Schneier on Security
A blog covering security and security technology.
October 30, 2009
Attacking U.S. Critical Infrastructure
We have a cognitive bias to exaggerate risks caused by other humans, and downplay risks caused by animals (and, even more, by natural phenomena).
Posted on October 30, 2009 at 12:36 PM
• 35 Comments
We look or act more when there is someone to blame. Man against Man. That's personal.
Man against Self is too touchy feely liberal rubbish. Man against Nature? Some would say we won that fight so any failure there must be an internal, a personal, a moral failing...now that it's that person's fault we can heap blame on the failee.
Me? I make my risk assessors look at photos like these on their way out the door . . . http://www dot mgx dot com/blogs/wp-content/uploads/2008/03/icestorm23gm dot jpg
http://earthobservatory dot nasa dot gov/NaturalHazards/view dot php?id=11982
and recently for geese - http://upload dot wikimedia dot org/wikipedia/commons/thumb/0/0f/Plane_crash_into_Hudson_River_(crop) dot jpg/800px-Plane_crash_into_Hudson_River_(crop) dot jpg
We can spin this. After all, a terrorist could conceal his sabotage by sneaking into a power station and then placing walnuts and peanut butter in strategic locations.
It's actually a lot harder to defend against rodents than against humans. The success of the common rat at thriving in proximity to humans for millennia, despite our best efforts, is evidence enough. Just be thankful that cockroaches don't chew on cables...
Enough with the squirrels! When are we getting our dose of squid?
It's not just the squirrels: I've had essential components of my domestic communications infrastructure compromised by the nibbling actions of Rats.
And then there was the deliberate sabotage carried out by uncounted hordes of Pigeons - whose 'deposits' inside a feedhorn significantly raised the noise-floor of one of my long-haul microwave circuits.
Ah, attack squirrels. They love chewing electrical cables on parked vehicles.
Suicide squirrels are particularly devastating. By throwing their little bodies between live power lines, they can disrupt electrical infrastructure for hours at a time.
Fortunately, there is a Web site devoted to fighting this menace:
Sometimes you feel like a nut. Sometimes you don'tBZZZZZZZZZZZZZZZT!!!
Don't trust the cats, either. Half of south-east England was once blacked out by a cat that got into a power substation and went out in a blaze of glory in the cause of eventual feline world domination.
Counterargument: Shark Week.
No, what we (U.S.) have experience in is to blame nameless individuals and/or organizations (def: 'terrorists' and 'terrorism'), and constantly/consistently hone on buzzwords such as 'cyberterrorism', 'cybersecurity', 'SCADA', 'smart grid', 'critical infrastructure', and 'critical infrastructure protection' - WITHOUT understanding their TRUE meaning.
The political circuits have managed to snag onto their buzzwords and are using them in colorful metaphors without any understanding. Ask yourselves this question: how many times have you heard the buzzword of 'infrastructure', 'the power grid' or 'SCADA' used by U.S. politicians over the past year (or so)?
We (that being the U.S. - private and public sectors alike) focus on the 'force protection' doctrine (use of physical force to protect an infrastructure asset), focus on cybersecurity-related issues, and anti/counter-terrorist activities, rather than focus on assuring that operations continue to operate.
It is NOT so much about assuring the 'protection of an infrastructure asset', but rather, it is about assuring the 'protection of an infrastructure service'. Therefore, I submit to those reading this comment that we re-train our thoughts and focus on the term 'critical infrastructure assurance', rather than on 'critical infrastructure protection'.
Since 9/11, only a handful of activities have been attributed to intentional and willful destruction of infrastructure assets and property. However, I have lost count as to the number of occurrences in which a tornado, flood, hurricanes - have caused regional-wide outages of energy, fresh and potable water, waste removal services, transportation supply chains, telecommunications, and more. It should be PAINFULLY obvious that both private and public sectors have little or no inclination of how to provide redundancy and resiliency capacities to our infrastructures. It is far EASIER for them to install more perimeter fencing, rather than replace a 70-year old switch, a 50-year pump or a 35-40-year old valve. This is partially due to the 'outta sight / outta mind' mindset, and is obvious that it is running amok today throughout not just the U.S., but other countries that have similar infrastructure programs such as Canada, the U.K., Australia, the E.U., and more.
