Critical Infrastructure Critical Vulnerabilities Dr Barry S Hess

Critical Infrastructure, Critical Vulnerabilities Dr. Barry S. Hess November – December 1996

Perspective o o o Team had no a priori knowledge of the critical infrastructure and its vulnerabilities Initial search plan focused on attaining background information on the various aspects of the critical infrastructure “Target” choice driven by information n Quantity and fidelity of information were sufficient for a vulnerability analysis

Information Vulnerabilities o o The physical “Fortress America” does not protect U. S. in the information age Several national-level “IW” wargames have examined this issue, and each has run to the same probing question: n o “Can we defend ourselves against an IW attack? ” Executive Order 13010 of 15 July 96 “Critical Infrastructure Protection” and its President’s Commission on Critical Infrastructure Protection are steps in the right direction

Critical Infrastructure Gas and oil storage and transport Electrical power systems Continuity of Government Telecommunications Transportation Emergency services Banking and Finance Water supply

Critical Infrastructure Electrical power systems o o Information about power generation and distribution easily found Nuclear Power intriguing n o Previous government statements (FBI Intelligence Division Congressional testimony March 19, 1993) seemed to dismiss potential of attack, yet on-line information showed vulnerabilities Web sites from the Nuclear Regulatory Commission (NRC) and Florida Power and Light (FPL) expanded knowledge base

Context Defense Science Board Task Force on Information Warfare-Defense: o o o Threat of “IW” attack “significant” Nation’s “vulnerabilities are numerous, [and] the countermeasures are extremely limited. . . ” “. . . current practices and assumptions are ingredients in a recipe for a national security disaster. . . ”

DSB Threat Assessment* Validated Existence* Existence likely but not validated Incompetent Hacker Disgruntled Employee Crook Organized Crime Political Dissident Terrorist Group Foreign Espionage Tactical Countermeasures * = Validated by DIA = Widespread = Limited

Information Age Terrorism o Terrorism thrives on fear o Double-edged sword o The possibilities……. Source: www. businessmonitor. co. uk/docs/proc/HD 02/TERROR. html

Methodology Use the Internet for intelligence collection on high impact “targets” o o o Totally unclassified Internet-based “collection” Identify “cyber” vulnerabilities Identify physical vulnerabilities Assess impact of two taken together

Perspective 7 February 1993 “FBI considers nuclear power plants unlikely targets for terrorist attack because they are relatively wellprotected and hard to attack without great risk to the attackers. ” 26 February 1993 Senate Testimony 19 March 1993 FBI Intelligence Division spokesman 20 March 1995 19 April 1995

Target Selection o Criteria: n n n Accessibility Plausible deniability Maximum fear potential Combination of cyber and physical attack possible Ease of reconnaissance

Target St. Lucie Nuclear Power Plant Source: www. nrc. gov/AEOD/pib/reactors/335 toc. html

Target Selection o Florida Power and Light (FPL) n n o Serves about 50% of Florida (7 million people) Nuclear power provides 25% of FPL’s energy One megawatt meets the electric needs of 300 homes and businesses One Nuclear Plant outside of Fort Pierce, the St. Lucie plant, has recently had some problems Nuclear plant attack: high physical and psychological impact Source: www. fpl. com/fplpages/aboutus. htm (and others)

St. Lucie Nuclear Power Plant Source: www. co. st-lucie. fl. us/bigmap. html Source: www. nrc. gov/AEOD/pib/reactors/335 toc. html

Recent Incidents St. Lucie Nuclear Power Plant o o o o o 26 Sep 1995: Two pressurized valves improperly installed 2 Nov 1995: NRC cited seven violations 24 Jan 1996: 61 positions eliminated 31 Mar 1996: 350 -gallon spill of “slightly radioactive” water 14 Aug 1996: Back-up control room safety switches glued shut $10, 000 reward offered to find/convict saboteur 10 Jan 1997: As a result of November 1996 NRC special design review NRC fines Florida Power & Light $100 K … security, emergency preparedness, instrumentation modification 27 Mar 1997: NRC Region II met with FPL to discuss recent plant performance 16 May 1997: NRC Region II met with FPL to discuss worker complaints filed with NRC, 41 in 1996 double the 1995 number 2 Sep 1997: Unauthorized entry into the protected area occurred Source: www. pbpost. com/pbbiz/top 50/(assorted) www. fpl. com/fplpages/news. htm

