critical infrastructure, critical vulnerabilities

Critical Infrastructure, Critical Vulnerabilities Dr. Barry S. Hess November – December 1996


Post on 22-Jan-2016



TRANSCRIPT

Page 1: Critical Infrastructure, Critical Vulnerabilities

Critical Infrastructure, Critical Vulnerabilities

Dr. Barry S. Hess
November – December 1996

Page 2: Critical Infrastructure, Critical Vulnerabilities

Perspective

Team had no a priori knowledge of the critical infrastructure and its vulnerabilities
Initial search plan focused on attaining background information on the various aspects of the critical infrastructure
“Target” choice driven by information
Quantity and fidelity of information were sufficient for a vulnerability analysis

Page 3: Critical Infrastructure, Critical Vulnerabilities

Information Vulnerabilities

The physical “Fortress America” does not protect U.S. in the information age
Several national-level “IW” wargames have examined this issue, and each has run to the same probing question:
  “Can we defend ourselves against an IW attack?”
Executive Order 13010 of 15 July 96 “Critical Infrastructure Protection” and its President’s Commission on Critical Infrastructure Protection are steps in the right direction

Page 4: Critical Infrastructure, Critical Vulnerabilities

Critical Infrastructure

Gas and oil storage and transport

Electrical power systems

Telecommunications

Transportation

Water supply

Banking and Finance

Emergency services

Continuity of Government

Page 5: Critical Infrastructure, Critical Vulnerabilities

Critical Infrastructure
Electrical power systems

Information about power generation and distribution easily found

Nuclear Power intriguing

Previous government statements (FBI Intelligence Division Congressional testimony March 19, 1993) seemed to dismiss potential of attack, yet on-line information showed vulnerabilities

Web sites from the Nuclear Regulatory Commission (NRC) and Florida Power and Light (FPL) expanded knowledge base

Page 6: Critical Infrastructure, Critical Vulnerabilities

Context

Threat of “IW” attack “significant”

Nation’s “vulnerabilities are numerous, [and] the countermeasures are extremely limited...”

“. . . current practices and assumptions are ingredients in a recipe for a national security disaster . . .”

Defense Science Board Task Force on Information Warfare-Defense:

Page 7: Critical Infrastructure, Critical Vulnerabilities

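DSB Threat Assessment*

[Chart: threat categories (Incompetent, Hacker, Disgruntled Employee, Crook, Organized Crime, Political Dissident, Terrorist Group, Foreign Espionage, Tactical Countermeasures) rated under the headings “Validated Existence*” and “Existence likely but not validated”; the legend symbols for “Widespread” and “Limited” and the chart entries were not preserved]

* = Validated by DIA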

Page 8: Critical Infrastructure, Critical Vulnerabilities

Information Age Terrorism

Terrorism thrives on fear

Double-edged sword

The possibilities…….

Source: www.businessmonitor.co.uk/docs/proc/HD02/TERROR.html

Page 9: Critical Infrastructure, Critical Vulnerabilities

Methodology

Totally unclassified Internet-based “collection” Identify “cyber” vulnerabilities Identify physical vulnerabilities Assess impact of two taken together

Use the Internet for intelligence collection on high impact “targets”

Page 10: Critical Infrastructure, Critical Vulnerabilities

Perspective

“FBI considers nuclear power plants unlikely targets for terrorist attack because they are relatively well-protected and hard to attack without great risk to the attackers.”
Senate Testimony
19 March 1993
FBI Intelligence Division spokesman

7 February 1993

20 March 1995

19 April 1995

26 February 1993

Page 11: Critical Infrastructure, Critical Vulnerabilities

Target Selection

Criteria:
  Accessibility
  Plausible deniability
  Maximum fear potential
  Combination of cyber and physical attack possible
  Ease of reconnaissance

Page 12: Critical Infrastructure, Critical Vulnerabilities

Target

St. Lucie Nuclear Power Plant

Source: www.nrc.gov/AEOD/pib/reactors/335/335toc.html

Page 13: Critical Infrastructure, Critical Vulnerabilities

Target Selection

Florida Power and Light (FPL)
  Serves about 50% of Florida (7 million people)
  Nuclear power provides 25% of FPL’s energy
  One megawatt meets the electric needs of 300 homes and businesses

One Nuclear Plant outside of Fort Pierce, the St. Lucie plant, has recently had some problems

Nuclear plant attack: high physical and psychological impact

Source: www.fpl.com/fplpages/aboutus.htm (and others)

Page 14: Critical Infrastructure, Critical Vulnerabilities

St. Lucie Nuclear Power Plant

Source: www.nrc.gov/AEOD/pib/reactors/335/335toc.html
Source: www.co.st-lucie.fl.us/bigmap.html

Page 15: Critical Infrastructure, Critical Vulnerabilities

Recent Incidents
St. Lucie Nuclear Power Plant

26 Sep 1995: Two pressurized valves improperly installed
2 Nov 1995: NRC cited seven violations
24 Jan 1996: 61 positions eliminated
31 Mar 1996: 350-gallon spill of “slightly radioactive” water
14 Aug 1996: Back-up control room safety switches glued shut - $10,000 reward offered to find/convict saboteur
10 Jan 1997: As a result of November 1996 NRC special design review NRC fines Florida Power & Light $100K … security, emergency preparedness, instrumentation modification
27 Mar 1997: NRC Region II met with FPL to discuss recent plant performance
16 May 1997: NRC Region II met with FPL to discuss worker complaints filed with NRC, 41 in 1996 double the 1995 number
2 Sep 1997: Unauthorized entry into the protected area occurred

Source: www.pbpost.com/pbbiz/top50/(assorted) www.fpl.com/fplpages/news.htm

Page 16: Critical Infrastructure, Critical Vulnerabilities

Operating Parameters (St. Lucie Nuclear Power Plant)

                                Reactor #1          Reactor #2
NRC docket number               50-335              50-389
Electric capacity (MW)          830                 830
Initial criticality             22 April 1976       2 June 1983
Commercial operations           21 December 1976    8 August 1983
Reactor type                    Pressurized Water Reactor (2-loop)
Reactor manufacturer            Combustion Engineering*
Number of fuel assemblies       217                 217
Number of fuel rods / assembly  176                 236

* = CE is now a subsidiary of ABB Atom AB, Sweden

Source: www.nrc.gov/AEOD/pib/reactors/335/a/335atxt.html www.nrc.gov/AEOD/pib/reactors/389/a/389atxt.html www.abb.se/atomweb/atomweb2.htm

Page 17: Critical Infrastructure, Critical Vulnerabilities

St. Lucie Nuclear Power Plant
Site Plan

Source: www.nrc.gov/AEOD/pib/reactors/335/b/335b010.html

Source: www.nrc.gov/AEOD/pib/reactors/335/335toc.html

Page 18: Critical Infrastructure, Critical Vulnerabilities

St. Lucie Nuclear Power Plant
Blueprints

Source: www.nrc.gov/AEOD/pib/reactors/335/d/335d021.html www.nrc.gov/AEOD/pib/reactors/335/d/335d028.html
Source: www.nrc.gov/AEOD/pib/reactors/335/335toc.html

Page 19: Critical Infrastructure, Critical Vulnerabilities

St. Lucie Nuclear Power Plant
Blueprints

Source: www.nrc.gov/AEOD/pib/reactors/335/d/335d021.html www.nrc.gov/AEOD/pib/reactors/335/d/335d028.html
Source: www.nrc.gov/AEOD/pib/reactors/335/335toc.html

Page 20: Critical Infrastructure, Critical Vulnerabilities

St. Lucie Detail Mapping

source: www.landinfo.com

Graphic Representation of Power Line Route

Page 21: Critical Infrastructure, Critical Vulnerabilities

Fuel Storage

New fuel stored dry in vertical racks in Fuel Handling Building
Spent fuel stored on-site in borated water pools (also located in Fuel Handling Building)
Reactor #1 has 300.1 MTU irradiated fuel stored on-site
Reactor #2 has 175.9 MTU irradiated fuel stored on-site
Fuel moved between Fuel Handling Building and Reactor Building via fuel transfer tubes

Source: www.nrc.gov/AEOD/pib/reactors/335/c/335c002.html www.nrc.gov/AEOD/pib/reactors/389/c/389c002.html www.prop1.org/prop1/radiated/fl0rept.htm

Page 22: Critical Infrastructure, Critical Vulnerabilities

Key FPL Personnel

Art Stall—Florida Power & Light Vice President, St. Lucie Plant
John Scarola—Plant Manager, St. Lucie Plant
  2400 S Ocean Drive
  Fort Pierce, FL 34949-8019
  (561) 465-8052
Ed Gambon—Technical Support Supervisor, FPL
  1501 S Ocean Blvd.
  Pompano Beach, FL 33062-7432
  (954) 941-2015

Source: www.pbpost.com/pbbiz/top50/(assorted) www.fpl.com/fplpages/news.htm www.switchboard.com

Page 23: Critical Infrastructure, Critical Vulnerabilities

Source: www.pbpost.com/pbbiz/top50/(assorted) www.fpl.com/fplpages/news.htm www.switchboard.com www.streetatlasusa.com

John Scarola
2400 S. Ocean Drive
Fort Pierce, Fl 34949
(561) 465-8052

St. Lucie Nuclear Power Plant

Key Plant Personnel

Page 24: Critical Infrastructure, Critical Vulnerabilities

Evacuation Routes

Source: www.nrc.gov/AEOD/pib/reactors/389/b/389b015.html
Source: www.nrc.gov/AEOD/pib/reactors/389/b/389b011.html

Page 25: Critical Infrastructure, Critical Vulnerabilities

Emergency Response

Source: www.nrc.gov/AEOD/pib/reactors/389/b/389b018.html www.nrc.gov/AEOD/pib/reactors/389/b/389b021.html www.worldpages.com/worldsearchrl

Mr. Joseph F. Myers
4010 Harpers Ferry Drive
Tallahassee, FL 32308-9440
(904) [email protected]

Page 26: Critical Infrastructure, Critical Vulnerabilities

Emergency Response

Source: www.nrc.gov/AEOD/pib/reactors/389/b/389b019.html www.nrc.gov/AEOD/pib/reactors/389/b/389b023.html

*

* St. Lucie County = Local Emergency Planning Committee, FL District 10

Page 27: Critical Infrastructure, Critical Vulnerabilities

Florida State Warning Point Communications Capabilities

Commercial Telephone System (POTS)
Hot Ring Down System (HRD)*
Emergency Satellite Communications System (ESATCOM)**
Computer-Based Bulletin Board (dial-up capability)
High Frequency Radio
VHF-UHF-800 Radio (regional relay stations)
PROACTiv Decision Line (e.g., tele-conference)
SunCom Network (e.g., DSN with 11 switches)
National Alerting and Warning System (NAWAS)
Amateur Radio

Source: www.state.fl.us/comaff/DEM/RESPONSE/SWP/(assorted)
* = Primary emergency comm link
** = Secondary emergency comm link

Page 28: Critical Infrastructure, Critical Vulnerabilities

Key Emergency Contacts

Local FEMA POC
  FEMA Region 4, Atlanta GA
Local NRC POC
  Richard Prevatte, St. Lucie Plant Senior Resident Inspector
  Mark Miller, St. Lucie Plant Resident Inspector
State of Florida Emergency/Disaster POC
  Joseph Myers, Director, FL Div. of Emergency Management
  William O’Brien, Area 7 Coordinator (includes St. Lucie County), FL Bureau of Preparedness & Response
Local City Government Leaders
  Dennis Beach; City Manager, Ft. Pierce
  Edward Enns; Mayor, Ft. Pierce
  Donald B. Cooper; City Manager, Port St. Lucie
  Robert E. Minsky; Mayor, Port St. Lucie
Local Fire/HazMat POC
  Paul Haigley Jr., St. Lucie County Fire Chief

Source: www.state.fl.us/comaff/DEM/HTML/emerge.html www.state.fl.us.DEM/RESPONSE/SWP/perlist.html www.pbpost.com/fyi/slgovt.htmrl

Page 29: Critical Infrastructure, Critical Vulnerabilities

Key Emergency Contacts

St. Lucie County Government officials
  Tom Kindred, County Administrator
  Ron Brown, Public Works Manager
  Morris Adger, Port Director
  Curtis King, Airport Director
  William Blazak, Utilities Services Manager
Local Sheriff/Police Chief
  R.C. Knowles, Sheriff of St. Lucie County
  J. Mahar, Chief of Police Ft. Pierce
  C.L. Reynolds, Chief of Police Port St. Lucie

Source: www.pbpost.com/fyi/slgovt.htmrl www.co.st-lucie.fl.us/DIRECTORY/GOV.HTML www.co.st-lucie.fl.us/DIRECTORY/POLICE.HTML

Page 30: Critical Infrastructure, Critical Vulnerabilities

Power Delivery System Comms Backbone

FPL LeJeune-Flagler office outside Miami controls network
  9250 W Flagler St, Miami FL 33174
2 Synchronous Optical Networks (SONET)
ATM backbone - 8 Northern Telecom (Nortel) Magellan Passport Model 160 switches to integrate/improve capacity of 2 SONETs
  16 slot design, voice and data
  Unit-specific cooling required
Know installed unit size, network protocols and power requirements
Reconstitution extremely difficult: Nortel engineers spent months configuring network

www.nortel.com/home/press/19996c/9_30_96_283FPLMagellan.ht
www.nwfusion.com/cgi-bin/gate2?I33xE/1WbUeg01/1Ek1Eb/x3

www.nortel.com/entprods/magellan/products/pp-glo.html

Page 31: Critical Infrastructure, Critical Vulnerabilities

Disaster Recovery of Data

FPL uses an IBM ADSTAR Distributed Storage Manager for data back-up and recovery
  Back-ups done on an IBM 3390 Model 9 in Miami, then sent over a T-3 line to an auto tape library 110 miles away
  Backup volumes and basic databases then physically moved off-site for storage
Daily back-ups for entire company are done on 239 platforms
  105 AIX and HPUX servers
  93 Novell servers
  41 Windows, O/S 2, and Macintosh workstations

Source: www.storage.ibm.com/storage/software/adsm/adsmfpl.htm

Page 32: Critical Infrastructure, Critical Vulnerabilities

St. Lucie County
Telecommunications

Radio: Commercial & Infrastructure
  Frequency assignments
  Physical locations

TV: Broadcast & Cable
  Frequency assignments
  Physical locations

Telephone Wire Wireless Infrastructure

Telephone numbers, frequency assignments

Physical locations

Page 33: Critical Infrastructure, Critical Vulnerabilities

Radio

Commercial
  Local radio stations EAS Local Primary 1 & 2
  Call letters & frequencies
    [LP1] WRMF-FM 97.9 / WJNO-AM 1230
    [LP2] WQCS-FM 88.9
  Office locations & key personnel
    WRMF & WJNO P.O. Box 189 West Palm Beach, FL 33401
  Lat/long & orientation of transmission towers/antenna(s)
    WRMF: N263437 W0801432
    WJNO: N264336 W0800303
    WQCS: N272517 W0802123
Infrastructure
  Telephone numbers, assigned radio frequencies, and locations of city/county police, fire, and rescue departments
  Assigned radio frequencies used by local telephone and electric power companies
  Assigned radio frequencies for FEMA, DOE National Emergency Search Team and other national emergency medical services

Source: www.co.st-lucie.fl.us/DIRECTORY/RADIO.HTML www.radiostation.com/cgi-bin/fmcall tiger.census.gov/cgi-bin/mapbrowse fcn.state.fl.us/oraweb/owa/teldir.county_query_22 www.fab.org/opareas.html

Page 34: Critical Infrastructure, Critical Vulnerabilities

PSTN Locator

$100 can purchase software and database containing all U.S. Telecommunication Switching Centers
  Company Name
  Switch Name & identifier
  Area code and exchanges serviced
  Lat / Long (To second)
  Architecture
  Switch features
  Distance to other switches

Page 35: Critical Infrastructure, Critical Vulnerabilities

Fort Pierce, Florida
PSTN Location

Page 36: Critical Infrastructure, Critical Vulnerabilities

Electric Power Grid

Utilities buy and sell electricity to each other via consortia called power pools

Power pool's principal mission is to coordinate, monitor, and direct the operations of the major generating and transmission (bulk power system) facilities

Source: www.epri.com

Page 37: Critical Infrastructure, Critical Vulnerabilities

Joint Transmission Services Information Network (JTSIN)

Federal Energy Regulatory Commission mandated electric utility industry share transmission capacity data on a network

Internet-based because infrastructure exists

JTSIN will use:
  Microsoft SQL Server databases and Netscape’s FastTrack Web server
  OS is Windows NT on 150-MHz Pentium servers

Source: techweb.cmp.com/582/pf97/82ioutl.htm

Page 38: Critical Infrastructure, Critical Vulnerabilities

Inter-Control Center Communications Protocol (ICCP)

Provides utilities a standardized, flexible method for exchange of real-time operational data (basically a WAN)

Has a real-time interface to power plant control systems

Suitable for dispatch and security operations associated with Independent Grid Operators, regional pools and security centers, and transmission control centers

Has open standard interfaces for both real-time and historical power system monitoring

System accepts dial-up modem protocols (TCP/IP) or DECnet protocols

Prototype ICCP version 5.1 uses DEC Alpha computers running Open VMS operating system (Electric Reliability Council of Texas)

Source: www.epri.com/pdg/pf97/gop/gop1_18.html www.pacifier.com/~nsrvan/iccp/iccp.htm www.livedata.com/ICCPwp.htm

Page 39: Critical Infrastructure, Critical Vulnerabilities

Collection Plan

What we know
  Site plan and schematics; recent history of “insider” problems
  Leadership, with addresses, e-mail, fax and phone numbers
  Emergency evacuation routes, and notification procedures
  Emergency communications plans and frequencies
  Plant computer systems and back-up procedures
  Details of power distribution monitoring network
  Interface into the North American power grid, entry protocols to real-time interface with power generation
What we don’t know... yet
  Details “of security plans and equipment, and response weapons and tactics” (March 24 Letter from NRC)
  Worker schedules, plant routines, etc.

Page 40: Critical Infrastructure, Critical Vulnerabilities

Not My Problem?

“Congress mandated by the Sunshine Act that much of what your team found should be provided to the public.”

“…an act that preys on public fears… or assassinates key staff… not be regarded by the NRC as “successful” if there is no danger to the public health and safety from the operation of the facility. Furthermore, the NRC does not have the regulatory authority to address these acts.”

NRC letter to my team; 24 March 1997

Page 41: Critical Infrastructure, Critical Vulnerabilities

Assessment

“Intelligence” gathered from the Internet reveals infrastructure vulnerabilities
Continued unrestricted access to information will empower adversaries
  Information may not be perfect, but it may give “80% solution”
  Collection and integration of information is simplified; agent actions limited and focused