Use of Underground Facilities to Protect Critical Infrastructures: Summary of a Workshop (1998)

Moderator: George Baker, Springfield Research Facility Defense Special Weapons Agency

Mr. Werth provided a brief history of the FBI's involvement in infrastructure protection in the United States. In 1992 the FBI created the National Computer Crime Squad at its Washington, D.C., field office. Since then, the number of computer intrusions investigated by the FBI has increased significantly, resulting in the establishment of regional computer squads in New York and San Francisco in 1995. Other computer squads were then established in Boston, Atlanta, Dallas, and Los Angeles, and computer investigative teams have been established in 56 field offices throughout the United States.

Expansion of the national computer crime squads was accompanied by creation of the National Security Threat List (NSTL). Addition of the NSTL made it possible for the FBI, working within its foreign counterintelligence program authority, to investigate infrastructure-related incidents perpetrated by foreign intelligence services. These attacks might be directed against the U.S. government, corporations, establishments, or individuals. Targets could include physical facilities, personnel, information, computers, cables, satellites, or telecommunications systems. Attackers range from teenage hackers to members of organized crime to domestic or international terrorists to individuals or groups intent on sending a political message by misinforming or disrupting or denying service. Also, foreign intelligence services may attempt to obtain proprietary data or sensitive government information.

These computer squads were responsible for criminal, investigative, and national security implications of computer intrusions. In 1996 the FBI created the Computer Investigations and Infrastructure Threat Assessment Center (CITAC) at FBI headquarters. CITAC operations encompassed counterterrorism, foreign counterintelligence, and law enforcement. CITAC was made up of the two operational investigative divisions of the FBI and focused on potential threats and assisting authorities with warnings and technical support.

In the interim between the establishment of the President's Commission on Critical Infrastructure Protection (PCCIP) and presidential action on the matter of infrastructure protection, the FBI has been designated as the chair of the Infrastructure Protection Task Force (IPTF). The IPTF is an interagency body charged with the coordination and management of

infrastructure protection. In July 1997 the Office of Computer Investigations and Infrastructure Protection was established to bring computer intrusions and infrastructure protection under one umbrella organization at the FBI that would continue to report to the national security and computer investigations divisions.

Establishment of the National Infrastructure Protection Center (NIPC) by the FBI in February 1998 will facilitate a government-industry partnership by providing mechanisms for assessing, warning of, investigating, responding to, and preventing attacks on our nation's critical infrastructures. The NIPC incorporates and expands the mission and personnel of the FBI's former computer investigations and infrastructure threat assessment center, the CITAC. The NIPC is an interagency public-private partnership comprised of representatives from the FBI, U.S. Department of Defense (DoD), the intelligence community, other federal departments and agencies, state and law enforcement groups, and private industry. NIPC's critical objectives are:

• investigations of incidents,

• emergency responses to incidents,

• coordination and application of technical tools,

• analysis and information sharing,

• monitoring and warning,

• providing training and continuing education,

• conducting outreach and providing field support.

Mr. Werth noted that the number of pending investigations that represent many major potential national and economic security risks to the United States has increased. The investigations involve exploitation of technologies that threaten both the public and the private sectors and that are both national security and criminal in nature. Investigative cases and successful prosecutions also have increased. In fiscal year (FY) 1997 the FBI noted the following changes:

• a 120 percent increase in pending cases (from 263 to 453 cases); a 254 percent increase from the beginning of FY 1996 (from 128 to 453 cases);

• a 950 percent increase in arrests in cases involving cyber-intrusions; and

• an 88 percent increase in convictions.

Mr. Werth identified the following future FBI initiatives:

• increasing the number of computer crime squads at field offices throughout the United States;

• improving the ability of computer squads to analyze and respond to conflicts and threats to telecommunications and information systems;

• developing technologies that assist the NIPC in responding to high-technology investigations;

• developing watch and warning capabilities for threats to the nation's critical infrastructures, with real-time alert capabilities for both the public and the private sectors;

• coordinating and developing a trusted communications network for the exchange of threat and warning data with government and the private sector; and

• operating the NIPC program at full speed by October 1998 (Michael Vattis will be the director).

Mr. Minehart' s presentation focused on the issue of infrastructure protection in the future. He began by crediting the PCCIP with defining the issue of infrastructure protection and information warfare, which would have been very difficult to do just three years ago. Mr. Minehart said that he would present some findings to support an argument for using underground facilities (UGFs) for the protection of critical infrastructures.

