County preps for cyberattacks


LANL > Connection to experts provides extra security

By Arin McKenna

First in a series


Recent news cycles have been filled with reports of increasing cyberattacks against the United States infrastructure — energy, water, communications and transportation sectors — that the government is ill-prepared to deal with.

According to RT.com, the ICS-CERT Monitor — a newsletter published by the Homeland Security Department’s Industrial Control Systems Cyber Emergency Response Team — reported that United States government cyber experts confirm that attacks waged against America’s essential sectors rose 52 percent in 2012. The report also notes that the number of qualified personnel able to respond to these attacks is inadequate.

“Over the course of my career, these kinds of attacks have gotten more and more sophisticated,” said former Los Alamos resident Brian Zaugg. Zaugg, senior director of IT security for Applied Micro, a semiconductor chip design company, also spent seven years working for defense contractor Raytheon.

“A long time ago, it was destructive, but it was just pranks. Today it’s an organized, highly coordinated kind of thing, where it’s either nations or criminal organizations that have much more organized goals and the attacks get more and more sophisticated and try to do more specific things.”

In spite of that, Los Alamos County officials believe the county is fairly well prepared to counteract cyberattacks.

“We presently experience upward of 1,000 attacks a day, not necessarily serious,” County Administrator Harry Burgess said. “We feel we have a mostly robust security protocol. We walk a fine line between being accessible to the public without exposing ourselves to attack. We’ve segregated publicly available data such as the library or county websites from our operational needs.”

Burgess said the county has both internal and outside experts regularly testing the system to identify and correct weaknesses.

The county is under further scrutiny for federal hardware it utilizes, such as the system integrating the fire department with the National Interagency Fire Center.

“These are subjected to review and audits by program inspectors and the investigator general and we have to date passed those audits,” Burgess said.

“That is not to say we haven’t been vulnerable,” Burgess conceded. “We’ve learned from experience.”

A few years ago someone managed to hack into the library system and change all the passwords, preventing residents from accessing their accounts. Information Technology (IT) discovered that not only the library system but several other systems were outside the county’s firewall, and moved them within the firewall.

“Security is a challenge in a democracy, because democracies want to be open and security wants to close things off,” Zaugg said. “For a county administrator or state officials it is a big challenge, because they don’t want to give away information that could facilitate attacks, but at the same time that might be the kind of information people want to ask, such as water sources and what kind of electrical generation mix they use. That also gives the attacker information about what types of facilities and equipment they might have.”

Department of Public Utilities staff believes our system is fairly secure. DPU is regulated by the Western Energy Coordinating Council, which also places it under the jurisdiction of the North American Electric Reliability Coordination and the Federal Energy Regulatory Commission.

Those agencies required energy companies to tighten security protocols after the Stuxnet virus was discovered in 2010.

The computer worm spread indiscriminately, but had highly specialized malware designed to attack Siemens industrial software and equipment, including the supervisory control and data acquisition (SCADA) system.

Los Alamos County uses the SCADA system for both its electrical delivery system and its water production infrastructure. Those SCADA systems are now standalone systems, not connected to the county server, and password-protected, with only a limited number of employees having access.

Both systems are also monitored 24/7, so if they are subject to a cyberattack, the operator can simply shut them down and the system can be operated manually.

The electrical grid also has a fully redundant backup operations center with a separate SCADA system that can take over in the event the main system goes down.

NERC sends out alerts about potential security risks, as well as how to check for possible breaches by newly discovered malware.

The county has an added level of protection through its relationship with Los Alamos National Laboratory. After the Stuxnet scare, Andrew Erickson offered to bring in LANL cybersecurity experts.

“We have a huge resource there,” said Deputy Utilities Manager Steve Cummins. “We have people who do this for a living is try to hack into this stuff. So we want them on our team.”

LANL and DPU went through an exercise to evaluate their operating procedures for the shared electrical pool and finalized more secure protocols a year ago.

Cummins believes that the stringency of the WECC audits for entities under its authority, including PNM, should help prevent cyberattacks.

Backup systems are also in place in case a major supplier such as PNM should go down. The county is part of the Southwest Reserve Sharing Group, another NERC requirement. Every member of the group must have a certain percentage of “spinning reserves” — a generator running and in sync with the grid.

“So at any given moment, if you lose generation, you can call on this spinning reserve and it will be there within less than 10 minutes,” Cummins said. “So if they lose San Juan, everybody in the pool brings their spin to the table and make up that 1.800 megawatts that was just lost.”

All of these systems do not guarantee that the worst case scenario cannot happen.

“There are parts of the system that, if they are damaged, huge areas of the country could be affected,” Zaugg said. “And huge parts of our world are connected, which provides an opening to attack.”

Burgess said that if a worst case scenario should happen, the county’s emergency management system would kick in.

“It’s a practice in municipal government, given the things we’re involved with, to consider these contingencies and develop backup plans,” Burgess said.

“We would have officers on the street. The functionality of our system would remain with radio contact. In our fleet we have emergency communications. The vehicles have a power source and a radio system and all have a local band programmed in there. So we have the ability to pull a vehicle on the scene and use it as a dispatch center.

“Through statewide structures we have access to resources from elsewhere, and we back each other up,” Burgess said. “Even 911 calls can be routed through dispatchers throughout the state if one county’s system goes down.”

Burgess said one of the greatest weaknesses is citizens’ reliance on cell phone systems. When an emergency happens, people tend to overload the system beyond its capacity, making it impossible to get through.

Burgess suggested that residents should remember that most people have access to a radio connected to a self-contained generator in their car. During emergencies, the county broadcasts updated information on KSFR radio and AM 1610, which is also connected to the National Oceanic and Atmospheric Administration system.

Residents might also want to consider keeping a NOAA-capable radio in their homes, as well as food and water supplies to see them through an extended emergency.

Follow the Los Alamos Monitor for part two of this series, a look at attacks on banking systems.