Cyberattack—the silent nightmare

December 24, 2012 by Melissa Maynard

In Michigan's worst techno-horror story, the state's major utilities get hacked in the wintertime. Power in the state shuts down, and nobody can figure out how to regain control of the systems needed to turn it back on. Millions of people are left in the dark and in the cold.

, the business of protecting the Web-based systems that now run much of the world, has emerged as an important function of state governments. States have to worry not only about the safety of their own networks and the data that is housed there, but also about the security of privately owned systems that control within their borders.

It's the kind of low-profile problem for which it's often difficult to rally public support until it's too late. But Michigan has enlisted the help of everyone from the major utility companies to the state police to launch what it sees as a multi-pronged pre-emptive strike. Gov. Rick Snyder used to be the president of Gateway computers; he is leading cybersecurity efforts for the National Governors Association. That has brought key players to the table from both the public and private sectors.

"You will fail if you're an island," says Dan Lohrmann, Michigan's chief security officer. "You've got to be working with other states, you've got to be working with the , you've got to be working with the private sector, you've got to be looking at , because the bad guys, you might stop them today, you might stop them tomorrow, but you might not stop them the next day. They're always getting better. They're looking at your castle and they're always trying to get across your moat."

In fact, it's no longer precisely accurate to call Michigan's anti-hacking efforts pre-emptive. The state is already experiencing 185,000 cyberattacks on its state-owned infrastructure every day, says John Nixon, director of the state's department of technology, management and budget. The vast majority of those attacks are thwarted, and some are multiple attempts from the same source. "Now what are we housing as a state?" Nixon asks rhetorically. "We're housing tax records, health records, pretty much everything there is about people and their lives. Cybersecurity is the number one issue for us."

Information technology managers in Michigan can't help noticing scary events that are taking place around the country almost all the time. The scariest took place in South Carolina this October, when a hacking at the department of revenue compromised social security numbers, bank account numbers and other data for 3.8 million residents. It is widely believed to be the largest computer breach any state government has faced. Mandiant, the security firm hired by the state to investigate the breach, told South Carolina legislators this month that the techniques used by the hackers were "not that sophisticated." The incident was likely the result of a state employee clicking on an attachment in a bogus "phishing" email.

Over the course of the next year, all 50,000 Michigan employees will be completing a series of interactive, video game-like training modules aimed at preventing them from making equally costly mistakes. In one session, employees have to find missing laptops in an airport terminal - an exercise aimed at reminding them not to leave technology behind on airport shuttles and in bathrooms, as many travelers do.

Michigan is the only state to have completely merged cybersecurity with physical security, though such practices are fairly common in the private sector. The same state unit is responsible for providing the security guards who oversee access to state buildings and the cybersecurity professionals who monitor state networks for suspicious activity.

"The merger of the physical and cyber world is happening at all levels," says Lohrmann, who oversees both functions and blogs about cybersecurity for Government Technology magazine. "Any kind of crime that you may want to commit in the real world, you can now use cyber to gain information to support that crime, to enhance that crime, to multiply that crime in the cyber world."

In a similar way, the state has focused on sharing information between cybersecurity professionals at private companies and government cybersecurity personnel. The state will soon be physically centralizing these efforts in a Cyber Command Center housed with the state police.

"It's just like a serial killer in the old days," says Inspector Dean Kapp, assistant division commander of the Michigan State Police, Emergency Management and Homeland Security Division. "They'll kill one in California, Michigan and New York, and they were all separate until somebody figured it out. Well, we have systems in place now to link those."

Still, gathering evidence and finding hackers remains a huge challenge. Kapp jokes that for law enforcement personnel, even bank robberies are easier to tackle than cybercrimes. "Cybercrime is on such a tidal wave roll right now that it's going to overtake everything else," he says. "If I can sit back in my living room and commit a crime and not have to scale a catwalk or break into somebody's house to steal something, why wouldn't I do it that way?"

Federal cybersecurity legislation has repeatedly stalled in Congress because of sensitivities around asking private companies to share information that they say could put them - and their stock prices - at risk. But Michigan companies are willingly collaborating with the state on a range of cybersecurity initiatives aimed at bolstering protections and developing coordinated response plans for when breaches happen.