Mr. Minehart has helped the Army War College develop advanced courses on information warfare. In February 1998 infrastructure owners participated in a war gaming exercise that showed that the infrastructures the government must protect are owned primarily by commercial entities (63 percent of the participants were infrastructure owners). Owners and operators at this exercise were adamant that the responsibility to protect the infrastructures was theirs. Except for government regulations that are already in place and that must be enforced in the areas of detection and the disclosure of attacks, private owners had a knee-jerk response against the imposition of more regulations or being told how to conduct their business. They stressed that industry is completely focused on meeting customers' needs and that government regulations would inhibit their ability to be responsive to their customers.

Mr. Minehart cited an example of the variety of threats facing infrastructure owners. In March 1998 two teenagers in California broke into government and DoD databases. About two weeks later, it was learned that they had received help from a mentor in Israel known as ''The Analyzer,'' whom they had met via the Internet. Many computer hackers have outsiders helping them and the identities and affiliations of these mentors cannot always be determined. The threat posed by mentoring networks and their supporters is an issue that requires evaluation.

As systems become more secure against outside threats, adversaries will look for other ways to break in. If a network is difficult to hack into from the outside, whether because of a fire wall or isolation, an easy way to gain access to the system is to recruit someone on the inside. Training workers to be aware of this possibility can be difficult. Individual infrastructure owners do not have the money, time, or resources to monitor such threats, from a foreign

intelligence service for instance. A policy of requiring polygraphs and rejecting workers on the basis of the results is difficult to implement in the private sector. Even though the screening programs used by government for classified programs have proved to be effective, industries have had a hard time adopting similar screening processes.

Turning to the issue of UGFs, Mr. Minehart suggested that the workshop participants consider an attack on a large manufacturing company that relies heavily on robotics and CAD-CAM (computer-aided design, computer-aided manufacturing) machines. The attackers would first corrupt the backup system. Once they have corrupted every tape in backup, they would attack the main system and delete all the programs that automate the machines. All of the machines would simply stop working and the cost to reprogram them would be enormous. In a coordinated strategic attack the first targets would be the backup databases, and they would be corrupted in a way that was not immediately detectable. The World Trade Center attack showed that many companies have built-in backups, but they are kept in the same building. In fact, backup services may be contracted to multiple customers in the same building. The upshot is that in an attack the backup service either cannot restart everyone at once or the backup service also would be attacked.

Mr. Minehart noted several potential benefits that UGFs offer for system protection:

• Physical access is controlled. Controlled-access areas prevent casual access to systems.

• Workers are well trained. Workers in secure facilities are generally well trained to understand and respond to threats.

• System architecture is protected. After a physical attack, whether it be a sprinkler system going off or an explosion, the way a system is designed or a network configured is just as important as the data on it. Having the system architecture well protected is critical to returning to operation. UGFs can provide this protection.

One of the challenges to using UGFs or any remote backup facility is finding a way to secure data, so that only the owners have keys. This would protect the data and provide security to both the information owner and the storage provider. On balance, UGFs offer a potentially interesting and useful approach to meeting the needs of both industry and government.

Mr. Reingruber noted that because the workshop had an unclassified forum, he could present very little information about deep underground (DUG) facilities. Instead, he focused on threats to infrastructures in general terms. The good news, he said, is that the probability of a terrorist attack on a DUG facility is quite low. Therefore, he could state that a DUG facility would be a very effective foil to terrorist attacks. Mr. Reingruber acknowledged that some of his colleagues might disagree with him, but he believes that terrorists would be more likely to look for an easier target.

In a global sense, terrorism now includes acts by both criminals and disaffected employees. Traditional terrorists have had political motives and used terrorism to influence peace-loving governments. Ad hoc terrorists, however, may be trying to make a personal statement, such as showing their anger at an oppressive government or a former employer. No terrorist, however, will select targets that are very difficult to bring down. A DUG facility, for example, would only be attacked during a war.

Mr. Reingruber identified several factors that must be taken into account in considering the use of UGFs for the protection of critical infrastructure:

• Threat. The threat is a function of capability and intent. The capability to disable an infrastructure does not mean that the infrastructure is threatened. Capability must be coupled with intent to do harm.

• Cost. Does the threat to the infrastructure justify the cost of protecting it, and who is going to pay to protect it?

• Effect on the American psyche. Americans would reject the idea of building a "Fortress America." Therefore, we can protect some infrastructures using DUGs, but the costs of protecting all of them would be astronomical.

