Note from Tom:
I have moved to Substack as my
primary blog platform. If you want to see all my new posts, as well as my 1200+
legacy posts starting in 2013, please support me by becoming a paid subscriber
to my Substack blog. The cost is $30 a year. Thanks!
The “Links” section of Dale Peterson’s weekly newsletter today
contained this bullet point: “MITRE’s
Project Homeland is trying to map US critical infrastructure.” Even
though mapping critical infrastructure is a worthwhile goal that could bring
lots of benefits, I must admit that, when I saw this, a bunch of red flags
immediately appeared in my field of vision. After all, wouldn’t a map of US
critical infrastructure be an early Christmas present for Vladimir Putin, Xi Jinping,
and Kim Jong-Un?
I started to read the article, expecting to be quickly
reassured that the leaders of this project, MITRE Corporation (whom I praised in
my post just yesterday
– for something completely different, of course) have security considerations
firmly in mind and are going out of their way to protect this treasure trove of
critical infrastructure data. I was reassured when I read the second and third paragraphs:
“As MITRE’s senior principal scientist, Philp has spent four
years working to understand how America’s critical infrastructure systems are
interconnected and where they’re most vulnerable.
“We’re more at risk today than we were in 2001,” said Philp,
who has spent much of his career working on infrastructure vulnerability
assessments. “The question is, with less money, how do we reduce the greatest
amount of risk?””
However, I was soon disappointed. Here are some further
quotes, in the order in which they appear in the article (my comments are in italics).
What emerged was something unprecedented: a spatial knowledge
graph that could power dynamic visualizations showing exactly where critical
infrastructure exists, how it’s all connected, and where those connections
create the greatest vulnerabilities. (my emphasis)
* * *
“The sheer number of infrastructure points and the intricate
web of connections among them were staggering…The graph revealed not only the
complexity but also enabled staff to see each entity, such as a hospital, in
isolation related to its dependency on water and power.”
When you’re talking about power connections, you need to
be quite clear about what you mean. You could say that, within each
Interconnect in North America (the four are the Eastern Interconnect, Western
Interconnect, ERCOT – which covers a large part of Texas – and Quebec) every
power source, no matter how mighty, is “connected” to every residence, no
matter how humble.
Of course, if you include each of those connections in your
map, or even just the major ones, the map will be close to black with power
connections. However, if you ask the really important question, “How many hospitals
will lose power – or at least have to go on backup generation – if there’s a
total outage at Grand Coulee Dam (the largest power source in North America)?”,
the answer should usually be “None”.
This is because each Interconnect has lots of redundancy
built into it. It’s the job of the ISOs/RTOs
and the Reliability Coordinators to make sure that, at literally every second
of the day and night, there are backup power sources (and preferably backups of
backups) ready to cover for every possible contingency – such as a power plant unexpectedly
going down at that moment. Utilities are closely monitored for how good a job
they do of keeping the lights on.
On the other hand, there’s certainly some combination of
power sources, the loss of which would bring down a substantial number of – say –
hospitals in one of the Interconnects. If you’re trying to cause such an
event, MITRE’s map would probably be very helpful.
* * *
The map and graph together shed light on not just
infrastructure networks but also human networks such as the highly skilled
workers who maintain the infrastructure. The graph can reveal who works with
whom, while the map shows where they work and can even track their location in
real time.
* * *
The team gathered detailed data about critical infrastructure
and then used graph data science tools in ArcGIS Knowledge to analyze
dependencies, revealing the web of vulnerabilities from the national scale down
to individual city blocks. In Fort Lauderdale, for example, the system could
show how a flood affecting one neighborhood’s electrical substation might upset
water treatment systems, hospitals, and emergency services across the region.
Of course, the effects of a flood in a substation would be
similar to those of a cyber or physical attack on the substation. The most
chilling example of the latter is the Metcalf attack.
My guess is that, if someone writing the article had asked MITRE
what risks the map itself might pose, they would have been assured that the
risks were very low, since each of these assets is very well protected against
both cyber and physical attacks. Moreover, the map doesn’t reveal IP addresses,
firewall types, or any other information that could be used to launch an attack
on one or more assets.
That is most likely true, but it completely misses the main
point: The map itself, if it fell into the wrong hands, might be a great tool
for plotting a massive physical or cyber attack on the grid. For example, you
might use the data from the map to answer the question, “Which generating
facilities and substations would we need to take out, to bring down most of the
hospitals in City X?”[i]
I’m sure there’s not enough data to get an exact answer to this question, but at
least the map will put you on the road to having that answer.
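The two questions above – “how many hospitals go dark if one big source drops out?” (usually none, because of N-1 redundancy) and “which set of assets would an attacker need to take out to black out most of the hospitals in a city?” – are both just queries over a dependency graph, which is the point: whoever holds the graph can run either one. The following Python is an added illustration, not MITRE’s or Esri’s code, and runs on a small constructed dependency table (the hospital and substation names are made up). It checks every single-substation loss, then brute-forces the smallest combination of substation losses that blacks out a target fraction of hospitals:

```python
import math
from itertools import combinations

# Constructed toy dependency graph (assumption: not real infrastructure data).
# Each hospital lists the substations that can feed it. A hospital stays
# energized as long as at least one of its feeds is still up; that
# redundancy is what makes a single failure harmless.
HOSPITAL_FEEDS = {
    "hospital_A": {"sub_1", "sub_2"},
    "hospital_B": {"sub_2", "sub_3"},
    "hospital_C": {"sub_1", "sub_3"},
    "hospital_D": {"sub_3", "sub_4"},
    "hospital_E": {"sub_4", "sub_5"},
}


def hospitals_without_power(feeds, failed):
    """Hospitals whose every feed is in the failed set (sorted by name)."""
    failed = set(failed)
    return sorted(h for h, subs in feeds.items() if subs <= failed)


def n_minus_1_check(feeds):
    """Loss of each single substation -> list of hospitals that go dark.

    All-empty lists mean the toy grid is N-1 secure: no single outage,
    however large the source, takes a hospital off grid power.
    """
    substations = sorted(set().union(*feeds.values()))
    return {s: hospitals_without_power(feeds, {s}) for s in substations}


def smallest_attack_set(feeds, target_fraction=0.5):
    """Smallest set of substations whose combined loss blacks out at least
    target_fraction of the hospitals.

    Exhaustive search in increasing set size; exponential in the number of
    substations, which is fine for a toy and is exactly the computation a
    dependency map hands to whoever holds it. Returns (failed_set, dark_list)
    or None if no combination reaches the target.
    """
    substations = sorted(set().union(*feeds.values()))
    needed = math.ceil(len(feeds) * target_fraction)
    for size in range(1, len(substations) + 1):
        for combo in combinations(substations, size):
            dark = hospitals_without_power(feeds, combo)
            if len(dark) >= needed:
                return set(combo), dark
    return None


if __name__ == "__main__":
    print("N-1 check:", n_minus_1_check(HOSPITAL_FEEDS))
    print("Half the hospitals:", smallest_attack_set(HOSPITAL_FEEDS, 0.5))
    print("All the hospitals:", smallest_attack_set(HOSPITAL_FEEDS, 1.0))
```

On this toy graph every single-substation loss leaves every hospital energized, but losing sub_1, sub_2 and sub_3 together blacks out three of the five. The adversary never needs IP addresses or firewall models for this: the dependency edges alone are the sensitive data.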
Were there any statements in the article that warned of the
dangers of gathering so much critical infrastructure information in one huge
map? Not even one. The closest to a warning statement that I found was this one:
“MITRE needs cutting-edge technology from trusted partners—like Esri—that are
committed to protecting sensitive customer data.” This isn’t a warning about
the map at all, but just a pledge to protect sensitive data of the users of
Esri’s software.
I’m not saying that MITRE should
abandon this project, since the map will be incredibly useful in the case of
physical disasters like hurricanes. But they obviously need to start thinking
about how they’ll protect access to the map itself, not just “sensitive customer
data”. This isn’t a map of risks; rather, the map itself is the risk.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com or comment on this blog’s Substack community chat.
[i] Why
would someone want to execute such an attack? Certainly, a terrorist might want
to. But what’s often overlooked is the opportunity to make money in financial
markets by short selling, for example, healthcare stocks or municipal bonds,
before launching an attack like that.