Net security beefed up to thwart possible cyberterrorism

Carrie Kirby, Chronicle Staff Writer Friday, October 12, 2001

Power providers, phone companies and other firms that run the nation's infrastructure are quietly stepping up Internet security to prepare for potential cyberterrorism.

"We increased our cyber security and physical security measures day one. We re-emphasized our security measures Sunday when the bombings began," said Jennifer Ramp, spokeswoman for Pacific Gas and Electric.

Like most companies, PG&E won't say just what it's doing for fear of tipping its hand to those who might want to break into its computer systems.

But changes are being made at many power companies, said Tim Belcher, an Internet security executive who spoke last week with power executives at an energy summit held by the Conference of Western Attorneys General in Phoenix.

"Power companies there said they were increasing their monitoring," said Belcher, chief technical officer for Riptech, an Alexandria, Va., company that provides security services to power companies, telecom firms and government agencies.

On Tuesday, President Bush appointed Richard Clarke as White House special adviser for cyberspace security, reporting to Tom Ridge, director of Homeland Security. The move indicates the government is elevating Internet attacks to the level of national security, instead of considering them merely a threat to business.

The kind of trouble caused by computer criminals in the past fit more in the category of a nuisance, especially when compared with the horrors of the Sept. 11 real-world terrorist attacks. Viruses have caused corporate e-mail servers to crash, and hackers have made Web sites temporarily unavailable.

But if hackers bent on committing terrorism set their sights on the computer systems that run the air traffic control system and the power grid, they could cause power outages or maybe even plane crashes.

Tests run by government and private industry have shown that it's technically possible for hackers to shut down power and phone systems by breaking in through the Internet. And doing so would be even easier for an employee with access to these networks from the inside, warned Winn Schwartau, author of several books about cyberterrorism, including the soon-to-be-released "Pearlharbor.com."

The most foolproof defense against cyberterrorism, Schwartau said, is to make sure the computers that run a critical system are physically not connected to any other computers that might, in turn, be hooked up to the Internet.

"More people today are willing to do something they were not willing to do a few weeks ago: unplug. Isolation and air gaps are very strong defenses," Schwartau said.

PG&E and San Francisco's 911 system both say the computers controlling their critical functions are physically separated from computers used by employees to send e-mail and access the Internet.

But according to Belcher, whose company audited the network security of more than 20 power companies in the past year, the norm is for companies and agencies of all kinds to have the critical computers networked to other systems and, somewhere down the line, to the Internet. That puts them at risk, he said.

"I would be surprised if a single entity had their (network) completely disconnected," Belcher said.

But even if security holes exist, that doesn't mean that attackers could break in unnoticed by the staff who watch over our nation's critical systems -- especially if those employees are indeed increasing their monitoring of network intrusions, experts say.

"If someone were to break into a power company today, it would take some time to worm their way into critical systems and conduct abuse. It's not going to be done in seconds. (The staff) need to be able to detect and repel that attack," Belcher said.

Dorothy Denning, a Georgetown University computer science professor who specializes in information warfare, said security staff might also be able to thwart terrorist attacks by restoring power or other service quickly.

"You have to keep them down for a long period of time to have any real impact. Otherwise, it's going to be like a thunderstorm," Denning said.

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2001/10/12/BU137527.DTL&type=tech

-- Martin Thompson (mthom1927@aol.com), October 15, 2001

