4 Things the Roman Aqueducts Can Teach Us About Securing the Power Grid
In this excerpt from Infrastructure Protection in the Ancient World, two CSOs argue that we still need to heed the security lessons that Romans learned 2,000 years ago
By Michael Assante and Mark Weatherford
February 05, 2008 — CSO —
Some time around 313 B.C., the Romans built the first of eleven aqueducts--engineering marvels that would become critical to their capitol and to the influence of the Roman Empire. This first aqueduct was built completely underground for what historians have concluded were three main advantages: first, to conceal and to protect the water supply from enemies; second, to provide an additional level of protection from erosion and pollution; and finally, to be less disruptive to life above ground.
Back then, as now, the perception of risk had a direct correlation to how systems were designed. Over time, a decreased sensitivity to security risk in ancient Rome resulted in design modifications that made the aqueducts more vulnerable to disruption. Roman engineers began to incorporate architectural "advances" into the aqueduct system, adding magnificent arcades with arches and other above-ground structures that advertised Roman greatness.
Unfortunately these structures also made the aqueducts vulnerable to exploitation, because the water supply was no longer protected underground. Thus, the infrastructure changed from a hidden and purpose-built system into a visible symbol that invading forces found appealing. Eventually those vulnerabilities were exploited by invading German tribes, who damaged the aqueducts, disrupting water supplies. The disruption of large portions of Rome's aqueducts contributed to the symbolic capitol's diminished role in the western Empire and imposed further limits to Rome's military, economic and political power--all of which played a part in the fall of the Roman Empire. As the flow of water dwindled, so did the hope of Rome's ability to repel the foreign invaders. Ironically, the only aqueduct left in commission after these invasions was the Aqua Virgo, which had been built underground.
Just as the Romans made their aqueducts vulnerable, so too have we left exposed our contemporary equivalent: the power grid. Just last month, the Central Intelligence Agency acknowledged that criminals already have been able to hack into computer systems outside the United States via the Internet and cut power to several cities. Recent no-warning cyber attacks on Estonian government web sites and online banking infrastructures demonstrate that cyber-capable state enemies can target military forces, government institutions, critical infrastructures or commercial entities. Given the current risks and vulnerabilities, we feel that the history of the Roman aqueducts--both as they were originally built and as they changed over the centuries--holds great lessons for the security community today.
Lesson 1: Infrastructures are critical to the security of a state and represent a common good.
Academic experts have concluded that Rome could not have built cities as large as it did without the aqueducts. Some of their cities would not have existed at all. The aqueducts were critical to Roman society because of the essential service they provided and because they could not be easily replaced. It is said that at Rome's peak, nearly 200 cities within the Empire received portions of their water supply by aqueducts, far surpassing the capability of any civilization before or after for nearly another 2 millennia.
Much like water to the Romans, cheap and abundant electric power is required to enable growth and support a large and prosperous population in the United States today. If Rome needed access to water to maintain its empire, then it can be said that America needs access to energy to be a successful world power. A common good would suggest that federal or state governments would assist utilities in making investments in more resilient, survivable and secure systems.
Lesson 2: Incorporating new technology can introduce vulnerabilities.
Over the last century, the modern power grid has evolved from electro-mechanical and analog switches to digital devices that enhance reliability and control, provide data, and achieve greater efficiencies. Most of the power grid processes are now controlled by computers and remotely networked systems, and they have advanced to the point where they could no longer realistically operate very long without the economy and reliability of digital technology. In fact, computer technology provides immediate global reach and exponentially decreases the constraints of time, distance, and power required.
But just as the arch and above-ground aqueduct construction introduced vulnerabilities to the Roman system, the use of information technology in the U.S. power grid architecture has also resulted in new types of weaknesses throughout the national electric grid infrastructure. These vulnerabilities, for instance, allow cyber-adversaries to attack the infrastructure without the need to be geographically close. In fact, the potential of these cyber attacks may now rival the long-term consequences of physical attacks on the power grid.
Lesson 3: Infrastructures are built to last and are seldom replaced, even when they may need to be.
