Posts Tagged ‘DOD’

Friday, April 17, 2015 @ 04:04 PM gHale

There is no doubt the next wave of cyberattacks will be more sophisticated, more difficult to detect and more capable of wreaking untold damage on the nation’s computer systems.

With that in mind, the Department of Defense (DoD) gave a $3 million grant to a team of computer scientists from the University of Utah and University of California, Irvine, to develop software that can hunt down a kind of vulnerability that is nearly impossible to find with today’s technology.

The team is creating an analyzer that can thwart algorithmic attacks that target the set of rules or calculations that a computer must follow to solve a problem. Algorithmic attacks are so new and sophisticated that only hackers hired by nation states are likely to have the resources necessary to mount them, but perhaps not for long.

“The military is looking ahead at what’s coming in terms of cybersecurity and it looks like they’re going to be algorithmic attacks,” said Matt Might, associate professor of computer science at the University of Utah and a co-leader on the team.

“Right now, the doors to the house are unlocked so there’s no point getting a ladder and scaling up to an unlocked window on the roof,” Might said of the current state of computer security. “But once all the doors get locked on the ground level, attackers are going to start buying ladders. That’s what this next generation of vulnerabilities is all about.”

Typically, software vulnerabilities today rely on programmers making mistakes while creating their programs and hackers will exploit those mistakes. For example, the software will receive a programming input crafted by a hacker and use it without automatically validating it first. That could result in a vulnerability giving the hacker access to the computer or causing it to leak information.

Algorithmic attacks don’t need to find such conventional vulnerabilities. They can, for instance, secretly monitor how an algorithm is running or track how much energy a computer is using and use that information to glean secret data that the computer is processing. Algorithmic attacks can also disable a computer by forcing it to use too much memory or driving its central processing unit to overwork.

“These algorithmic attacks are particularly devious because they exploit weaknesses in how resources like time and space are used in the algorithm,” said Suresh Venkatasubramanian, associate professor of computer science and co-leader on the team.

Most hackers currently are not using algorithmic attacks because they are costly, extremely complex, and take the most time. So attackers take the easier route of exploiting current vulnerabilities.

The team will be developing software that can perform an audit of computer programs to detect algorithmic vulnerabilities or “hot spots” in the code. This analyzer will perform a mathematical simulation of the software to predict what will happen in the event of an attack.

“Think of it as a spellcheck but for cybersecurity,” Might said.

Monday, April 6, 2015 @ 04:04 PM gHale

A former FBI special agent got 10 years for accepting bribes to obstruct a grand jury in a Defense Department (DoD) contractor kickback scheme, officials said.

Former Special Agent Robert Lustyik, a 24-year veteran of the FBI, pleaded guilty to all charges in an 11-count indictment on Sept. 29, said officials from the Justice Department (DoJ).

Lustyik pleaded guilty to conspiracy to commit bribery and obstruction, eight counts of honest services wire fraud, obstruction of a grand jury investigation and obstruction of an agency proceeding.

Lustyik’s co-defendants, Michael Taylor and Johannes Thaler, also received sentences of 24 months and 13 months, respectively, for their roles in this scheme.

The DoJ said from October 2011 to September 2012, Lustyik and Thaler conspired to use Lustyik’s official position as an FBI counterintelligence special agent to obstruct a criminal investigation into Taylor, a businessman who owned and operated American International Security Corporation.

Taylor was under investigation for paying kickbacks to obtain a series of contracts from the DoD worth approximately $54 million, officials said.

Taylor promised Lustyik and Thaler in exchange for their help he would provide them cash and multimillion dollar business contracts.

Monday, February 9, 2015 @ 09:02 AM gHale

By Richard Sale
Chinese hackers are a little engine that knows no rest.

And in light of new developments uncovered by ISSSource, because of lax intrusion detection, poor reporting by Defense Department (DoD) contractors, company inattentiveness and old fashioned politics, Chinese hackers are continuing their marauding ways and infiltrating systems and learning more details from the military industrial complex every day.

“China has engaged in a sustained investment in technology for thirty years while U.S. investments in science have too often come in fits and starts and been driven by fads,” said James Lewis, senior fellow and director of the Strategic Technologies Program at the Center for Strategic and International Studies. We can find a new example of the “fits and starts” approach to security and examine its causes.

When it comes to security for defense-related contractors, there is an impression of strength, but the reality is a bit more suspect.

