Cyber Attack

by Bobby Akart


  The Callaway Nuclear Power Plant is located near the state capital of Missouri, Jefferson City, and services almost the entire state. Greenpeace monitored the facility for over a year and successfully shut it down twice due to nonemergency leaks in a reaction control system. Now, Callaway faced a new issue. After a recent transformer fire, thousands of gallons of oil leaked into the surrounding monitoring wells. Residents called in the Environmental Protection Agency to investigate and Callaway promptly contained the spill and cleaned up the transformer fluid. Greenpeace demanded additional testing of the wells, and radioactive tritium was found.

  Tests of the exterior monitoring wells were normally run on a quarterly basis. The Nuclear Regulatory Commission, at the insistence of the EPA, ordered Ameren Missouri, the utility that operates Callaway, to conduct the tests on a monthly basis.

  The additional testing was insufficient to satisfy Greenpeace, so they contacted the Zero Day Gamers. Initially, they wanted Lau to create a breach, resulting in the permanent shutdown of the facility. After Lau discussed the project with the rest of the Gamers, they concluded a risk of nuclear meltdown along the lines of Fukushima was too great. Lau provided Greenpeace an alternative to raise awareness of the vulnerability without causing potential harm to innocent residents in Missouri or wherever the prevailing winds may take the fallout.

  The importance of cyber security for nuclear plants had been addressed for years. The goal of Greenpeace was to successfully attack the facility, which would undermine the confidence in the ability of the utility to operate Callaway in a safe and secure manner.

  Contemporary nuclear power plants relied extensively on a large and diverse array of computers for a host of tasks. Some computers might play a role in monitoring or controlling the operation of the reactor itself, as well as ancillary systems. Operating and technical support staff commonly used a computer network within the facility to perform these tasks.

  Following the terrorist attacks of 9/11, the Nuclear Regulatory Commission mandated that all nuclear plants become closed networks in order to protect them from potential intrusions via the Internet. Callaway, which came online in 1984, complied with this requirement by 2005.

  “Let’s walk through the sequence,” said Lau. Wearing his signature Boston Red Sox jersey and cap, Lau paced from one side of the loft to the other. He was nervous about this operation because a mistake in their calculations could kill tens of thousands of innocent people.

  “Greenpeace provided lots of intelligence and we supplemented their information with our own research,” said Fakhri. “The Callaway facility is operated by Ameren Missouri. As part of their normal operations, they contract with GZA GeoEnvironmental to conduct the tests upon the monitoring wells. The details of the NRC monitoring mandate, Commission Order CLI-16-15, were obtained from the NRC website.” Fakhri held up several pages of the NRC order.

  “The order required testing of the outside monitoring wells and internal temperatures, particulates, and water quality,” said Malvalaha. “All of the testing must be performed between the first and fourth day of the month.”

  Fakhri continued. “GZA assigned the project to its subsidiary in Oak Brook, Illinois—Huff & Huff. The environmental engineers at Huff & Huff will act as our Trojan horse.”

  “Every utility which operates a nuclear power plant must submit a Cyber Security Plan to the NRC,” said Malvalaha. “We found the detailed plan in pdf format on the NRC.gov website. It was submitted by AmerenUE for the Callaway facility four months ago. The plan prohibits the entry of flash drives, cell phones, etc. into certain parts of the facility. Because their network is closed to outside Internet connections, their primary concern was the introduction of a malicious program via an employee’s handheld device.”

  “The argument for a closed network is that isolation of a utility’s network from any external communication makes it secure,” said Lau. “But we all know it is very difficult to air gap a system by keeping it electronically isolated. An air gap makes a system subject to physical access or electronic compromise.”

  An air gap was a network security measure employed within a computer network to physically isolate it from unsecured networks such as the Internet. Typical uses included government servers containing high-side classified information and life-critical systems such as nuclear power plants. The Gamers learned the Hoover Dam utilized air-gapping to insulate its internal servers from intrusions. One option to circumvent this protocol was to use cellphone-based malware to remotely access any data stored in the targeted system. The Ameren cybersecurity plan prohibited the use of cell phones in the Callaway facility.

