Foreign Policy Research Institute

Testimony of Stephen Gale, Ph.D. before the Commonwealth of Pennsylvania, House of Representatives, Veterans Affairs & Emergency Preparedness Committee

  • Stephen Gale
  • September 14, 2003
  • Center for the Study of Terrorism

Mr. Chairman, distinguished members of the Committee, my name is Stephen Gale and I am co-chair of the Center on Terrorism, Counter-Terrorism, and Homeland Security at the Foreign Policy Research Institute in Philadelphia. I am also a professor at the University of Pennsylvania, where I have been teaching and doing research on terrorism and counter-terrorism for over twenty years. I thank the Committee for inviting me to testify this morning.

In my testimony, articles, and interviews over the past couple of years, I have tried to make my point about the seriousness with which we need to take the prospects of future terrorist attacks by outlining what I have come to call “a bunch of scary scenarios.” Drawing largely from open source materials and the inventive work of my colleagues at the Foreign Policy Research Institute’s Center on Terrorism, Counter-Terrorism, and Homeland Security, I have outlined the variety of terrorist actions that I not only believe are feasible, but which can have direct and devastating effects on the Commonwealth and the US. Although a number of these scenarios focus specifically on purely private sector operations, the bulk are aimed at the vulnerabilities in our national “commons” — the collection of mixed public/private sector concerns that we often call Public Utilities.

For the record, I will simply recount three key examples. Please keep in mind that they are intended only to be illustrative and are restricted to those cases where the US has found information indicating that groups such as al Qaeda are already aware of the vulnerabilities. (It hardly seems to be appropriate to use the presentation of testimony as a spur to terrorist planning.)

  • Attacks on one or another component of the electric grid are not only feasible — plans for attacking several of our key facilities were found in terrorist training camps and safe houses — but are likely to have the most directly damaging effects to the US. All of what we call modern society is directly dependent on the availability of electricity and any attack that would affect the ability of the Commonwealth’s — and the nation’s — electric utilities to provide power for, say, a month or so, would likely result in such significant chaos that the prospects for organizing repairs would depend more on domestic military actions than police operations. And keep in mind that, while it is still unclear what ultimately caused the blackout in the Northeast last month, terrorist groups were, in fact, learning from the ways in which we responded to the crisis.
  • The nation’s water supply is provided by over 50,000 public, private, and joint public-private organizations plus an extensive number of independent sources such as private wells. Varying patterns of ownership of the sources of water, the distribution mechanisms, and the treatment facilities make it difficult to enumerate the vulnerabilities in any systematic way — a difficulty compounded by the relative openness of the transportation and computing systems that support the operation of these facilities. As with the electric grid, attacks on the Commonwealth’s water utilities could easily result in short-term disruptions that lead to longer-term chaos.
  • With the increased dependency on large-scale enterprise systems (such as those provided by SAP), the nation’s transportation and communications systems are now integral parts of the supply chain that we use to support our personal and business lives. For example, given the move to just-in-time inventory systems, the typical supermarket now only has sufficient inventory for about thirty-six hours of operations. Industrial operations are, if anything, far more dependent on the viability and dependability of the transportation and communications systems since, in many cases, businesses have no inventories and no nearby warehousing.

The short of it is quite clear: the Commonwealth’s — and the nation’s — utilities are highly vulnerable to terrorist attacks and even modest actions can cause severe disruptions to the economy and society. What is of far greater importance to this Committee, I believe, is our failure to take active steps in the past two years to provide even a modicum of security for these facilities.

Rather than resort once again to motivating my argument by describing a series of “scary scenarios” that outline the gaps in the security systems currently employed at many of the Commonwealth’s utilities, I will try to give you an idea of what kinds of steps I believe we now need to take in order to achieve acceptable levels of security that can be readily aligned with national standards and priorities. As I have learned, scary stories do little more than provide the kind of momentary media exposure that titillates and is quickly forgotten. What is needed, I believe, is a kind of “Red Team Effort” that can provide the Commonwealth with a well-grounded appreciation of the goals, strategies, and tactics of terrorist groups, their priorities in using the types of leverage that can successfully disrupt and cripple the US economy and society, and the methods that we can employ to identify the priority “counter-leverage” points that can result in effective and efficient investments in security.

To illustrate my point, I will outline the results of one of the projects that my colleagues and I have been working on under the Commonwealth’s funding for the Center. In particular, FPRI’s approach to its research on terrorism, counter-terrorism, and homeland security is based on a four step analysis process:

  1. Using available reports on the objectives, capabilities, and training of terrorist groups together with detailed information on the operational requirements for the nation’s utilities, we have identified the range of potential vulnerabilities and their expected priority as targets of terrorist actions.
  2. For each of the identified vulnerabilities, we then identified the types of security measures that are available to secure the system. Based on a thorough operational and financial review of the costs and benefits of the options using methods developed by the Center’s research group, we then determined which of the potential security measures provided the highest level of effectiveness and efficiency. (Think of it as a method for determining how to get the best bang from the security buck.)
  3. Based on our analysis of the vulnerabilities and recommended security measures, we then worked with selected utilities and one or more firms capable of providing the security solution to produce an operational demonstration project that serves as a working model.
  4. Finally, we prepared what we call a “technology transfer proposal” — an outline of the steps that are needed to move the recommendations from working model to practice.

