US: Cyber attacks on utilities, industries rise

U.S. utilities and other crucial industries face an increasing number of cyber break-ins by attackers using more sophisticated methods, a senior Homeland Security Department official told reporters during the first tour of the government's secretive defense labs intended to protect the nation's power grid, water and communications systems.

Acting DHS Deputy Undersecretary Greg Schaffer told reporters Thursday at one of several nondescript buildings that house Control System Security Program facilities that the world's utilities and industries increasingly are becoming vulnerable as they wire their industrial machinery to the Internet.

"We are connecting equipment that has never been connected before to these global networks," Schaffer said. Disgruntled employees, hackers and perhaps foreign governments "are knocking on the doors of these systems and there have been intrusions."

According to the department, the number of private organizations asking for the department's help in protecting their automated control systems rose from 57 last year to 81 so far this year.

The number of times that the department's Computer Emergency Response Team for industrial systems has deployed rose from one in 2009 to six in 2010. So far this year, the team has responded to seven reported instances of attacks or vulnerabilities in control systems.

Department officials declined to give details about emergency response team deployments, citing confidentiality agreements with the companies involved. Under current law, the reporting of cyber attacks by private organizations is strictly voluntary.

The Obama administration has proposed making reporting mandatory, but the White House is likely to find the idea difficult to sell at a time when Republicans complain about increased regulation of business.

Officials said they knew of only one recent criminal conviction for corrupting industrial control systems, that of a former security guard at a Dallas hospital whose hacking of hospital computers wound up shutting down the air conditioning system. The former guard was sentenced to 110 months in prison in March.

The Homeland Security Department's control system security program at the Idaho National Laboratory includes the emergency response team, a Cyber Analysis Center where control systems are tested for vulnerabilities, a malware laboratory for analyzing cyber threats and a classified "watch and warning center" where data about threats are assessed and shared with other cyber security and intelligence offices.

Marty Edwards, chief of the control system security effort, said the malware lab analyzed the Stuxnet virus that attacked the Iranian uranium enrichment facility in Natanz last year. He did not describe the group's findings in detail, except to say that they confirmed that it was "very sophisticated."

Edwards and other officials denied reports that the cyber research at Idaho National Laboratory, which included studying the vulnerabilities of the kind of industrial control systems Iran used at Natanz, had aided in the development of Stuxnet.

Many independent experts and former government officials suspect that Stuxnet was created by the United States, perhaps with the help of Israel, Britain and Germany.

The U.S. and other nations believe Iran is building a nuclear weapons program, but Tehran insists it is interested only in the peaceful uses of nuclear technology.

While U.S. officials talk frequently about America's vulnerability to cyber attack, they seldom discuss the country's offensive cyber weapons capability. The U.S. is thought to be the world's leader in cyber warfare, both defensive and offensive.

U.S. officials and others long have feared that future wars will include cyber attacks on the industries and economies of adversaries, and the potential targets include power plants, pipelines and air traffic control systems.

Cyber warfare also would likely target military control systems, including for communications, radar and advanced weaponry.

Because of its advanced industrial base, the U.S. is thought to be among the countries most vulnerable to a cyber attack on its infrastructure.

In a 2007 test at the Idaho National Laboratory, government hackers were able to break into the control system running a large diesel generator, causing it to self-destruct.

A video of the test, called Aurora, still posted on YouTube, shows parts flying off the generator as it shakes, shudders and finally halts in a cloud of smoke.

James Lewis, a former State Department official now with the Center for Strategic and International Studies in Washington, said in an interview that the Aurora test ushered in a new era of electronic warfare.

Before the test, he said, the notion of cyber warfare "was mainly smoke and mirrors. But the Aurora tests showed that, you know what? We have a new kind of weapon."

Homeland Security officials said they have not conducted such a test on that scale since. But they demonstrated Thursday how a hacker could tunnel under firewalls in computer systems to take command of industrial processes.

"All systems deployed have vulnerabilities," said Edwards, the control systems security chief.

Schaffer said that not all attempts to take over control systems are reported to the department's security program, but he said they typically hear of them at some point through other channels.