What a ‘Cyber Katrina’ event might look like
Last Updated on Wednesday, 4 March 2009 06:11 Written by admin Wednesday, 4 March 2009 06:11
The following scenario is written in the style used by the NIC Global Trends 2025 report for its individual scenarios. The NIC failed to come up with a cyber “main event,” so I decided to pick up the challenge and include one in my book Inside Cyber War. Since I’m in the process of writing this chapter now, I’d appreciate any feedback you’d care to leave in the Comments section on how to improve the scenario.
The purpose of this exercise is to show the respective agencies what’s possible and open a dialog on what to do about it.

October 19, 2012
Chairperson
House Permanent Select Committee on Intelligence
Washington, D.C.
RE: Establishment of North American Urgent Radiological Information Exchange
Madame Chairperson:
While we do not believe that this is a matter that rightfully falls under the province of your Committee, in the interest of cooperation, this letter will address the events leading up to the establishment of the North American Urgent Radiological Information Exchange (NAURIE).
As you know, on the tenth anniversary of 9/11, all of our nation’s nuclear power plants were targeted in a massive distributed denial of service attack orchestrated by the Conficker III botnet, which had grown to a heretofore unheard-of 30,000,000+ infected PCs.
While US CERT teams as well as regional DOE cyber security personnel were focused on combating this external threat, each plant’s internal firewall separating the Command and Safety System Networks from the Site Local Area Network was breached from the inside due to the use of pirated hardware with malicious embedded code that passed server control to external users.
Of even more concern is the fact that all of these plants were targets of a carefully planned, long-term social engineering attack which relied on human error and the broad-based appeal of social networking sites. As DOE employees broke protocol and downloaded phony social software apps, malicious code worked its way into secure networks and lay dormant until activated by the attacking force.
This led to a number of consecutive failures in our safety mechanisms resulting in partial to complete core meltdowns at 70% of our plants. When these plants went offline, the nation’s power requirements couldn’t be met. Grids were overwhelmed and blackouts began occurring in our most heavily populated urban areas. Once criminal gangs realized that overburdened police departments were unable to respond to every 911 call, looting of businesses began in earnest as did home invasions in the wealthier neighborhoods.
One year later, we still do not have a final count on the number of deaths and casualties but most responsible estimates place them in the tens of thousands. If we extrapolate out for the as yet unknown future effects of radiation poisoning on the victims, the count goes into six figures.
While this is clearly a tragedy on every level, I feel I must point out that the NNSA, as late as 2009, in a letter to the Los Alamos National Laboratory, did our part in improving security by determining that the loss of 83 LANL laptops should no longer be considered just a “property management” issue, but a cyber security issue as well.
Also, our G3 physical security model (Gates, Guards, Guns) was not compromised, and cyber security compliance has never been a mandatory policy; instead, it has been an ongoing negotiation among various other considerations.
Sincerely,
Director, National Nuclear Security Agency
Jeff,
This looks great! Congratulations! I look forward to the rest of the book.
-Ned
This was great. I can’t wait for this book! =]
Perhaps discuss the fact that while some saw that it was a problem, issues of “who should be dealing with cybersecurity” prevented any real work from getting done (currently there are the CIA FBI CERT NSA and then of course maybe some day AF CyberCommand: maybe mention something about all of these guys overlapping and preventing anything from actually getting done)
But really, good stuff.
Thanks Ned and Joseph.
Joseph, your point is well taken. Still, I do think some work is getting done; just not broadly enough or fast enough – and I know that frustrates a lot of good, hardworking folks on the inside who struggle with this scenario and ones like it on a daily basis.
Hey Jeff:
I think there is a confusion of terms here. First off, I dislike “cyber Katrina” and “cyber Pearl Harbor” as they are mostly used to invoke feelings of fear based on some past event.
However, given that you are going to use the terms, I think that there needs to be some clarity in their meaning. Katrina was a natural disaster that, through poor response, was made significantly worse. The attack on Pearl Harbor was an attack by a nation-state that aimed to reduce our ability to respond and damage a particular infrastructure (naval). And, just to be complete, 9/11 was an attack by a non-state actor aimed at inspiring terror in a particular populace.
In cyber terms, we have dubbed these things (apparently) a cyber Katrina, a cyber Pearl Harbor (or Digital Pearl Harbor) and cyber terrorism. I won’t get into the problems with using these terms, except to say that using these analogies can prejudice our strategic thinking in such a way that we plan improperly for actual events.
To better define the terms, however, I would say that a cyber Katrina should invoke the concept of an *unintended* disaster that impacts cyberspace. A cyber Pearl Harbor should suggest an outright attack, possibly a sneak attack, that attempts to destroy the cyber capabilities of the target. Finally, cyber terrorism should only be used to describe an attack that instills fear in the populace that associates themselves with the victims.
What you describe in the above scenario seems to be cyber terrorism with a mix of a cyber Pearl Harbor. A better example of a cyber Katrina would be a misconfigured router that somehow rerouted the Internet in such a way that recovery was difficult, sort of a critical BGP error. Or, a worm that, by accident not design, caused such disruption across the Internet, that users could not access normal services.
