Idaho Lab in a Race to Shore Up Critical Infrastructure Systems

IDAHO FALLS, Idaho – All it took was one click of a mouse from the CEO of the ACME Chemical company.

Within half an hour of that tap hackers had exfiltrated proprietary documents from the company’s network, commandeered IP-based surveillance cameras at the facility to spy on network administrators, seized control of a computer system managing its chemical mixing process and finally caused a toxic spill that administrators were powerless to stop.

The perpetrators of this industrial disaster? ACME’s competitors at the Barney Advanced Domestic chemical company — or BAD Chem, for short — who also cut power to the plant at one point, sending ACME employees scrambling in blind confusion and panic.

The actual perpetrators of this simulated exercise were employees of the Idaho National Laboratory (INL), who opened their control system training facility to reporters last week to show how the Department of Homeland Security, in conjunction with the Department of Energy lab, trains the people who run industrial control systems to operate them securely and to fend off real-life instances of the simulated attack played out for journalists.

“[Attackers] are kicking on the doors of these systems, and in some cases there have been intrusions,” said Greg Schaffer, acting deputy undersecretary for DHS’s National Protection and Programs Directorate, without elaborating on the intrusions.

The nondescript two-story building where the exercise occurred is unmarked on the outside and is just one of dozens of INL facilities scattered in and around the small agricultural town of Idaho Falls. The lab holds week-long training sessions about once a month for workers from various industries, including energy, transportation, and oil and gas. Most critical infrastructures in the U.S. are privately owned and operated, and are not governed by any regulations requiring owners to secure them. The White House is urging Congress to pass legislation that would require such facilities to obtain third-party audits certifying that they meet certain cybersecurity criteria, but in the meantime INL and DHS operate a program to conduct security assessments of control systems and also offer security training to workers.

During the week-long session at the training facility, students are divided into a Red Team (attackers) and Blue Team (defenders), with each receiving a playbook containing a minimal amount of background information on the target company. The target network consists of web servers, e-mail servers and control systems that all contain multiple vulnerabilities commonly found in real-world systems, such as default hard-coded passwords and communication protocols that transmit commands in cleartext — the same kinds of flaws that a researcher recently found in control systems made by the German conglomerate Siemens.

Vulnerabilities in control system networks have been in the spotlight since last year when the Stuxnet worm was found on computers in Iran, the U.S. and elsewhere. The sophisticated worm was designed to attack a specific Siemens industrial control system operating a uranium enrichment facility in central Iran. It was the first known targeted attack against an industrial control system and the first malware found in the wild that was designed to cause physical destruction. The malware, launched in June 2009, is believed to have damaged about 1,000 centrifuges at the enrichment plant before it was discovered in June 2010. Fingers have pointed at Israel and the U.S. as the likely culprits behind the malicious code.

DHS and INL operate a malware analysis lab about a mile from the training center in Idaho Falls, where INL experts reverse-engineered the Stuxnet code last year after it was found on systems in the U.S. Marty Edwards, Director of DHS’s Control Systems Security Program, wouldn’t discuss the details of what the researchers found in Stuxnet, although private researchers have already released extensive analysis of the worm. Edwards said DHS did disclose some of its findings in private to companies and facilities that needed to protect themselves from the worm or copycat attacks.

“I still believe that [the technical details are] sensitive,” Edwards told reporters last week. “You’re not going to see us post those kind of details to a completely open, public web site. Because we don’t want to encourage the script kiddie or the copycat types.”

A second program at the INL lab works with the makers of industrial control systems to examine and test the systems for security vulnerabilities. Last year 75 vendors had their control system products examined by the lab, but because the findings are bound by non-disclosure agreements with vendors, the lab won’t disclose its findings. Edwards said vendors are required to provide the lab with a report within a year after an assessment, describing the steps the vendor has taken to patch or mitigate vulnerabilities the lab found in the vendor’s system. He admits, though, that some basic vulnerabilities, or design flaws as he calls them, cannot easily be patched by vendors. Hard-coded passwords are among these.

In 2008, the lab conducted a security vulnerability assessment of the Siemens system that was later targeted by Stuxnet. The New York Times suggested earlier this year that information gleaned from that assessment was subsequently used by the creators of Stuxnet to attack the Siemens system in Iran, indicating that the lab may have played a role in the creation of Stuxnet. But Edwards denied that the lab’s research contributed to Stuxnet.

“There was no research that was done [by the lab] that was leveraged to create Stuxnet,” he said, adding that Stuxnet targeted different vulnerabilities than those that were uncovered during the INL assessment.

Story photo: Cyber security analysts that were part of the Blue Team watch their computers during a mock exercise last week at the Department of Homeland Security’s secretive cyber defense training facility at Idaho National Laboratory. (AP Photo/Mark J. Terrill)

Homepage photo: A reflection of the Department of Homeland Security logo is seen in the glasses of a cyber security analyst in the watch and warning center at the Department of Homeland Security’s secretive cyber defense facility at Idaho National Laboratory, which is intended to protect the nation’s power, water and chemical plants, electrical grid and other facilities, Friday, Sept. 30, 2011, in Idaho Falls, Idaho. (AP Photo/Mark J. Terrill)