The exaggeration of labeling EVERYTHING as a 'terrorist' activity nowadays continues to run rampant, esp. with federal organizations such as DHS, DOJ/FBI, etc. It is far easier to state that someone was the cause of the problem, rather than face the issue that we (as a country, as an economy) have NO IDEA how to fix our 50+ year old Post-WW2 rapidly aging infrastructures. And, if we decide to fix the problems, we run the risk of destroying these very assets. Why? Because many of the architects who had originally created our Nation’s infrastructures have long since retired or are no longer living. No notes, no diagrams, no maps or charts have been kept or recorded, some of which were destroyed or simply thrown out years ago because a public works department felt that it might have taken up too much clutter, or was no longer considered valid information.
BTW, this requires constant upkeep and maintenance, as well as constant infusion of funds to maintain upkeep. Politicians have sucked dry and funneled funding that should have gone to their infrastructure projects to other projects on what they considered greater importance. Now faced with a looming issue of fixing an already broken state, IMHO, in agreement with the ASCE, it will take TRILLIONS of dollars to bring the U.S. infrastructures back to the current state that we have so enjoyed all these decades.
Additionally, the U.S. is about to make even more grave mistakes by ramrodding the ‘smart grid’ without fully testing its implementation. There are vulnerabilities, which publicly exist, on the very technologies that are currently being implemented – right now – on ‘smart grid’ deployments. Personally, this sort of lack of future-thought has me cringing at the very notion that external entities have now been given easier access to our Nation’s power grid.
For the record, I am a ‘critical infrastructure’ researcher, and this subject is very near ‘n dear to me. I suspect that within the next 20-30 years that the U.S. will experience even more significant outages, or in greater numbers of occurrences either between outages, or in sheer numbers. Why? Politicians continue to ignore the subject that implementing fixes to our Nation’s infrastructures is NOT about fixing it merely ONCE, but a continuing process that requires revisiting about every 20-30 years, depending on several issues: capacity, how operations are defined, how often operations are interrupted, resiliency, redundancy, etc.
I'm not sure it's cognitive bias towards humans being a greater danger (or non-human animals being a lesser one). Rather, I think that the important thing here is that with non-human animals, we KNOW there is no motivation to cause damage, especially no political motivation, so we're more likely to see clearly, see the damage for what it actually is and rationally assess its importance.
I think this is supported by the fact that we don't usually care about other things we know aren't being done intentionally, too. For example, compare the number of murders with the number of deaths in traffic accidents: the latter is higher, yet people are much more worried about the former, even though they're both unpredictable, due to humans, and so on. Why? I think it's the lack of intent in the latter case; and I'm also sure that if somebody started causing car accidents on purpose, we'd see those in a very different light than we'd see them if they were just random accidents, even if they otherwise were exactly the same.
That cognitive bias may not be unfounded; animals are not malicious, or at least they mostly lack the maliciousness + intelligence + long term planning combination that humans possess. Using the safety/security terminology of your book, Beyond Fear, IIRC, I'd say animals and natural phenomena are a safety problem, and humans are both a safety and security problem.
Most people also know how people behave, but know very little about animals. I believe people in daily contact with wildlife wouldn't have any illusions about wild animals.
@mitrandir and Tanuki "The success of the common rat at thriving in proximity to humans for millennia"
You're RIGHT! they eat 33% of the food we cultivate...the only way to control them? Make 'em fashionable...rat skin coats, rat ta toullie, rat skin hats and get Nike to make sneakers out of rat. You'd see those populations drop like crazy
"What is their motivation? We will probably never understand."
That's easy. The mantra of the squirrels is, and always has been, the same: protect your nuts!
We have been attacked by two suicide terrorist squirrels in the last 4 years. I figure it is to deny my company of electricity and disrupt our capitalistic, imperialistic work.
Rats are lefty communists? I'd've never guessed.
That's no cognitive bias, that's common sense. Nature doesn't deliberately and maliciously switch from tornadoes to floods just because you have a storm cellar. Human opponents do. Consequently historic trends are an adequate guide to preparing for natural phenomena, but not for human opponents. It is essential to pay actual attention to what your human opponents are getting up to.
Alright then.... Squirrel is terrorist.
What about Moose? Moose is terrorist too?
..."maliciousness + intelligence + long term planning"
I swear I once saw a group of squirrels set a diversion while one liberated a bag of chips. Their playful scampering anthropomorphic highfiving are a cute cover for deep dark devious minds cunningly looking to separate rubes from whatever they desire at the moment.
Their clear faith in a righteous afterlife leads them to make bold sacrifices for large scale diversions, power outages.
You didn't think those were humans doing all that looting did you?
@ Mike Licht,
"Dogs, unlike squirrels, can be trained."
Err untrue, I have trained rats, squirrels and ferrets and some mice.