  The Gamers were provided with another option courtesy of the EPA.

  “The security dynamic changed when the EPA insisted upon this extraordinary monitoring regimen,” said Walthaus. “By requiring both external monitoring of the water quality as well as internal comparisons of particulates, the EPA inadvertently created an opportunity for us—an air gap.”

  “The EPA’s good intentions have resulted in unintended consequences for the cyber security of the Callaway facility,” added Fakhri.

  The television screen flashed darkness—momentarily catching everyone’s attention. In unison, the Gamers looked at their watches. Too early.

  “Must have been a solar flare.” Lau laughed. “This program better hurry up before a CME beats us to the punch.”

  “A solar flare would be ironic,” said Walthaus. “Anyway, this is our most sophisticated project to date because it involves all of the aspects of the blended threat we discussed earlier. Tonight, our weapon of choice is the Aurora vulnerability.”

  “Ironic indeed.” Lau laughed. “How did we exploit the opportunity so graciously provided by the EPA?”

  “Recently, Huff & Huff received an award from the American Council of Engineering Companies at a conference in Chicago,” said Malvalaha. “We were there, sort of.”

  “One of Huff’s biological engineers was asked to give a PowerPoint presentation on some type of environmental waste project,” said Fakhri. “He used the Wi-Fi system at the McCormick Place convention center—the conference venue. We infected their network by burying a keylogger Trojan in a rootkit on his laptop the moment his presentation began.”

  “Very stealthy,” said Lau.

  “Yes. Once he returned to the company’s office in Oak Brook, we monitored his keystroke activities and easily gained the information necessary to access the Huff & Huff servers,” said Malvalaha.

  “What was the next step?”

  “We did not know for certain which of the Huff & Huff personnel would be conducting the Callaway testing, so Malvalaha created one of his beloved worms to infect all of the Huff computers with a Trojan carrying the Aurora code,” replied Fakhri. “Every laptop in the company became our Trojan horse.”

  “When the inspector entered the facility numerous times this weekend, he connected to the Callaway internal network,” said Walthaus. “Once he accessed the main servers to gather data, our Trojan was carried from servers to stations throughout the nuclear power plant. Aurora is waiting on the clock to hit 11:11 Central Daylight Time.”

  “Why 11:11?” asked Lau.

  Walthaus sat up in his chair to note the location of the ISS on the NASA live feed. “From Missouri’s perspective, the International Space Station will appear at twenty-three degrees on the north-northwest horizon and five minutes later it will disappear at ten degrees above the east horizon. The ISS will have maximum exposure over Callaway at 11:11 CDT.”

  “At 11:11, Aurora will be unleashed,” added Fakhri.

  Lau was very familiar with Aurora. The Aurora Project was a 2007 research effort led by the Idaho National Laboratory, demonstrating how easy it was to hack elements in the nation’s critical infrastructure such as power and water systems. In 2015, in response to a Freedom of Information Act request about Operation Aurora, an unrelated cyber attack initiated by the Chinese, some government official inadvertently released more than eight hundred pages of detailed documents and schematics related to the Aurora Project.

  The Aurora Project exposed a vulnerability common to many electrical generators, water pumps and nuclear power facilities wherein an attacker remotely opened and closed key circuit breakers, throwing the internal machinery of the facility out of sync with other timed functions within the utility.

  Lau recalled a report on the release of the details of Aurora. The word used by the head of Homeland Security was breathtaking. The Aurora report included three pages of critical infrastructure locations that could bring the United States power grid to virtual collapse. The report revealed, for example, which Pacific Gas and Electric substations you could shut down to create a cascading collapse of the entire West Coast power grid.

  “Perpetrating an Aurora attack is not easy,” added Malvalaha. “Based upon our research of publicly available information, this will be the first. I suspect it will send shockwaves throughout the world.”

