Cyber War!

interview: michael skroch

Skroch manages the Information Operations Red Team and Assessments (IORTA) group at Sandia National Laboratories. When hired by corporations or governmental agencies, the red team plays an adversarial role, hacking into computer systems to assess and improve information security. In this interview Skroch describes how U.S. critical infrastructure, including SCADA systems, has become more reliant on computers and information technology and how that has created new vulnerabilities. He tells FRONTLINE, "There's no reason that U.S. infrastructures could not be secured from cyber attack," but warns that implementation of information security technology must move at a faster pace, before the U.S. experiences the equivalent of a "cyber Pearl Harbor." This interview was conducted on March 13, 2003.

Define for me the program that you head out here and its purpose.

The program that I'm in charge of is the Information Operations Red Team and Assessments (IORTA) group. The purpose of that group is to perform assessments, or red teaming, of information systems in a broad sense, including social engineering, psychological operations and physical effect on information systems.


What's a red team?

Red team is an overloaded term. To us, it means an adversarial force against a system with malevolent intent against that system.

For what purpose?

The purpose that we have is to improve the design of that system, to improve the security implementation of that system. ...

One of the things that Dick Clarke talks about when he defines the vulnerabilities that we have is that whenever government red teams are hired on to hack into systems -- specifically electrical, power companies or systems -- they always get in. As far as you see it, what is the truth behind that, and what is the significance?

When we go after an electrical power system, an electrical power provider for the critical infrastructures, we always penetrate that system. We do that in a number of ways: through social engineering, through cyber means. What this points out is that there are a number of vulnerabilities that exist for a certain level of adversary. This doesn't mean that there's no security or that we can penetrate with the simplest means. It just means that as a sophisticated adversary, as a national lab, we are eventually able to get in.

What is the significance in this world that that is the case? You guys get in; other people, NSA, other teams that probe these systems and then hack them get in every single time. Why is that a significant fact?

The fact that we're able to penetrate these systems all the time is significant, in that it shows that industry isn't able to apply security mechanisms to their critical infrastructures. This is for a couple of reasons. Number one, they don't have a business case to apply that security, and the awareness is being raised now where they're starting to realize that this may be important.

In addition, it's difficult to apply security to an information system because we don't have the cyber engineering and cyber science to define that process. Our attempts at red teaming and through IORTA are an attempt to provide a tool to do that.

Give me the overall story here, over the past decade or longer, of the growing dependence of our infrastructures on the cyber world.

In the past, critical infrastructures -- electrical power, oil and gas, transportation -- were relatively segmented. They were independent, and not reliant upon information technologies. But because of the efficiencies that information technology brings, these information technologies were adopted and brought into these infrastructures. We had very proprietary systems that were introduced, and these were relatively secure in that they were obscure. Each group had a different type of technology.

What's happening today is really three things that are going on in critical infrastructure. Number one is that critical infrastructure, through SCADA systems and other IT technologies, is bringing in common operating systems like Microsoft Windows and relying on the Internet protocols, such as TCP/IP, to control its equipment. What this means is that they're not only adopting new technology for efficiencies, they're bringing in a whole adversary set that understands these technologies and can attack them.

The second thing that is going on is that they're connecting their IT enterprise to their SCADA enterprise for efficiencies, so they can do things like automated billing. So this introduces another avenue of attack on systems.

The third thing they're doing is using the Internet for communications and control. The Internet is not as robust as people think, and as a result, the Internet is subject to effects such as the Slammer worm, which took down communications on the Internet temporarily. If an infrastructure is reliant upon the Internet for communication and a worm such as Slammer comes by, they'll be at a loss.

Let's go through what we saw yesterday. What was the purpose of the exercise that we saw at the solar tower?

The purpose of the exercise that we saw at the solar tower was to demonstrate vulnerabilities that exist in SCADA systems. ... We did two demonstrations at the solar tower. One was an attack on an IT infrastructure that allowed us to control the SCADA system through that IT infrastructure. The second demonstration was a direct attack on the SCADA communications.

What was the effect of the direct attack on the SCADA communications?

