BUTLERVILLE, Ind. -- Imagine somebody has hacked into your water utility and made your water undrinkable…or worse. Critical Infrastructure Exercise 16.2, also known as Crit-Ex, is helping utility companies learn where those cyber weaknesses might be.
"What this exercise is really formulated to do is explore the intersection between critical infrastructure and cyber security," explained Jennifer De Medeiros, Emergency Services Program Manager for the Indiana Department of Homeland Security. "Crit-Ex is meant to explore the ramifications and the consequences of a cyber incident which affects one sector or one critical infrastructure organization."
Crit-Ex 16.1, which was a table-top exercise, dealt with electrical utilities and where any weaknesses might be in their systems. Crit-Ex 16.2 pushed the exercise from the theoretical world into a real-world scenario wherein water utilities were being hacked in real time in order to show exactly how a cyber intrusion could deal a serious, possibly life-threatening blow, to the water supply.
In the Crit-Ex control room, monitors showing every possible variable in the water plant at Muscatatuck Urban Training Center showed updates and let the attendees see every line of code being input by the "hackers", in this case, members of the security teams from Pondurance and Rook Securities. The water plant on the facility had been taken offline the year before as Muscatatuck was hooked to the Jennings County, Ind., water lines, creating an absolutely realistic training venue for just this kind of demonstration.
Cliff Campbell, Vice-President and General Manager of the Frakes Engineering systems integration company, headed up the demonstration, creating some eye-opening situations that left some water utility company executives shaking their heads.
"One of the exploits we do here takes about two and a half seconds if we don't have any time delays built into it," said Frakes. "For them to hack in, compromise the system, and gain access to the programmable logic controller." Frakes explained that the PLC is the system that tells the water plant how much water to release from where, how much of a mixture of chemicals to release into the water, and when to shut down or run wide open.
The possibility of a hack into America's water utilities is not just a local problem, but is a nation-wide security issue. The visibility of the problem and the solutions brought up by Crit-Ex 16.2 have attracted the attention of the Federal Bureau of Investigation's Deputy Assistant Director of the Cyber Division Eric W. Sporre, who came to Muscatatuck in order to see it first-hand.
"From the Cyber Division perspective at FBI headquarters, we know that cyber intrusions are something that have to be responded to in a collaborative way," Sporre told us. "This facility has really allowed us to come out today and see how it's happening at the state level to see what some water treatment facilities are doing and how they're addressing cyber intrusions."
The collaboration that Sporre spoke of is in evidence in every aspect of the exercise. While Crit-Ex 16.2 is sponsored by the Indiana Department of Homeland Security, the Indiana Office of Technology, and the Indiana National Guard, eight state agencies, two federal agencies, and 15 private-sector organizations are participating in the exercise, knowing that the partnerships made now could prevent a major incident in the future.
Jay Abbott, Special Agent in charge of the FBI's Indianapolis division, says that the FBI's role in the exercise is to partner with those state, local, private entities who protect and operate critical infrastructure such as the water utilities.
"The FBI can't arrest its way out of a problem like this," Abbott says. "This is something that requires very significant partnerships with all those entities in order to be successful."
Crit-Ex 16.2 is considered a live play exercise because when a hacking attack is initiated on the Muscatatuck water plant, it results in a physical problem, not just a virtual one. During one attack, water could be seen being released from a broken pipe in one part of the facility while the computer monitor being seen by the water plant controller showed no problems. Valves were opened and closed remotely with no indication on the controller's computer that anything was amiss.
The ability to show water plant operators, in real time, what could happen at their facilities invaluable, according to Campbell. "We're able to bring actual operators and superintendents from water facilities and here, they see something that's very familiar to them. They understand a pump running, they understand chemical flows and turbidities. They know what they're looking at and they know what's going wrong when things go wrong. This puts the reality to it that really engages the water utilities."
Sporre agrees that this kind of training needs to be done more often across the United States. "These real-life, practical exercises where we bring people in and we allow them to sit in front of monitors like they would be at their home office and see how a computer intrusion evolves, then be able to come back together at the end and talk about what they saw and have the people who actually conducted the intrusion for the purposes of the exercise explain to them what happened is invaluable."
The FBI and the Indiana Department of Homeland Security are trying to raise the awareness level so that computer hacking breaches can be prevented. According to Special Agent Abbott, having the Muscatatuck Urban Training Center site in Indiana only helps with that realism that makes people stand up and take notice.
"This site is absolutely essential to our ability to be able to train in a manner that simulates real-life conditions," Abbott says. "It gives us the ability to train in a way that comes as close to being the real thing as we possibly can without it actually causing damage to people."