Critical Infrastructure, Critical Vulnerabilities Dr. Barry S. Hess November – December 1996
Perspective • Team had no a priori knowledge of the critical infrastructure and its vulnerabilities • Initial search plan focused on attaining background information on the various aspects of the critical infrastructure • “Target” choice driven by information • Quantity and fidelity of information were sufficient for a vulnerability analysis
Information Vulnerabilities • The physical “Fortress America” does not protect U.S. in the information age • Several national-level “IW” wargames have examined this issue, and each has run to the same probing question: • “Can we defend ourselves against an IW attack?” • Executive Order 13010 of 15 July 96 “Critical Infrastructure Protection” and its President’s Commission on Critical Infrastructure Protection are steps in the right direction
Critical Infrastructure • Gas and oil storage and transport • Electrical power systems • Telecommunications • Transportation • Continuity of Government • Emergency services • Water supply • Banking and Finance
Critical Infrastructure: Electrical power systems • Information about power generation and distribution easily found • Nuclear Power intriguing • Previous government statements (FBI Intelligence Division Congressional testimony March 19, 1993) seemed to dismiss potential of attack, yet on-line information showed vulnerabilities • Web sites from the Nuclear Regulatory Commission (NRC) and Florida Power and Light (FPL) expanded knowledge base
Context Defense Science Board Task Force on Information Warfare-Defense: • Threat of “IW” attack “significant” • Nation’s “vulnerabilities are numerous, [and] the countermeasures are extremely limited...” • “. . . current practices and assumptions are ingredients in a recipe for a national security disaster . . .”
DSB Threat Assessment* [Figure: threat chart. Threats listed: Incompetent Hacker, Disgruntled Employee, Crook, Organized Crime, Political Dissident, Terrorist Group, Foreign Espionage, Tactical Countermeasures. Legend: Validated Existence*; Existence likely but not validated; Limited; Widespread. * = Validated by DIA]
Information Age Terrorism • Terrorism thrives on fear • Double-edged sword • The possibilities……. Source: www.businessmonitor.co.uk/docs/proc/HD02/TERROR.html
Methodology • Totally unclassified • Internet-based “collection” • Identify “cyber” vulnerabilities • Identify physical vulnerabilities • Assess impact of two taken together Use the Internet for intelligence collection on high impact “targets”
Perspective • “FBI considers nuclear power plants unlikely targets for terrorist attack because they are relatively well-protected and hard to attack without great risk to the attackers.” (Senate Testimony, 19 March 1993, FBI Intelligence Division spokesman) • 7 February 1993 • 26 February 1993 • 20 March 1995 • 19 April 1995
Target Selection • Criteria: • Accessibility • Plausible deniability • Maximum fear potential • Combination of cyber and physical attack possible • Ease of reconnaissance
Target St. Lucie Nuclear Power Plant Source: www.nrc.gov/AEOD/pib/reactors/335/335toc.html
Target Selection • Florida Power and Light (FPL) • Serves about 50% of Florida (7 million people) • Nuclear power provides 25% of FPL’s energy • One megawatt meets the electric needs of 300 homes and businesses • One Nuclear Plant outside of Fort Pierce, the St. Lucie plant, has recently had some problems • Nuclear plant attack: high physical and psychological impact Source: www.fpl.com/fplpages/aboutus.htm (and others)
St. Lucie Nuclear Power Plant Source: www.nrc.gov/AEOD/pib/reactors/335/335toc.html Source: www.co.st-lucie.fl.us/bigmap.html