The effect of the attack on the SCADA communications was to either fool the operator so that they didn't understand the condition of their infrastructure, or to directly control the infrastructure without the knowledge of the operator.

What would an operator see in such a situation on the control panel?

During an attack on a SCADA system, an operator will see what the adversary wants them to see, of course, dependent upon the scenario and the security of that system. So an operator may see a false indication of the condition of their infrastructure. They may be fooled into taking actions that are unwarranted in a particular circumstance, so that they themselves damage the infrastructure, not the attacker. They may see that everything is fine when in fact the infrastructure is having trouble because of the attack. ...

In the scenario we saw, what was the effect?

... At the solar facility, when we attacked the IT infrastructure, we hacked into the system using a common technique. Once we were into the system, we were able to access any of the command and control functions that the operator would be able to use. In this case, we simply executed a script that moved four of the mirrors and danced them around on the solar facility.

Could that script have been written by the hacker?

In a more sophisticated attack on the IT infrastructure, the red team could have gained access to the system, written a more specific script to have specific effect on the mirrors, such as moving them to the wrong location or causing damage to the solar facility. But that would have taken a lot more effort, and we didn't want to pursue that, because damage may have occurred at the solar facility. ...

Is any firewall or any other protection that you know of enough to keep you guys out?

There are a lot of techniques that can be used today immediately to secure systems: blocking routers, firewalls that are properly configured, local security mechanisms.

Really smart system engineering, end-to-end engineering of the system security, is what's required. If an infrastructure or a particular client implements these techniques and is mature in its security posture, it's very difficult for a red team to hack in using only cyber means.

Is it impossible?

It's never impossible to hack into a system with only cyber means. It really has to do with the sophistication of the adversary and the amount of time required to achieve that attack. Oftentimes, though, it's extremely difficult, and an adversary will not pursue that method. They'll try to attack in another way, for instance, inserting an insider, using social engineering, using a physical effect with a cyber effect. ...

John Hamre and Jim Lewis, who works with him in the think tank, defined Eligible Receiver as basically only a game; that you really couldn't take the grid down, there's too many spokes to the system, that in reality, it doesn't signify anything much. What's your comment on that? Basically because what he's saying, if that's true, then to some extent everything that you guys do I would assume falls into the same category -- that the real world is very different than the artificial world, where you have a bunch of government kind of folk and red teams going after the assistance. What's the reality?

I think that the effects on the electrical power system, as an example, are important in this debate over can a cyber attack have an effect or not. We've seen in the past that a simple branch falling on a power line took down the western states. This was a chance situation that took advantage of complexities of that system that the operators didn't understand.

I think that any malevolent attack with human intent behind it could have a much more damaging effect against a system than a branch falling on an electric power wire.

The Eligible Receiver scenario, if that same operation was run today, could you repeat their successes?

We've looked at a number of electrical power systems, a number of electrical power infrastructure sectors, and we were able to postulate multiple effects given the vulnerabilities that we identified. Our goal is to improve those systems and stop the negative effects. We won't speculate on the broad consequences that we could achieve as a red team.

People say that the grid is a very complicated thing, that it's not one grid; it's multiple grids, lots of different systems. Is there a possibility, though, just to define it overall for us, that cascading effects through a system that is tied together could cause wider damage than one might expect?

If an adversary were trying to have a widespread effect on the electrical power grid, they'd have to be relatively sophisticated. These systems are engineered to be fault-tolerant by industry, and so it would take a lot of detailed work, a lot of sophistication and a coordinated attack. It is not easy to do.

But if that was a sophisticated opponent, could they do it?

A sophisticated opponent may be able to achieve these results, especially if industry doesn't take steps to secure their systems.

What is a cascading effect?

A cascading effect in the electrical power grid is simply an overload condition in one section that causes a fault in that section, causes another overload in the next section, and it ripples across the power grid. If they're not able to islandize or separate the grid, then the cascading effect may cover a wider area. ...

So what's the bottom line on the threat when it comes to an organization like Al Qaeda? Some people say, "Hey, there's a bunch of guys don't know what they're doing; they only can blow themselves up." Other people sort of say, "Don't underestimate." Now what are your feelings about that?

