Mr. Chairman, distinguished members of the Committee, my name is Stephen Gale and I am co-chair of the Center on Terrorism, Counter-Terrorism, and Homeland Security at the Foreign Policy Research Institute in Philadelphia. I am also a professor at the University of Pennsylvania, where I have been teaching and doing research on terrorism and counter-terrorism for over twenty years. I thank the Committee for inviting me to testify this morning.
In my testimony, articles, and interviews over the past couple of years, I have tried to make my point about the seriousness with which we need to take the prospects of future terrorist attacks by outlining what I have come to call “a bunch of scary scenarios.” Drawing largely from open source materials and the inventive work of my colleagues at the Foreign Policy Research Institute’s Center on Terrorism, Counter-Terrorism, and Homeland Security, I have outlined the variety of terrorist actions that I not only believe are feasible, but which can have direct and devastating effects on the Commonwealth and the US. Although a number of these scenarios focus specifically on purely private sector operations, the bulk are aimed at the vulnerabilities in our national “commons” — the collection of mixed public/private sector concerns that we often call Public Utilities.
For the record, I will simply recount three key examples. Please keep in mind that they are intended only to be illustrative and are restricted to those cases where the US has found information indicating that groups such as al Qaeda are already aware of the vulnerabilities. (It hardly seems to be appropriate to use the presentation of testimony as a spur to terrorist planning.)
The short of it is quite clear: the Commonwealth’s — and the nation’s — utilities are highly vulnerable to terrorist attacks and even modest actions can cause severe disruptions to the economy and society. What is of far greater importance to this Committee, I believe, is our failure to take active steps in the past two years to provide even a modicum of security for these facilities.
Rather than resort once again to motivating my argument by describing a series of “scary scenarios” that outline the gaps in the security systems currently employed at many of the Commonwealth’s utilities, I will try to give you an idea of what kinds of steps I believe we now need to take in order to achieve acceptable levels of security that can be readily aligned with national standards and priorities. As I have learned, scary stories do little more than provide the kind of momentary media exposure that titillates and is quickly forgotten. What is needed, I believe, is a kind of “Red Team Effort” that can provide the Commonwealth with a well-grounded appreciation of the goals, strategies, and tactics of terrorist groups, their priorities in using the types of leverage that can successfully disrupt and cripple the US economy and society, and the methods that we can employ to identify the priority “counter-leverage” points that can result in effective and efficient investments in security.
To illustrate my point, I will outline the results of one of the projects that my colleagues and I have been working on under the Commonwealth’s funding for the Center. In particular, FPRI’s approach to its research on terrorism, counter-terrorism, and homeland security is based on a four-step analysis process:
In order to make this general outline more concrete, I will briefly summarize our work on a project directly related to the electronic security of the Commonwealth’s utilities.
At the outset, it must be kept in mind that attacks on specific assets, as horrific as they may be, are in fact interchangeable from the perspective of terrorist groups that seek to disrupt the US. Protecting the electrical grid from a devastating attack, for example, is not a risk management problem for the electric utility industry alone — after all, the coal that fires many of the Commonwealth’s generators is shipped by rail. Clearly, the utilities and independent system operators would be involved in the design and implementation of the protective measures but, from the perspective of the management of risks associated with terrorism, security must be viewed as protection for systems not facilities. Similarly, managing the risks to water purification, water distribution, and wastewater disposal systems is not solely a problem for the municipal authorities and investor-owned utility companies. Pure water is essential not only for residential drinking, washing, and cooking, but for almost every conceivable manufacturing process. Water is unquestionably at the core of both our ability to sustain life and our way of life. Other utilities, those that form and support the “commons” of our society — including our rail networks, airways, and communications networks — also present the same issues and require similar solutions but, for our purposes today, I will concentrate only on securing our water systems.
In effect, I believe that we must recognize that, although government agencies, private companies, and even individuals may own one or more of the components that collectively make up the Commonwealth’s utility systems (or regulate them), the management of the risks to the system must ultimately account for both the value of these “common” assets to the owners as well as the society as a whole.
Supervisory Control and Data Acquisition networks (SCADA, pronounced “skay-da”) are the systems of sensors, computers, controllers, and communications networks that are used to monitor and control industrial and transportation processes ranging from the purification and distribution of our drinking water to maintaining the balance of the loads on the electric grid to ensuring the quality of chemical and pharmaceutical production to communicating switching information for transportation systems. Typically, these systems employ programmable logic controllers, electronic communications networks, and host computers. In addition, many SCADA systems have been connected to the Internet as a means of facilitating remote monitoring and control. In effect, SCADA network technologies support much of what we have come to regard as the Commonwealth’s and the nation’s critical infrastructure.
SCADA networks have been in use for more than twenty years and are based on the use of a wide variety of technologies ranging from simple data capture and switch sensors to sophisticated logic controllers, digital computers, and communications networks. Because of the age, widespread distribution, obscurity of hardware and software, and simplicity of some parts of these networks, in the past it has often been assumed that extensive (and possibly expensive) investments in network security are unwarranted.
The evidence of the risk to SCADA systems is also clear. In a report issued last month (GAO-03-121: Protecting Information Systems), the General Accounting Office stated that there have been threats — as well as actual attacks — aimed at disrupting the SCADA-based information systems supporting our critical infrastructure. The report also indicated that the threats are increasing and that failure to protect these information systems could lead to serious “consequences for national security, national economic security, and national public health and safety.” [1]
As I have argued many times in the past, an enemy wishing to undermine the US economy could easily choose to do so by targeting our utility systems. Conventional attacks on our water systems, for example, might be difficult to stage and, even if implemented, would likely have very limited impact given the distributed nature of the systems and the attention to physical security paid by system owners and operators. (Note that this is probably not the case for the systems that support the water supply for such cities as Los Angeles.) As demonstrated by the recent Northeast blackout, however, utilities such as the electric grid are not invulnerable to disruption. For terrorists, however, the objective would not require the physical destruction of any facility. The true target need only be our confidence in the safety and reliability of the utility, regardless of whether its product is electricity or water. In fact, cyber-attacks aimed at our utility control systems have already been launched from overseas, and training for such attacks is part of what we have found in the al Qaeda documents in Afghanistan.