Operating Parameters (St. Lucie Nuclear Power Plant) Reactor #1 Reactor #2 NRC docket number 50 -335 50 -389 Electric capacity (MW) 830 Initial criticality 22 April 1976 2 June 1983 Commercial operations 21 December 1976 8 August 1983 Reactor type Pressurized Water Reactor (2 -loop) Reactor manufacturer Combustion Engineering* Number of fuel assemblies 217 Number of fuel rods / assembly 176 236 * = CE is now a subsidiary of ABB Atom AB, Source: www. nrc. gov/AEOD/pib/reactors/335/a/335 atxt. html www. nrc. gov/AEOD/pib/reactors/389/a/389 atxt. html Sweden www. abb. se/atomweb 2. htm

St. Lucie Nuclear Power Plant Site Plan Source: www. nrc. gov/AEOD/pib/reactors/335 toc. html Source: www. nrc. gov/AEOD/pib/reactors/335/b/335 b 010. html

St. Lucie Nuclear Power Plant Blueprints Source: www. nrc. gov/AEOD/pib/reactors/335 toc. html Source: www. nrc. gov/AEOD/pib/reactors/335/d/335 d 021. html www. nrc. gov/AEOD/pib/reactors/335/d/335 d 028. html

St. Lucie Detail Mapping Graphic Representation of Power Line Route source: www. landinfo. com

Fuel Storage o o New fuel stored dry in vertical racks in Fuel Handling Building Spent fuel stored on-site in borated water pools (also located in Fuel Handling Building) n n o Reactor #1 has 300. 1 MTU irradiated fuel stored on-site Reactor #2 has 175. 9 MTU irradiated fuel stored on-site Fuel moved between Fuel Handling Building and Reactor Building via fuel transfer tubes Source: www. nrc. gov/AEOD/pib/reactors/335/c/335 c 002. html www. nrc. gov/AEOD/pib/reactors/389/c/389 c 002. html www. prop 1. org/prop 1/radiated/fl 0 rept. htm

Key FPL Personnel o o Art Stall—Florida Power & Light Vice President, St. Lucie Plant John Scarola—Plant Manager, St. Lucie Plant n o 2400 S Ocean Drive Fort Pierce, FL 34949 -8019 (561) 465 -8052 Ed Gambon—Technical Support Supervisor, FPL n 1501 S Ocean Blvd. Pompano Beach, FL 33062 -7432 (954) 941 -2015 Source: www. pbpost. com/pbbiz/top 50/(assorted) www. fpl. com/fplpages/news. htm www. switchboard. com

Key Plant Personnel John Scarola 2400 S. Ocean Drive Fort Pierce, Fl 34949 (561) 465 -8052 St. Lucie Nuclear Power Plant Source: www. pbpost. com/pbbiz/top 50/(assorted) www. fpl. com/fplpages/news. htm www. switchboard. com www. streetatlasusa. com

Evacuation Routes Source: www. nrc. gov/AEOD/pib/reactors/389/b/389 b 011. html Source: www. nrc. gov/AEOD/pib/reactors/389/b/389 b 015. html

Emergency Response Mr. Joseph F. Myers 4010 Harpers Ferry Drive Tallahassee, FL 323089440 (904) 386 -6632 myersj@dca. state. fl. us Source: www. nrc. gov/AEOD/pib/reactors/389/b/389 b 018. html www. nrc. gov/AEOD/pib/reactors/389/b/389 b 021. html www. worldpages. com/worldsearchrl

