HomeFeaturesDailyBriefingsRapidReconSpecial ReportsAbout Us

Critical Infrastructure Exposed

We take the ready availability of fuel, telecommunications, power and water for granted. Disasters like Hurricane Katrina remind us that entirely too many people in this country could not survive for very long if those systems were shut down for even a few days, which makes news that computer security researchers recently discovered a new vulnerability in Supervisory Control and Data Acquisition (SCADA) systems all the more disturbing.

SCADA systems include the computers, switches and controls that are used to control dams and water treatment plants, rail systems, power plants and other elements of our national critical infrastructure. The flaw in question could allow an attacker to remotely launch a denial-of-service (DoS) attack against a given SCADA system, potentially shutting down the system or causing it to react in such a way as to endanger lives.

It was a DoS attack that temporarily shut down two of the computers used to manage the Internet’s addressing system last month, and DoS attacks are routinely used by criminal hackers to hold poorly defended networks hostage while they extort money from the network owners. As far back as 1998, non-state actors have used DoS attacks against US government, including the White House and Department of Defense. Captured al-Qaeda computers have reportedly revealed extensive research had been conducted on SCADA systems.

How difficult is it to bring down or at least degrade the operations of a SCADA system? Such systems have been compromised to varying extents for years (PDF). In 1999 the Russian government noted that hackers had gained control over Gazprom’s natural gas pipeline. Safety and monitoring systems associated with oil and power systems in the US have been disabled, as have municipal emergency communications systems. Formerly trusted insiders have been the cause of some attacks, but by and large it is outsiders without special knowledge of SCADA systems that have wrought the most havoc.

There would be less of a concern over SCADA security if such systems were not configured insecurely by default. For the sake of convenience and speed, most such systems do not bother with separate user accounts or passwords (who wants to bother with login credentials at 3 A.M. when people are without water or heat?). Penetration testing carried out by computer security firms regularly expose these and other weaknesses that could be readily exploited by those with malicious intent and modest technical skills.

Most of the critical infrastructure at risk is owned and operated by the private sector, which places a premium on efficiency in operation and availability of service. Traditional approaches to security tend to hamper both of those factors, which is why more original thinking is needed in order to secure these systems from compromise. For motivation the SCADA industry would do well to remember what has happened to the business world since the fall of firms like Enron: A dramatic compromise will come, and with it will follow expensive and burdensome regulation.

1 Comment

Part of the problem (primarily with SCADA and control systems) is strong interdependencies between each other, as well as other non-computational devices. Take for instance the Energy Sector, most notably the electrical generation and transmission capabilities of the sector. The electrical companies have (traditionally) been reluctant to impose any security "mechanism" of any kind whatsoever. It was wasn't until within the last 2-3 years that NERC (the council responsible for ensuring that everyone gets electricity within North America, which includes the U.S., Canada and part of Mexico) started implementing security protocols. This has been an ongoing endeavor for well over 12 years now. The fact is -- they are far from complete.

Does this represent a risk? It depends primarily as to how you are viewing it, and from where. Within the electrical industry, efforts made, quietly and under cover, without the public knowing about this. Part of the problem is that these companies view security as an expense rather than as a method of conserving resources. Some might argue their point that the public does not know anything, of which part of this is due to "spin-doctoring" from the very same industry stating that "everything is [or will be] OK" (using the circumstance surrounding Katrina "victims". Fact is, New Orleans and Mississippi areas affected by Katrina still (to this day) are not operating at the same capacity that they were prior to Katrina. This is not a security issue, but one of capacity.

There are several factors, which are driving security in certain key critical infrastructure sectors, of which Energy is one of the more important ones. One factor is the sheer, immense numbers of devices that would need to be modified just to be considered “secure”. Honestly, I do not think anyone really know the exact number, and have heard varying numbers upwards of millions of devices. These devices can be as dumb as a simply relay switch with a serial connection, to a smart device, such as a dedicated server at a relay or substation. The sheer size of having to ensure that all of these devices as secured is a significant undertaking, and will take many years to complete, with large financial outlays to the electrical service providers. Another factor is that most electrical service providers are taking a more “backseat” approach (similar to many healthcare providers that I work with), in that they will simply pay out through their insurance companies if they have an issue, and remediate after the problem has occurred. This is bad logic. If you have a large enough of a disaster that is widespread, say over several states, the net result could (potentially) be devastating for everyone, including the electrical service providers. And here’s the kicker. If there are problems, and they have to fork out cash for security and/or safety assurance issues, YOU -- as the consumer -- will (ultimately) PAY for it through raised energy rates. Either way, they win. How fair is that?

I strongly feel that we are about to get another "rude awakening" within next few years, and this time, it will cost us dearly, so, yes, I agree with your views on this subject. The problem is the industry is reluctant to do anything about it, because it costs $$$ to fix it and they are too cheap to do anything to fix it.

It comes down to one thing: money. And, unless government specifically tells the electrical industry that they MUST be “compliant”, they won’t until the next problem, situation or issue. If they are required, the consumers will pay for their expenses outlaid through security remediation efforts. If you have a better solution as to how this will be accomplished, I welcome any offline discussion with you as how we could take on an entire industry to make them more secure. My email is smith-cip@hotmail.com, and I am a published author on this very topic. Again, I’m readying my family for the worst, which I feel we’re only a few years away from. I’m ready – I’m not so certain the rest of the nation is, though.

Mike