I think that we shouldn't underestimate any adversary, especially one as sophisticated as Al Qaeda. This kind of group, if they don't have the innate knowledge to achieve a cyber attack, if they should choose to do so, can obtain that knowledge from other individuals. ...

Let's talk basics here. SCADA systems. What are they, what do they look like?

SCADA systems are really the cyber world's portal into our 3-D world. They allow cyberspace to sense what we're doing, sense temperature, sense movement, sense position, and they allow cyberspace to control things in our 3-D world: move a motor, close a switch, turn on a heater. So SCADA systems really are an interface between cyberspace and our 3-D world.

Describe what they look like.

SCADA systems are really digital control systems. They look like computer boards. They're housed in different cabinets, different components, and so there's really a number of physical implementations of SCADA systems. But they're simply a circuit board, a relay, a computer chip, that interfaces between cyberspace and the physical element.

And it's a brain that then has feelers that go out to trigger specific functions like turning a motor on? Just explain that.

Some SCADA systems are self-aware, have computer elements on them, so they're able to think, react to a specific situation without external control. Other SCADA systems require direct interface or interaction by a remote human operator or other IT system.

You wanted to make another point. Tell me about how you guys use the Suki ad and describe what the Suki ad is.

The Suki ad is an EDS commercial that is very good. It talks about SCADA systems. Essentially a group of people are running around in an auto factory and they see the robots going haywire, writing something on the side of a car. They can't control it, they can't stop it, and it turns out to be [a little girl named] Suki [writing her name on the car]. And this is really the effect of a little girl somewhere in the world, probably not local, deciding to write her name on some program that she has access to. So it's a very light, humorous way to make the point that industry really needs to consider security when they're implementing SCADA systems and real-time digital control. ...

So why is that a threat? Sort of here's a cute little idea, so it can cause some hassle and it probably wouldn't happen that way or whatever. So what's the real threat here?

The real threat from small incidents like this is that they might become more numerous, and they also can be executed remotely. So if you could do this across the country in different places, you might affect the confidence of the U.S. population in a particular sector, in a particular activity that they have to perform that's related to or controlled by SCADA systems. ...

Why not use encryption authentication systems, for instance, or other IT security technology when it comes to SCADA systems? Is that a possibility? Is that something people should be doing at this point?

I think that there are a number of ways that SCADA systems and information technology systems can be more secure. SCADA systems could use end-to-end authentication and encryption to stop many of the attacks that we perform. Many of the attacks that we showed at the solar facility are preventable through simple means, and we're trying to raise the awareness that those means should be instituted. It's really end-to-end system engineering for security that's required.

But are there special vulnerabilities specific to SCADA systems which would disallow that?

No. There's no reason that U.S. infrastructures could not be secured from cyber attack. This includes SCADA systems. Today, technologies are available for end-to-end encryption and authentication of signals that would prevent many of the attacks that we've demonstrated at the solar facility.

What would that cost?

What would be entailed in securing a SCADA system and the IT enterprise that supports it is really basic techniques and technologies that exist today: firewalls, routers, anti-viral software, which pretty much don't exist on these systems today. In addition, encryption could be added to these products at little cost to the overall system. ...

So why hasn't that happened?

I believe that industry really hasn't had a business case to look at security or implement security, and so they don't have an argument that will go to their bottom line that the security that they need to act as SCADA systems should be added. In addition, it's very difficult to understand that, because we don't have the cyber science and cyber engineering to calculate the risk and tradeoff associated with those things.

So what's it going to take? You defined a large threat, and others have, too. What's it going to take before people get it?

I think that today there's a lot of awareness of IT security and the threats coming across the Internet. So we're having a slow increase in computer security, information security for SCADA systems. However, it's not fast enough. IT technology and the implementation of that technology on our infrastructure is increasing too fast. What it's really going to take is a cyber Pearl Harbor or some disastrous cyber effect before we implement the security that's required. ...

Could your team, if you wanted to, take down the entire grid in the United States?

