Bridging the Gaps

Security experts nervously eye critical infrastructure that is increasingly vulnerable to failure and sabotage.

After the bridge carrying Interstate 35W across the Mississippi River in Minneapolis collapsed on Aug. 1, 2007, during the evening rush hour, killing 11 people and injuring more than 100, there was a lot of hand-wringing about the state of the country's infrastructure. The American Society of Civil Engineers estimates the nation has to invest $1.6 trillion over a five-year period just to bring bridges, roads, waterways, dams, and water and sewage systems up to par. More than 160,000 bridges alone are in need of repair.

But those numbers mask an even deeper problem with the nation's infrastructure, security professionals say. The growing interdependence of various economic sectors-banking, energy, transportation and others-and vulnerabilities in the electronic bridges that link them are exposing Americans to ever more serious threats.

If a bridge collapse in the middle of the country appears to be a local tragedy (and regional transportation headache) but not a national threat, consider what happened when a tree branch fell onto electric transmission lines in Ohio in August 2003. The subsequent local power failure triggered a massive blackout across much of the Midwest and Northeast and Ontario, Canada. More than 50 million people lost power and much of the affected area was out for days. More than 100 power plants, 22 of them nuclear facilities, shut down. Officials in the United States and Canada estimated economic losses at $6 billion.

The main cause of all this turmoil? First Energy Corp.'s failure to trim trees in the path of its transmission lines, according to the 2004 final report of the U.S. Canada Power Systems Outage Task Force.

"Critical infrastructure is overworked, out of date and crumbling in so many ways," says Richard Cooper, formerly the business liaison director for the Homeland Security Department's Private Sector Office and now a principal at the Washington-based public relations firm Olive, Edwards and Cooper.

But the biggest vulnerability, Cooper believes, is in the computer systems and networks that undergird all that vital physical infrastructure. "The cyber piece has become the central nervous system to everything else. One person at the stroke of a key can literally send infrastructure into a tailspin. We look at weapons of mass destruction as things that can cause a lot of carnage. I would argue there are people capable of creating [the same kind of] effects with the stroke of a key."

In January, Tom Donahue, a CIA cybersecurity analyst, created a stir at the Process Control and Security Summit, a meeting in New Orleans of utility industry engineers and security managers, when he described at least two cases in which hackers had infiltrated electric utility networks outside the United States to create power outages in schemes to extort money from foreign governments.

Casey Potenzone, who attended the briefing as the chief information officer at Uniloc USA, a technology security company in Irvine, Calif., says government needs to be working with industry to establish security standards that go beyond traditional stovepipes. This is especially an issue at the municipal level, where the business focus has been on improving efficiency and public access to information by linking formerly closed technology systems to the Internet, he says.

"When you look at the capacity for disruption, it's huge," says Potenzone. He cites the case of two high-ranking transportation engineers in the Los Angeles automated traffic surveillance center now facing felony charges stemming from unauthorized access to the city's computer system in the fall of 2006. On the eve of a transportation workers strike, they allegedly tampered with signal settings at busy intersections to create traffic chaos unprecedented even in Los Angeles. It reportedly took authorities four days to undo the damage.

While Homeland Security and other federal agencies have been working with industry leaders to shore up critical infrastructure in specific sectors, such as energy, transportation, agriculture and banking (a year ago this month DHS issued 17 sector-specific plans to improve infrastructure protection), networked municipal-level systems have largely remained out of the loop, Potenzone says: "These are traditional engineers serving their communities. They aren't hard-core IT [professionals]."

Potenzone believes the government should impose security standards as a condition for receiving federal money: "You should not be able to accept federal funds, process taxpayer records, if you don't follow certain standards."

Standards are an important part of the solution, Cooper agrees, but notes that changes in technology generally outpace the ability of standards-setting bodies to adopt rules. "I think the biggest difficulty you have with standards associated with any infrastructure is the length of time it takes to get them assembled, approved and out. Most standards literally take years. It's not a process for the impatient," he says. For standards to be effective, "they've got to be on the fast track."

In addition, Cooper and others advocate the need for greater resiliency-the ability to bounce back from a crisis-among critical infrastructure operators in both the public and corporate realms. Resiliency is achieved by developing viable continuity of operations plans and alternative business operations that can be used in a crisis, whether that's a natural disaster or a terrorist attack. Darryl Moody, president and chief operating officer of Resilient Corp. in Washington, says, "The nation must accept that 100 percent protection and security is unattainable, but maximizing resiliency is a must."

Insurance companies, credit rating organizations, shareholders and other entities need to begin measuring and demanding resiliency, Cooper says. In the meantime, the nation is taking a huge gamble by failing to address the risk inherent in its aging infrastructure, he says: "We're hoping the cards come up the way we want, but at some point we're going to lose our shirt, if not more."