I was at INFOWARCON in DC today. It was quite interesting and goes on for a couple more days. I’m hoping to have several blog posts about it.
Today, however, the most interesting talk I heard was about a 2002 critical infrastructure vulnerability exercise run in Seattle—my home town—which is only just now being made public. This was pretty much the most hair-raising thing I’ve heard in a long time, so I thought I’d share it with you.
The briefer was Jake Schaffner, an official in the Office of the Undersecretary of Defense for Intelligence. He had been an observer at the Seattle exercise, which was known as “Alki”—an evocative term for us Washingtonians and Seattleites. He said that until recently he and all the other participants in Alki have been under a non-disclosure agreement required by the City of Seattle. His talk at INFOWARCON was the first public discussion of the exercise. Apparently the veil is being allowed to drop now that Seattle has taken serious remedial action based on the findings from the exercise.
Two main factors had led Seattle to want to run what became Alki. First off, in the wake of September 11, Seattle realized that it was unusual among American cities in the size and widely varied nature of its critical infrastructure. For instance, Seattle runs hydroelectric dams and is a major electricity contributor to the Bonneville Power Administration. It also had the third-largest traffic management SCADA system in the US. Secondly, in 2002 the insurance industry started rating cities by their perceived likelihood of being attacked. Seattle was alarmingly high on the industry’s list, right after NYC, Washington DC, San Francisco and Chicago.
So, the city’s Chief Information Security Officer asked “the Agora”—a very low-profile group of businesses (some 350 of them), and state, local, federal, and foreign agencies that has been getting together on the University of Washington campus since 1995 to discuss their security vulnerabilities and share solutions—to help him get a handle on the problem. Agora led an effort to test the security of the Seattle Police Department’s systems. Agora’s people were in within two days. Not surprisingly, these results were not publicized, but they did lead to the Alki exercise.
Alki was a two-day tabletop exercise. The Seattle City government participants included the emergency management organizations, as well as the transportation people, the police, fire department, the utilities, the library, etc. Also participating were the US Department of Defense, the National Security Council, the Department of Justice, four unspecified intelligence agencies and the US Secret Service. As if that weren’t enough, more than 15 private companies, some of which still won’t allow their names to be released, also took part.
Alki’s attacker teams were modeled on the attackers from the US Government’s 1997 exercise UNIFIED QUEST. In that exercise the NSA-led attackers reduced the Defense Department defenders to “roadkill” in 30 minutes and then “drove their semi-trailer back and forth over the roadkill to see how flat they could make it.” These attackers were assumed to be offshore and thus beyond the immediate reach of US law enforcement. It was also assumed that the attackers had done two years of “low and slow” reconnaissance of their targets and were now ready to act.
There were 130+ participants in the Alki exercise, broken up into four teams.
- “Short Dwell.” This team looked for ways to cause short-notice disruption of short duration.
- “Long Dwell.” This team looked for ways of causing “long term pain.”
- “Trust.” This team searched for ways of eroding the trust of the citizens in the government’s ability to protect them.
- “Kill.” The Kill Team tried to maximize the number of Seattleites that it could notionally kill.
Each team had at least one member of an intelligence agency; one military member; one network expert; several “codies,” a polite term for hackers; and a number of municipal employees. Many of these hackers, according to Schaffner, operated in the gray zone of the law much of the time. The biggest, baddest of the lot, a person who was immensely skilled at doing very bad things, had never even graduated from high school. Schaffner opined that it was the diversity of these groups that made them so effective.
The results of this exercise were jaw-dropping. Access to Seattle’s critical infrastructure was easy. Internet interfaces were not centrally managed, so there were doorways in that nobody knew of. It turned out that the Seattle Public Library and the city’s Parks and Recreation Department were particularly useful entry points into much more dangerous stuff. One example of the ease of entry related to a pumping station at a lake some 30 miles outside the city. This pumping station was involved in providing drinking water for the city and also in the running of a nearby dam. Because the pumping station was so remote, nobody wanted to work there, so the city had arranged to run it remotely. For technical reasons that I couldn’t grasp, this involved the use of a wireless network. The vendor who sold Seattle the network told them that the wireless network could not be detected beyond about 150 m from the pumping station. Since this was out in the middle of the woods, this didn’t seem to be a problem. Nobody would ever know the wireless system existed, so its technical protections weren’t important. One of the Alki teams succeeded in injecting a signal into it from two miles away and thereby gained control of the system.
Another gaping security hole was in something called the Washington State Inter-Governmental Network, or IGN. This linked together Seattle agencies, other cities in Washington, rural areas, etc. Because so many entities needed to use the IGN, it had been found convenient to give it almost no security. This allowed the Alki teams to access some really scary places that Schaffner chose not to specify.
Schaffner specified three general tactics that emerged from the exercise.
- “Ruining IT’s day.” The notion here was that the first responders when an attack came would be the IT professionals. Accordingly, the attackers decided to ensure that this response would be slow and unenthusiastic by opening up a social gulf between the users at the various city agencies and their IT support people. The attackers were able to create pseudo-random glitches in the system that the IT people were unable to fix because they couldn’t reproduce them. This caused friction between users and IT professionals. The attackers were also able to break into city email systems and send fake emails about the IT people, spreading scurrilous rumors, unfair criticisms, etc.
- Making large areas of the city uninhabitable for lengthy periods of time. This involved the creative use of sewage. Ewwww. Doing this was technically complex, but feasible. It depended on two things: the fact that Seattle has just the right topography to allow sewage to flow down hills (or not get pumped up hills) and the attackers’ ability to purchase just the right modeling software they needed to model the city’s sewer systems.
- Eroding public confidence. The aim here was to create public panic. This involved things like denial of service attacks on the 911 system, the government phone systems, etc. It also entailed screwing with the traffic lights, the water, electrical, and sewage system, the fire department, and emergency medical systems. Once all of these were tied in knots, the attackers would start creating all sorts of false alarms about emergencies here and there.
Some of the unexpected observations that emerged from the exercise were that it was hard to cause mass casualties, but very easy to produce chaos that would be hard to recover from without actually stringing new cables (and not connecting them to the outside world) or without the extensive use of the good old “sneaker net.” Furthermore, the exercise found that “common” IT infrastructure systems don’t always treat all their parts equally. The Mayor’s office and the Police Department might be quite secure, but the libraries and the parks weren’t, and they talked to the mayor’s and the police’s systems. The court systems were especially open to attack. They, of course, were also connected to the police systems. Moreover, it was found easy to get into the courts’ databases and start changing evidence. Finally, it proved very easy to mess with financial transactions. This, in fact, provided a major way of messing with the public’s confidence in government. Imagine how you’d feel if you’d sent your tax payment to the government but they had no record of it. Or if they wanted to boot your car because of apparently unpaid parking tickets that you’d actually paid. All quite easy to arrange.
By the way, the biggest vulnerability that Seattle had was so glaring that they chose to exclude it from the exercise as being too easy. Shooting fish in a barrel. I won’t mention it here. However, Schaffner did say that that problem had been substantially, though not totally, remediated since 2002.
In fact, Seattle apparently has fixed or improved most of these problems since the Alki exercise ran eight years ago. The big question, however, is how secure is YOUR home town today?