Gram for Gram of grey matter I'd say your average rat is the most intelligent of mammals and the ferret a close second.
Squirrels are the hardest to train, the easiest way is to set them a challenge bit by bit so they learn for themselves what to do and believe me they do it 8)
More recently somebody else I know who trains ferrets has started a quite profitable business training them for wiremen. You fit them out with a little harness which enables them to pull lightweight monofilament fishing line through ducts etc.
One way to get them to go to the right place is with a small fan and "treat drops" you put one in the end of the duct you want the ferret to come out of and blow air across it into the duct pop the ferret in the other end of the duct and it just follows its nose 8)
But the real acrobats of the rodent world have to be young rats believe me when I say they can get virtually anywhere with little problem including climbing up the insides of walls in houses and drain pipes, up the underneath of wooden stairs and between gaps in brick walls. And as some people have found out to their horror they can quite happily go around the U-Bend in your toilet and get out of some toilet bowls...
The rat's natural inquisitiveness makes them quite easy to train, and their natural socialness makes them ideal pets/companions for those who don't have an "Ugh rat" prejudice.
And yes like ferrets they can be toilet trained and also trained to always come back to their "home box". Unlike ferrets they do not need to be "vetted" or "serviced" to keep them healthy.
And the only reason my son currently does not have a rat or a ferret as a pet is his mother and her "Ugh rat" prejudice (along with Eek!! mouse and Argh!!! spider run!!!).
That is one of the funniest comments I've seen on this blog in a long time. :P If you are the same person behind other such efforts, thanks and please keep them up!
The linked article reads like a Dave Barry column.
@ Bruce / Moderator,
Has there been a change in the blog software / configuration recently?
It's just that whilst editing on my mobile I accidentally triggered a post.
I had left the name field blank and got the post error page.
However for some reason the page got posted as well as the error page being displayed which is different behaviour to normal.
(BTW the reason I usually leave the name field blank until finishing editing is to catch the occasional "pocket fluff" problem on this mobile which has a "menu" and tracker ball "mouse over" issue that I'm told is a "feature". Without going into all the details it is a problem with the "thumb ball" sensor treating a change of direction as a mouse click due to fluff, combined with a software "helper feature"...).
@ Bob Radvanovsky,
"It should be PAINFULLY obvious that both private and public sectors have little or no inclination of how to provide redundancy and resiliency capacities to our infrastructures."
The reason for this is two fold,
1) Short term outlook.
2) Free Market mantra.
The idea that "markets know best" is a concept that only works in one direction (maximise shareholder value). And as we know shareholders are very fickle and very very short term.
Of slightly longer-term outlook are the business execs who know that their remuneration in its various forms is related to "stock value".
Therefore it is in their own interest to maximize shareholder value as much as possible over the short term. It goes by many different names such as "efficiency" but in reality it is "cut costs" and "sell assets" to make more short term profit, then jump ship before the inevitable happens.
With regard to,
"it is far EASIER for them to install more perimeter fencing, rather than replace a 70-year old switch, a 50-year pump or a 35-40-year old valve. This is partially due to the 'outta sight / outta mind' mindset, and is obvious that it is running amok today... "
Err I think you have missed the main reason for the strong fences, it's not to keep terrorists out but knowledge in.
A terrorist can do a degree of physical damage, but nowhere near as much damage to shareholder confidence as "health and safety" violations. Employees both direct and contract can usually be relied on to keep quiet as "whistle blowers" find they cannot get employment.
"Politicians continue to ignore the subject"
No they like the business execs are deliberately taking a calculated risk based on the likelihood of it going wrong on their watch.
The reason being is that they do not understand the implications of the free market mantra any more than they understand how the telephone on their desk works.
They also have that other hang up about regulation has to be prescriptive, in that they legislate the specific "how" not the general "why".
Which means that,
" that implementing fixes to our Nation’s infrastructures is NOT about fixing it merely ONCE, but a continuing process that requires revisiting about every 20-30 years."
Even if they do get around to fixing it the legislation will be out of date before the ink is dry and be totally irrelevant within ten let alone twenty or thirty years.
But does this matter to a politician?
Not really with perhaps the shortest political outlooks of all Western Nations the US politicos are not going to worry about such "longterm" issues unless it lands in their watch and the electorate notices.
And as we have seen in recent times the lack of foresight by their predecessors has come home to roost with Katrina and the Banking Crisis.
Like a good whisky the real investment secret is "time to mature" not "bottle it*" for a quick profit.