In order to make this general outline more concrete, I will briefly summarize our work on a project directly related to the electronic security of the Commonwealth’s utilities.

At the outset, it must be kept in mind that attacks on specific assets, as horrific as they may be, are in fact interchangeable from the perspective of terrorist groups that seek to disrupt the US. Protecting the electrical grid from a devastating attack, for example, is not a risk management problem for the electric utility industry alone — after all, the coal that fires many of the Commonwealth’s generators is shipped by rail. Clearly, the utilities and independent system operators would be involved in the design and implementation of the protective measures but, from the perspective of the management of risks associated with terrorism, security must be viewed as protection for systems not facilities. Similarly, managing the risks to water purification, water distribution, and wastewater disposal systems is not solely a problem for the municipal authorities and investor-owned utility companies. Pure water is essential not only for residential drinking, washing, and cooking, but for almost every conceivable manufacturing process. Water is unquestionably at the core of both our ability to sustain life and our way of life. Other utilities, those that form and support the “commons” of our society — including our rail networks, airways, and communications networks — also present the same issues and require similar solutions but, for our purposes today, I will concentrate only on securing our water systems.

In effect, I believe that we must recognize that, although government agencies, private companies, and even individuals may own one or more of the components that collectively make up the Commonwealth’s utility systems (or regulate them), the management of the risks to the system must ultimately account for both the value of these “common” assets to the owners as well as the society as a whole.

Supervisory Control and Data Acquisition networks (SCADA, pronounced “skay-da”) are the systems of sensors, computers, controllers, and communications networks that are used to monitor and control industrial and transportation processes ranging from the purification and distribution of our drinking water to maintaining the balance of the loads on the electric grid to ensuring the quality of chemical and pharmaceutical production to communicating switching information for transportation systems. Typically, these systems employ programmable logic controllers, electronic communications networks, and host computers. In addition, many SCADA systems have been connected to the Internet as a means of facilitating remote monitoring and control. In effect, SCADA network technologies support much of what we have come to regard as the Commonwealth’s and the nation’s critical infrastructure.

SCADA networks have been in use for more than twenty years and are based on the use of a wide variety of technologies ranging from simple data capture and switch sensors to sophisticated logic controllers, digital computers, and communications networks. Because of the age, widespread distribution, obscurity of hardware and software, and simplicity of some parts of these networks, in the past it has often been assumed that extensive (and possibly expensive) investments in network security are unwarranted.

The evidence of the risk to SCADA systems is also clear. In a report issued last month (GAO-03-121: Protecting Information Systems), the General Accounting Office stated that there have been threats — as well as actual attacks — aimed at disrupting the SCADA-based information systems supporting our critical infrastructure. The report also indicated that the threats are increasing and that failure to protect these information systems could lead to serious “consequences for national security, national economic security, and national public health and safety.” [1]

As I have argued many times in the past, an enemy wishing to undermine the US economy could easily choose to do so by targeting our utility systems. Conventional attacks on our water systems, for example, might be difficult to stage and, even if implemented, would likely have very limited impact given the distributed nature of the systems and the attention to physical security paid by system owners and operators. (Note that this is probably not the case for the systems that support the water supply for such cities as Los Angeles.) As demonstrated by the recent Northeast blackout, however, utilities such as the electric grid are not invulnerable to disruption. For terrorists, however, the objective would not require the physical destruction of any facility. The true target need only be our confidence in the safety and reliability of the utility, regardless of whether its product is electricity or water. In fact, cyber-attacks aimed at our utility control systems have already been launched from overseas, and training for such attacks is part of what we have found in the al Qaeda documents in Afghanistan.

Certainly, attacks aimed solely at compromising SCADA systems are unlikely, though not unheard of. [2] However, the threat of a combined attack — in which the SCADA system is one component of a larger system — is both likely and more troubling. [3] And a physical attack, coupled with compromises of the SCADA systems, would result not only in the corruption of the data which supports the accuracy of the systems but potentially massive disruptions in their quality and safety.

While it is possible to “wiretap” a SCADA sensor, it is far harder to prevent and detect those attacks that use the network interconnections that permit remote logging and control. More and more, these systems rely on standard Internet connectivity. SCADA systems, however, do not typically include robust information security as a designed-in feature, and are thus vulnerable both to hackers and terrorists. In the past, these systems have also been notoriously difficult to retrofit with effective and efficient security measures.