Relating that impression to the manufacturing automation sector, while security awareness has increased substantially over the past few years, actual programs put into action remain on the back burner. But attacks, discovered or surreptitious, continue.

ISSSource reviewed a Senate Report, and dug deep into the documents and the outcome appears dismaying. The documents reveal a curious lack of thinking things through.

The success of Chinese hackers is not due to their keen deftness and skill, but is often the result of ineptitude of some U.S. companies, Lewis said.

“Verizon each year does a survey that concludes that more than 80 percent of corporate-network penetrations required only the most basic techniques, such as sending a bogus email with an infected attachment, and most breaches went undetected for months – another sign of lax security,” Lewis said. “One more sign: They were usually discovered by an outsider rather than the victimized company.” He added breaches go undiscovered for an average of three months.

In other words, China is succeeding not because of their great skill and awareness, but because we are not putting up proper defenses to thwart them. It isn’t difficult to pilfer a safe if it has no locks; it isn’t difficult to burgle a house if it has no doors.

Citing the recent national uproar over the Sony Entertainment breach by North Korea, Lewis added Sony used the word “password” as an administrative “key” when it first ended up hacked in September, with a breach not detected until November. Sony declined to comment.

As we publish, several U.S. states are investigating a massive cyberattack on No. 2 U.S. health insurer Anthem Inc that a person familiar with the matter said is being examined for possible ties to China, but the most startling fact is the data were not encrypted, according to last week’s The Wall Street Journal.

A Case Study
In April of 2013, the Senate Armed Services Committee began a probe into Chinese military hackers who had successfully breached the systems of several transportation companies that do sensitive work for the U.S. military. Its findings, entitled “Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors,” were released last September, and its results have deep strategic implications.

U.S. Transportation Command, or TRANSCOM, the single manager of America’s global defense transportation system, is entrusted with the coordination of people and transportation systems to allow the U.S. to sustain forces, whenever, wherever, and for as long as they are needed, according to its press releases.

TRANSCOM is a little-recognized but vital U.S. military asset: It has the ability to tap civilian air, shipping and other transportation assets to rapidly deploy U.S. forces in times of crisis. Through programs such as the Civil Reserve Air Fleet (CRAF), commercial transportation companies (some of which do little or no CRAF-related business in peacetime), become key elements of TRANSCOM’s plans for moving troops and equipment around the world.

The Senate committee found in a 12-month period beginning June 1, 2012, there were about 50 intrusions or other cyber events into the computer networks of TRANSCOM contractors. At least 20 of those were successful intrusions that involved “advanced persistent threats (APTs),” a term used to designate sophisticated threats. The purpose of the new breach is for malware to find a way into a system, constantly learn how the system operates and then send intelligence back to a command and control center. These APTs are a common attack method employed by nation states or very sophisticated attack organizations.

Other highlights of the study included a Chinese military intrusion into a TRANSCOM contractor between 2008 and 2010 that compromised emails, documents, user passwords and computer code; a 2010 intrusion by the Chinese military into the network of a CRAF contractor in which documents, flight details, credentials and passwords for encrypted email were stolen; and a 2012 Chinese military intrusion into multiple systems onboard a commercial ship contracted by TRANSCOM.

TRANSCOM command relies on a network of large and small private companies and is one of nine unified commands of the U.S. Defense Department. The organization’s knowledge of cyber intrusions into the contractor computer networks depends on the reporting of such breaches by the contractors themselves. But what the probe found was TRANSCOM contractors and subcontractors reported only a small fraction of their breaches. In fact, TRANSCOM was aware of only one of nine successful intrusions, the Senate report said.

Beginning in 2010, TRANSCOM required contractors to report certain cyber security incidents. While 80 U.S. companies were subject to that rule, by August 2013 TRANSCOM had received only two reports of cyber intrusion from the contractors, the report said.

It Gets Worse
The Senate committee also requested information from 11 contractors about cyber intrusions they had experienced between Jan. 1, 2013, and June 30, 2013, and asked whether the intrusions should have been reported. The companies are all involved with shippers, airlines and logistic support. Of the 11 contractors, eight companies said they were not aware of any cyber intrusions during the period in question. The remaining three companies identified 32 intrusions, with 11 of them associated with APTs. The Senate report defined an APT as an “extremely proficient, patient, determined and capable adversary including two or more adversaries working together.”

