Inside a government computer attack exercise

Forget, for the moment, about computer whiz kids who download copyrighted music for free.

Forget, too, about sophisticated hackers who can steal identities.

Focus instead on the next wave of potential computer miscreants – criminals who can penetrate corporate computer systems to turn valves, start pumps or surge power at factories or electrical plants. They might even be able to hit chemical facilities.

Those folks are on the minds of the researchers at the Idaho National Laboratory, where the federal government regularly trains industry leaders on how to protect critical infrastructure from cyberattacks.

In the not-so-distant past, instructors here say, security officials relied on the “3 Gs” – guns, gates and guards – to protect infrastructure from intrusions. But increasingly mechanical systems inside those gates are being linked to computers and controlled via networks and cyberspace.

That has left industrial control systems vulnerable to attack.

CNN: Hackers take aim at real-world targets

To demonstrate the vulnerability, the Department of Homeland Security and Idaho National Laboratory in Idaho Falls recently showed reporters a cyberattack on a mock-up of a chemical facility.

In the exercise, a small group of “Red Team” attackers staged an assault on the chemical plant. A larger group of “Blue Team” defenders sought to protect that mock-up building, which was constructed of barrel-size containers of water connected by pipes and pumps such as those found in chemical plants.

The exercise used concepts that are relevant in the real world.

Among them:

Exploiting corporate trust

The Red Team attackers, looking for access to the computer network, don’t look for direct access to the control systems they covet. They know the vulnerability is elsewhere – most likely in the executive offices of the fictitious chemical company.

Executives frequently have access to internal computers networks, so they’ll have timely access to information about productivity, output and information important to the market.

They also frequently have access, perhaps indirectly, to networks that link to control systems. Assailants know they can “exploit the trust relationship.”

Getting a toehold into a system

In the Idaho exercise, Red Team members get a toehold by phishing, a tactic also used by hackers to steal financial or other information. They send an e-mail that appears to be from a friend or a legitimate organization to a representative, which contains malicious software and which opens a link between the sender’s computer and the corporate computer.

Subverting a system’s security

Having established a toehold on the chemical company’s computer, the Red Team discovers a surveillance camera in the chemical plant’s control room. The camera, intended to safeguard the chemical plant, can now be turned against it. The Red Team can use the camera to observe the plant’s staffing levels or zoom in on control panels and mechanical devices, gathering information that will help them in their attack. And once the attack is launched, they can each watch their opponent’s response.

The ‘man in the middle’

In sophisticated attacks, the Red Team can even insert itself between the machine and the machine’s operator. The team can control the amount of water through a pump, while indicating to the machine’s operator that everything remains normal.

Red Team-Blue Team exercises typically last between eight to 12 hours, and are followed by a “hot wash” in which a “White Team” analyzes the attack and reviews ways to prevent attacks and respond to them.

Fears of online intrusions on industrial control systems are not theoretical.

In a then-classified 2007 demonstration at Idaho, experimenters using computer inputs altered a large electric power generator, causing it to self-destruct. The experiment, known as “Aurora,” was the first demonstration that attackers could not only turn a mechanical device on or off but could destroy it.

Then in 2010, a computer worm known as Stuxnet was discovered after it spread indiscriminately but is believed to have targeted equipment used by Iran to enrich uranium. The source of the worm has not been identified.

Department of Homeland Security officials say attacks on industrial systems are occurring.

Attackers are “kicking on the doors” of industrial systems, said Greg Schaffer, acting deputy under secretary of the department’s National Protection and Programs Directorate.