Secret cyber-terror test is now revealed
By Janell Ross
Date: January 21, 2004
State paid firm for fake attack on power grid.
A mock cyber-terrorist attack temporarily took over the flow of electricity in a large section of northwest Nueces County late last year but only became public this month.
Tension between the public's right to know and the shared government/public interest in national security has taken local meaning in the days since the simulation was revealed by the private company that was paid by the Texas Department of Information Resources to conduct the test.
On Sept. 16, 2003, those involved in the drill pretended that traffic lights along with power in large retail facilities and homes on either side of Farm-to-Market Road 624 were out. There were no lines down, no storms in the area and the Robstown offices of the company that delivers power to much of the area, the Nueces Electric Cooperative, had not been physically damaged or invaded.
How should electric cooperative, state and federal officials react to the situation?
That was the problem more than 30 Nueces Electric employees faced during the test, said Mel Mireles, director of enterprise operations for the Department of Information Resources.
That is also the question that Mireles and other officials involved in the September simulation have declined to answer publicly. A report detailing the vulnerabilities and strengths in the software system and employee network that controls Nueces Electric Cooperative's power delivery grid will be released to the company some time this month, Mireles said.
The results of the test will not be made public because of the detailed information that it will contain about the way that the company's system, employees and equipment work.
"I think we can have quite a debate about whether the public is safer when things are secret," said Charles Davis, the executive director of the Freedom of Information Center at the University of Missouri School of Journalism.
Davis said that documents much like this one are being withheld from the public with increasing regularity. The post-Sept. 11 hope is that secrecy will make the country safer and make its critical infrastructure less vulnerable to sabotage or terrorism, Davis said.
Disclosing specific lessons learned during the September exercise, suggestions to the company about how to reduce the system's vulnerability to cyber attack, and changes the company needs to make would only increase the power grid's vulnerability, said Mark Fabro, chief security scientist for Virginia-based American Management Systems.
"For all intents and purposes, this was like a war game," Fabro said.
The Texas Department of Information Resources paid American Management Systems $57,000 to design and conduct the Robstown simulation as a part of its efforts to identify vulnerabilities in the state's critical infrastructure systems such as water, power, banking and transportation.
"This was a detailed exercise dealing with highly sensitive information about a part of the country's critical infrastructure," Fabro said. "There are some things that cannot be revealed because of national security concerns. But I assure you that these exercises are tremendously useful tools. Tests allow us to evaluate vulnerabilities in a controlled environment."
Although the test was paid for with public funds, the Department of Information Resources' decision not to make the simulation results public may be covered under an exemption to the state's freedom of information act that passed the Texas Legislature in May 2003.
The Legislature passed a homeland security bill that includes Freedom of Information exemptions for a number of documents including information regarding the assembly of weapons, encryption codesand documents revealing the technical details of vulnerabilities to critical infrastructure. The exemptions apply only to information that is collected or maintained by or for a governmental entity for the purpose of preventing, detecting, responding to, or investigating an act of terrorism.
Davis said that the effectiveness of homeland security provisions that restrict access to information is in the details.
"The sort of instinctive response after Sept. 11 was 'close it and we will be safer,' " Davis said. "And there may be some cases where secrecy is necessary. But we need also to be having conversations about the value of access."
What is known about the test conducted in Robstown is that employees present at the exercise were given no warning about the simulation, and no clear indications as to what might be causing the mock power outage, Fabro said. They were given a series of false data sets about the company's electricity delivery system, real and fictional news about international, national and local events, and asked to respond. The exercise stretched over eight hours and simulated the effects of a cyber-based attack.
The Department of Information Resources commissioned the test because of the large role computer systems, software, the Internet and satellites play in controlling everything from the flow of water into homes to the ability to purchase gas at the pump without ever going inside a store, Mireles said.
"Convenience allows us to overlook how much technology really controls," Mireles said. "In truth, you can have guards, all kinds of security and alarms at physical facilities. But, without cyber-protection, these systems remain vulnerable."
Robstown was selected for the test after an American Management Systems analysis showed that the city had the type of physical facilities needed for a high-tech fire drill but lacked some of the infrastructure safeguards put in place in larger cities after Sept. 11.
Fabro said that power or other system failures in one small city or area could easily lead to the sort of cascading power failure that occurred in the northeastern United States in August.
Nueces Electric Cooperative delivers power generated by the South Texas Electric Cooperative to about 9,000 residential and commercial customers in eight South Texas counties. The electric cooperative's power delivery network is part of a nationwide power grid.
David Cotz, a director of research and development at the Institute for Security Technology Studies at Dartmouth College, said the threat of cyber terrorism or infrastructure system sabotage is difficult to quantify but does exist.
In addition to the potential for system sabotage, the possibility of equipment failure and human operator error make tests like the one conducted in Robstown more and more necessary, Cotz said.
"The average person probably doesn't need to be worried about it," Cotz said. "But it is essential that people who work in critical infrastructure begin to prepare themselves for the possibility."
Companies of all kinds, particularly those involved in industries that the Department of Homeland Defense has earmarked critical infrastructure, are increasingly concerned about system and information security, Chris O'Connor said. O'Connor is the director of corporate security strategies for IBM.
Davis said that in order for people to feel truly protected by events such as the September test, people need some sense of where the company's system stood and what sort of rating or assessment the company's system received from the Texas Department of Information Resources after the test.
As it stands, only personal concern, professionalism and desire to preserve the company drives employees and officials of private companies to eliminate vulnerabilities, Davis said. Public scrutiny can and should also play a role in homeland defense.
This view of anti-terrorism activity is somewhat unpopular and leads some people to challenge his patriotism, Davis said.
"It is the obligation of citizens to check on government and make sure it is effective," Davis said. "That is the job of a real patriot. There may be a legitimate need for some secrecy here. But blind deference to bureaucrats imperils us all."
^macro[showdigestcomments;^uri; Secret cyber-terror test is now revealed]