Do Government and Critial Infrastructure Sectors Communicate?
In the Spring 2007 edition of FrontLine Security, I described the work underway to develop voluntary partnerships between those who own and operate our critical infrastructures and their U.S. and Canadian governments. These partnerships will help establish trusted mechanisms to share information between governments and the critical infrastructure (CI) sectors; information that is essential to address the threats and hazards that could disrupt the reliable delivery of basic services such as telecommunications, electricity, water, fuel, and natural gas.
In the United States, the partnership framework has been formally established since June 2006 by the Department of Homeland Security’s (DHS) National Infrastructure Protection Plan. Regular meetings take place between the CI sectors (see table below) and their U.S. government counterparts. Joint accomplishments were publicly presented at a July 2007 conference in Washington DC. In Canada, Public Safety Canada has held continuing consultations with the provinces on its National Strategy for Critical Infrastructure Protection.
There was some hope the Strategy would be adopted at the January 2008 meeting of the Federal/Provincial/Territorial ministers in Halifax. This did not occur, however, certain Provinces, with the support of some of the more proactive CI sectors, continue to encourage and pursue the development of critical infrastructure assurance programs.
Why Share Information?
The ability to share information quickly with the right people is an essential tool that is absolutely critical when responding to emergencies. In fact, it is our strongest defence against physical and cyber threats. If there is a clear picture of the threats we face, the CI sectors can describe to governments the actions they are taking, and the extent of any residual risks. Governments learn who they need to work with in the CI sectors, and develop confidence that the sectors can effectively respond to threats and incidents. The result: we are all forewarned, forearmed, and better able to help ensure secure, safe, and reliable critical infrastructure services.
Sharing Routine Information
Since 9/11, both the U.S. and Canadian governments have established some mechanisms to routinely share information with the CI sectors. Daily summaries of open-source material related to emergencies and security events are distributed by email, classified as For Official Use Only (FOUO). Both governments also issue declassified intelligence assessments on specific topics; these could be further enhanced by involving the CI sectors as reviewers to help ensure the information is relevant and actionable. In some instances, government agencies have sponsored industry representatives to obtain Secret level clearances, and periodic classified briefings are held. Although well intended, these briefings have limited value. Secret level briefings have rules; classified information cannot be distributed further within the CI sector, except to others with secret level clearances on a need-to-know basis, which inherently limits the usefulness for CI sector use.
These briefings have proved helpful in other ways, however, providing benefits that don’t necessarily require a level of secrecy. They provide a forum for government and industry representatives to meet, share and collaborate. They also provide an opportunity for the CI sector representatives to get to know each other and discuss issues of common interest, such as interdependencies. Such face-to-face conversations form the beginnings of the trusted relationships that are invaluable when responding to the next emergency or incident. It’s all about knowing whom to call during the early stages of an emergency, when it is too late to exchange business cards for the first time.
When Real Incidents Occur
During real incidents, the U.S. Department of Homeland Security is able to quickly reach the leadership of the CI sectors using its Executive Notification Service. This system provides a mechanism to convene a conference call quickly with the CI sectors to exchange information from credible sources, including government intelligence authorities. This process proved successful in 2007 during the U.K. car bomb plots in June, and the California wild fires in October. Perhaps not surprisingly, real events tend to focus attention on solving the right problems.
Security Threats – Real and Perceived
In contrast to the effective information exchange that occurs when actual events arise, sharing information appears to be most difficult when dealing with potential or real security threats. While the benefits of sharing this information seem obvious, for whatever reason, we have had limited experience or success so far. A recent example that eventually attracted intense media interest shows us that the challenges are formidable.
A Case Study: The “Aurora” Vulnerability
In 2006, a U.S. Department of Energy’s national laboratory began researching whether it was possible to disrupt the operation of the grid by remotely accessing the types of digital electronic devices used by the energy sector. The project was named “Aurora.” After months of research, the lab discovered a potential vulnerability and advised the Department of Homeland Security. The lab’s research and computer models indicated that, without proper cyber security protection in place, “hacker” actions could result in the disruption of an electric generator. In early 2007, the lab informed a few electricity industry representatives (that had Secret-level clearances) of their findings, and a field test in March demonstrated that physical disruption of a small generator was possible under the right circumstances.
The industry representatives had a different view of the potential threat. The need for cyber security was not new to the electricity industry; voluntary guidelines and standards had been in place since 2002, and more comprehensive standards were in the process of being implemented (enforced through sanctions and penalties for non-compliance). For all practical purposes, with the right protection in place, the vulnerability did not exist. Industry experts did agree that in order to prompt companies to take any necessary action, information describing this potential vulnerability needed to be shared more broadly across the industry than could be done by maintaining the Secret-level clearance.
To that end, DHS supported a briefing of the members of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection Committee in a closed-door session for members only.
Just the Right Information
Obviously, the details of the vulnerability and the specific “hacking” method and the technical details remain today a tightly guarded secret. But, individual electricity companies needed to understand the threat.
It was a struggle to decide what information needed to be shared, and the limits of its distribution. If all the information was classified, the industry would not have the access it needed to take the appropriate action. At first, the information dissemination did not involve an important third party – manufacturers of the digital devices that were subject to the potential threat. This was troubling to the electricity industry which knew the device manufacturers were in the best position to provide advice on how to secure their devices and develop necessary security enhancements. The electricity companies own and operate the generation, transmission and distribution facilities that make up the electricity grid, but they don’t design and manufacture the devices. Excluding the manufacturers precluded a key and knowledgeable resource addressing this risk, until they were finally brought into the picture in mid-2007.
Under the leadership of NERC, a small team of government and industry cyber security experts developed written guidance describing actions that owners and operators across North America could take to eliminate or mitigate this vulnerability.
Then came the hard part – addressing vulnerabilities meant sharing at least some of the details with a thousand electric utility companies across North America. It was one thing to share sensitive info with a small number of industry experts, quite another to spread it across an entire industry sector. However, enough detail needed to be shared so that companies would examine their own equipment and take action. Given the necessarily broad distribution, this guidance had to be written in a way that would conceal details that could further fuel the risk, yet still provide enough info to be helpful to the industry. This “ES-ISAC Advisory,” as it became known, was distributed widely to the industry on June 21, 2007.
At this stage, the ES-ISAC Advisory would soon become public, and the electricity sector agreed to refer any media enquiries to DHS officials. CNN interviewed a DHS Under Secretary, and broke the story on September 21st by also showing dramatic video footage of the March field test that destroyed the small generator. Well-intended efforts to limit the information to a “need to know” audience were incorrectly interpreted by some as being an attempt to conceal even greater threats.
The lack of clear and consistent information describing the vulnerability created a fog of misperceptions that frustrated both government and industry – now, it threatened to unnecessarily alarm the public.
Overcoming the Challenges
The Aurora experience has helped us identify the challenges associated with sharing information, but it’s certainly not the only example. At this point in the evolution of the government/private sector partnership, such challenges might seem insurmountable to some. While government agencies and the private sector may appear to have differing agendas, this is not the case. Both parties want and need to demonstrate leadership in addressing security and public safety issues. Both want to manage costs, and in doing so, and they must effectively assess the risk of potential or actual threats so that appropriate and preventive actions are taken.
Stuart Brindley is the Manager of Training and Emergency Preparedness at Ontario’s Independent Electricity System Operator, and past Chairman of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection Committee.
© FrontLine Security 2008