Foreign actors are probing the networks of key American companies in an attempt to gain control of industrial facilities and transportation systems, Defense Secretary Leon Panetta revealed tonight.
"We know that foreign cyber actors are probing America's critical infrastructure networks," said Panetta, disclosing previously classified information during a speech in New York laying out the Pentagon's role in protecting the U.S. from cyber attacks. "They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation thorough the country."
He went on to say that the U.S. government knows of "specific instances where intruders have gained access" to these systems -- frequently known as Supervisory Control and Data Acquisition (or SCADA) systems -- and that "they are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life," according to an advance copy of his prepared remarks.
The secretary said that a coordinated attack on enough critical infrastructure could be a "cyber Pearl Harbor" that would "cause physical destruction and loss of life, paralyze and shock the nation, and create a profound new sense of vulnerability."
While there have been reports of criminals using 'spear phishing' email attacks aimed at stealing information about American utilties, Panetta's remarks seemed to suggest more sophisticated, nation-state backed attempts to actually gain control of and damage power-generating equipment.
Panetta's comments regarding the penetration of American utilities echo those of a private sector cyber security expert Killer Apps spoke with last week who said that the networks of American electric companies were penetrated, perhaps in preparation for a Stuxnet-style attack.
Stuxnet is the famous cyber weapon that infected Iran's uranium-enrichment centrifuges in 2009 and 2010. Stuxnet is believed to have caused some of the machines to spin erratically, thereby destroying them.
"There is hard evidence that there has been penetration of our power companies, and given Stuxnet, that is a staging step before destruction" of electricity-generating equipment, the expert told Killer Apps. Because uranium centrifuges and power turbines are both spinning machines, "the attack is identical -- the one to take out the centrifuges and the one to take out our power systems is the same attack."
"If a centrifuge running at the wrong speed can blow apart" so can a power generator, said the expert. "If you do, in fact, spin them at the wrong speeds, you can blow up any rotating device."
Cyber security expert Eugene Kaspersky said two weeks ago that one of his greatest fears is someone reverse-engineering a
sophisticated cyber weapon like Stuxnet -- a relatively easy task -- and he
noted that Stuxnet itself passed through power plants on its way to Iran. "Stuxnet
infected thousands of computer systems all around the globe, I know there were
power plants infected by Stuxnet very far away from Iran," Kaspersky said.
While the utilities have been penetrated, Panetta said that the Defense Department, largely via the National Security Agency, is "acting aggressively to get ahead of this problem -- putting in place measures to stop cyber attacks dead in their tracks" under a whole-of-government effort.
The Department of Homeland Security, working with the Department of Energy, has the lead in responding to the attacks that Panetta disclosed tonight, senior defense officials told reporters during a background briefing about Panetta's speech. The Pentagon officials believe they know who was behind the attack but would not reveal who that may be. They did note however, that Russia, China, and increasingly, Iran have developed worrisome cyber capabilities. DHS officials were not available for comment.
Panetta added that the Pentagon stands ready to "counter" cyber threats to U.S. national interests. He did not, however, use the word "offensive" to describe any of DoD's operations in cyberspace.
"If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President," said Panetta. "For these kinds of scenarios, the [Defense Department] has developed that capability to conduct effective operations to counter threats to our national interests in cyberspace."
He went on to insist, though, that the Pentagon has only a supporting role to civil agencies in defending U.S. civilian infrastructure from cyber attack and that DoD will not monitor citizens personal computers.
"That is not our mission," said Panetta.
The Defense Department will only have the lead in responding to cyber attacks when deemed appropriate under the rule of armed conflict, said one of the defense department officials.
To protect the United States from crippling cyber attacks by "foreign adversaries," Panetta said the Pentagon will focus on the following:
- Developing new cyber capabilities via the more than $3 billion spent on cyber issues annually;
- Establishing policies and organizations that DoD needs to execute its mission in near real-time with other federal agencies, such as the Department of Homeland Security and the FBI;
- Improving DoD's cooperation with private industry and international partners via better information-sharing about cyber threats and the establishment of basic cyber security standards for critical infrastructure providers.
Panetta also urged Congress to pass the Cyber Security Act of 2012, which would allow real-time information-sharing between businesses and the government, restrict the type of information government can collect on private citizens and how that information may be used, as well as set minimal cyber security standards that critical infrastructure providers should meet.
A copy of Panetta's speech is below.
SD BENS Cybersecurity Speech as PREPARED