US Power Infrastructure at risk of an attack

WASHINGTON — Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

The espionage appeared pervasive across the U.S. and doesn’t target a particular company or region, said a former Department of Homeland Security official. “There are intrusions, and they are growing,” the former official said, referring to electrical systems. “There were a lot last year.”

Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, “If we go to war with them, they will try to turn them on.”

Officials said water, sewage and other infrastructure systems also were at risk.

“Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts,” Director of National Intelligence Dennis Blair recently told lawmakers. “A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure.”

Officials cautioned that the motivation of the cyberspies wasn’t well understood, and they don’t see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt.

But protecting the electrical grid and other infrastructure is a key part of the Obama administration’s cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage.

Overseas examples show the potential havoc. In 2000, a disgruntled employee rigged a computerized control system at a water-treatment plant in Australia, releasing more than 200,000 gallons of sewage into parks, rivers and the grounds of a Hyatt hotel.

Last year, a senior Central Intelligence Agency official, Tom Donohue, told a meeting of utility company representatives in New Orleans that a cyberattack had taken out power equipment in multiple regions outside the U.S. The outage was followed with extortion demands, he said.

The U.S. electrical grid comprises three separate electric networks, covering the East, the West and Texas. Each includes many thousands of miles of transmission lines, power plants and substations. The flow of power is controlled by local utilities or regional transmission organizations. The growing reliance of utilities on Internet-based communication has increased the vulnerability of control systems to spies and hackers, according to government reports.


The sophistication of the U.S. intrusions — which extend beyond electric to other key infrastructure systems — suggests that China and Russia are mainly responsible, according to intelligence officials and cybersecurity specialists. While terrorist groups could develop the ability to penetrate U.S. infrastructure, they don’t appear to have yet mounted attacks, these officials say.

It is nearly impossible to know whether or not an attack is government-sponsored because of the difficulty in tracking true identities in cyberspace. U.S. officials said investigators have followed electronic trails of stolen data to China and Russia.

Russian and Chinese officials have denied any wrongdoing. “These are pure speculations,” said Yevgeniy Khorishko, a spokesman at the Russian Embassy. “Russia has nothing to do with the cyberattacks on the U.S. infrastructure, or on any infrastructure in any other country in the world.”

A spokesman for the Chinese Embassy in Washington, Wang Baodong, said the Chinese government “resolutely oppose[s] any crime, including hacking, that destroys the Internet or computer network” and has laws barring the practice. China was ready to cooperate with other countries to counter such attacks, he said, and added that “some people overseas with Cold War mentality are indulged in fabricating the sheer lies of the so-called cyberspies in China.”

Utilities are reluctant to speak about the dangers. “Much of what we’ve done, we can’t talk about,” said Ray Dotter, a spokesman at PJM Interconnection LLC, which coordinates the movement of wholesale electricity in 13 states and the District of Columbia. He said the organization has beefed up its security, in conformance with federal standards.

In January 2008, the Federal Energy Regulatory Commission approved new protection measures that required improvements in the security of computer servers and better plans for handling attacks.

Last week, Senate Democrats introduced a proposal that would require all critical infrastructure companies to meet new cybersecurity standards and grant the president emergency powers over control of the grid systems and other infrastructure.

Specialists at the U.S. Cyber Consequences Unit, a nonprofit research institute, said attack programs search for openings in a network, much as a thief tests locks on doors. Once inside, these programs and their human controllers can acquire the same access and powers as a systems administrator.

NERC Letter

The North American Electric Reliability Corporation on Tuesday warned its members that not all of them appear to be adhering to cybersecurity requirements.

The White House review of cybersecurity programs is studying ways to shield the electrical grid from such attacks, said James Lewis, who directed a study for the Center for Strategic and International Studies and has met with White House reviewers.

The reliability of the grid is ultimately the responsibility of the North American Electric Reliability Corp., an independent standards-setting organization overseen by the Federal Energy Regulatory Commission.

The NERC set standards last year requiring companies to designate “critical cyber assets.” Companies, for example, must check the backgrounds of employees and install firewalls to separate administrative networks from those that control electricity flow. The group will begin auditing compliance in July.

—Rebecca Smith contributed to this article

http://online.wsj.com/article/SB123914805204099085.html

Brother can you spare $100,000,000?

File this under “It really is less expensive to prevent an attack than to pay for cleaning up after an attack.”

Pentagon spends $100 million to fix cyber attacks

WASHINGTON – The Pentagon spent more than $100 million in the last six months responding to and repairing damage from cyber attacks and other computer network problems, military leaders said Tuesday.

Air Force Gen. Kevin Chilton, who heads U.S. Strategic Command, said the military is only beginning to track the costs, which are triggered by constant daily attacks against military networks ranging from the Pentagon to bases around the country.

“The important thing is that we recognize that we are under assault from the least sophisticated — what I would say the bored teenager — all the way up to the sophisticated nation-state, with some pretty criminal elements sandwiched in-between,” said Chilton, adding that the motivations include everything from vandalism to espionage. “This is indeed our big challenge, as we think about how to defend it.”

According to Army Brig. Gen. John Davis, deputy commander for network operations, the money was spent on manpower, computer technology and contractors hired to clean up after both external probes and internal mistakes. Strategic Command is responsible for protecting and monitoring the military’s information grid, as well as coordinating any offensive cyber warfare on behalf of the U.S.

Officials would not say how much of the $100 million cost was due to outside attacks against the system, versus viruses and other problems triggered accidentally by Defense Department employees. And they declined to reveal any details about suspected cyber attacks against the Pentagon by other countries, such as China.

Speaking to reporters from a cyberspace conference in Omaha, Neb., the military leaders said the U.S. needs to invest more money in the military’s computer capabilities, rather than pouring millions into repairs.

“You can either pay me now or you can pay me later,” said Davis. “It would be nice to spend that money proactively … rather than fixing things after the fact.”

Officials said that while there has been a lot of anecdotal evidence on the spending estimate, they only began tracking it last year and are still not sure they are identifying all the costs related to taking computer networks down after a problem is noticed.

The Pentagon has acknowledged that its vast computer network is scanned or probed by outsiders millions of times each day. Last year a cyber attack forced the Defense Department to take up to 1,500 computers offline. And last fall the Defense Department banned the use of external computer flash drives because of a virus threat officials detected on the Pentagon networks.

The cost updates come as the Obama administration is completing a broad government-wide review of the nation’s cybersecurity.


The twits tweeting on Twitter..

So I know this post will be very unpopular among many of my social marketing friends who feel that Twitter is the best thing since sliced bread. I will admit that while I find most technologies coming out today fairly useful, I could not find any useful purpose for Twitter in my daily life. Until today…

Electronic Surveillance

When you are trying to pull off an attack, any attack, the first thing you have to do is gain as much intelligence about your target as you can. When performing a social engineering attack, we have to find as much information about our victim employees as possible. If I am going to successfully trick you into clicking an unsolicited email, I must send you an email that will pique your interest. Before, this involved scouring websites, forums, and social networking sites. While these were very useful, they could be static: you were into cars six months ago, but now not so much. The key to a successful social engineering based attack is simple: if you know enough information, the victim will never suspect you are an attacker.

So what is Twitter? It is a micro-blogging service that only allows 140 characters at a time, so people are forced to blog on very small, timely subjects. From what they ate for breakfast to current events, “tweets” are frequent and the subjects are far-reaching. This can be likened to a cyber glimpse into someone’s life, and that is a dream for a malicious attacker. If I as an attacker am trying to find information about you that I can use, then Twitter becomes a must-read for me. Granted, what song you’re listening to may not seem like a security issue. Remember, a successful social engineering attack convinces you I am someone harmless. Sending an email from the Hannah Montana fan club saying to join may not be a draw for a lot of people, but if I find that employee who is tweeting about Hannah Montana, then I have found my ticket in.

The key to gathering successful intelligence is first linking the employee’s business information to a personal identity. Twitter can again help. Say I am trying to find information on a Dr. Jane Doe who is a chemical engineer. I do a search for a Jane Doe on Twitter, and if I find a tweeter who is tweeting about working on a chemical molecule, chances are I have found a match. From there I would look at her handle and see if that handle is used anywhere else on the internet.

Tweeter to a Jailbird

Your employees are twittering; do you know what they are saying? Have they said anything negative about your company? Have they let out any company/trade secrets? I did a Twitter search for “layoffs”; check out some of the hits I found (these are hits from within the last hour):

“I can’t “publicly” confirm or deny any layoffs. You will see a press release soon on Q1 results with details contained therein. “
“My co. offered 65 + 5 yrs. employees or 20 yr. employees a BUYOUT that sucks. Insulting offer. I sense layoffs are coming next.”
“Just entered the ranks of the unemployed!!! Layoffs at *****! Couldn’t have come on a brighter, sunshiney-er day!!! “
“They have bhind scenes. So far I’m ok but they can’t cut too much from me. We knew layoffs in works. Fred always said he wouldn’t “

Most companies have a procedure in place to determine what company information is released, when it is released, and who releases it. I find it highly unlikely that these tweets were approved by the company’s management as official statements from the company. Let’s think about other instances: is your company about ready to release a new offering that is secret right now? Do you have an expected new offering that has some issue? Were your financials not quite where they were expected?

If your company is a publicly traded company, tweets of secret information could be seen as insider information. At that point you better have a PDA that will survive 5-7 years (with good behavior :) ).

Plugging the holes

Again, as with many security fixes, it comes down to your end-user employees: security awareness training and proper policies put in place. Have policies that state what business information should not be released by unauthorized employees in any form. Make sure your employees know the risks of tweeting business information, and ensure these policies are enforced.

The Ancient Art of Cyber-Warfare Pt. 1


Over the weekend while listening to my Zune, an audio book of The Art of War started playing. It had been a while since I had actually listened to it, so I sat back, grabbed a soda and let it play. For those of you not familiar with this book, let me give a brief overview. Written sometime between 500 and 350 BCE, The Art of War was written by the legendary Chinese general Sun Tzu. Written as a military strategy guide for his officers, The Art of War has flourished for twenty-five centuries. Listing the military leaders who are considered students of Sun Tzu would sound like a history lesson: Napoleon, Lord Cornwallis, Gen. Patton, Dwight Eisenhower, and Gen. Colin Powell. Recent readers include business professionals who incorporate the strategies into their “business conquests”.

Fighting for the King of Wu, Sun Tzu fought in a volatile time when the provinces of what would become China were constantly at war with one another. Losing a battle could mean the end of your province. Therefore The Art of War conveys a win-at-all-costs attitude, which I don’t believe is useful for many aspects of business. In the realm of cyber-security, though, I believe we find an exception. We have a real threat of forces that want to defeat us in order to obtain, sabotage, or destroy our treasures. Unlike sales, where “you win one, you lose one” is a fact of life, in defending our company against cyber threats we must maintain a defend-at-all-costs attitude. We never know if the next incursion will be the blow that you or your company cannot bounce back from.

Throughout the next few posts we’ll examine the strategies of Sun Tzu and delve into how we can use them in designing our cyber strategies.

Lesson 1 – It’s not a matter of if, but when…

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

- Sun Tzu, “The Art of War”, 500 BCE

Growing up, my father used to say “There are two certainties in life, death and taxes.” I want to add a third: your network will be attacked. In this day and age your network is under attack constantly. The average network will be attacked hundreds if not thousands of times in a given day. Your network is your modern castle and you are definitely under siege. Yet I still hear business owners and IT professionals say something like “We don’t have to worry about cyber security: A. we’re too small of a company; B. we don’t have any sensitive data; C. we’re located in the middle of nowhere; D. add your own lame excuse.”

First things first: most attacks are random. From the internet side of things, you are an IP address. It doesn’t matter if you are a stock firm in New York or a farm store in Nebraska; you connect to the same public network, where scans for vulnerabilities are constantly being performed. At Parameter our testing network drops a scan from the internet about once a minute. That’s nearly 1500 scans a day. Most attackers will hack first and, if successful, then look for their spoils: financial data, employee information, or even a platform for future attacks on other systems. Either way, your system has been breached and your reputation has been tarnished.

The Art of War teaches us to understand that we will be attacked; therefore we must focus on successfully detecting, evading, and repelling any attack that comes our way. We must understand that no network is impenetrable. We must know our network’s weaknesses, and if we cannot mitigate those dangers we must ensure we can detect any attempt to exploit the vulnerabilities and respond quickly.
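The constant background of internet scans described above is exactly what a firewall’s drop log records, and the detection the previous paragraph calls for starts with telling a port sweep apart from that noise. The following is an added example, not code from this post or from Parameter: it parses an assumed, simplified iptables-style drop log (the sample lines are constructed, using documentation-range addresses) and flags any source that probes several distinct ports within a short window.

```python
"""Separate a port sweep from background drop noise in firewall logs.
Added example, not the post's code; the line format is an assumed, simplified
iptables-style format and the sample below is constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of edge-firewall DROP events (documentation-range IPs).
SAMPLE_LOG = """\
2009-04-08T13:00:01 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22
2009-04-08T13:00:02 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=23
2009-04-08T13:00:02 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=80
2009-04-08T13:00:03 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=443
2009-04-08T13:00:03 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=3389
2009-04-08T13:00:04 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=1433
2009-04-08T13:05:10 DROP SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=445
2009-04-08T13:30:00 DROP SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=445
2009-04-08T14:12:09 DROP SRC=198.51.100.250 DST=198.51.100.5 PROTO=UDP DPT=53
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=\S+ PROTO=\S+ DPT=(?P<dpt>\d+)$"
)

def parse_drops(text):
    """Return [(timestamp, src, dport)] for well-formed DROP lines; others are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])))
    return events

def find_scanners(text, min_ports=5, window_seconds=60):
    """Map src -> sorted ports for sources that hit >= min_ports distinct ports
    within any window_seconds span. One port retried over an hour is noise, not a sweep."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse_drops(text):
        by_src[src].append((ts, dpt))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Slide the window's left edge until it spans at most window_seconds.
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if len({p for _, p in events[lo:hi + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in events})
                break
    return scanners

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

Lowering `min_ports` or widening `window_seconds` trades fewer missed slow sweeps for more noise from the once-a-minute background the post describes.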

Identify your company’s “treasures” and ensure the proper defenses are in place. If you do not know your treasures, cannot detect attempted attacks, or don’t employ defense in depth, you have no choice but to admit defeat and assume your treasure has been stolen.