• Other options. The first obvious option is to increase security measures to protect existing infrastructures. A second option would be to design infrastructure architectures that are less vulnerable to terrorist activities, such as, supervisory control and data acquisition (SCADA) systems that are designed to mitigate the effects of attack. The design philosophy of SCADAs builds in fire walls and redundancy. A third option would be to reconsider which of our infrastructures should be made invulnerable (e.g., national security information.) Hackers who breach national security systems should be punished, but sabotage by an insider remains a risk.

Mr. Reingruber described the group he cochairs, the technical support working group (TSWG), which conducts the national interagency program for combating terrorism and coordinates government R&D. One of the eight subgroups of the TSWG is the infrastructure protection group, which is

currently developing a capability road map that will recommend useful projects in the area of infrastructure protection that can be funded over the next few years. The road map is being developed by Booz Allen, Inc., and will be ready in June 1998. Although the TSWG will probably not have an effect on big architectural schemes, it could influence some aspects of infrastructure protection.

Dr. Daddazio described Weidlinger Associates' involvement with UGFs and infrastructure protection as well as the central artery project in Boston. The company has developed analytical methods for hardened underground structures in particular and UGFs in general, for both the military and civilian sectors. Many of Weidlinger's projects in the field of protective structures involve blast-hardening conventional buildings, and Dr. Daddazio outlined some of the differences between the protection afforded by UGFs and modified above-ground structures and suggested that a case could be made for protecting infrastructures in shallow-buried facilities.

He identified cost as a major factor in the decision to locate facilities underground, particularly in a densely populated urban area. These costs include:

• Buried utilities. Municipal electrical and telephone lines are sometimes as shallow as 18 inches, water supplies are typically located below the frost line, and sewers are generally a bit deeper. These utilities must be moved or protected during construction.

• Trenching and backfill. The major costs of putting a distributed system underground are excavation and backfill. The cost curve from a 4-foot trench to an 8-foot trench is not linear (i.e., unit costs increase more rapidly with depth). Other costs include sheet piling and protecting construction workers.

• Safety and maintenance. Stringent Occupational Safety and Health Administration requirements, shoring and underpinning of adjacent structures and utilities, and maintenance of existing utilities during excavation and repair all add to the cost of burying a distributed system.

• Geology. The cost of burial can be complicated by geological conditions, such as groundwater and rock.

An above-ground building is a more centralized system. The following measures designed to protect buildings from large vehicle bombs and small external devices can add to the costs:

• Glazing protection. Flying glass is a major cause of injury in an explosion. Putting films or blast net on glass may reduce the danger of flying glass.

• External site planning. Most buildings are located on sites about twice as large as the floor plan of the building itself. This extra area can provide standoff distance, room for defensive bollards, and reduced access to the site (the White House is a example of this approach).

• Facade detailing. Generally the amount of glazing should be minimized to reduce cost.

• Internal planning. Critical internal areas such as control centers and utility rooms can be blast-hardened. Such structural hardening requires the use of additional structural steel and reinforced concrete; internal walls also can be constructed of reinforced concrete to minimize the vulnerability of critical systems.

In a typical seven-story, 100,000-square-foot building constructed to the specifications of the General Services Administration (GSA), a reasonable level of blast protection would increase the cost of the building by 8 to 10 percent for these types of structural considerations. About 60 percent of the cost increase is for glass and glazing, either for films or higher-quality laminated or tempered glass.

Locating a building or a critical system underground can reduce the need for and cost of blast hardening. With the exception of physical site planning, all other protective measures are minimized or eliminated for a UGF. There are no glazing or facade issues, and the internal planning considerations will be the same. A less robust underground structure would be required to provide a similar level of protection as a hardened above-ground facility because of the energy attenuation offered by the soil cover and backfill material. Simple reinforced concrete burster slabs also can be used to protect underground structures.

Dr. Daddazio concluded by stating that the protection of infrastructures by UGFs has advantages and disadvantages:

• No single issue, either financial or physical, should preclude the use of a UGF for infrastructure protection.

• Every application must be considered individually from a risk and cost standpoint.

• Locating critical infrastructures underground, especially a centralized system, should always be considered an option.

