Matt Blaze, a well-known and respected researcher in computer security, has a very interesting post on his “Exhaustive Search” blog about a visit he made to the Titan Missile Museum in Sahuarita, AZ. The museum is a decommissioned Titan II missile site, complete with missile (no longer functional!) and silo. It is possible to take a complete tour of the site, to get a first-hand look:
If you can climb a fifteen foot ladder and fit through a two foot diameter hole, you can, with a bit of advance planning, take an extensive “top-to-bottom” tour of a Titan II ICBM launch complex, complete with missile silo and missile.
Mr. Blaze took the tour, and his account of the visit is fascinating and a bit disturbing. At the height of the Cold War, there were more than 1,000 ICBMs equipped with nuclear warheads, in silos scattered across sparsely-populated areas. This included, from 1963 to 1984, 54 Titan II missiles, each with a 9-megaton warhead.
He was particularly interested in looking at the security systems used at the launch site, as an extreme example of the role of security trade-offs:
The control of strategic nuclear weapons can thus be considered an extreme case study in one of the most difficult — and in this case most dramatic — tradeoffs in designing secure systems: balancing high availability with strong access control.
The missiles must be able to be launched on very short notice for a counter-attack, lest they be destroyed in an enemy “first strike”; yet, because the adversary’s missiles are at the same state of high alert, an accidental launch is unthinkable.
One of the interesting things that came out of the tour is the degree to which many of the security safeguards, once inside the silo, were procedural rather than technical. One of the key policies was that, with a few exceptions, like the toilets, no crew member was allowed to be alone in any section of the silo.
Similarly, there was a safe containing the launch codes that required two keys to be opened, but the locks were just ordinary padlocks. The launch consoles that required two keys to be turned to launch the missile did exist (just like in WarGames), but the equipment itself was not especially secure physically. It seems clear that the underlying security assumption was that the major danger was one of the crew more or less suddenly going crazy. There were, of course, blast doors and the underground location to protect the crew and missile from external attack.
The security mechanisms once past the exterior blast doors appear to have been designed to deter individual malfeasance in the presence of other trusted people, not to resist a sustained military attack or sabotage effort. As with many computers and networks, the focus was on strong perimeter security, with far weaker mechanisms protecting against insider attack.
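The two-padlock safe and the two-key console are the physical form of a dual-control rule, and the same rule is easy to state in software. The block below is an added example written for this post, not code from Matt Blaze or the museum: it splits a secret into two XOR shares so that either share alone is uniformly random and reveals nothing, hands one share to each of two distinct key holders, and releases the secret only when both of them, and nobody else, present the share actually issued to them. The safe itself stores only a digest of each share, never the secret. The operator names and the secret bytes are constructed for illustration.

```python
# Added example (not from the original post): a software model of the
# two-person rule and the two-padlock launch-code safe described above.
# The secret is split into two XOR shares (one-time-pad style), one per
# key holder; the safe keeps only a digest of each issued share.
# Operator names and the secret bytes are constructed for illustration.
import hashlib
import hmac
import secrets


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Split `secret` into two XOR shares; XOR-ing both recovers it.
    Each share on its own is uniformly random and so uninformative."""
    share_a = secrets.token_bytes(len(secret))          # random pad
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret from its two shares."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(share_a, share_b))


class TwoPersonSafe:
    """Dual control: the safe never holds the secret or the keys, only a
    SHA-256 digest of each issued key, so reading the safe's own records
    does not yield the code either."""

    def __init__(self, key_digests: dict[str, bytes]):
        self._digests = key_digests

    @classmethod
    def seal(cls, secret: bytes, key_holders: tuple[str, str]):
        """Split `secret` and issue one share to each of two distinct
        holders. Returns (safe, issued_keys); the keys are handed out,
        not stored."""
        holder_a, holder_b = key_holders
        if holder_a == holder_b:
            raise ValueError("the two keys must go to different people")
        share_a, share_b = split_secret(secret)
        keys = {holder_a: share_a, holder_b: share_b}
        digests = {who: hashlib.sha256(k).digest() for who, k in keys.items()}
        return cls(digests), keys

    def open(self, presented: dict[str, bytes]) -> bytes:
        """Release the secret only if exactly the two issued key holders
        are present and each presents the key issued to them."""
        if set(presented) != set(self._digests):
            raise PermissionError(
                "both issued key holders must be present, and nobody else")
        for who, key in presented.items():
            # Constant-time digest comparison: a wrong key is rejected
            # without leaking how close it was.
            if not hmac.compare_digest(hashlib.sha256(key).digest(),
                                       self._digests[who]):
                raise PermissionError(f"key presented by {who} was not issued to them")
        holder_a, holder_b = presented
        return combine_shares(presented[holder_a], presented[holder_b])


if __name__ == "__main__":
    code = b"CONSTRUCTED-LAUNCH-CODE-1234"     # constructed sample secret
    safe, keys = TwoPersonSafe.seal(code, ("commander", "deputy"))
    assert safe.open(keys) == code
    # One person alone, or one person turning both keys, is refused.
    for attempt in ({"commander": keys["commander"]},
                    {"commander": keys["commander"], "deputy": keys["commander"]}):
        try:
            safe.open(attempt)
        except PermissionError as exc:
            print("refused:", exc)
```

Note the trade-off Blaze names is visible here: a strict 2-of-2 split maximises access control at the cost of availability, since losing either share (or either operator) makes the code unrecoverable. A crew that must be able to launch on short notice would relax that with a threshold scheme (for example 2-of-3), which is a different construction from the XOR split shown and is not what the two-padlock safe implements.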
Of course, much of the original motivation for building these sites has disappeared, but there are still a few hundred Minuteman III ICBMs in silos in the US. Matt Blaze puts it well in his closing comment:
Looking up from the bottom of the silo at the little crack of sunlight 150 feet above, an obvious fact hit home for me. I realized at that moment that these things are actually aimed somewhere, somewhere not at all abstract.
(The image is Copyright © 2009 Matt Blaze, and licensed under a Creative Commons license.)