Again, the reason that Paul Kurtz (see: http://www.securityfocus.com/news/11547) mentioned this (and I assume that was what prompted this post) was to point out that there is no civilian agency capable of dealing with a non-malicious disaster on the Internet. Moreover, considering that attribution of attacks is so difficult in cyberspace, I would maintain that such an agency would have to be the first responder to all incidents that dramatically affected the workings of the Internet.
Anyway, just some thoughts for you.
Hi Rob: Great comment. I’ll try to do it justice with my reply.
Regarding Katrina as a natural disaster – that’s not quite an accurate depiction. While the trigger was clearly a hurricane, the actual ‘disaster’ was a mix of fragile infrastructure (the levees), failed policies, inept emergency response management and a host of other human-derived errors. These are the same ingredients that will result in a future cyber disaster. Still, there is no equivalent ‘natural’ element in the cyber realm, so that part of your critique remains valid.
In fact, I’m happy to acknowledge the weaknesses in using terms like Cyber Katrina, etc., but it’s become common terminology and it’s what people understand.
I would hate to see this devolve into a debate about terms when we should be debating the core issues. You seem to believe that the term shapes the debate. I disagree. Digital 9/11, for example, is only useful as an attention grabber. It doesn’t inform the debate in any informative way. Instead, we need to address the core issues of how to defend these critical systems against the many exploits that can be leveraged against them.
I welcome your suggestions of alternate cyber disaster events. I think there are a lot of them to choose from. This is just one of many, which is a bit disconcerting in and of itself.
I just tackled the terms because they rankle me so much.
As far as the debate is concerned, I would agree with you, the debate should be about core issues. For example, the Cyber Audit Guidelines, of which I should have a belated article up today, are a good way to handle some of these issues, but they still don’t solve who’s in charge.
In terms of the scenario, I guess my main criticism is that of likelihood. Your scenario seems forced. Of course, as we all know, the advantage attackers have on the Internet is to take the smallest vulnerability and turn it into a major attack. So I’m definitely not arguing that the scenario is impossible. It just seems so, well, Die Hard 2012-ish.
Possible other ideas regarding non-malicious cyber events could be BGP cascade issues, mass poisoning of DNS a la Kaminsky, an aggressive worm attack that overwhelms a fragile protocol (SCADA-related perhaps), and many others.
OK, you’ve discovered my ulterior motive, Rob. I’m positioning myself for a multi-million dollar movie rights deal for the book (a la Die Hard 2012).
I do like your alternate attack vectors though. Perhaps the thing to do is provide a few different scenarios as options. May I follow up with you via email at a later date?
While I am with Rob Lemos on the terminology I agree that that is not the main issue.
To make your scenario fit a more war-like definition you may want to include some sort of follow-up. Just causing havoc with our power grid and civil unrest is a worthless objective of a strike unless you happen to be engaging in terrorist activity. So, throw in China taking advantage of the disruption caused by this cyber attack and annexing Taiwan during this episode and you will have something that most people will agree is “cyber war.”
Thanks, Stiennon, but I’m thinking you might have missed the part about loss of life numbering in five to six figures?
The explicit purpose of Cyber warfare from the Chinese perspective is to defeat an enemy without firing a shot. I would think this would qualify as a significant attack from that or any point of view. Do you think differently?
Certainly agree that defeating the enemy without firing a shot would be the ultimate execution of a cyber war.
I saw the loss of life in your scenario but no tie in to a larger purpose. Terrorists are interested in causing havoc and loss of life as an end. A cyber war would cause havoc and loss of life in pursuit of some other target, such as invasion, or conquest.
I would question that many deaths due to radiation. There are not that many employees at nuclear power plants that would be exposed. Maybe riots, cold, and disease, but I doubt that too.
Excellent post.
If you haven’t already, you may want to think about multiple diverse vectors with a coordinated time-on-target (with multiple targets) on multiple SCADAs, food supply terrorism or disruption, etc.
Thanks for some great suggestions, everyone. I’ll definitely work as many of them as I can into the final copy of the book.
I realize the memo is a fictionalized work, but the details might be a little unrealistic. My fiancée is a nuclear regulator so I’ve spent some time with that crowd. Generally speaking, the nuclear C&C networks are air-gapped from other networks. Additionally, the reactors are VERY old (though many are new in the queue) so they aren’t as computer driven as one might believe. The more realistic attack vectors are wireless and adjacent systems. Wireless is especially prevalent because to put a hole in the wall of a nuclear facility requires a special permit. Therefore, they throw up wireless — all over the place. As to adjacent systems, you could conceivably trick a SCADA system (monitoring the grid) into believing there is a surge in the grid, or not enough power, causing a surge. The core as a direct target has been well hardened. The more realistic vector is by aligning several indirect attacks.
Thanks for your feedback, Matthew. I’ll incorporate it for future versions of this scenario.