The IDART red team could demonstrate numerous vulnerabilities and system effects against U.S. critical infrastructure that are scenario-dependent and adversary-dependent. We do this so that we can help improve the systems so that they can't be taken down in the future, and a cyber Pearl Harbor won't affect the U.S. infrastructures.

But could you if you wanted to?

I won't answer that question. ...

This is very focused at this point. We started out with the idea of the potential for cyber war and what the threat is. Are SCADA systems the weak link? Is that why it's important to understand this technology? That's why it's important to work on better technology?

SCADA systems are only one component of U.S. critical infrastructure. They're not the most important component, but they're one that we don't understand very well today. They're one that has difficulty applying security. We understand physical security, we know how to achieve physical security. So when we look at SCADA, we're looking at only one node in the overall security approach to U.S. critical infrastructure.

How important is this one point?

SCADA systems are an important point, just as IT infrastructure is important, because they can be affected at a distance through cyber means, and security isn't being applied today. There is no fence around a SCADA system to protect it like they have a fence physically around U.S. infrastructures.

So it's a weak link?

SCADA systems are a weak link in U.S. infrastructure, but they're not the only weak link. ...

How many SCADA systems are out there? How big a problem is this? Is it like major companies that you got one or two? Dozens, hundreds, thousands?

SCADA systems are just about everywhere. They're being adopted to automate and make more efficient our everyday lives. They're included in most of the infrastructures. Electrical power, oil and gas, transportation use SCADA systems. In addition, manufacturing uses SCADA systems to control its assembly lines or the production of chemicals. SCADA systems are used to control the environmental controls on buildings and facilities. Even today, people with the right technical aptitude have installed smart home systems in their homes. These are SCADA systems. ...

In general, Joe Weiss says the power industry underestimates the vulnerabilities across the board. Is that a problem?

I think that most of the U.S. infrastructures that use SCADA systems underestimate the vulnerabilities associated with those systems, particularly because they're not interested in security. They're interested in delivering a product, and security is not viewed as a part of that process. ...

Joe Weiss says there's a commonality within systems, SCADA systems, and there's also a commonality in the communication handshakes or protocol between systems, like in the electrical grid. Is that a problem? What is the situation?

The commonality in SCADA systems is really the technology that they're adopting to be effective and cost-effective in our current economy -- that is, Internet technologies, IP-based communications, and operating systems that are popular and are prevalent in our economy.

What's the problem between that?

The problem with adopting these technologies, by SCADA using these technologies to implement its command and control, is that they're adopting not only the technology, but they're adopting the broad base of vulnerabilities, and adversaries that are able to take advantage of those vulnerabilities.

He says also that our control centers have in almost all cases firewalls, intrusion detection, demilitarized zones -- everything you could put around them to secure them, and that same thing cannot be said for power plants, for substations.

It has been our experience that the SCADA infrastructure is not protected to the same degree as IT infrastructure as far as computer security and information security. I think that those techniques and technologies are being adopted today. ...

Worst-case scenario, Joe Weiss says, you could cause the loss of power in America for a period of about six months. What's your comment on that? Now here's a guy who knows SCADA systems. He's an engineer, he's been at this a long time, he's been called before Congress to give testimony. He tells us on-camera, worst-case scenario is "Yes, it's possible to bring down the electrical grid across America and keep it down for six months." Put that into perspective for us.

I think it's highly unlikely that there could be a cyber attack on the U.S. electric power grid that could take it down for extended periods. We have a lot of good people working those systems that have built in robustness and fault-tolerant measures. A cyber attack can only have limited consequences, and I don't believe that they could go down for a long period of time. They could go down for minutes and possibly for days.

But look at what we did on Sept. 11 and the response to that particular attack. We had an outpouring of support and help and response from people who were intending to respond and those who weren't. If we had an attack on the electrical power grid, I believe that we would respond quickly to remedy that situation.

So are you in the camp of non-Pearl Harbor, but death by a thousand cuts possibility as a scenario we need to worry about?

I don't think I'm in the camp of a death by a thousand cuts or a cyber Pearl Harbor. I truly believe that both are threats. Both are paths that an adversary can take to affect the United States, and there are also many in between. So as far as the electrical power grid, for instance, I believe that there are effects across that range. It's just that they are less likely the more disastrous you get in the scenario set.