All 32 intrusions were attributed to China. Of the 11 APT intrusions, TRANSCOM was aware of only one.

The muddle originated in “a lack of common understanding” on the part of the companies about what had to be reported to the government. In fact, none of the contractors interpreted the cyber breach reporting obligation in a manner “consistent with TRANSCOM’s intent.”

It Gets Even Worse
Apparently, the TRANSCOM contract clause about reporting of cyber breaches has the effect of limiting the scope of what must be reported, requiring companies to report only intrusions into the networks that are storing or communicating DoD data at the time of the breaches. TRANSCOM concluded that poor sharing of information by U.S. companies “left the command largely unaware of computer compromises by China of contractors that are key to the mobilization and deployment of military forces” in a crisis.

What then follows are twisted, nitpicking, hairsplitting discussions about blind spots or vagueness in sharing information about breaches. The conclusion said, “Common understanding of reporting obligations is lacking.” (We file that under “do tell.”) The report also said China has “exhibited both the capability and intent to compromise private sector computer networks” used to support TRANSCOM operations. Breaches exploit the systems and their partners, networks and personnel that TRANSCOM relies on to carry out its mission.

“We must ensure that cyber intrusions cannot disrupt our mission readiness,” said Senator Jim Inhofe, R-OK, the committee’s ranking member. “It is essential that we put into place a central clearinghouse that makes it easy for critical contractors, particularly those that are small businesses, to report suspicious cyber activity without adding a burden to their mission support operations.” He said that last September.

Effective Remedies?
In response to the investigation’s findings, the committee included a provision in its version of the National Defense Authorization Act for Fiscal Year 2015 directed at addressing reporting gaps and improving the way in which the Department disseminates information about cyber intrusions into the computer networks of operationally critical contractors, the Senate report said.

Unfortunately, congressional legislation resembles a huge, sluggish, inert dragon whose shiny coils move extremely slowly. People most familiar with this situation have noted some meetings with the U.S. Chamber of Commerce and companies have taken place. These same people assure us the suggested legislative measures will be put in place. “It usually takes a year,” said a source familiar with the situation.

So by September of this year measures to foil breaches by the Chinese should be put in place and begin operation.

But in the world of APTs, malware can load on to a system and sit for years, learning and sending intelligence back home or even waiting until it gets the code to attack. One wonders how many new breaches will have occurred by September or how deeply they will have penetrated U.S. networks by then.

The operations of crime are incessant and ceaseless. They wait for no one.
Richard Sale is a freelance writer based out of Durham, NC, and was United Press International’s Intelligence Correspondent for 10 years and with the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.

Friday, April 4, 2014 @ 04:04 PM gHale

Outside cyber attacks gain the most publicity, but internal incidents are just as worrisome; just ask the Defense Department (DoD).

What concerns DoD officials the most is careless or poorly trained insiders as a source of threats, according to a survey by SolarWinds, an IT management software provider.

In the survey, which addressed cyber security threats and preparedness across the federal government, 41 percent of DoD respondents named insider data leakage/theft as a threat, not far below the 48 percent who identified external hacking.

And although those responses may have come with the disclosures of Edward Snowden and Chelsea Manning in mind, it seems inept co-workers, rather than intentional leakers, are the biggest concern.

Fifty-three percent of DoD respondents cited careless/untrained insiders as a source of security threats, more than foreign governments (48 percent), terrorists (31 percent) or the general hacking community (35 percent). Malicious insiders were at 26 percent of respondents.

SolarWinds conducted the online survey earlier this year of 200 IT and IT security professionals in the federal government, 40 percent of whom worked in the military. The results showed similarities in the concerns of civilian and military agencies, as well as some notable differences.

Overall, the respondents were pretty confident in their IT defenses, with 94 percent rating their cyber security readiness as good or excellent (though more good, at 50 percent, than excellent, at 44 percent).

External hacking was the most common threat in the overall survey, with 50 percent of the respondents naming it, followed by malware (46 percent), social engineering (37 percent) and spam (36 percent), with similar results coming from civilian and Defense agencies.

Differences cropped up in a few areas, though. Only 21 percent of civilian respondents cited insider data leakage/theft as a threat, compared with DoD’s 41 percent. And twice as many civilian respondents (25 percent to 12 percent) named mobile device theft as a threat, perhaps reflecting the fact that DoD has to date eschewed the bring your own device trend. DoD respondents showed more concern than their civilian counterparts about physical security attacks, 25 percent to 13 percent.

