Aurora Study Finds Dangerous Holes in Security Net

Researchers who launched an experimental cyber attack, meaning the attack was completely carried out on remote computers, were able to cause an electrical generator to self-destruct.^[1] This development has greatly alarmed the government and electrical industry about what might happen if such an attack were carried out on a larger scale.^[2]

Sources familiar with the experiment said the same attack scenario could be used against huge generators that produce the country's electric power.^[3] Some experts fear bigger, coordinated attacks could cause widespread damage to electric infrastructure that could take months to fix.^[4]

The experiment, named "Aurora," was conducted in March at the Department of Energy's Idaho lab.^[5] The Department of Homeland Security (DHS) acknowledged the experiment involved controlled hacking into a replica of a power plant's control system.^[6] Sources familiar with the test said researchers changed the operating cycle of the generator, sending it out of control.^[7]

The White House was briefed on the experiment, and DHS officials said they have since been working with the electric industry to devise a way to thwart such an attack. "I can't say it [the vulnerability] has been eliminated. But I can say a lot of risk has been taken off the table," said Robert Jamison, acting undersecretary of DHS's National Protection and Programs Directorate.^[8]

Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment; the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have fixed the issues.^[9] Industry experts also assert that “Aurora” shows large electric systems are vulnerable in ways not previously demonstrated.^[10]

"What people had assumed in the past is the worst thing you can do is shut things down. And that's not necessarily the case. A lot of times the worst thing you can do, for example, is open a valve -- have bad things spew out of a valve…the point is, it allows you to take control of these very large, very critical pieces of equipment and you can have them do what you want them to do," said Joe Weiss of Applied Control Solutions.^[11]

Adding to the vulnerability of control systems, many of them are manufactured and used overseas, thus giving many foreign parties access to control system schematics and even software program passwords, before they even reach the U.S.^[12]

Weiss and others hypothesize that multiple, simultaneous cyber-attacks on key electric facilities could knock out power to a large geographic area for months, harming the nation's economy. "For about $5 million and between three to five years of preparation, an organization, whether it be transnational terrorist groups or nation states, could mount a strategic attack against the United States," said O. Sami Saydjari of the nonprofit Professionals for Cyber Defense.^[13]

Computer experts have long warned of the vulnerability of cyber attacks, and many say the government is not devoting enough money or attention to the matter.^[14] However, while acknowledging some vulnerability, Jamison said "several conditions have to be in place. ... You first have to gain access to that individual control system. [It] has to be a control system that is vulnerable to this type of attack…….You have to have overcome or have not enacted basic security protocols that are inherent on many of those systems. And you have to have some basic understanding of what you're doing. How the control system works and what, how the equipment works in order to do damage. But it is a concern we take seriously….It is a serious concern. But I want to point out that there is no threat, there is no indication that anybody is trying to take advantage of this individual vulnerability," Jamison said.^[15]

Destruction of government property is covered under two statutes,^[16] the first is 18 U.S.C § 1361. This law covers government property or contracts and makes it a crime for a person to willfully injure or commit any depredation against any property of the United States, or of any department or agency thereof, or any property which has been or is being manufactured or constructed for the United States, or any department or agency thereof, or attempts to commit any of the foregoing offenses, shall be punished as follows:

If the damage or attempted damage to such property exceeds the sum of $1,000, by a fine under this title or imprisonment for not more than ten years, or both; if the damage or attempted damage to such property does not exceed the sum of $1,000, by a fine under this title or by imprisonment for not more than one year, or both.^[17]

The second statute is 18 U.S.C. § 1362 which covers communication lines, stations or systems. This law makes it a crime for a person to willfully or maliciously injure or destroy any of the works, property, or material of any radio, telegraph, telephone or cable, line, station, or system, or other means of communication, operated or controlled by the United States, or used or intended to be used for military or civil defense functions of the United States, whether constructed or in process of construction, or willfully or maliciously interferes in any way with the working or use of any such line, or system, or willfully or maliciously obstructs, hinders, or delays the transmission of any communication over any such line, or system, or attempts or conspires to do such an act, shall be fined under this title or imprisoned not more than ten years, or both.

In the case of any works, property, or material, not operated or controlled by the United States, this section shall not apply to any lawful strike activity, or other lawful concerted activities for the purposes of collective bargaining or other mutual aid and protection which do not injure or destroy any line or system used or intended to be used for the military or civil defense functions of the United States.^[18]

In these cases actual damage to government property is a requisite for conviction under the statute.^[19] The government is required to prove beyond a reasonable doubt that not only was there willful intent to commit the crime, but that the intent was very specific to the crime committed.^[20] Furthermore the government is not required to prove that the defendant knows that the property destroyed is government property for conviction under the statute.[21]

---

^[1] Jeanne Meserve, Mouse click could plunge city into darkness, experts say, CNN, September 27, 2007, available at http://www.cnn.com/2007/US/09/27/power.at.risk/index.html?eref=rss_topstories (last visited September 27, 2007).
^[2] Id.
^[3] Id.
^[4] Id.
^[5] Id.
^[6] Id.
^[7] Id.
^[8] Id.
^[9] Id.
^[10] Id.
^[11] Id.
^[12] Id.
^[13] Id.
^[14] Id.
^[15] Id.
^[16] 18 U.S.C. §§ 1361-1362 (2007).
^[17] Id. § 1361
^[18] Id. §1362
^[19] United States v. Beneke, 449 F.2d 1259 (8th Cir. 1971).
^[20] United States v. Jones, 607 F.2d 269 (9th Cir. 1979).
^[21] United States v. LaPorta, 46 F.3d 152 (2nd Cir. 1994).