Recent Incidents: St. Lucie Nuclear Power Plant • 26 Sep 1995: Two pressurized valves improperly installed • 2 Nov 1995: NRC cited seven violations • 24 Jan 1996: 61 positions eliminated • 31 Mar 1996: 350-gallon spill of “slightly radioactive” water • 14 Aug 1996: Back-up control room safety switches glued shut - $10,000 reward offered to find/convict saboteur • 10 Jan 1997: As a result of November 1996 NRC special design review, NRC fines Florida Power & Light $100K … security, emergency preparedness, instrumentation modification • 27 Mar 1997: NRC Region II met with FPL to discuss recent plant performance • 16 May 1997: NRC Region II met with FPL to discuss worker complaints filed with NRC, 41 in 1996, double the 1995 number • 2 Sep 1997: Unauthorized entry into the protected area occurred Source: www.pbpost.com/pbbiz/top50/(assorted) www.fpl.com/fplpages/news.htm
Operating Parameters (St. Lucie Nuclear Power Plant) • NRC docket number: Reactor #1 50-335; Reactor #2 50-389 • Electric capacity (MW): Reactor #1 830; Reactor #2 830 • Initial criticality: Reactor #1 22 April 1976; Reactor #2 2 June 1983 • Commercial operations: Reactor #1 21 December 1976; Reactor #2 8 August 1983 • Reactor type: Pressurized Water Reactor (2-loop) • Reactor manufacturer: Combustion Engineering* • Number of fuel assemblies: Reactor #1 217; Reactor #2 217 • Number of fuel rods / assembly: Reactor #1 176; Reactor #2 236 Source: www.nrc.gov/AEOD/pib/reactors/335/a/335atxt.html www.nrc.gov/AEOD/pib/reactors/389/a/389atxt.html www.abb.se/atomweb/atomweb2.htm * = CE is now a subsidiary of ABB Atom AB, Sweden
St. Lucie Nuclear Power Plant: Site Plan Source: www.nrc.gov/AEOD/pib/reactors/335/335toc.html Source: www.nrc.gov/AEOD/pib/reactors/335/b/335b010.html
St. Lucie Nuclear Power Plant: Blueprints Source: www.nrc.gov/AEOD/pib/reactors/335/d/335d021.html www.nrc.gov/AEOD/pib/reactors/335/d/335d028.html Source: www.nrc.gov/AEOD/pib/reactors/335/335toc.html
Graphic Representation of Power Line Route St. Lucie Detail Mapping source: www.landinfo.com
Fuel Storage • New fuel stored dry in vertical racks in Fuel Handling Building • Spent fuel stored on-site in borated water pools (also located in Fuel Handling Building) • Reactor #1 has 300.1 MTU irradiated fuel stored on-site • Reactor #2 has 175.9 MTU irradiated fuel stored on-site • Fuel moved between Fuel Handling Building and Reactor Building via fuel transfer tubes Source: www.nrc.gov/AEOD/pib/reactors/335/c/335c002.html www.nrc.gov/AEOD/pib/reactors/389/c/389c002.html www.prop1.org/prop1/radiated/fl0rept.htm
Key FPL Personnel • Art Stall—Florida Power & Light Vice President, St. Lucie Plant • John Scarola—Plant Manager, St. Lucie Plant • 2400 S Ocean Drive, Fort Pierce, FL 34949-8019, (561) 465-8052 • Ed Gambon—Technical Support Supervisor, FPL • 1501 S Ocean Blvd., Pompano Beach, FL 33062-7432, (954) 941-2015 Source: www.pbpost.com/pbbiz/top50/(assorted) www.fpl.com/fplpages/news.htm www.switchboard.com
John Scarola 2400 S. Ocean Drive Fort Pierce, Fl 34949 (561) 465-8052 St. Lucie Nuclear Power Plant Key Plant Personnel Source: www.pbpost.com/pbbiz/top50/(assorted) www.fpl.com/fplpages/news.htm www.switchboard.com www.streetatlasusa.com
Evacuation Routes Source: www.nrc.gov/AEOD/pib/reactors/389/b/389b011.html Source: www.nrc.gov/AEOD/pib/reactors/389/b/389b015.html
Mr. Joseph F. Myers 4010 Harpers Ferry Drive Tallahassee, FL 32308-9440 (904) 386-6632 myersj@dca.state.fl.us Emergency Response Source: www.nrc.gov/AEOD/pib/reactors/389/b/389b018.html www.nrc.gov/AEOD/pib/reactors/389/b/389b021.html www.worldpages.com/worldsearchrl
Emergency Response * Source: www.nrc.gov/AEOD/pib/reactors/389/b/389b019.html www.nrc.gov/AEOD/pib/reactors/389/b/389b023.html * St. Lucie County = Local Emergency Planning Committee, FL District 10