* "bottle it" is an expression common in the UK for some one who "cuts and runs" at the first sign of problems.
Australia has sulfur-crested cockatoos, which are not only gorgeous and able to make a noise like a velociraptor, but which just love to rip things apart - lamp-fittings, radio antennas, anything made out of kevlar. They're apparently known to cause a bit of havoc with radar equipment and wireless network gear.
" ...sulfur-crested cockatoos, which are not only gorgeous and... "
Gorgeous in what way?
I can't help feeling if they were gorgeous to eat they would not be as much of a long term problem...
Charles Darwin amongst other slightly odd (by modern standards) habits, used to eat a lot of animals we would most definitely not consider food in the modern western world.
In fact it is uncertain which started first and led to the other, the habit of eating exotic creatures, or studying them. I guess it's one of those "chicken or egg" problems for historians ;)
"2) Free Market mantra."
Oh, yes. As if we had anything like free market in the utilities and infrastructure.
It was a corporatist haven (whereby government bureaucrats give de-facto monopolies to the pals in big business, which then pay back to the same bureaucrats by hiring them or providing funds to their political patrons, etc) for pretty much 70 years now.
Sure, blame the free market. While you're at that, blame the Martians.
Oh, and the whole public corporation scam is the creature of the government too - most notably by means of securities regulations, and by inheritance taxes which destroyed multi-generational family businesses - effectively replacing people whose interest was in increasing long-term capital value (aka "owners") with hired executives and hordes of non-managing shareholders. Who, as you correctly pointed out, do have very short time horizons.
All in the name of "equality", of course. Just like in the good ol' USSR (which also left horrendously crippled infrastructure when it finally fell apart).
"Gorgeous in what way?"
Gorgeous in the sense they're fairly big, snow-white parrots, with quite a bit of personality and bright yellow feathers on their heads, and they wobble around in large groups on little grey stubby legs, going "BAAAAAAARKK!" and shredding whatever crop you might be trying to grow :-)
"I can't help feeling if they were gorgeous to eat they would not be as much of a long term problem..."
Hmm. They seem like more trouble than they're worth.
@B F Skinner
"Make 'em fashionable...rat skin coats, rat ta toullie, rat skin hats and get Nike to make sneakers out of rat. You'd see those populations drop like crazy"
Errm... no. What you'd see is breeding of rats on a massive scale by entrepreneurs keen to make a fast buck!
By the way, it's spelt "ratatouille" - your spelling is just a Disney bastardisation because they figured (probably correctly) that the bulk of the intended audience would fail to pronounce it correctly. And there's no rat or any other meat in it!
"I can't help feeling if they were gorgeous to eat they would not be as much of a long term problem..."
If it were that simple then rabbits wouldn't be such a problem in Australia :)
Years ago one of the biggest problems that I had in keeping my fiber WAN up was squirrels chewing through the shielding and breaking the fiber.
"Oh, yes. As if we had anything like free market in the utilities and infrastructure."
Exactly that's why it is a "mantra"...
Like any pseudo belief it cannot be seen to be wrong by its preachers.
Therefore irrespective of the reason for failure it cannot be due to the "free market".
As any "old fule" knows a free market only has a chance of working where there is,
A) a low cost of entry,
B) No restrictions/controls on entry into the market.
C) No restrictions/controls on raw materials.
D) No restrictions/controls on consumption of available goods.
As you and others have pointed out for obvious reasons infrastructure cannot be a free market, but this does not prevent the politicos genuflecting at the altar of the word unto the profits...
"Sure, blame the free market. While you're at that, blame the Martians."
No it's not the market I blame (free or otherwise) it is the pretence to support the mantra as an unchallengeable good.
It is up with the best in hypocritical self-deceit that the politicos have signed onto as part of their unofficial paymasters' bidding.
The only freedom for the "common man" in this "rigged" market is to bleed through the wallet to maintain the minimum level of utilities required to participate in a supposed modern society.
There is no "right of entry" into this market you cannot set up an alternative supply of utilities you are restricted at every turn by regulation and the fiat of existing players.
Mystery solved--Bruce says he rescued that comment from the moderation queue, presumably before you posted the finished version. So filtering of comments with blank name fields is still working as usual.
There's an interesting report by NERC on long term trends in electricity reliability here: http://www.nerc.com/files/2009_LTRA.pdf (warning: huge PDF). The leading cause of disturbance events? Not terrorist squirrels, terrorist trees, or even human error. Instead, it's "Protection Misoperation", when the safeguards built into the grid misfire or fail to operate. They're using our own relays against us.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.