One hope is that as cybersecurity becomes increasingly important in the global marketplace, state efforts will pay off not just in preventing disasters but in economic development opportunities. Michigan economic strategists are particularly excited about the potential of the Michigan Cyber Range, a public-private partnership launched in November that allows for hands-on training and testing of real-world cybersecurity scenarios.

"Aside from giving the good guys and fake bad guys a safe place to shoot at each other, it's giving companies a safe place to test their products," says Gary LaRoy, vice president and chief information officer of the Michigan Economic Development Corporation. "That could be a big economic development advantage for us."

The range, the first of its kind anywhere in the country, will eventually be accessible both remotely through a secure network and on-site at various higher education and military facilities around the state.

"You have to be able to outthink your adversary as a team, so (the Range) goes one step further," says Don Welch, president and CEO of the Merit Network, which hosts and operates the Cyber Range. "This is really where the focus of the range is, to get people practicing outthinking someone. The other part is to get them to do it as a team - because you don't want to work on your teamwork when your normal modes of communication are under attack."

Merit Network is a nonprofit governed by Michigan's public universities, and key partners include other academic institutions, the federal department of homeland security, the Michigan Economic Development Corporation and companies. All will be able to tailor the range to their own needs by building off the curriculum developed by Merit. Sharing and building on lessons learned in the Range is a core requirement for all who use it.

"I can use it to help grow the talent on my team," says Jim Beechey, cybersecurity manager at Consumers Energy, a major power company that is a key state partner. "We can use the range for exercises and simulations and testing. We can do things in a safe environment rather than exposing some of our operational systems to risks."

Beechey also hopes the Range and accompanying academic program development will help him identify and recruit talented cybersecurity professionals, an ongoing challenge. The Range may eventually be used to screen job applicants by testing how they would react in the real world.

Five Michigan higher educational institutions currently are recognized as Centers of Academic Excellence by the National Security Administration for their cybersecurity programs, and the Cyber Range is aimed at further boosting those numbers by making it easier for universities and community colleges to launch programs making use of infrastructure already in place. "The exploits and the vulnerabilities change fairly quickly, and there's a lot of work for instructors and professors to keep those up to date and keep it viable," Welch says.

LaRoy, of the Michigan Economic Development Corporation, says that while companies aren't routinely making location decisions based on cybersecurity considerations now, that will be likely to change if a major incident disrupts peoples' lives and explodes onto the national news, something many in the field consider inevitable.

His pitch to companies considering where to locate or expand includes assurances that Michigan's infrastructure is more secure because of what the state has done to protect it through the Cyber Range and other initiatives.

"It's not enough to have their data in their data center safe if they don't have power to that data center because somebody hit our power grid," he says. "They're at risk. If we can truly make ours more immune or better defended against cyber threats then it's a safer place to do business."

Explore further: US using 'latest tools' for cybersecurity: Napolitano

Related Stories

US Senate in new cybersecurity push

February 15, 2012

US senators, warning of potentially catastrophic cyberattacks, introduced a bill Tuesday aimed at protecting critical infrastructure such as power, water and transportation systems.

US senators call for cybersecurity czar

April 1, 2009

Two US senators introduced legislation on Wednesday aimed at creating a powerful national cybersecurity advisor who would report directly to the president.

US moves to enhance cybersecurity cooperation

October 13, 2010

The Pentagon and Department of Homeland Security unveiled an agreement on Wednesday designed to boost cooperation in defending military and private computer networks from growing cyber threats.

Recommended for you

Technology near for real-time TV political fact checks

January 18, 2019

A Duke University team expects to have a product available for election year that will allow television networks to offer real-time fact checks onscreen when a politician makes a questionable claim during a speech or debate.

Privacy becomes a selling point at tech show

January 7, 2019

Apple is not among the exhibitors at the 2019 Consumer Electronics Show, but that didn't prevent the iPhone maker from sending a message to attendees on a large billboard.

China's Huawei unveils chip for global big data market

January 7, 2019

Huawei Technologies Ltd. showed off a new processor chip for data centers and cloud computing Monday, expanding into new and growing markets despite Western warnings the company might be a security risk.


Adjust slider to filter visible comments by rank

Display comments: newest first

3.3 / 5 (7) Dec 24, 2012
Sounds like a job for --Homeland Security!!!!