Florida State Warning Point • Communications Capabilities • Commercial Telephone System (POTS) • Hot Ring Down System (HRD)* • Emergency Satellite Communications System (ESATCOM)** • Computer-Based Bulletin Board (dial-up capability) • High Frequency Radio • VHF-UHF-800 Radio (regional relay stations) • PROACTiv Decision Line (e.g., tele-conference) • SunCom Network (e.g., DSN with 11 switches) • National Alerting and Warning System (NAWAS) • Amateur Radio * = Primary emergency comm link ** = Secondary emergency comm link Source: www.state.fl.us/comaff/DEM/RESPONSE/SWP/(assorted)
Key Emergency Contacts • Local FEMA POC: FEMA Region 4, Atlanta GA • Local NRC POC: Richard Prevatte, St. Lucie Plant Senior Resident Inspector; Mark Miller, St. Lucie Plant Resident Inspector • State of Florida Emergency/Disaster POC: Joseph Myers, Director, FL Div. of Emergency Management; William O’Brien, Area 7 Coordinator (includes St. Lucie County), FL Bureau of Preparedness & Response • Local City Government Leaders: Dennis Beach, City Manager, Ft. Pierce; Edward Enns, Mayor, Ft. Pierce; Donald B. Cooper, City Manager, Port St. Lucie; Robert E. Minsky, Mayor, Port St. Lucie • Local Fire/HazMat POC: Paul Haigley Jr., St. Lucie County Fire Chief Source: www.state.fl.us/comaff/DEM/HTML/emerge.html www.state.fl.us.DEM/RESPONSE/SWP/perlist.html www.pbpost.com/fyi/slgovt.htmrl
Key Emergency Contacts • St. Lucie County Government officials: Tom Kindred, County Administrator; Ron Brown, Public Works Manager; Morris Adger, Port Director; Curtis King, Airport Director; William Blazak, Utilities Services Manager • Local Sheriff/Police Chief: R.C. Knowles, Sheriff of St. Lucie County; J. Mahar, Chief of Police Ft. Pierce; C.L. Reynolds, Chief of Police Port St. Lucie Source: www.pbpost.com/fyi/slgovt.htmrl www.co.st-lucie.fl.us/DIRECTORY/GOV.HTML www.co.st-lucie.fl.us/DIRECTORY/POLICE.HTML
Power Delivery System Comms Backbone • FPL LeJeune-Flagler office outside Miami controls network • 9250 W Flagler St, Miami FL 33174 • 2 Synchronous Optical Networks (SONET) • ATM backbone - 8 Northern Telecom (Nortel) Magellan Passport Model 160 switches to integrate/improve capacity of 2 SONETs • 16 slot design, voice and data • Unit-specific cooling required • Know installed unit size, network protocols and power requirements • Reconstitution extremely difficult: Nortel engineers spent months configuring network Source: www.nortel.com/home/press/19996c/9_30_96_283FPLMagellan.ht www.nwfusion.com/cgi-bin/gate2?I33xE/1WbUeg01/1Ek1Eb/x3 www.nortel.com/entprods/magellan/products/pp-glo.html
Disaster Recovery of Data • FPL uses an IBM ADSTAR Distributed Storage Manager for data back-up and recovery • Back-ups done on an IBM 3390 Model 9 in Miami, then sent over a T-3 line to an auto tape library 110 miles away • Backup volumes and basic databases then physically moved off-site for storage • Daily back-ups for entire company are done on 239 platforms • 105 AIX and HPUX servers • 93 Novell servers • 41 Windows, OS/2, and Macintosh workstations Source: www.storage.ibm.com/storage/software/adsm/adsmfpl.htm
St. Lucie County Telecommunications • Radio: Commercial & Infrastructure • Frequency assignments • Physical locations • TV: Broadcast & Cable • Frequency assignments • Physical locations • Telephone • Wire • Wireless • Infrastructure • Telephone numbers, frequency assignments • Physical locations
