Hello,
McAfee recently sponsored and published a report on global cybersecurity gives some startling statistics on the preparedness of critical infrastructure in various countries to attack. It is available for free download, as a PDF. Here is a brief excerpt on security for Supervisory Control And Data Acquisition (SCADA) and Industrial Control Systems (ICS) , which run our infrastructure:
Executives generally reported very high levels of connection of SCADA systems to IP networks or the Internet, despite widespread acknowledgment about the risks involved. Seventy-six percent of respondents with SCADA/ICS responsibilities said their networks were “connected to an IP network or the Internet.” Nearly half of those connected, 47 percent, admitted that the connection created an “unresolved security issue.”
Connections to IP networks pose a vulnerability because they might allow unauthorized users access to the systems at the heart of critical infrastructure, said one veteran IT security executive. “The original SCADA design generally didn’t assume that the control systems would be exposed on networks where untrusted people had at least some level of access to them.” Much SCADA software was written “quite some time ago and has not been modified since.” The systems “are not [running] on the newest platforms, so they have those vulnerabilities that have been discovered over time.”
Because SCADA systems often combine hardware and software, they cannot be updated like regular software can be and replacing them is “hugely complex and hugely expensive,” said the veteran. There is “no mechanism for revisiting the system and changing them once vulnerabilities are discovered.”
It is important to note that the sample size for this survey is not very large, as only a handful of the overall sample of interviewed IT executives had SCADA/ICS related work. But it is still quite shocking. – N.R.
JWR Replies: The SCADA and ICS vulnerabilities to cyber attack must be one of the most ignored and under-reported news stories of the early 21st Century. Within the related industries, (like electric power, refining, water utilities, et cetera) management awareness of the threat seems to be lacking. In many cases, designers have added an IP interface to existing SCADA systems, but without any robust protection from external attack. This created an essentially unlocked “back door” to their systems. (By unlocked, I mean interfaces that can be compromised by only moderately sophisticated hackers.) For many years, embedded software writers lived in the fantasy land that they were somehow isolated and insulated from cyber attack. Open architectures changed all that. Any connection to “the cloud” is a threat. And they need to learn that that a manually-generated seven digit password is insufficient security! There are a few notable exceptions in the industry. One is the software work being done by Schweitzer Engineering Labs (in my old stomping grounds). Another is the work being done by Sandia National Laboratories. But generally, SCADA users are behind the power curve on the threat posed by terrorists and even just prankster hackers. It will be many years before a robust follow-on to SCADA is fielded. This will presumably have high security inherently designed into all layers and nodes. In the interim, we will continue to see cobbled-together systems that have huge hacking vulnerabilities.
Don’t be surprised if someday our nation’s power grids simultaneously go down for weeks, and we find out later that it wasn’t EMP, and it wasn’t a Carrington-scale solar flare. No, it was the Bu wei ren zhi team from Jiaotong University, or perhaps just a pimply-face teenager from Minot, North Dakota that stayed up late nights, drinking Red Bull.