SecurityFocus 2005-10-28
Wary of the increasing number of online attacks against industrial control systems, the U.S. government has begun a major push to secure the systems used to control and monitor critical infrastructure, such as power, utility and transportation networks.
Several initiatives to help secure the control systems will be rolled out by the government and federally-funded organizations in the next year, Andy Purdy, acting director of the National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security, told members of the House of Representatives' Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity during a hearing last week.
"The exposure of these systems to malicious actors in cyberspace is greater than in the past, because these systems are more often connected to the Internet," Purdy said in an interview with SecurityFocus. "With the profit margins of many of the owners and operators, it is a challenge to convince them to spend to reduce the risk."
The DHS has become increasingly concerned over the lack of security of such control networks--amongst which the best known is the supervisory control and data acquisition (SCADA) system--because the lion's share of such control systems are owned by private companies and are increasingly being interconnected to improve efficiency.
Because SCADA and other types of control systems regulate real-world activity, such as the amount of water flowing through a dam or the electricity flowing through a transformer, their lack of security has worried experts for some time. Yet, in the past few years, attacks by external sources, such as online attackers, have jumped to 70 percent of incidents involving SCADA systems, up from 31 percent of incidents recorded between 1980 and 2001, according to a paper published by the British Columbia Institute of Technology.
Sources interviewed for this article maintained that there have been SCADA system attacks, but such incidents are almost never made public. Perhaps the most well-known public incident is that of an information-technology contractor who used his knowledge of control systems to release a million liters of sewage into a river basin in Australia. And U.S. authorities investigated online reconnaissance of U.S. critical infrastructure systems by attackers thought to be linked to al Qaeda in Pakistan, Saudi Arabia and Indonesia.
However, other breaches have happened and the industry has paid the price for secrecy, said Lori Dustin, vice president of marketing and services for control system maker Verano.
"The cost of these breaches is huge--in the millions of dollars," Dustin said. "But the industry will not talk about it, unless the utility makes it public and that will not happen."
The electric power industry is perhaps the most obvious target, because the electric utilities are major users of sensor and control networks. Nearly 1,700 of the 3,200 power utilities have some sort of SCADA system in place, according to a recent survey by industry researcher Newton-Evans. Almost a quarter of companies with SCADA systems did not have a firewall separating the control network from the corporate network, leaving the systems open to attack from the Internet. In addition, only 40 percent of power utilities with such networks bothered to keep detailed access and network-data logs, according to Newton-Evans.
"Is this enough? I have to side with the government officials who tell us that we are not yet secure enough to thwart significant cyber attacks on our energy infrastructure," said Chuck Newton, president of the Ellicott City, Maryland, research firm.