  “It will certainly please our client, who has paid handsomely,” added Lau. “What happens when Aurora is activated?”

  “After the June visit by the inspector, we analyzed the internal power system interconnections of Callaway,” replied Walthaus. “The data downloaded onto the Huff & Huff servers for reporting purposes provided all the information we needed on load and impedance conditions, access alarms and their passwords.”

  “It’s 11:09 local time,” said Lau. “Let me start the recording.”

  “The Aurora malware is set to shut down the generators connected to the Callaway turbines shortly,” said Walthaus. “When it does, most of Missouri will go dark, leaving a huge black void in the middle of the United States. In about ten minutes, the malware will release control of the system pending a reboot by Callaway’s engineers.”

  “We also have developed a calling card for you, Professor,” said Malvalaha. “A surprise.”

  “What did you do?”

  “We created a hybrid of the Prism Software used by Revival Control Systems,” replied Malvalaha. “Revival Control is the company that developed the software for the computer-generated Christmas light shows set to music.”

  “Okaaay,” said Lau as his voice trailed off. It’s Christmas in July.

  “You’ll see.”

  Lau heard Fakhri’s watch alarm go off and immediately drew his attention to the television monitor. At night, the view of the United States is very telling of its population density. The lights illuminated the majority of the eastern half of the country and the extreme West Coast. The western half of the U.S. and Mexico was predominantly dark. As the clock struck 11:11 in Missouri, an irregular dark shape appeared on the screen. It gave the appearance of a black hole in a sea of lights. Lau watched in awe as the ISS made its way across the central United States.

  Suddenly, after a minute of pitch blackness, the lights began to flicker in a slow, methodical pattern. The flashing pattern repeated itself until there was darkness again. The pattern seemed familiar to Lau, but he couldn’t pinpoint it.

  --.. . .-. --- / -.. .- -.-- / --. .- -- . .-. ...

  “Do you see the pattern, Professor?”

  “I do, it’s repeating,” he replied. “Tell me what it means.”

  “It’s Morse code, sir,” said Walthaus. “It reads Zero Day Gamers.”

  Chapter 33

  July 9, 2016

  100 Beacon

  Boston, Massachusetts

  “I’m sorry the Sox-Yankees game got rained out,” said Sarge. “I am not sorry about the alternative festivities.” Julia draped her leg over Sarge as the two lay in bed next to each other. Her nakedness felt good against him, as always.

  “We were both soaking wet and the bed looked inviting.” She laid her head on his chest.

  Sarge rubbed his fingers through her still-wet hair and stared mindlessly at the start of Justice with Judge Jeanine on the Fox News Channel.

  “They’re playing a doubleheader tomorrow, but I think I’ll pass,” said Sarge.

  “I’ll play a doubleheader with you.” Julia was still wound up and ready to play ball. Sarge paused the television and enjoyed Julia for a little while longer. After they both finished, she left to get them a glass of wine. He followed her silhouette as she walked away. I am one lucky guy.

  Sarge stared at the screen for a moment. When Sarge first started following Jeanine Pirro’s program, she annoyed him a little bit. Perhaps she was too brash and combative. He couldn’t put his finger on it. Over time, she grew on him, especially for her raising awareness of the threats to our power grid.

  Tonight her special guests included retired General Thomas McInerney, the founder of a consulting firm dealing with high-tech companies, and Frank J. Gaffney, founder of the Center for Security Policy. Both of these men repeatedly sounded the alarm of the fragility of our power grid and its susceptibility to terrorist attack. These two men, along with former Speaker of the House Newt Gingrich, were instrumental in the formation of the EMP Commission, which brought before the public eye the threats we face to the grid.

  Now, a new threat to America’s critical infrastructure emerged in the form of cyber terror. The President made a major policy speech at the NATO summit in Warsaw, Poland, today. Julia returned with the wine.

  “I see you forgot all about me,” said Julia. She handed him his glass with a kiss on the cheek. He patted her lovingly on the rear.