Emergency Response * * St. Lucie County = Local Emergency Planning Committee, FL District 10 Source: www. nrc. gov/AEOD/pib/reactors/389/b/389 b 019. html www. nrc. gov/AEOD/pib/reactors/389/b/389 b 023. html

Florida State Warning Point o Communications Capabilities n Commercial Telephone System (POTS) n Hot Ring Down System (HRD)* n Emergency Satellite Communications System (ESATCOM)** n Computer-Based Bulletin Board (dial-up capability) n High Frequency Radio n VHF-UHF-800 Radio (regional relay stations) n PROACTiv Decision Line (e. g. , tele-conference) n Sun. Com Network (e. g. , DSN with 11 switches) n National Alerting and Warning System (NAWAS) n Amateur Radio * = Primary emergency comm link ** = Secondary emergency comm link Source: www. state. fl. us/comaff/DEM/RESPONSE/SWP/(assorted)

Key Emergency Contacts o Local FEMA POC n o FEMA Region 4, Atlanta GA Local NRC POC n n o o n n n Richard Prevatte, St. Lucie Plant Senior Resident Inspector Mark Miller, St. Lucie Plant Resident Inspector State of Florida Emergency/Disaster POC Joseph Myers, Director, FL Div. of Emergency Management William O’Brien, Area 7 Coordinator (includes St. Lucie County), FL Bureau of Preparedness & Response Local City Government Leaders n n n o Dennis Beach; City Manager, Ft. Pierce Edward Enns; Mayor, Ft. Pierce Donald B. Cooper; City Manager, Port St. Lucie Robert E. Minsky; Mayor, Port St. Lucie Local Fire/Haz. Mat POC n Paul Haigley Jr. , St. Lucie County Fire Chief Source: www. state. fl. us/comaff/DEM/HTML/emerge. html www. state. fl. us. DEM/RESPONSE/SWP/perlist. html www. pbpost. com/fyi/slgovt. htmrl

Key Emergency Contacts o St. Lucie County Government officials n n n Tom Kindred, County Administrator Ron Brown, Public Works Manager Morris Adger, Port Director Curtis King, Airport Director William Blazak, Utilities Services Manager o Local Sheriff/Police Chief n n n R. C. Knowles, Sheriff of St. Lucie County J. Mahar, Chief of Police Ft. Pierce C. L. Reynolds, Chief of Police Port St. Lucie Source: www. pbpost. com/fyi/slgovt. htmrl www. co. st-lucie. fl. us/DIRECTORY/GOV. HTML www. co. st-lucie. fl. us/DIRECTORY/POLICE. HTML

Power Delivery System Comms Backbone o FPL Le. Jeune-Flagler office outside Miami controls network n o o 9250 W Flagler St, Miami FL 33174 2 Synchronous Optical Networks (SONET) ATM backbone - 8 Northern Telecom (Nortel) Magellan Passport Model 160 switches to integrate/improve capacity of 2 SONETs n n 16 slot design, voice and data Unit-specific cooling required Know installed unit size, network protocols and power requirements Reconstitution extremely difficult: Nortel engineers spent months configuring network www. nortel. com/home/press/19996 c/9_30_96_283 FPLMagellan. ht www. nwfusion. com/cgi-bin/gate 2? I 33 x. E/1 Wb. Ueg 01/1 Ek 1 Eb/x 3 www. nortel. com/entprods/magellan/products/pp-glo. html

Disaster Recovery of Data o FPL uses an IBM ADSTAR Distributed Storage Manager for data back-up and recovery n n n Back-ups done on a IBM 3390 Model 9 in Miami, then sent over a T-3 line to an auto tape library 110 miles away Backup volumes and basic databases then physically moved off-site for storage Daily back-ups for entire company are done on 239 platforms o o o 105 AIX and HPUX servers 93 Novell servers 41 Windows, O/S 2, and Macintosh workstations Source: www. storage. ibm. com/storage/software/adsmfpl. htm

