Idaho lab concentrates on cyber-security

In a gray office building across from the scenic Snake River, analysts from the U.S. Department of Homeland Security sift through the latest threat information on double-paneled, flat-screen computer monitors.

They are not searching for rogue missile launches or terrorist plots, as other analysts do in other secure government rooms elsewhere in the U.S. Their job at the Idaho National Laboratory is to find and stop what experts warn is a growing risk to America: a cyber-attack that could disable water systems, chemical plants or parts of the electrical grid.

Terrorist groups don’t have that capability yet, but they could one day, experts say. Attacks could come from disgruntled employees or criminal networks intent on extortion, publicity or mischief. China, Russia, Iran and North Korea already have cyber-weapons that can target critical nodes in the U.S. economy, including utilities and private industry.

Outsiders “are knocking on the doors of these systems, and there have been a lot of intrusions,” said Greg Schaffer, a deputy undersecretary of Homeland Security.

The U.S. Cyber Consequences Unit, a government-sponsored think tank, has concluded that hackers conceivably could crash trains, cause chemical spills, and darken the electrical grid. No such disaster has occurred in the United States, but the number of probes is growing.

As more utilities and industries link their computer networks to the Internet, shadowy adversaries regularly probe the control systems that run crucial infrastructure, officials said during a tour of the cyber-security unit at the Idaho lab, long one of the nation’s top nuclear research facilities.

For years, industry leaders doubted a cyber-attack could cause physical harm. In 2007, scientists at the Idaho lab proved otherwise. In an experiment, they hacked the control system for a large diesel electrical generator — the kind used widely in U.S. power plants — causing it to self-destruct.

Further proof came with the so-called Stuxnet attack, in which computer malware targeted a uranium enrichment facility in Natanz, Iran, and caused centrifuges there to spin out of control. It showed a digital weapon could cause major damage.

Stuxnet was a “game changer,” said Marty Edwards, who leads the cyber-security effort at the lab. It made people recognize the destructive potential of cyber-attacks on industrial control systems.

Many outside experts believe U.S. agencies helped create the Stuxnet virus. The sophisticated malware took advantage of previously unknown vulnerabilities in the Windows operating system and targeted a specific type of Siemens controller used to run Iran’s centrifuges.

Edwards denied speculation that the Idaho lab, which conducted a vulnerability assessment of the Siemens controllers before Stuxnet first appeared in 2009, passed information to U.S. intelligence agencies that helped them target Iran’s nuclear program.

“There was no research that was done [here] that was leveraged to create Stuxnet,” Edwards said. He said the lab had identified “intrinsic system design flaws that have been known in the industry for years.”

More than 90% of U.S. infrastructure is in private hands, and except for nuclear power plants, no regulations govern how to secure systems against cyber-attacks. Companies aren’t required to report attacks unless they compromise consumers’ personal data and trigger state disclosure laws.

Many cyber-attacks go unreported, experts say, because companies fear the financial and public relations consequences of disclosure.

The analysts in the Idaho watch center get their threat information on an ad hoc basis — some from the FBI and intelligence agencies, some from companies, some from news reports.

“Clearly, not everything comes to us,” Schaffer said.

Officials said the lab’s experts responded to 116 requests for assistance in 2010, and 342 so far this year.

The Obama administration has proposed requiring companies and utilities to hire commercial auditors to assess cyber-security risk and mitigation plans. Public companies would have to certify to the Securities and Exchange Commission that their plans were sufficient.

The proposal faces an uphill battle in Congress, where several cyber-security bills are pending. None are expected to pass this year.

“There are still folks who are in denial,” said Mike Assante, former head of cyber-security efforts for the electric utility industry, adding that an attack that damages crucial infrastructure is inevitable. “It’s a matter of time.”