final cybersecurity paper
To: Estevan López¹ (Commissioner of the Bureau of Reclamation)
From: Cameron Corbin (Lead Hoover Dam Security Auditor)
RE: Updated perimeter and system security needed following growing number of domestic terrorists.
The Hoover Dam is considered one of the most critical pieces of infrastructure under the command of
the Bureau of Reclamation, and with a budget of 1.17 billion dollars² allocated from the U.S. Department
of the Interior, the Bureau is fortunately able to allocate resources when need be. The Hoover Dam
generates on average about 4 billion kilowatt-hours of hydroelectric power each year for the states of
Nevada, Arizona, and California and serves the power needs of over 1.3 million people.³ The dam is also
a main source of water for 28.5% of Southern California, and it is crucial that it continue functioning at
its current capacity given the drought conditions in the area that have persisted for over four years
now. The Bureau has enlisted one of the largest international security companies, G4S, which,
alongside the Hoover Dam Police, who report directly to the Bureau, is responsible for all areas of
security including network, physical, and tourist security.⁴ Although this system has worked for many
years, I fear that, due to recent events of increased domestic terrorism and the radicalization of what
appeared to be normal American Muslims, such as occurred with the recent San Bernardino mass
shooting as well as numerous other examples including the Ft. Hood shooting back in 2009, we must
make drastic changes to our security policy. Besides the physical threat of a mass shooter or car
bombing at a site that sees more than 1 million visitors a year⁵, we must also focus on protecting the
systems that control the turbines as well as the various tunnels that draw water into the dam, all of
which are controlled by a mix of relatively new security software as well as legacy programs that are
1 http://www.usbr.gov/newsroom/presskit/bios/biosdetail.cfm?recordid=1
2 Budget Justifications and Performance Information, Fiscal Year 2013 (PDF). U.S. Department of the Interior. 2012. p. 11.
3 http://www.usbr.gov/lc/hooverdam/faqs/powerfaq.html
4 http://www.g4s.com/~/media/Files/4pg%20PDF%20Case%20Studies/g4s_case_HooverDam1_200310%20FINAL.pdf
5 http://www.usbr.gov/lc/hooverdam/service/
decades old. With large governmental agencies such as the DoD, NSA, and FBI facing large-scale hacking
attempts and thousands of files stolen by rogue employees as well as outside malicious attackers⁶, we
must upgrade our policies in order to combat this threat. This is where the main problem lies. G4S
last updated its emergency security protocols in 2010⁷, and they have not since been updated
with newer technology, as replacing some of the legacy systems and older software would cost tens of
millions of dollars and thousands of hours of manpower. The other issue that we face is that the bulk of
the physical security is performed by the Hoover Dam Police, who are given at most 12
weeks of law enforcement training⁸, which in this day and age is not enough training for the vast number
of visitors and the cornucopia of problems that could arise if malicious intent is exercised upon the
Hoover Dam. In order to bolster the security and prepare for the future of new threats, there needs to
be either an update to G4S’s security protocols or the hiring of their competitors instead, an enhanced
background check and vetting process for all security employees including the Hoover Dam Police and
Security Agency, and finally increased surveillance and security on the physical
perimeters of the Hoover Dam in order to combat any orchestrated car or truck bombing.
When looking at how to proceed in order to fix this glaring issue of security at the Hoover Dam,
we will be viewing solutions through the lens of risks, methods used, and transparency. The first
issue is that the Bureau has a current contract with the security company G4S to monitor all networks
and computer systems that help operate and control the dam. The company even proudly states that
they have stopped a few would-be suicides due to their “high tech” solutions⁹, but for a company that
prides itself on being incredibly high tech and innovative and that is the largest security company in the world,
6 http://www.nytimes.com/2015/07/10/us/office-of-personnel-management-hackers-got-data-of-millions.html
7 http://www.g4s.com/~/media/Files/4pg%20PDF%20Case%20Studies/g4s_case_HooverDam1_200310%20FINAL.pdf
8 Lower Colorado Region (February 2011). "Hoover Dam Police Department: About Us". Bureau of Reclamation.
9 http://www.g4s.com/~/media/Files/4pg%20PDF%20Case%20Studies/g4s_case_HooverDam1_200310%20FINAL.pdf
the fact that their policies have not changed in 5 years is quite alarming. This brings us to the choice of
cancelling their contract and forming a new one with one of their competitors such as Securitas or UTC
Building and Industrial Systems. The risk with doing this is that the current security employees would
have to be phased out in favor of those of the new company, and the turmoil created during the
transition period could not only cause chaos but could also be a prime time for an outside insurgency to
attack, as the security systems would have to be down for new software to be loaded onto the servers. This
process would take quite a bit of time and could include large penalties for cancellation of the contract.
Although a new company could bring in new foresight and expertise, the two competitors to G4S are
distinctly lacking in the size and funding of their cyber security divisions as compared to G4S and
could end up being more expensive than G4S. Changing companies could add to the overall
transparency of the government and could show initiative in striving for stronger cyber and physical
security of critical infrastructure, but overall the cost to taxpayers and the increased inherent risk during a
workplace shakeup make this much less feasible than creating a committee to work alongside G4S in
order to get an updated security threat policy. This will not only save money in the long run compared
with switching companies entirely but will also occur faster and will not leave any gaps of lowered
security.
The next area that needs to be improved is background checks for all employees.
