Perfect Citizen, US vulnerability assessment program on critical infrastructures

CNET has published a report on a secret National Security Agency program named Perfect Citizen that targets, on a large scale, the control systems inside utilities, including power grid and gas pipeline controllers, with the purpose of discovering security vulnerabilities.

The program was revealed by new documents from EPIC (the Electronic Privacy Information Center). Its purpose is the exploration of national utilities to discover security vulnerabilities that could be exploited to attack US infrastructure.

The Perfect Citizen documentation, according to CNET, is composed of 190 pages and was obtained by EPIC under the Freedom of Information Act. Most of the file is “classified top secret” and has been deleted for obvious reasons.

The Perfect Citizen program was originally reported to be a program to develop a smart network of sensors (named Einstein) to detect cyber attacks against critical infrastructures in both the private and public sectors. It is funded by the Comprehensive National Cybersecurity Initiative and thus far Raytheon, the major American defense contractor and industrial corporation, has received a contract for up to $91 million to establish the project.

The program is very interesting and demonstrates the great interest in cyber security of the US Government, which fears cyber attacks and their consequences for homeland security. The program will go on at least until September 2014.

Knowledge of control system vulnerabilities could increase the country's defensive cyber capabilities, but at the same time it gives the US a further option for its military offensive in cyberspace.

The case of the Stuxnet virus demonstrated for the first time to the worldwide security community the real meaning of a cyber weapon, a concept until then much discussed but almost never used in military operations between states.

But if Stuxnet was developed by the US with the support of Israel, it's normal to expect that the analysis of the possible impact of a cyber attack against a control system inside a facility isn't a new concept. The Perfect Citizen program is just a new phase of a study initiated many years ago, probably during the Bush administration, as many experts argue.

U.S. intelligence has warned both government and the private sector for years about the possibility that an attacker, a group of terrorists or a group of foreign state-sponsored hackers, could exploit vulnerabilities inside the control systems of critical infrastructures.

Despite the high level of attention from the US government, SCADA systems inside the country's critical infrastructures are still too vulnerable. Recently I published on The Hacker News web site an article titled “Hunting vulnerabilities in SCADA systems, we are still too vulnerable to cyber attacks” in which I describe how simple it is to identify possible targets of a cyber attack and how simple it is also to retrieve exploits designed to hit particular categories of control systems. Theoretically, anyone today could acquire the necessary knowledge to build a cyber weapon at home and attack a critical infrastructure.

Offense and defense don’t proceed at the same speed, and this could cause serious problems. Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, told a congressional committee in February:

“I know what we [the U.S.] can do and therefore I am extraordinarily concerned about the cyber capabilities of other nations.” If a nation gave such software to a fringe group, “the next thing you know could be into our electrical grid.”

The divulgation of information on cyber warfare operations by the U.S. government is a clear signal of the formalization of its effort in the fifth domain of warfare; several government and agency sources are spreading information on new ongoing projects characterized by high technological content. Recently I wrote about the solicitation by US intelligence for the definition of new exploitation methods mainly focused on mobile devices; meanwhile, the NSA is publicly recruiting a Control System Network Vulnerability Analyst to be involved in “building proof-of concept exploits”.

The order is to improve cyber capabilities and inform US citizens of government projects and the risks related to cyber attacks.

President Obama has confirmed the US intent to invest in the development of cyber capabilities; according to The Washington Post, he secretly signed a directive in October that regulates offensive “cyber-operations” and the rules of engagement in cyberspace.

The document “A Framework for Assessing and Improving the Security Posture of Industrial Control Systems (ICS)” published by the NSA reiterates the need to protect Industrial Control Systems. Some meaningful statements from the report follow:

“Much of the United States’ critical infrastructure is dependent on industries that employ networked ICS systems. Sabotage or disruption of these industries can have wide-ranging negative effects including loss of life, economic damage, property destruction, or environmental pollution. Our reliance on ICS networks makes them attractive targets for electronic attack. Because of this, it is important for industrial control system owners and operators to systematically assess the threat of electronic attack against their critical networked assets and to apply defensive technologies to reduce the threat. Cost-benefit analysis allows us to prioritize defensive efforts by identifying security improvements that provide the greatest benefit for a given cost. The “cost” is the expenditure required to implement and maintain the security improvement (financial, manpower, etc.) The “benefit” is the empirical savings gained by having the security improvement in place.”

In reality, the press had already reported on the program: in 2010 The Wall Street Journal revealed the existence of Perfect Citizen in an article, and over the years the project has attracted media attention and multiple accusations of being a dangerous surveillance system deployed by the government. It is described by critics as “Big Brother” and raised privacy concerns about government intervention in the private sector.

The CNET post reported the statement of an NSA spokeswoman about the project:

[Perfect Citizen is] “purely a vulnerabilities assessment and capabilities development contract” that “does not involve the monitoring of communications or the placement of sensors on utility company systems.”

Projects like this are vital for the protection of a country's critical infrastructure. While I understand the concerns of private industry about government interference, the possible effects of a cyber attack on the nation are devastating. Prevention and the development of a proactive defense are an obligation for each country that really wants to ensure the safety of its facilities.

As always, similar projects should involve all stakeholders; in some countries, such initiatives may lead to dangerous government interference in private industry, with unforeseen consequences.

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
