Idaho News

To safeguard U.S. infrastructure, cybersecurity work ramps up at INL

Stephen Kleinheider, an Idaho National Laboratory hacker, is a new employee and said he enjoys the freedom to pick his projects at the lab. Taylor Carpenter

From the outside, the building is easy to miss. It’s a single-story gray structure, off University Boulevard on the outskirts of town.

But inside is one of the nation’s premier cybersecurity research facilities. One room, filled with computer screens and cardboard cutouts of movie characters, was mostly dark on a recent Friday afternoon. That’s how computer hackers — even ones who work for the government — prefer it.

The dozens of Idaho National Laboratory researchers who work here aren’t focused on thwarting the next email breach, or mass credit card theft. Their job is protecting the nation’s critical infrastructure — think electric utilities, water treatment plants or oil pipelines.

It is a realm of cybersecurity that hasn’t received much public attention, and for good reason: There have been few examples of successful critical infrastructure attacks in the U.S. But officials say the consequences of such an attack could be catastrophic. Hackers could trigger a power outage that lasts days, or remotely take control of a nuclear power plant.

“We’re one of the most automated countries in the world, so from a digital standpoint, that gives us additional risk,” Brent Stacey, INL’s associate director for national and homeland security, said in an interview last week.

Workforce shortage

The lab is still best known for nuclear and renewable energy research. But its fastest-growing research program is now national security, where cybersecurity plays a major role.

In the last two years, the national security program — with an annual budget of close to $300 million — hired 128 new researchers, and officials said most of them touch cybersecurity in some way. In the same period, INL’s nuclear program hired 66 new employees, and the energy and environment program hired 54.

Finding enough qualified candidates to fill open positions is a constant problem. INL has recently begun cybersecurity training and research partnerships with the three biggest Idaho universities, in an effort to grow its talent pool.

“The fact of the matter is, we don’t have the workforce,” Stacey said. “Right now I see it as an unsaturated market. We can’t generate the skill set fast enough to address the need.”

One of the lab’s newest hackers, 23-year-old Stephen Kleinheider, said he had several job offers from the Department of Defense before choosing to come to INL in June. Kleinheider received his bachelor’s and master’s degrees in a specialized cyberprogram at the University of Tulsa, which requires a two-year stint in the government upon graduation. The average age of an INL hacker is about 30, and many are recruited straight out of college.

INL officials hope to see homegrown versions of the cyber program Kleinheider went through at Tulsa get developed at Boise State University, Idaho State University and University of Idaho.

Using $1 million in state funds, Boise State is building a control systems laboratory with computers and critical infrastructure devices mounted on a wall. Students will undergo training and in some cases assist with INL cybersecurity research.

‘This can actually happen’

One of the most high-profile examples of a critical infrastructure cyberattack occurred last year in Ukraine. On Dec. 23, a team of unknown assailants took control of three electric utilities, knocking out power to about 230,000 customers for as long as six hours.

“It was the first public example of a cyberattack actually taking down a system,” Stacey said. “It was an enlightenment for people running those types of complicated systems — that this can actually happen.”

INL researchers have long known such a damaging infrastructure hack was possible. In 2007, they conducted the Aurora test, which showed how a few lines of malicious code could destroy a 5,000-horsepower generator in seconds.

The electric grid and other infrastructure are only becoming more sophisticated as new sources of energy such as solar panels and wind turbines are added, Stacey said. That gives hackers more potential places to infiltrate and do damage.

“The only way you can manage (these infrastructure systems) is with intelligent sensors, smart devices, networks, computers,” Stacey said. “So as we’ve evolved, we’ve brought a significant level of complexity into the system. All of these new digital devices have cybersecurity vulnerabilities.”

That doesn’t mean such a hack would be easy. A major infrastructure breach would require a coordinated effort from several hackers who have specific knowledge about whatever type of control system they are trying to disrupt, Stacey said.

Yet just because it’s difficult doesn’t mean hackers aren’t trying. In one instance in 2013, an Iranian hacker was able to easily gain access to a New York dam. And government consultant Booz Allen reported that out of 314 worldwide organizations it surveyed earlier this year, more than a third reported having their industrial control systems breached more than twice in the previous 12 months.

“These infrastructure hacks are very sophisticated,” Stacey said. “They take time. There aren’t a lot of entities that are able to do this.”

Still, he said, the danger is constant: “The protector has to be right every time. The hacker only has to be right once.”

Testing the grid

Tom Anderson, who manages INL’s cyber department, pointed out several research accomplishments displayed in the darkened cyberresearch office. A large flag hangs near the entrance — a reminder of when a team of INL hackers won the prestigious “capture the flag” competition at the famed DEF CON conference in 2010.

Through a door in the back is a “test bay” — a well-lit industrial space with high ceilings that hums with the sound of computer servers. The bay is divided up into several tall cubicles. Each has a door and a unique security pass code. Inside are various electronics being tested and patched for vulnerabilities by the cyberteam.

One of the cubicles is open. Inside is an electric substation control panel and several computers, all hooked up to the lab’s Critical Infrastructure Test Range, which is a small power grid located on the desert site. Put together, these features allow INL researchers to replicate scenarios of how an attack on the grid might occur.

“We can actually go through the process and show, here’s what the hacker sees, here’s how he moves through the process, here’s how they take control,” Stacey said.

Some companies come to INL with cybersecurity problems they can’t solve, Stacey said. Much of the lab’s research focus also involves trying to predict critical infrastructure that could be vulnerable to hackers in the future, and engineering features to thwart attacks. In one project, INL researchers are helping several auto manufacturers design cars immune to hacks that could remotely shut them off or cause other damage.

“We’re so recognized by our nuclear mission,” Stacey said of INL as a whole. “We’re proud of it. It’s good. But we’re having a huge impact on the security side.”