Tuesday, December 25, 2012

'Perfect Citizen' program checks for vulnerabilities in U.S. utility infrastructure

Are you afraid that hackers will attack your local public utility? It's something that's been claimed before, and the government has its concerns as well. The National Security Agency (NSA) has a program in place to search for such vulnerabilities.

Although the secret program, named Perfect Citizen, can be used to protect the u>S against such attacks, data gleaned from it could also be utilized disrupt the infrastructure of other nations, the documents -- obtained by the Electronic Privacy Information Center (EPIC) and provided to CNET on Sunday -- show.

Perfect Citizen conducts "vulnerability exploration and research" against the SCADA (supervisory control and data acquisition) computerized controllers that control "large-scale" utilities. Those systems include power grids and natural gas pipelines. Perfect Citizen is scheduled to run through at least September of 2014.

The NSA can both defend and attack using information from the program. It's already been reported that the NSA -- along with Israel -- developed Stuxnet, a virus which has been used to infiltrate and attack the SCADA systems of Iran's nuclear program.

EPIC obtained through the 196 pages of the NSA's Perfect Citizen files through a Freedom of Information Act (FOIA) request last week. Heavily redacted, at least 98 pages were completely deleted for a number of reasons, including being information that was "classified top secret," or could "cause exceptionally grave damage to the national security" if released, according to a letter that accompanied the document from Pamela Phillips, chief of the NSA's FOIA office.

An NSA spokeswoman said that Perfect Citizen is "purely a vulnerabilities assessment and capabilities development contract" that "does not involve the monitoring of communications or the placement of sensors on utility company systems." In other words, the monitoring -- or whatever is involved -- takes place withoout the NSA having to add hardware on the systems of PG&E or other utilities. That statement does not rule out software monitoring.

In fact, Marc Rotenberg, EPIC's executive director, said that the newly declassified documents "may help disprove" the NSA's assertion that the Perfect Citizen program does not include the monitoring of private networks.

It is true, however, that there is concern that a foreign agent can attack private utilities and disrupt the U.S. power and water system in a cyberattack. Thus, the need for Perfect Citizen, the documents said, as "understanding the technologies utilized in the infrastructure nodes to interoperate on the commercial backbone enables the government to protect the systems."

No comments: