[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[infowar.de] Secret cyber-terror test is now revealed
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
Das war eine Stabsübung, wie sie auch in Deutschland schon mehrfach mit
Hilfe der IABG durchgeführt wurde. Man testet dabei nicht die
technischen Aspekte, sondern die Reaktionen der Behördenmitarbeiter:
"What is known about the test conducted in Robstown is that employees
present
at the exercise were given no warning about the simulation, and no clear
indications as to what might be causing the mock power outage, Fabro
said.
They were given a series of false data sets about the company's
electricity
delivery system, real and fictional news about international, national
and
local events, and asked to respond."
RB
---------------------------
http://www.caller.com/ccct/local_news/article/0,1641,CCCT_811_2589623,00.html
Secret cyber-terror test is now revealed
State paid firm for fake attack on power grid
By Janell Ross
Corpus Christi Caller Times
January 20, 2004
A mock cyber-terrorist attack temporarily took over the flow of
electricity
in a large section of northwest Nueces County late last year but only
became
public this month.
Tension between the public's right to know and the shared
government/public
interest in national security has taken local meaning in the days since
the
simulation was revealed by the private company that was paid by the
Texas
Department of Information Resources to conduct the test.
On Sept. 16, 2003, those involved in the drill pretended that traffic
lights
along with power in large retail facilities and homes on either side of
Farm-to-Market Road 624 were out. There were no lines down, no storms in
the
area and the Robstown offices of the company that delivers power to much
of
the area, the Nueces Electric Cooperative, had not been physically
damaged
or invaded.
How should electric cooperative, state and federal officials react to
the
situation?
That was the problem more than 30 Nueces Electric employees faced during
the
test, said Mel Mireles, director of enterprise operations for the
Department
of Information Resources.
That is also the question that Mireles and other officials involved in
the
September simulation have declined to answer publicly. A report
detailing
the vulnerabilities and strengths in the software system and employee
network that controls Nueces Electric Cooperative's power delivery grid
will
be released to the company some time this month, Mireles said.
The results of the test will not be made public because of the detailed
information that it will contain about the way that the company's
system,
employees and equipment work.
"I think we can have quite a debate about whether the public is safer
when
things are secret," said Charles Davis, the executive director of the
Freedom of Information Center at the University of Missouri School of
Journalism.
Davis said that documents much like this one are being withheld from the
public with increasing regularity. The post-Sept. 11 hope is that
secrecy
will make the country safer and make its critical infrastructure less
vulnerable to sabotage or terrorism, Davis said.
Disclosing specific lessons learned during the September exercise,
suggestions to the company about how to reduce the system's
vulnerability to
cyber attack, and changes the company needs to make would only increase
the
power grid's vulnerability, said Mark Fabro, chief security scientist
for
Virginia-based American Management Systems.
"For all intents and purposes, this was like a war game," Fabro said.
The Texas Department of Information Resources paid American Management
Systems $57,000 to design and conduct the Robstown simulation as a part
of
its efforts to identify vulnerabilities in the state's critical
infrastructure systems such as water, power, banking and transportation.
"This was a detailed exercise dealing with highly sensitive information
about a part of the country's critical infrastructure," Fabro said.
"There
are some things that cannot be revealed because of national security
concerns. But I assure you that these exercises are tremendously useful
tools. Tests allow us to evaluate vulnerabilities in a controlled
environment."
Although the test was paid for with public funds, the Department of
Information Resources' decision not to make the simulation results
public
may be covered under an exemption to the state's freedom of information
act
that passed the Texas Legislature in May 2003.
The Legislature passed a homeland security bill that includes Freedom of
Information exemptions for a number of documents including information
regarding the assembly of weapons, encryption codesand documents
revealing
the technical details of vulnerabilities to critical infrastructure. The
exemptions apply only to information that is collected or maintained by
or
for a governmental entity for the purpose of preventing, detecting,
responding to, or investigating an act of terrorism.
Davis said that the effectiveness of homeland security provisions that
restrict access to information is in the details.
"The sort of instinctive response after Sept. 11 was 'close it and we
will
be safer,' " Davis said. "And there may be some cases where secrecy is
necessary. But we need also to be having conversations about the value
of
access."
What is known about the test conducted in Robstown is that employees
present
at the exercise were given no warning about the simulation, and no clear
indications as to what might be causing the mock power outage, Fabro
said.
They were given a series of false data sets about the company's
electricity
delivery system, real and fictional news about international, national
and
local events, and asked to respond. The exercise stretched over eight
hours
and simulated the effects of a cyber-based attack.
The Department of Information Resources commissioned the test because of
the
large role computer systems, software, the Internet and satellites play
in
controlling everything from the flow of water into homes to the ability
to
purchase gas at the pump without ever going inside a store, Mireles
said.
"Convenience allows us to overlook how much technology really controls,"
Mireles said. "In truth, you can have guards, all kinds of security and
alarms at physical facilities. But, without cyber-protection, these
systems
remain vulnerable."
Robstown was selected for the test after an American Management Systems
analysis showed that the city had the type of physical facilities needed
for
a high-tech fire drill but lacked some of the infrastructure safeguards
put
in place in larger cities after Sept. 11.
Fabro said that power or other system failures in one small city or area
could easily lead to the sort of cascading power failure that occurred
in
the northeastern United States in August.
Nueces Electric Cooperative delivers power generated by the South Texas
Electric Cooperative to about 9,000 residential and commercial customers
in
eight South Texas counties. The electric cooperative's power delivery
network is part of a nationwide power grid.
David Cotz, a director of research and development at the Institute for
Security Technology Studies at Dartmouth College, said the threat of
cyber
terrorism or infrastructure system sabotage is difficult to quantify but
does exist.
In addition to the potential for system sabotage, the possibility of
equipment failure and human operator error make tests like the one
conducted
in Robstown more and more necessary, Cotz said.
"The average person probably doesn't need to be worried about it," Cotz
said. "But it is essential that people who work in critical
infrastructure
begin to prepare themselves for the possibility."
Companies of all kinds, particularly those involved in industries that
the
Department of Homeland Defense has earmarked critical infrastructure,
are
increasingly concerned about system and information security, Chris
O'Connor
said. O'Connor is the director of corporate security strategies for IBM.
Davis said that in order for people to feel truly protected by events
such
as the September test, people need some sense of where the company's
system
stood and what sort of rating or assessment the company's system
received
from the Texas Department of Information Resources after the test.
As it stands, only personal concern, professionalism and desire to
preserve
the company drives employees and officials of private companies to
eliminate
vulnerabilities, Davis said. Public scrutiny can and should also play a
role
in homeland defense.
This view of anti-terrorism activity is somewhat unpopular and leads
some
people to challenge his patriotism, Davis said.
"It is the obligation of citizens to check on government and make sure
it is
effective," Davis said. "That is the job of a real patriot. There may be
a
legitimate need for some secrecy here. But blind deference to
bureaucrats
imperils us all."
Contact Janell Ross at 886-3758 or rossj -!
- caller -
com
---------------------------------------------------------------
Liste verlassen:
Mail an infowar -
de-request -!
- infopeace -
de mit "unsubscribe" im Text.