Wednesday, October 2, 2013 @ 10:10 AM gHale

Seventeen Carnegie Mellon University (CMU) graduate students earned cyber security scholarships from the National Science Foundation, the Department of Homeland Security’s CyberCorps Scholarship for Service (SFS) Program and the Department of Defense’s Information Assurance Scholarship Program (IASP).

The SFS awards went to nine students in CMU’s Information Networking Institute (INI) and six students at CMU’s Heinz College. The IASP awards went to two INI students.

Both programs share a common goal: to increase and strengthen the number of federal information assurance professionals that protect the nation’s critical infrastructures and national defense.

“As future federal employees, the SFS and IASP scholars delve into challenging engineering and information assurance coursework and engage in interdisciplinary cyber security research. In addition to the emphasis on the technologies and strategies related to cyber defense and cyber offense, CMU’s cyber security curricula explore risk management, economics and policy issues related to reducing vulnerability and securing our national information infrastructure,” said Dena Haritos Tsamitis, INI director and director of education, training and outreach for CyLab. She is also the principal investigator of the grants.

Increased global cyber attacks make the training and retention of cyber security experts a priority of the U.S. government. The National Security Agency (NSA) and the United States Cyber Command designated Carnegie Mellon as a National Center of Academic Excellence (CAE) in cyber operations for 2013-2018. The National Security Agency designated the university as a CAE in Information Assurance Education and a CAE in research.

More than 160 students in the SFS program have graduated from CMU in the past decade. One student in the IASP graduated from the INI in 2012.

Both programs provide full-tuition scholarships and stipends to scholars in exchange for working for the federal government after graduation.

Wednesday, May 8, 2013 @ 09:05 PM gHale

This may not come as a big surprise, but China’s government and military appear to be active participants in cyber attacks against the U.S., a new report said.

The conclusion, contained in the Department of Defense’s (DoD) annual report that evaluates China’s military capabilities, marked another pointed claim by the U.S. government amid rising tensions between the two nations over cyberspace.

The DoD said last year “numerous computer systems around the world, including those owned by the U.S. government, continued to be a target of intrusions, some of which appear to be attributable directly to the Chinese government and military. These intrusions were focused on exfiltrating information.”

The stolen information is useful to a range of Chinese entities, including its defense and technology industries, U.S. policy makers in China as well as military planners, the report said.

Cyber warfare capabilities could complicate efforts to respond during a military confrontation, including causing slow response times by constraining the communication and commercial activities of an adversary, the report said.

China denies it is coordinating hacking campaigns, but computer security researchers point directly to the nation when describing intrusions.

The DoD report also said Russia and China were playing a “disruptive role” in international forums aimed at establishing confidence-building measures and transparency in cyberspace.

Both nations are also pushing an Information Security Code of Conduct, which would give governments sovereign authority over content and information on the Internet. The proposal has quite a few critics.

The U.S. argues existing international humanitarian law should apply in cyberspace. China doesn’t agree, but “Beijing’s thinking continues to evolve,” the report said.

In March, U.S. President Barack Obama’s national security advisor Tom Donilon said U.S. businesses have serious concerns about “cyber intrusions emanating from China on an unprecedented scale.” He called on China to recognize the threat cyber attacks pose to the two countries’ relationship and trade.

In February, computer security vendor Mandiant released a comprehensive report that named a specific Chinese military unit called “61398” as conducting an extensive, seven-year hacking campaign that struck 141 organizations.

The hacking group, also called the “Comment Crew,” was extremely active in targeting U.S. companies and other organizations despite China’s claims it does not permit state-sponsored hacking.

Monday, April 29, 2013 @ 04:04 PM gHale

A policy through which federal departments offered prosecutorial immunity to companies that helped the U.S. military monitor Internet traffic on private networks of defense contractors expanded by Executive Order to include other critical infrastructure industries, according to the Electronic Privacy Information Center (EPIC).

EPIC said the pilot version of the program run with the Departments of Justice (DoJ), Defense (DoD), and Homeland Security (DHS) came to light in June 2011 after The Washington Post published a report detailing the implementation of a new program by the National Security Agency that let it monitor traffic flowing from some defense contractors through certain Internet service providers. At the time, The Washington Post quoted Deputy Defense Secretary William J. Lynn III saying the program was to help thwart attacks against defense firms and the government hoped to expand the program moving forward.

