Foreign actors are probing the networks of key American
companies in an attempt to gain control of industrial facilities and
transportation systems, Defense Secretary Leon Panetta revealed tonight.
"We know that foreign cyber actors are probing America's
critical infrastructure networks," said Panetta, disclosing previously classified
information during a speech in New York laying out the Pentagon's role in
protecting the U.S. from cyber attacks. "They are targeting the computer
control systems that operate chemical, electricity and water plants, and those
that guide transportation thorough the country."
He went on to say that the U.S. government knows of "specific
instances where intruders have gained access" to these systems -- frequently
known as Supervisory Control and Data Acquisition (or SCADA) systems -- and
that "they are seeking to create advanced tools to attack these systems and
cause panic, destruction and even the loss of life," according to an advance
copy of his prepared remarks.
The secretary said that a coordinated attack on enough critical
infrastructure could be a "cyber Pearl Harbor" that would "cause physical
destruction and loss of life, paralyze and shock the nation, and create a
profound new sense of vulnerability."
While there have been reports of criminals using 'spear phishing' email attacks aimed at stealing information about American utilties, Panetta's remarks seemed to suggest more sophisticated, nation-state backed attempts to actually gain control of and damage power-generating equipment.
Panetta's comments regarding the penetration of American
utilities echo those of a private sector cyber security expert Killer Apps spoke
with last week who said that the networks of American electric companies were
penetrated, perhaps in preparation for a Stuxnet-style attack.
Stuxnet is the famous cyber weapon that infected Iran's
uranium-enrichment centrifuges in 2009 and 2010. Stuxnet is believed to have
caused some of the machines to spin erratically, thereby destroying them.
"There is hard evidence that there has been penetration of
our power companies, and given Stuxnet, that is a staging step before
destruction" of electricity-generating equipment, the expert told Killer Apps. Because
uranium centrifuges and power turbines are both spinning machines, "the attack
is identical -- the one to take out the centrifuges and the one to take out our
power systems is the same attack."
"If a centrifuge running at the wrong speed can blow apart"
so can a power generator, said the expert. "If you do, in fact, spin them at
the wrong speeds, you can blow up any rotating device."
Cyber security expert Eugene Kaspersky said two weeks ago that one of his greatest fears is someone reverse-engineering a
sophisticated cyber weapon like Stuxnet -- a relatively easy task -- and he
noted that Stuxnet itself passed through power plants on its way to Iran. "Stuxnet
infected thousands of computer systems all around the globe, I know there were
power plants infected by Stuxnet very far away from Iran," Kaspersky said.
While the utilities have been penetrated, Panetta said that
the Defense Department, largely via the National Security Agency, is "acting aggressively to get ahead of this problem --
putting in place measures to stop cyber attacks dead in their tracks" under a
The Department of Homeland Security, working with the
Department of Energy, has the lead in responding to the attacks that Panetta
disclosed tonight, senior defense officials told reporters during a background
briefing about Panetta's speech. The Pentagon officials believe they know who
was behind the attack but would not reveal who that may be. They did note
however, that Russia, China, and increasingly, Iran have developed worrisome
cyber capabilities. DHS officials were not available for comment.
Panetta added that the Pentagon stands ready to "counter"
cyber threats to U.S. national interests. He did not, however, use the word "offensive"
to describe any of DoD's operations in cyberspace.
"If we detect an imminent threat of attack that will cause
significant physical destruction or kill American citizens, we need to have the
option to take action to defend the nation when directed by the President,"
said Panetta. "For these kinds of scenarios, the [Defense Department] has
developed that capability to conduct effective operations to counter threats to
our national interests in cyberspace."
He went on to insist, though, that the Pentagon has only a
supporting role to civil agencies in defending U.S. civilian infrastructure
from cyber attack and that DoD will not monitor citizens personal computers.
"That is not our mission," said Panetta.
The Defense Department will only have the lead in responding
to cyber attacks when deemed appropriate under the rule of armed conflict, said
one of the defense department officials.
To protect the United States from crippling cyber attacks by
"foreign adversaries," Panetta said the Pentagon will focus on the following:
Developing new cyber capabilities via the more
than $3 billion spent on cyber issues annually;
Establishing policies and organizations that DoD
needs to execute its mission in near real-time with other federal agencies,
such as the Department of Homeland Security and the FBI;
Improving DoD's cooperation with private
industry and international partners via better information-sharing about cyber
threats and the establishment of basic cyber security standards for critical
Panetta also urged Congress to pass the Cyber Security Act of 2012, which would
allow real-time information-sharing between businesses and the government,
restrict the type of information government can collect on private citizens and
how that information may be used, as well as set minimal cyber security
standards that critical infrastructure providers should meet.
A copy of Panetta's speech is below.
SD BENS Cybersecurity Speech as PREPARED