Certainly, attacks aimed solely at compromising SCADA systems are unlikely, though not unheard of. [2] However, the threat of a combined attack — in which the SCADA system is one component of a larger system — is both likely and more troubling. [3] And a physical attack, coupled with compromises of the SCADA systems, would result not only in the corruption of the data which supports the accuracy of the systems but potentially massive disruptions in their quality and safety.
While it is possible to “wiretap” a SCADA sensor, it is far harder to prevent and detect those attacks that use the network interconnections that permit remote logging and control. More and more, these systems rely on standard Internet connectivity. SCADA systems, however, do not typically include robust information security as a designed-in feature, and are thus vulnerable both to hackers and terrorists. In the past, these systems have also been notoriously difficult to retrofit with effective and efficient security measures.
Working with two private-sector partners, Promia and Unlimited Software Associates, FPRI has developed a robust security solution for the vulnerabilities associated with SCADA networks that meets our criteria for implementation: it is both effective and efficient; it is simple to install, use, and service; and it is inexpensive. In short, it is a technology solution to safeguard the systems that control our utility and production facilities.
Briefly, the solution involves the installation of an electronic card that provides several levels of security without any change in the underlying SCADA network into which it is installed. These cards simply prevent outsiders from even seeing that the SCADA network exists. (Note that this is also a good example of the value of transferring federal standards and procedures to state and local governments and the private sector: the technologies are based on a form of protection developed for the US Navy, but retooled into an unclassified version with a simpler set of procedures.)
In effect, if a cyber-terrorist were to tap into a network protected by these devices, the intruder would see only encrypted information, carried on thousands of constantly changing channels, interspersed with a great deal of “fake” information generated by the devices themselves.
To disclose more in this forum would be to run a risk of reducing the effectiveness of our solution. Let us simply say that installation of these cards is a good example of the types of expensive investments in effective cyber-terrorism protection for our utilities and industries.
As I am sure that many of you recognize, the process that we used in this example is very similar to the procedures that are employed in the venture capital industry — and for very good reasons. At least in terms of the kinds of analyses required and the standards for assessing the potential value of alternative investments, venture capitalists face many of the same problems that we now need to deal with in providing security for the Commonwealth’s utility systems. Does the technology work and does it provide an effective operational solution to a market need? Of all the possible solutions, which one (or ones — alone or in combination) offer the highest levels of return given the level of investment (cost) required? What type of evidence is needed to demonstrate the value of the solution to the market? And, finally, what kinds of relationships need to be developed in order to produce, market, and service the solution?
Perhaps the sole unique quality of this procedure when used in the context of identifying the effectiveness and efficiency of security solutions is in the determination of the benefits. Unlike traditional venture capital situations, the overall benefits associated with specific investments in homeland security typically must be measured in terms that are far broader than the relative assessment of the value of the solution to those that make (or authorize) the expenditures. The owners of electricity generating facilities, transmission lines, and the ISOs (the Independent Service Operators that provide for the coordination and load balancing of the grid) benefit to the extent that the corporations can remain operational and can continue to sell their services. (Indeed, in those cases where there is a failure, the utility is generally insured against financial losses.) And much the same reasoning also applies to virtually all other types of utilities. However, from the perspective of the citizens of the Commonwealth — and the nation — the operation of each utility (taken as a stand-alone business unit or facility) is of far less consequence — and, therefore, value — than is the value of the system as a whole. In this regard, the problem — and the possible security solutions — must be analyzed in terms of the benefits accruing to the operation of the entire system. In effect, the assessment of the value of security investments for the Commonwealth’s utilities must be based on the determination of both the costs associated with each component of the system and the benefits derived from the continued operation of the system as a whole. As with analyses of environmental problems, security solutions must account for the costs and benefits to the society and not simply specific organizations or corporations.
As matters now stand, it seems as if the attacks of September 11, 2001 did not make much of an impact on American society. Yes, to some extent we are far more conscious of the threat of terrorism. And yes we have seen a few examples of just what an even partially successful attack can realize in terms of loss of life and physical destruction. But the “message” on September 11th was not simply that there is a threat to the nation’s airlines, buildings, and their occupants. The target, in fact, was not American lives — it was the American way of life.
In order to successfully counter the threat of terrorism, it is not enough — it is nowhere near enough — to provide superficial security measures aimed at preventing a repeat of the attacks on September 11, 2001. Al Qaeda’s goal is to defeat America in order to ensure that the US is not capable of interfering with its plans to recreate and institute a religiously pure Islamic Caliphate. For several domestic terrorist organizations, the objective is similar: to disrupt the US economy and, thereby, permit the recreation of an America circa 1840. To achieve these objectives, the tactical and strategic targets are unlikely to be individuals, buildings, or airplanes. Rather, the targets will more likely be the Commonwealth’s — and the nation’s — utilities. Protecting our utilities will, in turn, require far more than uncoordinated investments in security. And to do this requires that we — whether as individuals, corporations, citizens, or political leaders — recognize that the only workable model of security investment depends on our ability to leave the promise of “business as usual” to the future and initiate new standards and procedures that allow us to make timely security investments that respond to the message of September 11th that there can be “no more business as usual” until we can truly deal with the threat of terrorism as part of our day-to-day lives.