Infrastructure protection

U.S. yet to develop a strategy to secure nation’s critical infrastructure

Published 3 February 2015

For years, the U.S. government has warned federal and state agencies about the threat posed by hackers who may target computer systems responsible for operating nuclear plants, electric substations, oil and gas pipelines, transit systems, chemical facilities, and drinking water facilities. In February 2013, President Barack Obama issued a directive stating, “It is the policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats.” Two years later the federal government has yet to develop or adopt a consensus on how to secure America’s critical infrastructure from cyber criminals.

While recent cyberattacks against Sony Pictures, Target, JPMorgan Chase, and Home Depot have brought to light some of the private sector’s cyber vulnerabilities, an NBC Bay Area investigation raises questions about the security of the nation’s critical infrastructure.

For years, the U.S. government has warned federal and state agencies about the threat posed by hackers who may target computer systems responsible for operating nuclear plants, electric substations, oil and gas pipelines, transit systems, chemical facilities, and drinking water facilities. “It’s those systems, that if we lose them, it’s going to have a serious impact on our way of life,” said Perry Pederson, former director of the Control Systems Security Program at DHS.

In 1998 President Bill Clinton issued a directive warning about the dangers of potential cyberattacks. “I intend that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber-attacks on our critical infrastructures, including especially our cyber systems,” read the memo. NBC News reports that since then, the Environmental Protection Agency (EPA) and the National Transportation Safety Board (NTSB) have warned about vulnerabilities in computer systems which control drinking water and gas pipelines. In February 2013 President Barack Obama followed Clinton when he issued a directive stating, “It is the policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats.”

Two years later the federal government has yet to develop or adopt a consensus on how to secure America’s critical infrastructure from cyber criminals. The previous Congress failed to move on legislation introduced by Senator Dianne Feinstein (D-California) which would have allowed private companies to share information relating to cyberattacks with government agencies via DHS.

With the support of the White House, DHS, business groups, and more members of Congress, a cyber-information sharing bill may pass this year. “Cyber-attacks cost the economy hundreds of billions of dollars a year and this will only get worse,” said Feinstein in a statement in January. “Congress must take steps to minimize the damage.”

Cybersecurity professionals who favor an information sharing bill are also urging DHS to limit the type of cyber information it shares with the public. In 2009 Pederson worked with DHS to design “Project Aurora,” an experiment which involved hacking into a replica of an Idaho power plant’s control system and causing it to smoke, shake, and self-destruct.

“It ultimately proved and demonstrated on video that you can destroy physical equipment with a cyber-attack,” Pederson said. “It’s a type of vulnerability we should be concerned about.”

In July 2014 DHS released 840 documents detailing the vulnerabilities Project Aurora exposed. Soon after, cybersecurity professionals criticized the department for releasing what they believe should have been classified information (see “DHS releases the wrong FOIA-requested documents, exposing infrastructure vulnerabilities,” HSNW, 7 January 2015). “It was an incredibly, incredibly bad thing to have done,” said Joe Weiss, a Bay Area-based control system security specialist. “What it did is put all of that information in the hands of the bad guys who never had it.”

DHS has defended the department’s decision to release details of Project Aurora. “The documents were thoroughly reviewed for sensitive or classified information prior to their release to ensure that critical infrastructure security would not be compromised,” the agency wrote in a press release. Weiss disagrees. “This is a roadmap for a bad guy and this is what DHS put out,” Weiss said. “One of (the documents) even had a picture to show where you would go to the substation to destroy the equipment.”

Attacks on critical infrastructure have already begun in several countries. Recently, hackers accessed computer systems at a nuclear power plant in South Korea, and a steel plant in Germany. “Some people worry about we’re on the brink of a cyber-arms race,” Pederson said. “I would say, no, we’re not on the brink of it, we’re in the thick of it. We’re in it.”