The documents obtained in a Freedom of Information Act (FOIA) request, EPIC said, reveal the DoD advised private industry organizations on the ways in which they circumvent federal wiretap laws in order to aid the DoD and DHS in their surveillance of private Internet networks belonging to defense contractors.

EPIC, digital rights group the Electronic Frontier Foundation, and others fear the program’s expansion would apply to the broad swath of organizations that potentially fall under the vague category of critical infrastructure.

The government has not yet named the program, but EPIC said the NSA has partnered with AT&T, Verizon, and CenturyLink in order to keep tabs on the Internet traffic flowing into and out of some 15 defense contractors, including Lockheed Martin, CSC, SAIC, and Northrop Grumman.

For its part, the NSA said it is not directly monitoring these networks, but is rather filtering their traffic in order to detect the presence of suspicious packets based on a number of malicious code signatures the agency has developed.

EPIC issued a FOIA request in July 2011 requesting the following information: “All contracts and communications with Lockheed Martin, CSC, SAIC, Northrop Grumman, or any other defense contractors regarding the new NSA pilot program; All contracts and communications with AT&T, Verizon, and CenturyLink or any other ISPs regarding the new NSA pilot program; All analyses, legal memoranda, and related records regarding the new NSA pilot program; Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program; Any Privacy Impact Assessment performed as part of the development of the new NSA pilot program.”

The government failed to provide any of this information. So, EPIC filed a FOIA lawsuit on March 1, 2012 and eventually gained access to thousands of pages of previously unreleased documents, which they have posted on their website.

Wednesday, January 30, 2013 @ 05:01 PM gHale

Cyber threats are real and abundant and the government is keenly aware it needs to lock in security policies and procedures.

Just look at what is going on. The Senate keeps pushing for legislation to improve information-sharing on threats and attacks. President Barack Obama is looking to issue an executive order on cyber security and the Department of Defense (DoD) is looking for a massive increase in the number of trained cyber security professionals to defend the country’s private and public networks.

The number of security professionals working on these assignments right now is difficult to narrow down, as quite a few work in agencies that don’t discuss their operations. Also, some work in dual-tasked positions and don’t focus on just one assignment. However, officials from the Department of Defense have been pushing for more funding to hire more trained security professionals.

Now, that push seems to be paying dividends. The Pentagon’s goal is to increase the number of security professionals from fewer than 1,000 to 5,000 in the next few years. Those personnel will comprise military and civilian security professionals, and the goal will be to defend the country’s critical infrastructure as well as government and military networks.

This all comes just a few days after Janet Napolitano, secretary of the Department of Homeland Security, warned a nation-level incident of the scale of 9/11 could occur sometime soon as a result of a cyber attack. Napolitano is not the first to warn about the possibility of such an attack, but is rather the latest in a long line of government officials, presidential advisers and security experts to raise that specter. Security researchers also have warned in recent years about serious vulnerabilities in the SCADA and ICS systems that run much of the network infrastructure in utilities, financial systems and other critical areas.

In October, DHS officials warned SCADA system operators about an increase in the level of malicious activity targeting those systems.

“Asset owners should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities,” the alert said.

The new plan from the Pentagon contemplates the creation of several separate groups of cyber security personnel, each with a different set of responsibilities. One group will defend networks used by critical infrastructure entities like utilities. Another team will be responsible for defensive and offensive military operations in cyberspace, and the third group will work on fortifying the DoD’s networks.

All of the groups will report up to the U.S. Cyber Command, a relatively new arm of the military headed by Gen. Keith Alexander, the director of the National Security Agency.

Friday, November 9, 2012 @ 09:11 AM gHale

A new program is starting up to implement automated monitoring of a set of critical security controls in government IT security this year, to provide a standardized cyber security baseline for agencies.

The effort, launched by the Department of Homeland Security (DHS), will include a set of technical specifications developed in cooperation with industry that would enable the automation of the controls in off-the-shelf products. There also would be a governmentwide dashboard to provide visibility into each agency’s status on the controls and help establish priorities for improvement during the current fiscal year.

DHS unveiled the plans in conjunction with the release Nov. 5 of the latest version of the top 20 Critical Controls for Effective Cyber Defense and the news of a new international organization to oversee development of the consensus controls and promote their use in government and industry.

DHS, along with the National Security Agency, the Defense Department, the Defense Information Systems Agency and the DoD Cyber Crime Center, are among the members of the Consortium for Cybersecurity Action, which will maintain and update the list.