Over time, ancient Rome's aqueducts became old and in need of constant repair. Disrepair, compounded by assaults from German invaders, exacerbated the maintenance problem. Portions of our nations' power system is also old, requiring more diligence, care and maintenance. Some power systems in the United States rely on components that were a part of the originally installed power grid more than 88 years ago. These older systems are generally under more stress and show the same signs of brittleness that eventually plagued ancient Rome.
This has become one of our greatest challenges, and one that reinforces the need for us to decide who has authority over the protection of the nation's infrastructure. Experts acknowledge that one of the major issues defining the modern U.S. infrastructure protection challenge concerns the division of ownership between public and private responsibilities and resources. In the United States, more than 80 percent of the nation's critical infrastructure is owned or managed by private organizations. This raises the question, how involved and responsible should the government be in the security of the systems? Answering this question is a crucial first step to protecting the power grid. Rome experienced the same challenge, with essential public services being developed in part by the state and then typically turned over to private organizations and entities for their stewardship.
Lesson 4: Security in the design is directly tied to how designers perceive security risk.
The aqueduct story that evolved over a period of almost 600 years also demonstrates the lifecycle impacts of risk decisions. The first and longest lasting aqueduct was built at a time where security risk was much easier to perceive and therefore mitigations were built into the design. In essence, security mattered to early Romans. Later aqueducts would be built in a time when the Romans no longer feared invasions, since the barbarians were being held at bay thousands of miles away in the "frontier." The reduced sensitivity to security risk resulted in design modifications and the use of more vulnerable-- however efficient and appealing--design choices.
It took hundreds of years for Rome's security situation to change, but the rise of international terrorism in the modern world has been measured in mere tens of years. The change in cyber threats can be frighteningly measured in individual months. There are very real and unsettling implications to such a rapid change in the security. While we hope that the terrorism and cyber threats facing America represent only a temporary challenge to our way of life, we must be prepared for the alternative. The changes in our approach to security are dramatic enough to declare that a new reality exists, both in respect to physical threats to our homeland and cyber threats to our information systems. Much like the ancient Romans, peace has not prepared us well for the adversaries that have found their way to our real and virtual shores.
Modern day engineers should learn from this example and draw from it the understanding that design decisions should anticipate changes over time to environmental and system factors, including security. Perceptions often lag reality, and it can be costly to weigh your options or implement changes only after security threats become too great to ignore. Built-in security is cheaper and more effective than trying to retrofit it after the system has already been placed into operation. Once the last brick has been placed, infrastructure design decisions have been "cast in stone," and like the aqueducts, are built to last and hence not easily changed or replaced.
A Call for Action
It is historically unknown whether or not the Romans understood the risk posed to the aqueduct system and why they did or did not take action to address the vulnerabilities that were eventually exploited by invading German tribes. The closest answer is probably that they used a traditional national security tactic of trying to defeat the threat with a traditional field army, rather than developing a proactive homeland security view of the to be problem. It is possible that their decreased perception of a threat resulted in their being surprised by the exploits, and therefore they were unable to plan for and muster the necessary resources required to combat it.
Given the rate and volume of change and magnitude of exposure by security threats capable of negatively impacting our nation's critical infrastructures, it is more than prudent to re-evaluate our existing perceptions of security risk. America must avoid the plight of ancient Rome by taking a clear inventory of what is truly at stake and by making wise investment decisions to remove unacceptable risk. More importantly, we should take the mistakes of ancient Roman designers to heart and take a more proactive approach to anticipating changes environmental risk factors.
It is a challenge for people living in the present day to look at the past and recognize parallels between potentially similar negative outcomes. The story of ancient Rome's aqueducts is important and provides us with critical lessons to consider as we wrestle with the importance of protecting our own critical infrastructures. Recognizing the similarities and differences between the Roman aqueducts and the modern electric power grid gives us the chance to learn and evaluate how we should think about infrastructure protection.
Michael Assante is a member of the President's Commission on Cyber Security, an infrastructure protection strategist at the Idaho National Lab, and the former CSO of a major U.S. utility company. Mark Weatherford is CISO of the state of Colorado. To read the whole paper from which this article is excerpted, you can download the PDF from the Idaho National Laboratory.
Editor's note: See also What Information Security Can Learn from a Bronze-Age Fort.
Read more about emergency preparedness in CSOonline's Emergency Preparedness section.