May 19, 2011

U.S. Infrastructure Is Vulnerable to Cyber Attack, but No One Will Do Anything


The nation’s electrical grid is vulnerable to cyber attack, according to a recent Department of Energy report. Yawn. Not that the problem isn’t real — it’s a potentially huge issue, as recent malware infections of infrastructure systems have proven.
However, nothing will come of this report and the pile-on by the experts and the Wall Street Journal and the rest of the press because nothing ever comes of this everything-old-is-new-again information. And managers at any high-tech company that thinks that finally, finally, someone gets it and will be receptive to even the perfect product or service to lock things down are fooling themselves.
Many of the security vulnerabilities are strikingly basic and fixable problems, including a failure to install software security patches or poor password management. Many of the fixes would be inexpensive, according to the Idaho National Lab, an Energy Department facility that conducted the study. The report reinforces concerns that intelligence officials have raised in recent years about growing surveillance of the electric grid by Chinese and Russian cyber-spies, which The Wall Street Journal reported last year. One worry is that a foreign country could shut down power in parts of the U.S.
Disconcerting findings? Yes. New? No. I covered the same topic for Newsweek in 2002. Back then, someone broke into California’s state manager of long-distance electrical transmission — a test system unconnected to the grid, but certainly a warning shot. Five years before, a kid in Massachusetts gained access to a phone switch at an airport in the center of the state and accidentally cut all communications to the control tower for hours.
Cyber attacks targeting infrastructure, whether terrorism or old-fashioned curiosity-based hacking, have been an ongoing problem. This is particularly true of utilities and energy concerns, including gas pipelines and oil refineries, that rely on computerized control systems — called SCADA — that lack heavy defensive mechanisms. Furthermore, to save money, companies have connected their systems to the Internet rather than go to the time and expense of building private networks. Cyber terrorists can work from the comfort of their homes, hotel rooms, and nearby Wi-Fi hot spots rather than attempt to physically connect to a control system.
From a security view, this is completely nuts — and has been well known for at least eight years. Probably longer. So what has the industry done since then? Studies by the DOE coming to the conclusion that things are bad and a realization that when a major vendor like Siemens uses known hard-wired passwords in its SCADA systems, it’s probably a poor idea.
Virtually nothing has been done about infrastructure security and, given history, nothing will be until there is a major disaster. At that point, everyone will run around trying to find a scapegoat and implementing quick fixes in ill-planned reaction. Remember 9/11? Some security experts had begun to warn in the mid-1990s of the possibility that suicidal hijackers could take over a plane and turn it into a flying bomb. No one in charge wanted to listen … until it was too late.
