Assessing the G20 manhole incident, and the failure of security through obscurity
Like tens of thousands of other Toronto residents, I spent part of the weekend of the G20 summit out in the streets of our city, and the rest of it glued to television and online news coverage of what was happening in the streets.
As you can imagine, I noted with interest (and some trepidation) media coverage of an incident where, allegedly, "Protesters [were] arrested after emerging from sewer" (see also: video). News broke early Sunday morning that four people had been arrested at 1:30 a.m. after two men were seen by Hudson's Bay Company security guards emerging from a manhole in front of the Cadillac Fairview Tower at 20 Queen West. While the Canadian Press filed a follow-up story on Sunday afternoon with additional comments from an Ottawa-based 'security expert', no additional details on the incident or the subsequent fate of the arrestees have been published.
This incident was universally reported in the media as involving the city's sewer system, but the location of the manhole and the video and photographs presented by the media indicate otherwise. There are no large diameter sewers in the vicinity, and the manhole in question is probably the most well-known in the city, because it has rope lighting that runs the length of the shaft and is often left illuminated. Shoppers and partiers on Queen Street walk over this lid all the time, and I have no doubt that quite a few have stopped and wondered about the lit shaft beneath their feet. What's more, the day before the summit officially began, BlogTO had posted a cheeky story about "10 things you probably shouldn't do in Toronto this weekend" that featured a photograph of this manhole drawn from their flickr pool. I'm sure there are similar photographs that have circulated on flickr and elsewhere. It is also worth noting that McNally Engineering worked extensively at this location in April and throughout the month of May, using a small crane truck as they performed work in the tunnel at the bottom of the shaft.
This manhole provides access to the utility tunnels associated with Enwave's Deep Lake Water Cooling (DLWC) system, which uses cold water from deep within Lake Ontario to drive a heat transfer process to cool large office buildings, hospitals and other institutional clients in the downtown core and as far north as Queens Park. My colleague at pipecleaner.wordpress.com has speculated that the slotted manhole lid (of the sort you'd generally find on a catch basin) must mean that these tunnels are somehow also storm sewers, but I can state emphatically from prior experience in the system that this is not the case, and that the system is equipped only with low-level floor drainage that carries infiltrating groundwater and whatever rain falls through the access manholes to one or more small sump pits. [1]
As you can see from the photograph that leads off this article, the tunnels are basically empty -- apart from providing a workspace should anything ever actually break, their main operational purpose appears to be to provide access to mechanical isolation valves that appear to control flow from the system into the cooling plants of client buildings. While Enwave seems to have begun to experiment with running parts of their steam network through the most southerly part of the tunnel system, the main cooling pipes aren't actually in the tunnels, they're buried beneath their concrete floor. There are four main tunnels arranged at different levels beneath Bay, Queen, Wellington, and Simcoe Streets, carrying chilled water from (and returning it to) Enwave facilities at John Street and Simcoe Street.
I have previously posted an extensive set of photographs from within the system. I should probably state here that as far as I know, I don't know the people who are alleged to have accessed the system on June 27th, and that my own explorations of the system took place long before this incident.
Security through obscurity
The Integrated Security Unit would have known about the Enwave tunnel network prior to the summit, and must have determined that these tunnels, despite passing very close to the summit site, did not need to be secured in advance of the incident on Saturday. Media reports tell us that an ISU representative was quick to emphasize that "at no time was there a risk to the safety of summit participants" [2], although that apparent certainty didn't stop authorities from welding shut additional manhole covers in the area the morning after the incident. The Canadian Press' coverage of the event, and the 'security expert' (a former CSIS manager) they quoted in the piece, sought to make an argument that this incident highlighted the vulnerability of urban infrastructure. [3]
However, I would speculate that -- silly ideas about 'bombs beneath manholes' aside -- there was probably little practical vulnerability at play here (a point where the 'security expert' agrees with me). However, we can't even be sure of that, because there's no easy way to know where all these manholes actually are, or whether someone visiting the system nefariously could actually do anything sinister with the equipment and manholes they would have access to.
As a result, the incident does emphasize one particular security failure: the misplaced belief in 'security through obscurity'. It's a concept that has been debated somewhat widely (cf. 1, 2, 3) in cryptography and computer security circles, but it is equally prevalent, if much less remarked on, in institutional attitudes towards the design and maintenance of physical infrastructure (but see here for one article that does take this on). When it has been debated, critics of secrecy have noted and expanded on 19th century cryptographer August Kerckhoffs' principle that a successful cryptographic system should not rely on the secrecy of any element of the system save the encryption key itself. In modern cryptography, this means that even the algorithms used to encrypt data are routinely published in public so that they can be extensively and independently tested.
Security critic Bruce Schneier has generalized this principle in the broader context of security and presented it as a maxim: "Minimize the number of secrets in your security system. To the extent that you can accomplish that, you increase the robustness of your security. To the extent you can't, you increase its fragility." [4] Even more generally, what this means is that all sorts of systems should be designed to be robust enough that their location, structure and mechanisms do not need to be kept obscured in order to secure them.
In the instance we're concerned with here, an accessible tunnel should not put the function of the mechanisms it contains into jeopardy, because those mechanisms should themselves be designed to limit any possible damage that could be done to them or with them. Having seen the bulk of the distribution tunnels for Enwave's Deep-Lake Water Cooling system, my suspicion, as I note above, is that this is already largely the case and that this is a very robust system, and I would hope that this is the reason Enwave decided (at least up until now) to forgo placing any kind of physical or electronic security on these tunnels. We can say similar things about the city's sewer system: the system is sufficiently robust that little to no harm can be done within these tunnels, and thus there is no reason of system security to secure them. There may be other reasons (health and safety) to discourage or physically prevent unauthorized access to infrastructure, but these reasons are outside the gamut of the system's physical security (and that of its customers and neighbours).
