October 17th, 2011
10:28 AM ET

Inside a government computer attack exercise

By CNN's Mike M. Ahlers

Forget, for the moment, about computer whiz kids who download copyrighted music for free.

Forget, too, about sophisticated hackers who can steal identities.

Focus instead on the next wave of potential computer miscreants - criminals who can penetrate corporate computer systems to turn valves, start pumps or surge power at factories or electrical plants. They might even be able to hit chemical facilities.

Those folks are on the minds of the researchers at the Idaho National Laboratory, where the federal government regularly trains industry leaders on how to protect critical infrastructure from cyberattacks.

In the not-so-distant past, instructors here say, security officials relied on the "3 Gs" - guns, gates and guards - to protect infrastructure from intrusions. But increasingly, the mechanical systems inside those gates are being linked to computers and controlled via networks and cyberspace.

That has left industrial control systems vulnerable to attack.

To demonstrate the vulnerability, the Department of Homeland Security and Idaho National Laboratory in Idaho Falls recently showed reporters a cyberattack on a mock-up of a chemical facility.

In the exercise, a small group of "Red Team" attackers staged an assault on the chemical plant. A larger group of "Blue Team" defenders sought to protect that mock-up building, which was constructed of barrel-size containers of water connected by pipes and pumps such as those found in chemical plants.

The exercise used concepts that are relevant in the real world.

Among them:

Exploiting corporate trust

The Red Team attackers, looking for access to the computer network, don't look for direct access to the control systems they covet. They know the vulnerability is elsewhere - most likely in the executive offices of the fictitious chemical company.

Executives frequently have access to internal computer networks, so they'll have timely access to information about productivity, output and other information important to the market.

They also frequently have access, perhaps indirectly, to networks that link to control systems. Assailants know they can "exploit the trust relationship."

Getting a toehold into a system

In the Idaho exercise, Red Team members get a toehold by phishing, a tactic also used by hackers to steal financial or other information. They send a company representative an e-mail that appears to be from a friend or a legitimate organization; it contains malicious software that opens a link between the sender's computer and the corporate computer.

Subverting a system's security

Having established a toehold on the chemical company's computer, the Red Team discovers a surveillance camera in the chemical plant's control room. The camera, intended to safeguard the chemical plant, can now be turned against it. The Red Team can use the camera to observe the plant's staffing levels or zoom in on control panels and mechanical devices, gathering information that will help them in their attack. And once the attack is launched, they can watch their opponents' response.

The 'man in the middle'

In sophisticated attacks, the Red Team can even insert itself between the machine and the machine's operator. The team can control the amount of water flowing through a pump while indicating to the machine's operator that everything remains normal.
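The "man in the middle" described above works because the operator's console and the actual process are two separate things, and the attacker only has to keep the console looking normal. The following is an added illustration, not part of the CNN article or the Idaho exercise: a toy tank-and-pump model with constructed telemetry, where a check that inspects only the console's own data stream passes during the spoof, while a check against an independent measurement (assumed here to be a second level sensor wired outside the attacked network path) catches it.

```python
"""Constructed example: detecting a spoofed operator view of a pumped tank.

The operator console (HMI) shows a pump command and a tank level. An attacker
sitting between controller and console can run the pump while replaying
readings that look normal. A check that only inspects the console's own data
stream cannot see this; a check against an independent measurement (assumed:
a second level sensor on a separate path) can. All values are made up.
"""
from dataclasses import dataclass

INFLOW_PER_TICK = 1.5   # net level rise per tick while the pump runs (assumed model)
DRAIN_PER_TICK = 0.5    # level drop per tick through the drain (assumed model)
TOLERANCE = 0.5         # allowed disagreement before an alert is raised


@dataclass(frozen=True)
class Sample:
    t: int
    pump_cmd: str        # "ON"/"OFF": the command the operator believes is in effect
    level_hmi: float     # tank level as displayed on the operator console
    level_indep: float   # tank level from the out-of-band sensor


def expected_level(prev_level: float, pump_on: bool) -> float:
    """Simple physics-style prediction of the next level from the previous one."""
    delta = INFLOW_PER_TICK if pump_on else -DRAIN_PER_TICK
    return max(0.0, prev_level + delta)


def hmi_only_plausible(samples, tol=TOLERANCE) -> bool:
    """Check the console stream against itself (command vs displayed level).
    A replay that is internally consistent passes this check unnoticed."""
    for prev, cur in zip(samples, samples[1:]):
        pred = expected_level(prev.level_hmi, cur.pump_cmd == "ON")
        if abs(cur.level_hmi - pred) > tol:
            return False
    return True


def check_telemetry(samples, tol=TOLERANCE):
    """Cross-check the console view against the independent sensor.
    Returns a list of (tick, reason) alerts."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        # 1. Both measurement paths should agree on the current level.
        if abs(cur.level_hmi - cur.level_indep) > tol:
            alerts.append((cur.t, "hmi_vs_independent_mismatch"))
        # 2. The independent level should move the way the operator's command predicts.
        pred = expected_level(prev.level_indep, cur.pump_cmd == "ON")
        if abs(cur.level_indep - pred) > tol:
            alerts.append((cur.t, "process_inconsistent_with_command"))
    return alerts


# Constructed telemetry: ticks 0-3 are honest. From tick 4 the operator has
# commanded the pump OFF, but it is really running, and the console is fed
# readings that stay consistent with OFF.
SAMPLES = [
    Sample(0, "ON", 10.0, 10.0),
    Sample(1, "ON", 11.5, 11.5),
    Sample(2, "OFF", 11.0, 11.0),
    Sample(3, "OFF", 10.5, 10.5),
    Sample(4, "OFF", 10.0, 12.0),
    Sample(5, "OFF", 9.5, 13.5),
    Sample(6, "OFF", 9.0, 15.0),
]


def flagged_ticks(samples=SAMPLES):
    """Ticks at which at least one cross-check fired."""
    return sorted({t for t, _ in check_telemetry(samples)})


if __name__ == "__main__":
    print("console-only check passes:", hmi_only_plausible(SAMPLES))
    for alert in check_telemetry(SAMPLES):
        print(alert)
```

The design point is that plausibility checks run over the same stream the attacker controls add nothing; the value comes from a measurement path the attacker does not sit on, or from a process invariant (here, level versus commanded pump state) computed from that path.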

Red Team-Blue Team exercises typically last between eight and 12 hours, and are followed by a "hot wash" in which a "White Team" analyzes the attack and reviews ways to prevent attacks and respond to them.

Fears of online intrusions on industrial control systems are not theoretical.

In a then-classified 2007 demonstration at Idaho, experimenters using computer inputs altered a large electric power generator, causing it to self-destruct. The experiment, known as "Aurora," was the first demonstration that attackers could not only turn a mechanical device on or off but could destroy it.

Then in 2010, a computer worm known as Stuxnet was discovered after it spread indiscriminately but is believed to have targeted equipment used by Iran to enrich uranium. The source of the worm has not been identified.

Department of Homeland Security officials say attacks on industrial systems are occurring.

Attackers are "kicking on the doors" of industrial systems, said Greg Schaffer, acting deputy under secretary of the department's National Protection and Programs Directorate.

soundoff (11 Responses)
  1. Dreamer96

    What?? They sent a Java script file in an email, or pulled a picture off another site that was embedded with an executable program, or a video clip that was more than a video clip....

    Any email contains the original sender's email address and every handler of that email along the route to you...Yes these can be faked...They can also be checked against a local database of known friends' email addresses, only those addresses already known are allowed in..You can also send a pre-email notice that someone is about to send an email, or will be sending an email, this notice is forced to take a different route...If you do not have this notice..then the email is fake, or you can check with the sender's computer and see if they really sent you this email....

    You can setup your internet firewall to only allow contact with pre-determined internet addresses...no roaming the internet...If a message going into or out of the list of addresses tries to pass through the firewall...you flag it...and block it, maybe scan it..

    The real problem is everyone sets up their network from off the shelf equipment and software, but does not finish the job and setup the trusted sites and trusted computer port access controls needed...and too many use Java and other browser addons like video players and have no idea what the program is really doing...If the system is Microsoft based, do they even monitor the access to the operating system registry, is an unknown program trying to enter or alter the registry, or do the users even purge their internet browser temporary internet files and cookies....or do they monitor the list of active processes running, or monitor the open computer internet ports and who they are talking to....

    This attack started by having the computer user open an email that triggered a Java script program to call out to another computer over the internet, or just request a picture file off some server, this triggered the upload of a dangerous program...so right there you see the firewall is letting any computer on the inside computer local network contact anyone outside on the internet without any idea who they are...bad security right there..Is the internet address a known bad site address, what country is it in...Iran?

    Anyway this demo shows people don't know how to tighten up access....If you lock your front door but leave the windows and backdoor unlocked, then the bad guys will get in, if they come knocking when you're there or gone...

    October 22, 2011 at 9:03 am | Reply
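The comment above argues that a plant network should only be able to reach a fixed list of outside addresses, and that any other outbound connection should be flagged and blocked. The following is an added illustration of that egress-allowlist policy, not code from the commenter or from CNN: it parses constructed firewall log lines in an invented format and reports the flows that fall outside the allowlist. The addresses, ports and the allowlist itself are made up (the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 ranges are documentation-reserved, not real sites).

```python
"""Constructed example: flagging outbound connections that leave an allowlist.

Log line shape assumed for this example (not any vendor's real format):
    "<time> OUT src=<ip> dst=<ip> dport=<port>"
"""
import ipaddress
import re
from typing import NamedTuple

LINE_RE = re.compile(
    r"^(?P<time>\S+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


class Flow(NamedTuple):
    time: str
    src: str
    dst: str
    dport: int


# Destinations the plant network is allowed to reach (constructed policy):
# a vendor update range over HTTPS only, and one corporate mail relay.
ALLOWED_DESTINATIONS = [
    (ipaddress.ip_network("198.51.100.0/24"), {443}),
    (ipaddress.ip_network("203.0.113.25/32"), {25, 587}),
]


def parse_line(line: str):
    """Return a Flow for a well-formed line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["time"], m["src"], m["dst"], int(m["dport"]))


def is_allowed(flow: Flow) -> bool:
    """A flow is allowed only if its destination address AND port are on the allowlist."""
    try:
        dst = ipaddress.ip_address(flow.dst)
    except ValueError:
        return False  # unparsable destination: never silently allow it
    return any(dst in net and flow.dport in ports for net, ports in ALLOWED_DESTINATIONS)


def flag_egress(lines):
    """Return (flows to block and investigate, count of lines that could not be parsed)."""
    flagged, unparsed = [], 0
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            unparsed += 1
            continue
        if not is_allowed(flow):
            flagged.append(flow)
    return flagged, unparsed


# Constructed firewall log: two allowed flows, one wrong port, one unknown
# destination, and one malformed line.
SAMPLE_LOG = [
    "12:00:01 OUT src=10.0.5.23 dst=198.51.100.7 dport=443",
    "12:00:04 OUT src=10.0.5.23 dst=203.0.113.25 dport=587",
    "12:00:09 OUT src=10.0.5.41 dst=198.51.100.7 dport=8080",
    "12:00:12 OUT src=10.0.5.23 dst=192.0.2.77 dport=443",
    "this line is not a firewall record",
]


if __name__ == "__main__":
    flows, bad = flag_egress(SAMPLE_LOG)
    for f in flows:
        print(f"FLAG {f.time} {f.src} -> {f.dst}:{f.dport}")
    print(f"{bad} unparseable line(s)")
```

The allowlist is keyed on destination and port together, so a permitted host reached on an unexpected port is still flagged, and malformed lines are counted rather than dropped, since a parser that quietly skips what it cannot read is itself a gap in the monitoring.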
  2. Chris

    Why don't these types of SCADA systems have an air gap? The companies that designed/developed and installed them should be held responsible for providing a sub-standard product. Remediation should include a redesigned system that doesn't connect to the "public" Internet. It's not like there were no threats during the "early days" of the Internet...the system developers ought to have known about them.

    October 19, 2011 at 3:43 pm | Reply
    • gelbkreuz

      That is true. I've always thought that kind of hardware is disconnected. It could only be reliably attacked via 'road apple' or another physical means.

      October 24, 2011 at 10:10 am | Reply
  3. od

    backtrack linux is a very fine distro indeed 😉

    October 18, 2011 at 7:33 am | Reply
  4. Brigette

    Either they don't proofread anymore, or the proofreaders can't spell either.

    October 17, 2011 at 6:44 pm | Reply
    • rehyn

      What do you mean, "proofread"?

      October 22, 2011 at 8:37 am | Reply
  5. English Teacher

    "Excercise"? It's "exercise"!

    October 17, 2011 at 4:11 pm | Reply
    • kristy

      i really do agree with you guys...they do need to proofread or w.e(:

      October 24, 2011 at 3:39 pm | Reply
  6. kristy

    omg!!!! this is crazy....i think imma do my current event on this in chemistry...this is crazy...i mean i knew people did this....but wow....hahaha.

    October 17, 2011 at 3:58 pm | Reply
    • kristy

      i didn't mean to sound weird...but this is very interesting....i love to learn about crazy things. lol :3

      October 17, 2011 at 3:59 pm | Reply
