Sunday, June 01, 2008

Yellowcake and SCADA

Back in January, CIA "senior analyst" Tom Donahue published this:

"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."


These claims are highly suspect.

What does "we have information" mean, exactly? Does it mean that the CIA (and Tom Donahue in particular) have themselves analyzed the facts? Or does it mean they are passing on rumors they've heard from foreign officials?

I've talked to foreign government officials about similar sorts of incidents AND have analyzed the facts. I find that the story gets increasingly mangled the further it gets passed around through government channels. What starts as a simple computer malfunction or operator error quickly gets blown up into a "hacker attack from the Internet".

I've heard of an incident where a hacker had caused a blackout and demanded ransom money to stop. It was later discovered that the "Internet hacker" was actually being helped by an insider. Both guys were caught and sent to jail. Thus, what appeared to be a hacker attack was in reality an inside job. This tale sounds suspiciously like the one above. The only difference is that my tale has an ending; the CIA's version does not say whether the ransom was paid, if the perpetrators were caught, or what happened. My knowledge of this incident is also second hand, so it may be no more accurate than the CIA's version, but I doubt it's less accurate.

The biggest problem is the CIA's claim that they don't have any details except for the fact that the intrusions involved the Internet. In the real world, this is the fact they would be least likely to know for sure. The computers that control power grids are not connected directly to the Internet. They have private addresses (like 10.1.2.3) that aren't routable on the Internet. In order to get to these machines, you must first break into bastion hosts. The result is that when hackers cause power outages, the control machines' own logs show only the bastion host's internal address, not where the attacker came from, so it's unlikely that you could conclusively trace the intrusion back to an Internet hacker.
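To make the attribution problem concrete, here is an added example (not code from the original post) that correlates logins on a control-system host with logins on the bastion host that fronts it. The hostnames hmi01 and bastion, the sshd log lines and the timestamps are all constructed for this example; 203.0.113.45 is RFC 5737 documentation space standing in for an Internet address. The control host alone only ever sees the bastion's RFC 1918 address, so the question "did this come from the Internet?" can only be answered if the bastion's own log exists, was retained, and can be lined up in time with the control host's log.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sshd lines for a hypothetical control-system host "hmi01".
# Every login arrives from the bastion's private leg, 10.1.2.3, never from the Internet.
SCADA_HOST_LOG = """\
2008-01-11T02:14:07 hmi01 sshd[4122]: Accepted password for operator from 10.1.2.3 port 51022 ssh2
2008-01-11T03:40:12 hmi01 sshd[4190]: Accepted password for operator from 10.1.2.3 port 51107 ssh2
"""

# Constructed sshd lines for the hypothetical bastion host, which sits on both networks.
# 203.0.113.45 is RFC 5737 documentation space standing in for a real Internet source;
# 10.1.2.77 stands in for an office desktop on the private network (an insider's machine).
BASTION_LOG = """\
2008-01-11T02:13:58 bastion sshd[887]: Accepted publickey for admin from 203.0.113.45 port 40211 ssh2
2008-01-11T03:39:50 bastion sshd[901]: Accepted publickey for admin from 10.1.2.77 port 33001 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# RFC 1918 private space, which is not routable on the public Internet.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip):
    """True if the address falls in RFC 1918 private space."""
    return any(ip in net for net in RFC1918_NETS)


def internet_routable(ip):
    """For this example, anything outside RFC 1918 space counts as Internet-routable."""
    return not is_rfc1918(ip)


def parse_logins(log):
    """Return (timestamp, host, user, source_ip) for every accepted sshd login in the log."""
    logins = []
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append((datetime.fromisoformat(m["ts"]), m["host"], m["user"],
                           ipaddress.ip_address(m["src"])))
    return logins


def attribute_logins(scada_log, bastion_log, window_s=60):
    """For each login on the control host, report what the control host itself saw and,
    when the source is a private address, the closest preceding bastion login within
    window_s seconds as the probable upstream hop. Without a bastion log the upstream
    stays None: the control host's log cannot attribute the login on its own."""
    bastion = parse_logins(bastion_log)
    results = []
    for ts, host, user, src in parse_logins(scada_log):
        entry = {"time": ts.isoformat(), "host": host, "user": user,
                 "seen_from": str(src), "seen_from_is_internet": internet_routable(src),
                 "upstream": None}
        if is_rfc1918(src):
            # Pivot one hop upstream: which bastion login immediately preceded this one?
            candidates = [b for b in bastion
                          if b[1] != host and 0 <= (ts - b[0]).total_seconds() <= window_s]
            if candidates:
                _bts, _bhost, _buser, bsrc = max(candidates, key=lambda b: b[0])
                entry["upstream"] = {"source": str(bsrc),
                                     "from_internet": internet_routable(bsrc)}
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in attribute_logins(SCADA_HOST_LOG, BASTION_LOG):
        print(r)
    # With no bastion log at all, every login stays unattributed.
    print(attribute_logins(SCADA_HOST_LOG, ""))
```

Run as written, the first login attributes to an Internet source only because the bastion log happened to record it, the second attributes to another private address (the insider case from the story above), and with the bastion log absent neither login can be attributed at all. That last case is what a claim of "all involved intrusions through the Internet" has to overcome.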

Hacking is as little understood today as witchcraft was in the 1600s. In much the same way that witches were blamed for unexplained incidents, hackers are blamed for anything unexplained today. The average corporate network is already infected with hackers in some fashion, so investigations into the unexplained will likely find signs of hacker activity. They might conclude that a hacker was therefore responsible for the power outage because office machines have been infected with a virus, even when the two cases are unrelated.

What we have here is just another example of the yellowcake scandal. In that case, the CIA confidently claimed that Iraq was trying to buy uranium from Niger. It eventually turned out that their claims were based upon rumors and (obviously) forged documents. This is another instance of the CIA putting their reputation behind dubious data.

SIDENOTE: Many of the countries the CIA is talking about still believe in witchcraft. Unexplained crop failures can still lead to witch-trials and resulting hangings - conducted by government officials.

1 comment:

Rafal Los said...

So - the fact that this is out there isn't really surprising. The TSA uses these types of tactics all the time to instill fear and wage a FUD-based campaign.
What's truly sad [and what I think the story should be] is that people will read that - or hear it second-hand - and will be willing to do "whatever it takes to protect our infrastructure"... which typically means throwing misguided support at a non-existent problem.
This reminds me of a Family Guy episode where Lois runs for Mayor... "We have credible intelligence that Osama Bin Laden is conspiring with the Legion of Doom .... " [Response] -"Oooh, those all sound like really bad things, how much do I have to pay before I can be safe?".

:)