Critical Infrastructure Exposed
We take the ready availability of fuel, telecommunications, power and water for granted. Disasters like Hurricane Katrina remind us that entirely too many people in this country could not survive for very long if those systems were shut down for even a few days. That makes the news that computer security researchers recently discovered a new vulnerability in Supervisory Control and Data Acquisition (SCADA) systems all the more disturbing.
SCADA systems include the computers, switches and controls that are used to control dams and water treatment plants, rail systems, power plants and other elements of our national critical infrastructure. The flaw in question could allow an attacker to remotely launch a denial-of-service (DoS) attack against a given SCADA system, potentially shutting down the system or causing it to react in such a way as to endanger lives.
It was a DoS attack that temporarily shut down two of the computers used to manage the Internet's addressing system last month, and DoS attacks are routinely used by criminal hackers to hold poorly defended networks hostage while they extort money from the network owners. As far back as 1998, non-state actors have used DoS attacks against the US government, including the White House and the Department of Defense. Captured al-Qaeda computers have reportedly revealed that extensive research had been conducted on SCADA systems.
How difficult is it to bring down, or at least degrade, the operations of a SCADA system? Such systems have been compromised to varying extents for years. In 1999 the Russian government noted that hackers had gained control over Gazprom's natural gas pipeline. Safety and monitoring systems associated with oil and power systems in the US have been disabled, as have municipal emergency communications systems. Formerly trusted insiders have been the cause of some attacks, but by and large it is outsiders without special knowledge of SCADA systems that have wrought the most havoc.
There would be less of a concern over SCADA security if such systems were not configured insecurely by default. For the sake of convenience and speed, most such systems do not bother with separate user accounts or passwords (who wants to bother with login credentials at 3 A.M. when people are without water or heat?). Penetration testing carried out by computer security firms regularly exposes these and other weaknesses that could be readily exploited by those with malicious intent and modest technical skills.
Most of the critical infrastructure at risk is owned and operated by the private sector, which places a premium on efficiency of operation and availability of service. Traditional approaches to security tend to hamper both of those factors, which is why more original thinking is needed in order to secure these systems from compromise. For motivation, the SCADA industry would do well to remember what has happened to the business world since the fall of firms like Enron: a dramatic compromise will come, and with it will follow expensive and burdensome regulation.