The sheer idiocy of letting this goal of hardening infrastructure be done piecemeal is mind-numbing. That's what HS is supposed to be for, and there is certainly enough money in its budget to fund development of an overall policy, standards, and implementation of critical infrastructure physical and cyber security.
2.3 / 5 (6) Dec 24, 2012
Stop watching zoo porn on the control-rod workstation
4.2 / 5 (5) Dec 24, 2012
Sounds like a job for --Homeland Security!!!!

I couldn't agree more. What are we paying them for, anyway?
1 / 5 (2) Dec 25, 2012
Actually having a decentralized approach to cyberspace security has some distinct advantages. While it undoubtedly makes identifying an intruder, or plugging holes faster and more streamlined the likelyhood that an intruder will find and exploit a hole that exists accross the entire infrastructure is far more likely. The damage potentially caused by a breach is far higher as well.

As it stands now an attacker could potentially attack the electric grid and kill power to say the north east. That is bad. Now if that same system is in place nationwide the problem is times of magnatude worse.

A Federal learning center of some kind where these things can be studied and scenarios can be simulated isn't a bad thing depending on how it's implemented. Inflicting the bureaucratic mess that comes with the federal government on something of this nature is bound to catastrophically fail at some point.
not rated yet Dec 25, 2012
Here you are--NAME-- Federal Bureau of CyberInvestigation! FBCI
4.1 / 5 (13) Dec 25, 2012
So what ever happened to this?

Anonymous - Project Mayhem 2012 December 21st

-Stillborn? Preempted? Hoax? NO GUTS?? Does the NSA have a steeper learning curve than so many amateurs?
1 / 5 (2) Dec 25, 2012
Actually having a decentralized approach to cyberspace security has some distinct advantages. While it undoubtedly makes identifying an intruder, or plugging holes faster and more streamlined the likelyhood that an intruder will find and exploit a hole that exists accross the entire infrastructure is far more likely. The damage potentially caused by a breach is far higher as well.

Actually, it has the distinct advantage of putting those sweet pork dollars into the pockets of the gubment contractors that will be grossly overpaid to develop your decentralized/localised
infrastructure grids, and absolutely guaranteed to drive up costs to the end users, without any value whatsoever added during the process of creating a clumsy, inefficient, non cross-compatible/communicating distribution system for vital utilities.

A unified standard is the way to go.

Are you aware of any hacks or breakdowns in the Armed Services/ National Intelligence communications systems?

Answer: No.
1 / 5 (1) Dec 25, 2012
The amount of data required for maintaining the publicly useful services, like the health insurance is actually quite low. The cyberattacks can be sometimes useful as the weapon against various big-brother technologies, which are collecting large amount of data about their users on background. Which is why these organizations are getting so nervous about it.
1.7 / 5 (6) Dec 26, 2012
I was amazed to read that drones used in Afghanistan were controlled by terminals using Microsoft Windows. That's akin to the US military equipping their front line forces with toy guns with everyone shouting bang when they "fire" at the enemy.
3 / 5 (2) Dec 26, 2012
I was amazed to read that drones used in Afghanistan were controlled by terminals using Microsoft Windows. That's akin to the US military equipping their front line forces with toy guns with everyone shouting bang when they "fire" at the enemy.

You've gotta give Microsoft a bit of credit...
More like "bang" every 3rd shot, with a "part not found" announcement every 100.
5 / 5 (1) Dec 30, 2012
There IS an agency tasked with this, but like so many things in government, they're not chartered in such a way that they can actually do the work one might expect of them. It is called ICS-CERT and it is affiliated with the National SCADA Test Bed at Idaho National Labs.

This problem is not trivial. It involves the intersection of two very broad and surprisingly deep fields of study: Control Engineering and IT Security. Getting anywhere in either of these fields takes a decade of experience. Getting anywhere in BOTH fields is so unusual that the experts world wide are measured in the low hundreds.

There are no easy solutions here. And for you NERC CIP advocates, give it a rest. Compliance is not the same thing as real security.
not rated yet Jan 02, 2013
I was amazed to read that drones used in Afghanistan were controlled by terminals using Microsoft Windows. That's akin to the US military equipping their front line forces with toy guns with everyone shouting bang
when they "fire" at the enemy.

once more, you bug me. I'm a 5 year unix user and yet I have no problem with Microsoft. . . you need to get over it.
1 / 5 (1) Jan 02, 2013
The cyberattacks are the only way, which may prohibit the implementation of Big Brother technologies, which would follow every steps of yours.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.