Despite the fact that there doesn't appear to be any reason why we should be worried about the security of Enwave's physical system, it is obvious that the specific form of that system has been kept deliberately obscured. While Enwave has published reasonably detailed diagrams and information about their intake system (likely to avoid public concern about its environmental effects on lake ecosystems and water quality), these diagrams either leave off the distribution system or depict it in an abstract fashion. A map of the company's customer base for cooling that is published on their website is no doubt a powerful promotional tool, but again the actual network is glaringly absent.
It is up to Enwave to decide how to physically secure their infrastructure, and I have to assume that it's a subject they have considered in the past. That said, I would suggest that keeping secret (or at least, obscure) the location and form of their distribution system undermines its general security. There are many reasons why it might be good sense to give ordinary people the chance to know about this system. First, there's the simple promotional angle: it's an impressive undertaking that, properly understood, puts the lie to the common Torontonian cynicism that assumes that any environmental project of this nature can be nothing more than a useless "demonstration project" (see comment here about windmills).
But more than that, Enwave's small workforce cannot be everywhere at once, and should there ever be an actual problem within the system (for instance, a catastrophic pipe break) it might be useful for the public, and certainly for security personnel in their customer buildings, to know that a given manhole leads to Enwave's tunnels rather than the sewers, and should not sound like rushing water. It's a terrible thing that the people who work security at HBC's store and offices on Queen Street apparently haven't been told what the variety of manholes on the sidewalk outside and across the street from their building lead to (HBC is an Enwave client), and that the media and possibly the police services can't differentiate between a sewer shaft and a utility tunnel shaft or can't quickly find the information that might reverse any misinterpretation that might occur (as I said earlier, the lid in the incident does look a lot like a catchbasin, LED rope lights notwithstanding). This isn't and shouldn't be excessively technical or protected information, it concerns the basic details about the environment that surrounds and services a given building, and it may be exceedingly relevant should there ever be an emergency at that location.
Security through openness
Infrastructural security is best realized in an environment where people know what exists, what its purpose is, and what the possible concerns are with unauthorized access. But this information is even more relevant in cases where it affects public participation and decision-making. In the case of our sewer systems, these are critical components and determinants for the landscape of our city, and ones that have typically created in their installation as many problems as they have seemed at the time to solve. Understanding that infrastructure is an important prerequisite in making informed decisions not just about sewerage and storm drainage, but about the broader future of the physical landscape and the technologies we use to live in an urban setting. It's also, I believe, an important prerequisite of knowing enough to care and think about these issues, and often the reliance on technical obscurity and expertise is used to stifle the possibility of public involvement, debate, and the formulation of alternate solutions to the problems our infrastructure is built to address.
Whether all these considerations pertain to Enwave's system may be debatable, but it's hard to tell without making it the subject of public knowledge and discussion in the first place. Schneier walks back his criticism of 'security through obscurity' by noting that the benefits of releasing information rely on the existence of "a large group of people who are capable and willing to evaluate" the system in question, and who "can learn from the mistakes of others." [5] As I've suggested, when we are talking about a physical infrastructure system that underlies and serves our cities, the public interest component is unquestionably heightened, but more than that, we can't know whether Enwave should be the subject of public interest without making it knowable. Maybe people should be clamouring for the system's expansion, and its implementation in other Ontario cities? Maybe we should be thinking about a more distributed system that uses our drinking water service for household cooling throughout the city, rather than leaving it to large corporate and institutional tenants (Enwave's lake water is recycled into the city's drinking water system after it passes through the heat-exchanger)? There's no opportunity to consider, support, or discuss changes or expansions to the city's relationship with Enwave's cooling system, because it is abstracted out of public existence the minute the coldness drawn from the lake (already transferred at Simcoe Street to Enwave's own closed water loop) reaches the company's John Street pumping station.
It is perhaps ironic that coverage and reaction to the G20 incident would have been much more sensationalist had anyone involved in discovering and covering it been aware that it involved a utility tunnel system. Despite this, my impression remains that our city is more secure, more productive, more sustainable, and more democratically and culturally vibrant when we understand and can talk about, celebrate, or debate the critical infrastructure on which urban life depends. It's a shame, an obstacle, and an unnecessary risk that we can't tell the difference between a utility tunnel and a sewer.
- 1. The simpler explanation is that at the time this part of the Enwave system was installed (c. 2004-2007), Enwave didn't have their own personalized manhole lids, and the contractor that was responsible for finishing this access shaft simply threw on whatever lid they could either procure cheaply or already had rattling around in the back of one of their trucks. The slotted lid is entirely accidental, and if the contractor had known back then how many cigarette butts and other debris would end up at the bottom of this shaft they might have chosen differently.
- 2. Colin Perkel. "Manhole arrests near G20 security zone spotlights infrastructure vulnerability." Canadian Press. 27 June 2010.
- 3. Disclosure: Colin Perkel contacted me by e-mail while working on that story, but my response, which consisted only of background comments, probably wasn't sent until after he had already filed. Some of the observations I sent him are incorporated into this piece.
- 4. Bruce Schneier. 2002. "Secrecy, Security, and Obscurity." Cryptogram Newsletter. 15 May 2002.
- 5. Schneier, 2002.
Michael Cook is available to speak to your organization about infrastructure history, lost creeks, current conditions, and opportunities for change in our management of and communication about urban watersheds, and to work with teams proposing or implementing such change.