The critical controls, formerly the Consensus Audit Guidelines, are a set of security requirements developed in cooperation by government and private sector experts and published by the Center for Strategic and International Studies (CSIS) and the SANS Institute. Growing adoption of the controls in both government and industry has created the need for a more formal organization to house and maintain them, said former NSA official Tony Sager, who will lead the effort.

“It had to be a little more standardized,” said Sager, who retired as chief operating officer of the NSA’s Information Assurance Directorate in June. “If major organizations are going to make IT policy and spending decisions based on it, they have to know it will be there in two or five years.”

The critical controls are a reflection of the 80/20 rule at work in cyber security: Twenty percent of the effort produces 80 percent of the results. The controls are an effort to identify the 80 percent payoff that can prevent or mitigate the bulk of the attacks against IT systems today. By automating the application and monitoring of these basic security functions, resources and manpower could be free to address remaining more sophisticated challenges that require greater attention.

Development of the critical controls began in 2008 under the auspices of the CSIS in cooperation with other groups including NSA, US-CERT, DoD, Energy Department Nuclear Laboratories and the State Department. Their use at the State Department has gained attention as a way to measure and reduce meaningful vulnerabilities in widespread IT systems. The new consortium will have no power to require use of the control list, and its authority will come from the combined weight of its members.

Such a system does not provide complete security, but advocates said it helps focus security investment in the most needed areas and frees needed resources for more complex threats. By updating the list regularly to reflect changes in the threat landscape, the consortium will try to ensure that priorities remain properly focused.

The DHS program for implementing an initial set of five critical controls has been funded for fiscal 2013, which began Oct. 1. Capabilities will expand to other controls if funding is available. The department expects to issue a request for proposals that would provide a blanket purchase agreement for off-the-shelf automated monitoring tools for the initial set of controls:
• Hardware asset management
• Software asset management
• Configuration management
• Vulnerability management
• Network access control management

Monday, September 17, 2012 @ 04:09 PM gHale

U.S. power grids and other civilian infrastructure are not prepared for electromagnetic pulses (EMP) that could result from weapons or violent space weather, according to a congressional subcommittee hearing last week.

There are serious flaws in the nation’s infrastructure that could allow for EMP events to shut down power and communications for extended periods of time, said panelists at the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, headed by Chairman Dan Lungren, R-CA.

“Our civilian grid, which the Defense Department relies upon for 99 percent of its electricity needs, is vulnerable to these kinds of dangers,” Rep. Trent Franks, R-AZ, testified during the hearing. Franks, one of the leaders of the Congressional EMP Caucus, sponsored legislation in 2011 to protect U.S. infrastructure in the event of an attack by an EMP weapon.

Michael Aimone, a director of business enterprise integration at Defense, said the Pentagon had pursued a “two-track approach” to mitigate the impact an EMP attack could have on Defense facilities. He said his plan relied on in-house capabilities to maintain power and electronics and a means to communicate and coordinate with outside partners.

“DoD recently adopted an explicit mission assurance strategy, which is focused on ensuring operational continuity in an all-hazard threat environment,” Aimone said.

EMP disruptions and attacks can come from different types of events, including high-altitude or low-altitude nuclear weapons detonations, locally based radio frequency weapons, and solar weather. One of the largest impacts from an EMP-based disruption was in Quebec in 1989, when nearly 6 million people lost power because of a geomagnetic storm.

Brandon Wales, of the Homeland Security Department’s National Protection and Programs Directorate, said DHS was working with federal agencies on contingency plans for an EMP event. He said Federal Emergency Management Agency was establishing lines of communication with key agencies in case an EMP event occurs, and that Homeland Security Secretary Janet Napolitano had commissioned a report in 2011 to study the impact of space-based EMP attacks.

“DHS has pursued a deeper understanding of the EMP threat, as well as its potential impacts, effective mitigation strategies, and a greater level of public awareness and readiness in cooperation with other federal agencies and private equipment and system owners and operators through various communications channels,” Wales said.

Common standards for power grid equipment are a major issue, said Joseph McClelland, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. He said current standards to protect infrastructure and equipment do not address the many levels within the power grid and should undergo an update.

“Protecting the electric generation, transmission and distribution systems from severe damage due to an EMP-related event would involve vulnerability assessments at every level of electric infrastructure,” McClelland said.