Currently G4S states that it looks at criminal records and work histories for people¹⁰, and the Hoover Dam
Police adds on a physical examination, drug screening, and a security clearance check.¹¹ This, however, is
simply not enough with the growing number of employees leaking classified data to outside malicious
parties as well as employees turning violent and causing harm either to the computer systems
or even to other employees. There are two options that one can take in order to combat this. The
10 http://www.abcactionnews.com/news/local-news/i-team-investigates/i-team-g4s-hires-employees-with-troubling-pasts
11 http://www.usbr.gov/lc/hooverdam/police/ofcrqual.html
cheaper and slightly more effective way would be to change the background checks to mirror the ones
that are given for employment at the FBI. These include interviews with family members and friends as
well as a battery of tests to check one’s mental health, among various other issues¹². This would be the
quickest to implement, as the structure for the process is already developed by the FBI and can simply be
carried over. There would be no issue of transparency, as all applicants would be notified of the vetting
process before they even got to that stage of the job application. The other choice would be a much
more insidious and covert monitoring system that would entail not changing the initial process of
background checks from the previous methods but instead monitoring the employees’ social
media accounts as well as their phone calls. This would provide the strongest security against
anyone planning an attack on the physical or cyber operation of the Hoover Dam but would be very
expensive, as you would need to hire a workforce with a high security clearance that would monitor the
data being sent out by the employees. It would also do the very opposite of creating transparency
among the American public, and recent polls show the monitoring of phone calls and internet history to be
very unpopular¹³, even if it could help catch terrorists, which would not be very helpful to the overall
sentiment of the public towards government. Although the second option is much stronger in terms of
defending against conspirators, the first option of mirroring the FBI’s version of the background check
is much more feasible, can be implemented more quickly, is still strong enough to catch
“problem” employees, and does not create any transparency issues with the government.
The last policy that needs to be updated is the monitoring of visitors who come to the Hoover
Dam. Currently there are a couple of checkpoints at which the Hoover Dam Police can check out
suspicious vehicles and turn back anyone who refuses the check. While there are nuclear material
detectors scattered around the visitors’ parking garage and welcome center and metal detectors in the
12 https://www.fbi.gov/about-us/cjis/identity-history-summary-checks/submitting-an-identity-history-summary-request-to-the-fbi
13 https://www.washingtonpost.com/world/national-security/nsa-surveillance-program-reaches-into-the-past-to-retrieve-replay-phone-calls/2014/03/18/226d2646-ade9-11e3-a49e-76adc9210f19_story.html
welcome center¹⁴, there is no security stopping anyone from parking in the garage, walking to the top of
the dam, which is loaded with tourists, and beginning to shoot people. Also, car bombs can still pass through
the security checkpoint, as the Police rely on visual cues of comfortableness as red flags¹⁵ rather than
the use of large-scale X-ray scanners or infrared detectors, which are incredibly expensive. Also, the bulk
of the security is stationed outside and away from the control rooms in which employees work, which is
a problem if a rogue employee starts to attack the computer network or even starts randomly shooting
at personnel. There are two different options to fix this issue. The first would be to simply increase the
number of checkpoints and hire more police officers as well as station more police officers below ground
in the dam. This would be the cheapest option and could be introduced very quickly; however, it could
cause a huge problem for the large number of tourists who come to see the Hoover Dam every day.
Creating more security checkpoints would increase the overall safety, but the traffic backup would be
much worse than it currently is¹⁶, and the backup of cars could not only cause a security issue in case a
mass shooting or sabotage of the Dam occurred but could also create a negative sentiment toward the
government among the tourists and lead to a worsening of the transparency of the government. The
other option, which is much more expensive and will take longer to roll out, is the implementation of
newer screening technology as well as the use of bomb-sniffing dogs and increased training for the
police officers. This option would not create a worse situation of traffic backups and at the same time
would increase the security checks way more than simply adding more personnel. The benefit from
happy tourists and keeping the roadways free from traffic jams as well as creating government
transparency will definitely outweigh the added costs and manpower needed to train the employees on
the use of the new screening technology.
14 http://www.csoonline.com/article/2124482/access-control/how-9-11-shaped-hoover-dam-security-operations.html
15 http://www.traveltalkmedia.com/hooverdam_driving.html
16 http://www.reviewjournal.com/road-warrior/hoover-dam-bypass-traffic-faces-bottleneck-along-us-highway-93
In light of all of this information, the recommended course of action is to work with G4S rather
than hire a new company for security and to update the policy one on one with the company, which will
save time and money and will not create the gap in security that changing companies would. Secondly, the
background checks of all employees should be changed to model those that are used by the FBI, which
incorporate mental health checks as well as interviews with friends and family to get a good picture of
the employee, rather than use the more invasive option of monitoring the employee’s social media
accounts as well as phone calls, which, although more effective, is highly unpopular with the general
public and is seen as massively damaging to rebuilding the transparency and trust in government with the
public. The final recommendation is that new screening technology, as well as bomb-sniffing
dogs, be used by the Hoover Dam Police in order to create greater security, rather than creating more
checkpoints and simply hiring more employees, which would lead to issues with traffic backups that could turn
deadly if a real tragedy did unfold.
In conclusion, by focusing on the risks, methods, and transparency of the operations at the
Hoover Dam, we the security auditing team have decided on a policy that stresses saving money by
working with the current security contractor, strengthening background checks by patterning them off
of the tried and true version that the FBI uses, and promoting a friendly atmosphere for the over 1
million tourists that visit by focusing on new screening technology rather than lengthy multiple
checkpoints, which could cause not only frustration but also a security risk if a backup occurred during a
real emergency. Although there is a growing threat of not only foreign hackers that attack our security
systems and infrastructure but also domestic terrorists and disgruntled employees looking for revenge,
as long as we stay on top of the innovative curve of security and guarding against threats, we will be
able to protect and serve not only the citizens of Arizona, Nevada, and California who rely heavily on the clean
water and power generated by the Hoover Dam but also the tourists who come in droves every day to
visit one of the most important structures in American history. If these changes are made, the Hoover
Dam will continue to operate smoothly into the foreseeable future.