Tuesday, September 28, 2010

Serious as a Brain Attack

Recent government and news reports have highlighted the vulnerability associated with our increasingly interconnected world. Hackers have been around since the dawn of Donkey Kong®, but the sophistication of today’s complex information technology systems and the vital organisms they control have escalated their importance and the difficulty of protecting them. The distribution systems that support our grid are the circulatory system for the source of the nation’s vitality. These new threats are serious as a heart attack and just as potentially fatal. More appropriately, they are like a blood clot in the brain because they attack the intelligent aspect of grid management and could affect us at any time. Today, the DoD has no control over the prophylactic measures required to secure its energy sources. Those responsibilities lie with the local utilities, and DoD is at their mercy.

The Department of Energy and Idaho National Laboratory published a May 2010 report entitled “NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses”. The purpose of the report was to identify “vulnerabilities that could put critical infrastructure at risk to cyber-attack”. Specifically, they examined critical energy infrastructure throughout the U.S. They found a system riddled with application and operating system exposures, Web services accessibilities and unsecured Industrial Control Systems (ICS) protocols. The utilities are working on the vulnerabilities, but our installations are vulnerable because they are dependent on those utilities to deliver the power necessary for mission accomplishment.

The next item, found in the 23 Sep Navy Times, quotes VADM Barry McCullough’s comments to a House Armed Services Committee query on “cyber warfare”. When asked by Rep. James Langevin, D-R.I., about the vulnerability of the U.S. grid, the Admiral, who is commander of the 10th Fleet, responded, “These systems you discuss are very vulnerable to attack. Do we have a plan for an alternative power source, water source? A lot of this is single-source into a base, and if you take that away, while you have some limited backup power generation, it’s very limited for things such as water, sewer and so forth.” The 10th Fleet was born out of the anti-submarine warfare community and, appropriately, is responsible for the Navy’s defense against this century’s “silent service”, cyber-attacks. The strategic vulnerability that Rep. Langevin asked about manifests itself tactically in the ability to disable the long-term power projection capabilities of our military installations. If you can’t control it, you can’t defend it.

Finally, David Sanger reported in the New York Times on 25 Sep that Iran is gravely concerned about the presence of a malware worm called Stuxnet in the supervisory control and data acquisition (SCADA) systems associated with their nuclear facilities, including Natanz. A worm is a self-replicating malware computer program. This piece of software, “Stuxnet, which was first publicly identified several months ago, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target — the infection has also been reported in Indonesia, Pakistan, India and elsewhere — a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.” In a security-conscious (some might say paranoid) country like Iran, in as sensitive a facility as a nuclear material production plant which has been under intense scrutiny by the West, one would think that securing the SCADA systems would be job one. It probably has been, yet the presence of this bit of code in these particular mechanisms is evidence of the vulnerability of all IT systems.

Richard Clarke, in his book Cyber War: The Next Threat to National Security and What To Do About It, describes cyber war as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption." Attacks on our grid may be perpetrated by state actors or non-state actors; either way, DoD installations must have the resilience to absorb such attacks and continue to execute their mission. They must continue to be power projection platforms when the power is out. We can build all the solar, wind, geothermal, etc., power generation systems inside our gates, guns and guards, but we must be able to secure those systems against malicious acts and acts of war. The smart microgrids under consideration by DoD as part of the joint capabilities technology demonstration "Smart Power Infrastructure Demonstration for Energy Reliability and Security" (SPIDERS) must have cyber security as their foundation, not as an add-on. SPIDERS needs the full support of DoD because the threat is real and current. A seven to ten year development and acquisition cycle is too long. DoD is vulnerable now. They must protect their ability to project power by protecting the power necessary to meet this vital mission.

1 comment:

hemcoined said...

More appropriately, they are like a blood clot in the brain because they attack the intelligent aspect of grid management and could affect us at any time. I agree with it.