U.S. makes securing SCADA systems a priority
Robert Lemos, SecurityFocus 2005-10-28

Wary of the increasing number of online attacks against industrial control systems, the U.S. government has begun a major push to secure the systems used to control and monitor critical infrastructure, such as power, utility and transportation networks.

Several initiatives to help secure the control systems will be rolled out by the government and federally-funded organizations in the next year, Andy Purdy, acting director of the National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security, told members of the House of Representatives' Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity during a hearing last week.

"The exposure of these systems to malicious actors in cyberspace is greater than in the past, because these systems are more often connected to the Internet," Purdy said in an interview with SecurityFocus. "With the profit margins of many of the owners and operators, it is a challenge to convince them to spend to reduce the risk."

The DHS has become increasingly concerned over the lack of security of such control networks--amongst which the best known is the supervisory control and data acquisition (SCADA) system--because the lion's share of such control systems are owned by private companies and are increasingly being interconnected to improve efficiency.

Because SCADA and other types of control systems regulate real world activity, such as the amount of water flowing through a dam or the electricity flowing through a transformer, their lack of security has worried experts for some time. Yet, in the past few years, attacks by external sources, such as online attackers, have jumped to 70 percent of incidents involving SCADA systems, up from 31 percent of incidents recorded between 1980 and 2001, according to a paper published by the British Columbia Institute of Technology.

Sources interviewed for this article maintained that there have been SCADA system attacks, but such incidents are almost never made public. Perhaps the most well-known public incident is that of an information-technology contractor who used his knowledge of control systems to release a million liters of sewage into a river basin in Australia. And U.S. authorities investigated online reconnaissance of U.S. critical infrastructure systems by attackers thought to be linked to al Qaeda in Pakistan, Saudi Arabia and Indonesia.

However, other breaches have happened and the industry has paid the price for secrecy, said Lori Dustin, vice president of marketing and services for control system maker Verano.

"The cost of these breaches is huge--in the millions of dollars," Dustin said. "But the industry will not talk about it, unless the utility makes it public and that will not happen."

The electric power industry is perhaps the most obvious target, because the electric utilities are major users of sensor and control networks. Nearly 1,700 of the 3,200 power utilities have some sort of SCADA system in place, according to a recent survey by industry researcher Newton-Evans. Almost a quarter of companies with SCADA systems did not have a firewall separating the control network from the corporate network, leaving the systems open to attack from the Internet. In addition, only 40 percent of power utilities with such networks bothered to keep detailed access and network-data logs, according to Newton-Evans.

"Is this enough? I have to side with the government officials who tell us that we are not yet secure enough to thwart significant cyber attacks on our energy infrastructure," said Chuck Newton, president of the Ellicott City, Maryland, research firm.

The older networks of control systems have not adapted well to the needs of a deregulated power industry, Samuel Varnado, director of the Information Operations Center at Sandia National Labs, stated in written testimony to the Congressional subcommittee.

"Under restructuring, the grid is now being operated in a way for which it was never designed," Varnado said. "More access to control systems is being granted to more users, the demand for real-time control has increased system complexity, and business and control systems are interconnected."

Sandia has demonstrated a way to use SCADA system vulnerabilities to turn out the lights in most major cities, Varnado told the subcommittee last week.

With an aim toward improving the situation, the NCSD has established a clearinghouse for information about control systems security and vulnerabilities under the U.S. Computer Emergency Readiness Team (US-CERT) and Idaho National Laboratory (INL). Known as the Control Systems Security Center (CSSC), the group aims to reduce the risk of cyberattack on control systems through assessments, education and incident support, the DHS's Purdy said.

In 2006, the DHS plans on releasing a document outlining the best practices for control-system operators through the Cybersecurity Protection Framework. Also next year, the U.S. agency will determine if a third-party academic institute is needed to act as a central hub for reporting vulnerabilities and incidents, Purdy said.

"If we have a picture of failures in more than one place, we can connect the dots and figure out there is an attack going on," Purdy said.

Legislators have also taken a hand. The latest energy bill passed in August has a provision requiring that the U.S. Department of Energy create an electric reliability organization. The frontrunner for the job is the North American Electric Reliability Council (NERC), which has already created a set of documents on critical infrastructure protection, known as CIP-002 through CIP-009.

The government could give NERC the ability to levy penalties against companies that do not comply with the standards, essentially creating regulations similar to the Sarbanes-Oxley rules that have caused corporations to spend more on security, said Richard Lord, CEO of security consulting and analysis firm The Steadfast Group.

The lack of reports of security incidents has made such legislative efforts necessary, Lord said.

"People have the same attitude--they have not heard about anything going on, so they are not worrying about it," Lord said. "They can't get a budget for it, so why even try to tackle it, is the thinking."

Fixing the problem will not be easy. SCADA systems are expensive to upgrade or to replace, which results in a large number of legacy systems that can be up to 20 years old, William Rush, a physicist for the Gas Technology Institute, said in his written testimony to the subcommittee.

"Because many of these systems were designed before critical infrastructure security was a major concern, they often have significant vulnerabilities to unauthorized electronic operations," Rush said in his testimony. "The question confronting the skilled cyberattacker is less 'Can we enter the system?' and more 'How long will it take us to penetrate it?'"

The American Gas Association (AGA) has sponsored a standard for protecting SCADA systems from attack using encrypted communications. Despite the need for additional work, funding problems and industry resistance have slowed the progress of the AGA standard, Rush said.

Asking companies to make extensive changes is unlikely to get industry support, said William Sanders, a professor of electrical and computer engineering at the University of Illinois at Urbana-Champaign and the director of the Information Trust Institute. Sanders and researchers at three other major U.S. universities received a $7.5 million grant from the National Science Foundation in August to pursue ways of securing the power grid from cyberattack.

Proposed solutions need to allow companies to make small steps to secure their systems today, with more in-depth proposals for the long term, Sanders said.

"If we think too far out, saying that you have to completely redesign the infrastructure of the grid, then it is going to be hard to have those companies come on board," he said. "I think the answer is to look for small changes in the short term to better security and to design in security for the long term."

With all the initiatives and the legislative pressure, the owners of critical infrastructure are starting to take the issue much more seriously, said Verano's Dustin.

"The problem is on people's radar now, where it wasn't before," she said.


Copyright 2006, SecurityFocus