  “I’m busted. I traded you in for my pal Judge Jeanine.”

  “I know better. What did the President say in Warsaw today?”

  “If you’ll hold me, I’ll let you watch.”

  “What a guy,” she said. Sarge pushed play.

  “This summit comes at a crucial time for the Alliance as the tectonic plates of Euro-Atlantic security have shifted both in the East and the South. We are already implementing the biggest reinforcement of our collective defenses since the end of the Cold War. While in Warsaw, the member states of NATO will chart the course for the Alliance’s adaptation to the new security environment so that NATO remains ready to defend all Allies against any threat from any direction.

  “We will build on our valuable work with partner nations to keep all of our neighborhoods stable. We will strengthen the bond between Europe and North America on which our Alliance is founded. Since joining in 1999, Poland has been a staunch ally of NATO and I thank them for hosting our meeting.”

  Sarge paused the television.

  “He sounds like he’s justifying a build-up of NATO forces in the region,” said Sarge. “Did you notice the phrase biggest reinforcement of our collective defenses?”

  “I did. I also caught the caveat against any threat from any direction. Katie tells me the White House is fed up with these cyber attacks. They tried to diminish them once as cyber vandalism. Cyber terror escalated to new levels Monday night when the hacker group Zero Day Gamers took over the computers of a nuclear power plant.”

  “Very brazen and arrogant,” said Sarge. “They threw their abilities in our faces with the Morse code stunt.”

  “Katie tells me the President ordered an entire task force to hunt them down. She has been named to head it up.”

  “Good for her! She’ll keep us posted, I’m sure.” Sarge continued the show.

  “In cyberspace, where the risk of getting caught is low and the rewards are potentially great, these hackers are driven by simple economic forces. Breaking into computer networks, whether public or private, generates a payday. I intend to up the consequences and penalties for this activity. The member nations of NATO will make bad actors pay a price that will far outweigh the benefit.

  “Let me be clear. What might be recommended for one scenario is not necessarily recommended in another. But from this point forward, there are many options on the table, including the use of conventional military weapons.

  “Today, I am urging my fellow NATO leaders to order a ramp-up of their cyber-defense capabilities. Make no mistake, a cyber attack against a NATO member state will be considered military aggression and could trigger a collective military response.”

  “Well, there you have it,” said Sarge. “I’ve always asked the question when does a cyber attack become an act of war? The President just said it depends on the scenario.”

  “That’s pretty nebulous.”

  “Well, it was a speech, but you always have to question the man’s intentions. I don’t trust him. When he talks tough militarily, I believe he has ulterior motives.”

  “His biggest problem is proof,” said Julia. “These computer hackers are shrewd and easily cover their tracks. A particular cyber attack may have all the markings of the Chinese, but it may simply be initiated by a pimple-faced teenager in mommy’s basement.”

  “This is a new era, Julia. For the first time in history, the correlation between the capital spent and the military power it produces is undermined. Cyber attacks are low-cost alternatives to physical attacks, providing lesser nation-states a coequal ability to bring a superpower to its knees.”

  “For what purpose?” she asked.

  “Never underestimate the power of jealousy and envy to destroy what others have.”

  Never underestimate that.

  Chapter 34

  July 16, 2016

  Triple Q Ranch, Prescott Peninsula

  Quabbin Reservoir, Massachusetts

  Steven and Brad walked the entire fence line in about an hour. As part of a military training exercise, Brad used 3rd Battalion’s Logistical Support Regiment and their Caterpillar D5 bulldozers to clear a two-mile-long, thirty-foot-wide swath through the forest about a half mile south of Highway 202.

  Brad suggested a company called Fiber Fence to Donald. After the Homeland Security boys paid their visit several months ago, Brad learned the Fort Devens perimeter fence was deemed inadequate to protect the base in the event of social unrest. The bid specifications for the project were released by the GAO, but Brad knew it would take years to come to fruition. After reviewing the specs, he researched the fiber-optic perimeter fencing systems.

 