But the potential for an adversary who is sophisticated, who is malicious enough against us, trying to bring down our infrastructure, realizing that the private infrastructures of America are sort of the underpinnings of our society -- how serious do we have to take the potential for use of cyberspace in a manner where one day the electrical grid goes off in New York, the next day you lose phone communication in Toledo, the next day -- in other words, a long war against us day after day, hitting us in ways to hurt our infrastructure, to hurt us psychologically?

I think that one problem in the debate between cyber attacks doing nothing to cyber attacks causing Pearl Harbor is that we're operating with little information. It's a debate of passion and concern. What we really need is to understand the effects that could be imposed by an adversary, both from the death by a thousand cuts all the way to the cyber Pearl Harbor in order to add some sanity to this debate. We really need to better understand through studies, assessments and additional research what could happen.

So we're really at the beginning days of trying to figure out how to deal with this threat.

I think we are at the beginning days of trying to understand the effect of cyber attack on the United States. We don't have enough information to quantify all of the effects that could occur. Various programs are attempting to quantify those things so we have a more reasonable set of information to make our decisions.

We interviewed a hacker out there, a very sophisticated one, one who's considered to be very knowledgeable. I'd like to sort of run by you a couple things that he said and see what you think. One of the things he says is the only reason we have not seen an attack of this sort, an aggressive attack against the infrastructures of America through cyberspace by terrorists, is because they can't believe that we're as vulnerable as we are. What's your reaction to that?

I think that one reason we may not have seen an attack on U.S. critical infrastructure, particularly through cyber means and SCADA, is that the sophistication of the adversary isn't such that they're aware of the possible vulnerabilities and techniques they might use to achieve such an attack.

Might they learn those?

Anyone might learn.

This hacker also says that given six to 10 people and a few million dollars, that group, including himself, would be able to take out huge sections of the American infrastructure. How realistic?

Does he say this by cyber means?

By cyber means.

I think that any well-funded, sophisticated adversary could have negative effects on portions of the infrastructure. Even demonstrating something like this through a scenario, the question is, what is the objective and the goal? It could have little effect. It could anger the United States and not really have the intended effect that the adversary may have.

So if we postulate that a particular group of a certain size, funded by a certain amount, could have an effect, we're really not doing well in considering what the goals are of our true adversaries. So we really need to understand those kinds of goals and the effects that are desired.

The goals of Al Qaeda are to hurt us in any possible way they can -- doesn't matter how many they kill, doesn't matter what they do. They want to bring down the infrastructure. Bin Laden himself has been quoted as saying one of the main goals is to hurt us, our financial infrastructure. Seems like the perfect tool.

I think that the comments that we've heard from various terrorists that want to affect our society show that they're interested in our infrastructure and that it will be a future target. ...

SCADAs are vulnerable -- again, this is the hacker talking -- because most depend on Microsoft operating systems of Windows NT and Windows 2000. Is that the case? Is one of the major problems here the operating systems? Is that perhaps where we should be focusing to some extent?

I think that two of the vectors of attack on SCADA systems are common operating systems that are used today, and there's a number of common operating systems. Also the information communication path, and that's Internet protocol communications -- these are systems that are used in our IT infrastructures and our adversaries already know how to attack these. So it's definitely a vector of attack on SCADA.

So should the Microsofts of the world -- or specifically Microsoft -- be changing anything?

I think that all vendors that provide information technology should consider security in their design. This is really a change that's required.

Why hasn't it happened?

I think the reason why industry hasn't included security in operating systems and communication equipment is that there's no bottom line. It doesn't add to their bottom line in sales, and therefore they're not going to look at security. This is only starting to change recently.

But this is the national security of the United States we're talking about. Isn't that a concern? Why don't the software developers understand that?

I think that industry doesn't consider national security, because it's not their job. National security is the job of the United States government. So we have the disconnect between the industry that's trying to serve a product and the United States that's trying to serve national security. We've seen recently a merging of these. The communication is very encouraging, and I think that that'll have a lot of positive results. ...

published apr. 24, 2003
