perhaps, U.S. investigators have found evidence that
al-Qaida operators spent time on sites that offer software and programming
instructions for the digital switches that run power, water, transport and
Such specialized digital devices are called distributed-control systems,
or DCS, and supervisory control and data acquisition, or SCADA, systems.
The simplest ones collect measurements, throw railway switches, close
circuit-breakers or adjust valves in the pipes that carry water, oil and
gas. More complicated versions sift incoming data, govern multiple devices
and cover a broader area.
What is new and dangerous is that most of these devices are now being
connected to the Internet - some of them in ways that their owners do not
suspect, according to classified reports by "Red Team" mock intruders from
the Energy Department's four laboratories who test security systems.
Because the digital controls were not designed with public access in
mind, they typically lack even rudimentary security. Much of the technical
information required to penetrate the systems is widely discussed in the
public forums of the affected industries, and specialists said the security
flaws are well-known to potential attackers.
The various agencies of the U.S. intelligence community have not reached
consensus on the scale or imminence of this threat, according to
participants in and close observers of the discussion. The Defense
Department is most skeptical of al-Qaida's interest and prowess in
"DCS and SCADA systems might be accessible to bits and bytes," Assistant
Secretary of Defense John Stenbit said in an interview. But al-Qaida prefers
simple, reliable plans and would not allow the success of a large-scale
attack "to be dependent on some sophisticated, tricky cyber thing to
But White House and FBI analysts, as well as officials in the Energy and
Commerce departments with more direct responsibility for the civilian
infrastructure, describe the threat in more robust terms.
"We were underestimating the amount of attention (al-Qaida was) paying to
the Internet," said Roger Cressey, a longtime counterterrorism official.
"Al-Qaida spent more time mapping our vulnerabilities in cyberspace than
previously thought. An attack is a question of when, not if."
Counterterrorism analysts have known for years that al-Qaida prepares
attacks with elaborate "targeting packages" of photographs and notes. But,
in January, U.S. forces in Kabul, Afghanistan, found something new.
A computer seized at an al-Qaida office contained models of a dam, made
with structural architecture and engineering software, that enabled the
planners to simulate its catastrophic failure. Bush administration
officials, who discussed the find, declined to say whether they had
identified a specific dam as a target.
The FBI reported the computer had been running Microstran, an advanced
tool for analyzing steel and concrete structures; Autocad 2000, which
manipulates technical drawings in two or three dimensions; and software
"used to identify and classify soils," which would assist in predicting the
course of a wall of water surging downstream.
To destroy a dam physically would require "tons of explosives," Assistant
Attorney General Michael Chertoff said a year ago. To breach it from
cyberspace is not out of the question. In 1998, a 12-year-old hacker,
exploring on a lark, broke into the computer system that runs Arizona's
Roosevelt Dam. He did not know or care, but federal authorities said he had
complete command of the SCADA system controlling the dam's massive
Roosevelt Dam holds back as much as 1.5 million acre-feet of water, or
489 trillion gallons. That volume could theoretically cover the city of
Phoenix, down river, to a height of 5 feet. But in practice, that could not
happen. Before the water reached the Arizona capital, the rampant Salt River
would spend most of itself in a flood plain encompassing the neighboring
cities of Mesa and Tempe - with a combined population of nearly a
In Queensland, Australia, on April 23, 2000, police stopped a car on the
road to Deception Bay and found a stolen computer and radio transmitter
inside. Using commercially available technology, Vitek Boden, 48, had turned
his vehicle into a pirate command center for sewage treatment along
Australia's Sunshine Coast.
Boden's arrest solved a mystery that had troubled the Maroochy Shire
wastewater system for two months. Somehow the system was leaking hundreds of
thousands of gallons of putrid sludge into parks, rivers and the manicured
grounds of a Hyatt Regency hotel.
Specialists in cyberterrorism have studied Boden's case because it is the
only one known in which someone used a digital-control system deliberately
to wreak harm.
Boden had quit his job at Hunter Watertech, the supplier of Maroochy
Shire's remote-control and telemetry equipment. Evidence at his trial
suggested he was angling for a consulting contract to solve the problems
To sabotage the system, he set the software on his laptop to identify
itself as "pumping station 4," then suppressed all alarms. Paul Chisholm,
Hunter Watertech's chief executive, said in an interview that Boden "was the
central control system" during his intrusions, with unlimited command of
SCADA nodes governing sewage and drinking water alike.
Like thousands of utilities around the world, Maroochy Shire allowed
technicians operating remotely to manipulate its digital controls. Boden
learned how to use those controls as an insider, but the software he used
conforms to international standards, and the manuals are available on the
Web. He faced virtually no obstacles to breaking in.
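The Maroochy Shire intrusion described above had two visible signatures in the control traffic: a node that identified itself as "pumping station 4" while talking over a link the real station did not use, and a blanket suppression of alarms followed by control commands. The following monitor, added here as an illustration and not code from the article, Hunter Watertech or any real SCADA product, scans a constructed telemetry log for exactly those two signals and correlates them. The log format, the link names (RADIO-07, RADIO-99), the operation names and the station inventory are all assumptions made for the example.

```python
import re

# Constructed sample log (not from the article). Assumed format:
#   <timestamp> src=<radio/link id> station=<claimed station id> op=<operation> [key=value ...]
# The real station 4 talks on RADIO-07; a second transmitter appears on RADIO-99,
# claims to be station 4, silences alarms and then issues a pump command.
SAMPLE_LOG = """\
2000-03-01T02:10:00 src=RADIO-07 station=4 op=telemetry level=61
2000-03-01T02:10:30 src=RADIO-07 station=4 op=telemetry level=63
2000-03-01T02:11:00 src=RADIO-99 station=4 op=telemetry level=62
2000-03-01T02:11:05 src=RADIO-99 station=4 op=alarm_suppress scope=all
2000-03-01T02:11:10 src=RADIO-99 station=4 op=pump_set state=off
2000-03-01T02:12:00 src=RADIO-07 station=4 op=telemetry level=70
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) station=(?P<station>\d+) op=(?P<op>\S+)(?P<rest>.*)$"
)

# Assumed asset inventory: which link each station is provisioned on.
REGISTERED_LINK = {4: "RADIO-07"}
# Operations that blind the operators and therefore always deserve an alert.
HIGH_RISK_OPS = {"alarm_suppress"}
# Operations that are pure reporting rather than control.
PASSIVE_OPS = {"telemetry"}


def analyze(log_text: str):
    """Return a list of findings; each finding is a tuple whose first field is its type."""
    findings = []
    alarms_suppressed = False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(("unparsed", line))
            continue
        ts, src, station, op = m["ts"], m["src"], int(m["station"]), m["op"]

        # Signal 1: a claimed station identity arriving over a link it is not registered on.
        spoofed = REGISTERED_LINK.get(station) != src
        if spoofed:
            findings.append(("identity_mismatch", ts, station, src))

        # Signal 2: alarms being silenced, from any source.
        if op in HIGH_RISK_OPS:
            findings.append(("high_risk_op", ts, station, src, op))
            alarms_suppressed = True

        # Correlation: a control command from an unregistered source while alarms are off
        # is the strongest indicator, because nobody in the control room will see its effect.
        if alarms_suppressed and spoofed and op not in PASSIVE_OPS and op not in HIGH_RISK_OPS:
            findings.append(("blind_control", ts, station, src, op))
    return findings


def summarize(findings):
    """Count findings by type, e.g. {'identity_mismatch': 3, ...}."""
    counts = {}
    for f in findings:
        counts[f[0]] = counts.get(f[0], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    print(summarize(analyze(SAMPLE_LOG)))
```

The point of the correlation rule is that neither signal alone is conclusive: a link change can be a legitimate radio failover and alarm suppression can be scheduled maintenance. A control command issued by an unregistered source after alarms were silenced is the combination that an operator cannot see on the console and that a monitor sitting beside the SCADA master can still report.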
Nearly identical systems run oil and gas utilities and many manufacturing
plants. But their most dangerous use is in the generation, transmission and
distribution of electrical power, because electricity has no substitute and
every other key infrastructure depends on it.
Massoud Amin, a mathematician directing new security efforts in the
industry, described the North American power grid as "the most complex
machine ever built." At an April 2 conference hosted by the Commerce
Department, participants said, government and industry scientists agreed
they have no idea how the grid would respond to a cyberattack.
What they do know is that "Red Teams" of mock intruders from the Energy
Department's four national laboratories have devised what one government
document listed as "eight scenarios for SCADA attack on an electrical-power
grid" - and all of them work. Eighteen such exercises have been conducted to
date against large regional utilities, and Richard Clarke, Bush's
cybersecurity adviser, said the intruders "have always, always
Joseph Weiss of KEMA Consulting, a leading expert in control-system
security, reported at two recent industry conferences that intruders were
"able to assemble a detailed map" of each system and "intercepted and
changed" SCADA commands without detection.
"What the labs do is look at simple, easy things I can do to get in" with
tools commonly available on the Internet, Weiss said in an interview. "In
most of these cases, they are not using anything that a hacker couldn't
Bush has launched a top-priority research program at the Livermore,
Sandia and Los Alamos labs to improve safeguards in the estimated three
million SCADA systems in use. But many of the systems rely on instantaneous
responses and cannot tolerate authentication delays. And the devices
deployed now lack the memory and bandwidth to use techniques such as
"integrity checks" that are standard elsewhere.
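Three passages above share one technical thread: Boden's laptop could simply declare itself "pumping station 4"; the national-laboratory Red Teams "intercepted and changed" SCADA commands without detection; and the devices in the field are said to lack the memory and bandwidth for "integrity checks." The following, added here as an illustration and not code from the article, the laboratories or any SCADA vendor, shows what the smallest such check looks like: a per-station key, a strictly increasing counter and an 8-byte truncated HMAC on each command frame. The frame layout, opcodes and key are assumptions made for the example. It also measures the two costs the article names, bytes added per frame and verification time, so the trade-off can be judged rather than asserted.

```python
import hmac
import hashlib
import struct
import time

# Assumed frame layout, not a real protocol:
#   station_id u16 | seq u32 | opcode u8 | value u16   (9-byte header)
#   tag = HMAC-SHA256(key, header) truncated to 8 bytes
HEADER = struct.Struct(">HIBH")
TAG_LEN = 8
OPCODES = {0x01: "set_pump", 0x02: "set_valve", 0x10: "suppress_alarms"}


def build_frame(key: bytes, station_id: int, seq: int, opcode: int, value: int) -> bytes:
    """Master side: pack the command and append the truncated HMAC tag."""
    header = HEADER.pack(station_id, seq, opcode, value)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class StationReceiver:
    """Field-device side: one per-station key plus the last accepted sequence number."""

    def __init__(self, station_id: int, key: bytes):
        self.station_id = station_id
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes):
        if len(frame) != HEADER.size + TAG_LEN:
            return ("rejected", "bad length")
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        # Verify the tag before trusting any field, using a constant-time compare.
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "bad tag")
        station_id, seq, opcode, value = HEADER.unpack(header)
        if station_id != self.station_id:
            return ("rejected", "wrong station")
        if seq <= self.last_seq:  # a strictly increasing counter defeats replay
            return ("rejected", "replay")
        self.last_seq = seq
        return ("ok", OPCODES.get(opcode, "unknown"), value)


def demo():
    key = bytes(range(32))  # constructed key; in practice provisioned out of band per station
    rx = StationReceiver(station_id=4, key=key)
    results = {}

    genuine = build_frame(key, 4, 1, 0x01, 1)
    results["genuine"] = rx.accept(genuine)          # accepted
    results["replay"] = rx.accept(genuine)           # same frame again: rejected

    # A frame that claims to be for station 4 but was built without the key.
    results["spoof"] = rx.accept(build_frame(b"not-the-key", 4, 2, 0x10, 0))

    # A genuine frame altered in transit: one bit of the value field flipped.
    tampered = bytearray(build_frame(key, 4, 3, 0x01, 1))
    tampered[8] ^= 0x01
    results["tampered"] = rx.accept(bytes(tampered))

    # Cost of the check: bytes added per frame and verification time on this host.
    results["overhead_bytes"] = len(genuine) - HEADER.size
    n = 2000
    frames = [build_frame(key, 4, 100 + i, 0x01, i & 0xFFFF) for i in range(n)]
    t0 = time.perf_counter()
    for f in frames:
        rx.accept(f)
    results["verify_us_per_frame"] = (time.perf_counter() - t0) * 1e6 / n
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The receiver needs only the key, a 4-byte counter and one hash computation per frame, which is the budget argument for a check like this on a small controller; the honest caveat, matching the article, is that the counter must survive reboots and the key must be distributed to every field device, which is the operational work the power industry's assessment was weighing against a parallel private network.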
In a book-length Electricity Infrastructure Security Assessment, the
industry concluded on Jan. 7 that "it may not be possible to provide
sufficient security when using the Internet for power-system control." Power
companies, it said, will probably have to build a parallel private network.
The U.S. government may never have fought a war with so little power over
the battlefield. That became clear again on Feb. 7, when Clarke and his
chairman at the critical infrastructure board, Howard Schmidt, arrived in
the Oval Office.
They told the president that researchers in Finland had identified a
serious security hole in the Internet's standard language for routing data
through switches. A government-threat team found implications - for air
traffic control and civilian- and military-phone links, among others - that
were more serious still.
"We've got troops on the ground in Afghanistan and we've got
communication systems that we all depend on that, at that time, were
vulnerable," Schmidt recalled.
Bush ordered the Pentagon and key federal agencies to patch their
systems. But most of the vulnerable networks were not government-owned.
Since Feb. 12, "those who have the fix in their power are in the private
sector," Schmidt said.
A Tough Sell
New public-private partnerships are helping, but the government case
remains a tough sell. Alan Paller, director of research at the SANS
Institute in Bethesda, Md., said "substantially none" of the banks and
brokerages, considered the most security-conscious businesses, tell
government when their systems are attacked.
Sources said the government did not learn crucial details about last
fall's Nimda worm, which caused about $530 million in damage, until stricken
firms began firing their security executives.
Experts said public companies worry about loss of customer confidence and
legal liability to shareholders or security vendors when they report
The FBI is having even less success with its "key asset initiative," an
attempt to identify the most dangerous points of vulnerability in 5,700
companies deemed essential to national security.
Michehl Gent, president of the North American Electric Reliability
Council, said last month it will not happen: "We're not going to build such
a list. ... We have no confidence that the government can keep that a
For fear of terrorist infiltration, Clarke's critical infrastructure
board and Tom Ridge's homeland-security office are now exploring whether
private companies would consider telling the government the names of
employees with access to sensitive sites.
There is no precedent for that. The FBI screens bank employees but has no
statutory authority in other industries. Using classified intelligence
databases of suspected terrorists would mean the results could not be shared
with the employers. Bobby Gillham, manager of global security at oil giant
Conoco, said he doubts his industry would go along.
"You have Privacy Act concerns," he said. "And just to get feedback that
there's nothing here, or there's something here but we can't share it with
you, doesn't do us a lot of good."
Exasperated by companies seeking proof that they are targets, Clarke
stopped talking about threats at all.
"It doesn't matter whether it's al-Qaida or a nation-state or the teenage
kid up the street," Clarke said. "Who does the damage to you is far less
important than the fact that damage can be done. You've got to focus on
vulnerability ... and not wait for the FBI to tell you that al-Qaida has you
in its sights."
Information from Knight Ridder Newspapers is included in this report.