Working with two private-sector partners, Promia and Unlimited Software Associates, FPRI has developed a robust security solution for the vulnerabilities associated with SCADA networks that meets our criteria for implementation: it is both effective and efficient; it is simple to install, use, and service; and it is inexpensive. In short, it is a technology solution to safeguard the systems that control our utility and production facilities.

Briefly, the solution involves the installation of an electronic card that provides several levels of security without any change in the underlying SCADA networks into which they are installed. These cards simply prevent outsiders from even seeing that the SCADA network exists. (Note that this is also a good example of the value of transferring federal standards and procedures to state and local governments and the private sector: the technologies are based on a form of protection developed for the US Navy, but retooled into an unclassified version with a simpler set of procedures.)

In effect, if a cyber-terrorist were to tap into a network protected by these devices, the intruder would see only encrypted information, carried on thousands of constantly changing channels, interspersed with a great deal of “fake” information generated by the devices themselves.

To disclose more in this forum would be to run a risk of reducing the effectiveness of our solution. Let us simply say that installation of these cards is a good example of the types of expensive investments in effective cyber-terrorism protection for our utilities and industries.

As I am sure that many of you recognize, the process that we used in this example is very similar to the procedures that are employed in the venture capital industry — and for very good reasons. At least in terms of the kinds of analyses required and the standards for assessing the potential value of alternative investments, venture capitalists face many of the same problems that we now need to deal with in providing security for the Commonwealth’s utility systems. Does the technology work and does it provide an effective operational solution to a market need? Of all the possible solutions, which one (or ones — alone or in combination) offer the highest levels of return given the level of investment (cost) required? What type of evidence is needed to demonstrate the value of the solution to the market? And, finally, what kinds of relationships need to be developed in order to produce, market, and service the solution?

Perhaps the sole unique quality of this procedure when used in the context of identifying the effectiveness and efficiency of security solutions is in the determination of the benefits. Unlike traditional venture capital situations, the overall benefits associated with specific investments in homeland security typically must be measured in terms that are far broader than the relative assessment of the value of the solution to those that make (or authorize) the expenditures. The owners of electricity generating facilities, transmission lines, and the ISOs (the Independent Service Operators that provide for the coordination and load balancing of the grid) benefit to the extent that the corporations can remain operational and can continue to sell their services. (Indeed, in those cases where there is a failure, the utility is generally insured against financial losses.) And much the same reasoning also applies to virtually all other types of utilities. However, from the perspective of the citizens of the Commonwealth — and the nation — the operation of each utility (taken as a stand-alone business unit or facility) is of far less consequence — and, therefore, value — than is the value of the system as a whole. In this regard, the problem — and the possible security solutions — must be analyzed in terms of the benefits accruing to the operation of the entire system. In effect, the assessment of the value of security investments for the Commonwealth’s utilities must be based on the determination of both the costs associated with each component of the system and the benefits derived from the continued operation of the system as a whole. As with analyses of environmental problems, security solutions must account for the costs and benefits to the society and not simply specific organizations or corporations.

As matters now stand, it seems as if the attacks of September 11, 2001 did not make much of an impact on American society. Yes, to some extent we are far more conscious of the threat of terrorism. And yes we have seen a few examples of just what an even partially successful attack can realize in terms of loss of life and physical destruction. But the “message” on September 11th was not simply that there is a threat to the nation’s airlines, buildings, and their occupants. The target, in fact, was not American lives — it was the American way of life.

In order to successfully counter the threat of terrorism, it is not enough — it is nowhere near enough — to provide superficial security measures aimed at preventing a repeat of the attacks on September 11, 2001. Al Qaeda’s goal is to defeat America in order to ensure that the US is not capable of interfering with its plans to recreate and institute a religiously pure Islamic Caliphate. For several domestic terrorist organizations, the objective is similar: to disrupt the US economy and, thereby, permit the recreation of an America circa 1840. To achieve these objectives, the tactical and strategic targets are unlikely to be individuals, buildings, or airplanes. Rather, the targets will more likely be the Commonwealth’s — and the nation’s — utilities. Protecting our utilities will, in turn, require far more than uncoordinated investments in security. And to do this requires that we — whether as individuals, corporations, citizens, or political leaders — recognize that the only workable model of security investment depends on our ability to leave the promise of “business as usual” to the future and initiate new standards and procedures that allow us to make timely security investments that respond to the message of September 11th that there can be “no more business as usual” until we can truly deal with the threat of terrorism as part of our day-to-day lives.

Notes

  1. https://www.gao.gov/pas/2003/d03121.pdf
  2. https://www.theage.com.au/articles/2003/06/21/1056119529509.html
  3. https://www.giac.org/practical/GSEC/Michael_Ratledge_GSEC.pdf