St. Lucie County Telecommunications o o o Radio: Commercial & Infrastructure n Frequency assignments n Physical locations TV: Broadcast & Cable n Frequency assignments n Physical locations Telephone n Wireless n Infrastructure o o Telephone numbers, frequency assignments Physical locations

Radio o Commercial n n Local radio stations o EAS Local Primary 1 & 2 Call letters & frequencies o [LP 1]WRMF-FM 97. 9/ WJNOAM 1230 [LP 2] WQCS-FM 88. 9) Office locations & key personnel o WRMF & WJNO o P. O. Box 189 o West Palm Beach, FL 33401 Lat/long & orientation of transmission towers/antenna(s) o WRMF: N 263437 W 0801432 o WJNO: N 264336 W 0800303 o WQCS: N 272517 W 0802123 o Infrastructure n n n Telephone numbers, assigned radio frequencies, and locations of city/county police, fire, and rescue departments Assigned radio frequencies used by local telephone and electric power companies Assigned radio frequencies for FEMA, DOE National Emergency Search Team and other national emergency medical services Source: www. co. st-lucie. fl. us/DIRECTORY/RADIO. HTML www. radiostation. com/cgi-bin/fmcall tiger. census. gov/cgi-bin/mapbrowse fcn. state. fl. us/oraweb/owa/teldir. county_query_22 www. fab. org/opareas. html

PSTN Locator o $100 can purchase software and database containing all U. S. Telecommunication Switching Centers n Company Name n Switch Name & identifier n Area code and exchanges serviced n Lat / Long (To second) n Architecture n Switch features n Distance to other switches

Fort Pierce, Florida PSTN Location

Electric Power Grid o o Utilities buy and sell electricity to each other via consortia called power pools Power pool's principal mission is to coordinate, monitor, and direct the operations of the major generating and transmission (bulk power system) facilities Source: www. epri. com

Joint Transmission Services Information Network (JTSIN) o o o Federal Energy Regulatory Commission mandated electric utility industry share transmission capacity data on a network Internet-based because infrastructure exists JTSIN will use: n n Microsoft SQL Server databases and Netscape’s Fast. Track Web server OS is Windows NT on 150 -MHz Pentium servers Source: techweb. cmp. com/582/pf 97/82 ioutl. htm

Inter-Control Center Communications Protocol (ICCP) o Provides utilities a standardized, flexible method for exchange of real-time operational data (basically a WAN) n n n Has a real-time interface to power plant control systems Suitable for dispatch and security operations associated with Independent Grid Operators, regional pools and security centers, and transmission control centers Has open standard interfaces for both real-time and historical power system monitoring System accepts dial-up modem protocols (TCP/IP) or DECnet protocols Prototype ICCP version 5. 1 uses DEC Alpha computers running Open VMS operating system (Electric Reliability Council of Texas) Source: www. epri. com/pdg/pf 97/gop 1_18. html www. pacifier. com/~nsrvan/iccp. htm www. livedata. com/ICCPwp. htm

Collection Plan o What we know n n n n o Site plan and schematics; recent history of “insider” problems Leadership, with addresses, e-mail, fax and phone numbers Emergency evacuation routes, and notification procedures Emergency communications plans and frequencies Plant computer systems and back-up procedures Details of power distribution monitoring network Interface into the North American power grid, entry protocols to real-time interface with power generation What we don’t know. . . yet n n Details “of security plans and equipment, and response weapons and tactics” (March 24 Letter from NRC) Worker schedules, plant routines, etc.

Not My Problem? o o “Congress mandated by the Sunshine Act that much of what your team found should be provided to the public. ” “…an act that preys on public fears… or assassinates key staff… not be regarded by the NRC as “successful” if there is no danger to the public health and safety from the operation of the facility. Furthermore, the NRC does not have the regulatory authority to address these acts. ” o NRC letter to my team; 24 March 1997

Assessment o o “Intelligence” gathered from the Internet reveals infrastructure vulnerabilities Continued unrestricted access to information will empower adversaries n n Information may not be perfect, but it may give “ 80% solution” Collection and integration of information is simplified; agent actions limited and focused