Radio • Commercial • Local radio stations • EAS Local Primary 1 & 2 • Call letters & frequencies ([LP1] WRMF-FM 97.9 / WJNO-AM 1230; [LP2] WQCS-FM 88.9) • Office locations & key personnel • WRMF & WJNO, P.O. Box 189, West Palm Beach, FL 33401 • Lat/long & orientation of transmission towers/antenna(s) • WRMF: N263437 W0801432 • WJNO: N264336 W0800303 • WQCS: N272517 W0802123 • Infrastructure • Telephone numbers, assigned radio frequencies, and locations of city/county police, fire, and rescue departments • Assigned radio frequencies used by local telephone and electric power companies • Assigned radio frequencies for FEMA, DOE National Emergency Search Team and other national emergency medical services Source: www.co.st-lucie.fl.us/DIRECTORY/RADIO.HTML www.radiostation.com/cgi-bin/fmcall tiger.census.gov/cgi-bin/mapbrowse fcn.state.fl.us/oraweb/owa/teldir.county_query_22 www.fab.org/opareas.html
PSTN Locator • $100 can purchase software and database containing all U.S. Telecommunication Switching Centers • Company Name • Switch Name & identifier • Area code and exchanges serviced • Lat / Long (To second) • Architecture • Switch features • Distance to other switches
Electric Power Grid • Utilities buy and sell electricity to each other via consortia called power pools • Power pool's principal mission is to coordinate, monitor, and direct the operations of the major generating and transmission (bulk power system) facilities Source: www.epri.com
Joint Transmission Services Information Network (JTSIN) • Federal Energy Regulatory Commission mandated electric utility industry share transmission capacity data on a network • Internet-based because infrastructure exists • JTSIN will use: • Microsoft SQL Server databases and Netscape’s FastTrack Web server • OS is Windows NT on 150-MHz Pentium servers Source: techweb.cmp.com/582/pf97/82ioutl.htm
Inter-Control Center Communications Protocol (ICCP) • Provides utilities a standardized, flexible method for exchange of real-time operational data (basically a WAN) • Has a real-time interface to power plant control systems • Suitable for dispatch and security operations associated with Independent Grid Operators, regional pools and security centers, and transmission control centers • Has open standard interfaces for both real-time and historical power system monitoring • System accepts dial-up modem protocols (TCP/IP) or DECnet protocols • Prototype ICCP version 5.1 uses DEC Alpha computers running OpenVMS operating system (Electric Reliability Council of Texas) Source: www.epri.com/pdg/pf97/gop/gop1_18.html www.pacifier.com/~nsrvan/iccp/iccp.htm www.livedata.com/ICCPwp.htm
Collection Plan • What we know • Site plan and schematics; recent history of “insider” problems • Leadership, with addresses, e-mail, fax and phone numbers • Emergency evacuation routes, and notification procedures • Emergency communications plans and frequencies • Plant computer systems and back-up procedures • Details of power distribution monitoring network • Interface into the North American power grid, entry protocols to real-time interface with power generation • What we don’t know... yet • Details “of security plans and equipment, and response weapons and tactics” (March 24 Letter from NRC) • Worker schedules, plant routines, etc.
Not My Problem? • “Congress mandated by the Sunshine Act that much of what your team found should be provided to the public.” • “…an act that preys on public fears… or assassinates key staff… not be regarded by the NRC as “successful” if there is no danger to the public health and safety from the operation of the facility. Furthermore, the NRC does not have the regulatory authority to address these acts.” • NRC letter to my team; 24 March 1997
Assessment • “Intelligence” gathered from the Internet reveals infrastructure vulnerabilities • Continued unrestricted access to information will empower adversaries • Information may not be perfect, but it may give “80% solution” • Collection and integration of information is simplified; agent actions limited and focused