New docs show DHS was more worried about critical infrastructure flaw in ’07 than it let on

The Department of Homeland Security (DHS) mistakenly released hitherto little-known details on an experiment conducted in 2007 in which researchers destroyed a 27-ton diesel generator via a cyberattack on its control system.

Details about the experiment, code-named Aurora, were inadvertently released by DHS in response to a Freedom of Information Act request for information about Operation Aurora, a completely different issue involving a series of cyberattacks against Google and other entities in 2010.

MuckRock posted a copy of the 840-page documentfrom DHS earlier this week.

The document suggests that DHS was considerably more concerned about the threat to critical industrial control systems highlighted by Aurora than it generally let on. Security experts have long maintained that the DHS and industry stakeholders have downplayed potential threats to critical infrastructure and have done nothing to address the problem.

The document highlights facts that are difficult to reconcile, said Dale Peterson, founder and CEO of Digital Bond, a company that specializes in control systems security.

“The error by DHS in releasing the wrong Aurora documents is a bit embarrassing for them,” Peterson said, noting that the document suggests that the agency considered the Aurora vulnerability to be a significant threat to industrial control systems.

“They classified the program after they understood the impact,” he said. The document shows that DHS set up tiger teams, attended Congressional hearings and White House briefings, and created action plans to address issues highlighted by the experiment.

Even so, little has happened by way of remedial action in the seven years since, Peterson said. “So one of two things happened. Aurora was, in fact, not a significant control system vulnerability. It was an expensive demo with hyped results. Or, Aurora was a significant control system vulnerability that has not yet been addressed seven years later.”

The DHS did not respond to a request for comment.

The Aurora experiment made headlines in 2007 when CNN aired video footage of a generator being reduced to smoking, metal-spewing junk as the result of malicious code execution on the computer controlling the system.

The Idaho National Laboratory prepared the demo for the DHS to show how malicious attackers could take advantage of control system vulnerabilities to cause physical damage to critical infrastructure .

The newly public document shows that DHS spent some $2.8 million on the test and considered the vulnerability that allowed the generator to be destroyed as a significant flaw affecting utilities, refineries, pipelines and water systems. The greatest potential for exploitation exists in the utility sector, the DHS document noted.

One document notes how an actual attack could be carried out quickly. “There were intentional pauses between each iteration of the attack in order to assess damage and maintain safety protocols. An actual attack could have been conducted much faster,” DHS officials noted.

Another compares the test to “shifting a car into reverse while it is being driven on a highway, or the effect of revving the engine up while the car is in neutral and shifting it into drive.” The test resulted in a total loss of generating capability with extensive damage to equipment in just three minutes.

Results from the tests were expected to generate significant follow-up activities, with then-DHS secretary Michael Chertoff, Congress and the White House Homeland Security Council being briefed on the experiment.

Joseph Weiss, managing partner at Applied Control Systems LLC, a firm specializing in industrial control systems, said the new document refocuses attention on a problem that affects every utility substation in the U.S. and which the DHS and industry has known about for years.

Ever since the CNN video went public, the government and stakeholders in the utility industry have systematically attempted to downplay the seriousness of the threat, Weiss maintained. With the exception of two utilities that are in the process of implementing a fix for the vulnerability highlighted by the Aurora experiment the rest are doing nothing, he said.

The new documents show everybody, including potential attackers, that the vulnerability affects not just utilities but other critical infrastructure players, as well, Weiss said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar’s RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about cybercrime and hacking in Computerworld’s Cybercrime and Hacking Topic Center.