Dr. Baker began by asking the panelists to identify the benefits they thought UGFs offer against cyber-threats. Mr. Daddazio noted that the PCCIP report had described the most effective terrorist threat as a combination of cyber-terrorism and a physical threat. A cyber-threat coupled with a well-placed

physical attack against a target could be very damaging to an infrastructure. Therefore, locating electrical substations, for example, in remote areas or underground could definitely offer protection. Mr. Werth questioned whether a UGF in itself would serve as a defense against a cyber-attack, because if communication went out at three or four different points in the system, the entire system would be vulnerable. But he agreed that attacking a UGF would require a highly sophisticated operation. There are good reasons to vary the locations of infrastructures to defend against physical attacks.

Mr. Minehart restated the importance of backup systems and of storing data in locations separate from operations. The expense to industry could be prohibitive, but if government provided a location where backup electronic tape could be held safely and protected with cryptography, a coordinated attack that would place backup data at risk would be much more difficult. The costs to industry would be reduced and a national asset—UGFs—would continue functioning for a new protective purpose.

Dr. Sevin observed that UGFs make the design process more manageable, greatly easing the job for architects, engineers, and security design professionals. The potential for injury and death to personnel is decreased, and recovery in the event of an attack is improved. The UGF presents a difficult target and probably directs the attacker to a less secure site elsewhere. So UGFs may provide a cost-effective solution along with other advantages.

Mr. Jenssen did not agree that all UGFs are difficult to attack. If they are badly designed, they are easy to assault; if well designed, a strike is difficult. There is a vast difference between good and bad designs, and experience is required to ensure a strong design. Mr. Cicolani concurred with Mr. Jenssen's observations. The Springfield Research Facility has reviewed many poor designs for UGFs worldwide, and its conclusion is that poorly designed facilities are fairly easy targets.

Dr. Baker observed that the PCCIP also identified specific physical threats, including high explosives; small-scale nuclear weapons; chemical, biological, and radiological agents; and electronic weapons designed to attack computer-based systems. Mr. Reingruber said it is difficult to guard against all potential threats and that efforts to rank threats by importance may not be productive. Explosives are still the weapon of choice for terrorists, but there is concern that this will not always be the case. Weapons of mass destruction could be a greater problem in the near future. Dr. Sevin countered that from a design point of view threats will have to be prioritized because comparable design solutions cannot be made for a small truck bomb versus a nuclear weapon. Dr. Daddazio pointed out that a blast engineer would rely on intelligence or statistics from government agencies to help determine the design threat for physically protecting a facility. At present, the greatest danger remains a conventional weapon, and this is the area in which most efforts toward a solution should be directed.

Mr. Ryall emphasized the hazards posed by fire and smoke in UGFs. An arsonist can breach the security of a UGF and start a fire, especially one that

generates a great deal of smoke, and can take down a mission. Many people could be killed in an event that appeared to be an accident.

Mr. Smeallie, who is experienced with embassy security, noted that no glazing or facade treatments are required in unoccupied buildings (e.g., electrical substations), and questioned whether the 60 percent increase in glazing costs cited earlier was a realistic figure. Dr. Daddazio responded that even if glazing and facade requirements are eliminated, the hardening costs in a typical $100-per-square-foot, 100,000-square-foot GSA office building are 8 to 10 percent above the cost of a building without hardening. Reinforced concrete walls above ground will necessarily be thicker than the walls in a UGF. An above-ground building would have to be more strongly constructed than one below ground, but this would be offset by the additional costs of building a structure underground. He emphasized that overall this is a site-specific issue.

Dr. Baker questioned the technological sophistication of the individuals and groups that pose threats to this country's critical infrastructures. Mr. Werth responded that most groups are not highly sophisticated when it comes to UGFs. While that may be a good reason to investigate UGFs and their advantages, he cautioned that a cyber-attack on UGFs was certainly possible. Dr. Baker also asked whether the panel thought UGFs would help reconstitute systems after a cyber-attack. Mr. Minehart concurred that any structure that had been hardened would be critical in such a case.

Dr. Baker concluded the question-and-answer period by noting that a controversial issue in the infrastructure community is whether or not protecting systems can be a deterrent to attack. Dr. Daddazio stated that a mix of solutions should be available for those facing potential physical threats against their infrastructures. Owners and operators must be aware of threats from the very beginning of the process; sometimes a small investment can be made in up-front planning that can ultimately result in large savings. Mr. Reingruber agreed that there is a deterrent value to protected systems, but noted that, if an attack is diverted from one target, it most likely will carried through against another. Mr. Werth agreed that, while deterrence may be enhanced by putting key infrastructures underground, a high priority must be placed on educating employees to be more aware of how infrastructure can be protected.