The red lights are flashing, the gates are coming down, the train is approaching, but traffic still hasn’t moved out of the way.
IT systems, and their many inherent IT security vulnerabilities, have encroached the United States grid infrastructure to the extent that our most critical electrical, water, transportation and communications systems are likely already vulnerable to cyber-attacks that could produce disastrous results, top experts in the field maintain.
A panel of some of the most influential leaders in the arena of securing U.S. infrastructure systems from electronic assault painted a dire picture at the RSA Conference 2009 in San Francisco this week, warning that organizations operating in the utilities, manufacturing and telecommunications verticals, among others, need to address matters of IT security today.
“Many organizations in the grid industries have a large IT staffs, but they typically have small security teams, which speaks to the problems that we’re having in identifying and responding to the types of threats that we’re facing,” said Jerry Dixon, a former U.S.-CERT Director who currently works for security research specialists Team CYMRU. “We’re seeing a huge increase of probing looking for SCADA systems, mostly coming from Asia.”
Makers of infrastructure-oriented technologies such as the Supervisory Control and
Data Acquisition (SCADA) systems referenced by the expert, whose job at CERT involved performing security assessments for the federal government, are adding remote access features and ties to shared networks such as the Internet, making them more exposed to potential attacks.
Michael Assante, CSO for the North American Electric Reliability Corporation (NERC), which is driving regulation of IT security in the electrical industry, recently sent a fairly critical letter to many of his constituents and has been waging a public campaign for power providers and their partners to take a long hard look at their IT security practices. The electrical industry is failing to meet its existing security requirements, let alone improve its defenses for a future landscape that involves even a broader set of threats, the expert said.
“There’s very little authentication in many of these environments, in many of their controls there is an inherent level of trust, they can accept commands from anywhere, and a compromised system can send commands to control,” Asante said. “We need to look at securing the authentication protocols, eliminating the potential for man-in-the-middle attacks; we’re getting some of these lessons learned into the development cycles of companies that provide technologies in these fields – that we have to get away from some of these inherent trusts.”
The experts pointed out that underlying architecture supporting everything from the nation’s major branch telecommunications networks to wireless hospital equipment have been made vulnerable to even today’s most ubiquitous attacks, let alone targeted threats aimed at those assets.
The Conficker worm virus wasn’t merely discovered on traditional IT infrastructure, but also on devices such as heart monitors and MRI systems that feature embedded wireless features, noted Marcus Sachs, Executive Director for National Security Policy at consulting giant Verizon Business, which published a detailed report on emerging cyber-attack trends last week.
“We must address the movement of previously private network technologies to Ethernet; it’s disturbing when you go to the Web site of one of the manufacturers of these control systems and the only reason why they’re moving to Internet protocols is so an engineer can work from home,” Sachs said. “We must work with the vendors; there’s nothing wrong with going to networked components, but when you cross that with public networks, that’s where the mistakes are being made.”
The experts said that major cyber-attacks affecting grid infrastructure have been largely avoided based on the vigilance and experience of those people ultimately responsible for the oversight of grid systems, who have had the ability to minimize emerging problems based on their traditional controls, most of which are aimed at monitoring performance, not security.
However, as the ubiquity of IT connectivity continues to saturate grid control networks, and attacks reach new levels of sophistication and volume, organizations in the infrastructure space will be forced to improve their defenses or tempt fate, said Matthew Luallen, a co-founder of Encari, which provides specialized services in the space.
“The threat landscape has truly changed in the last year; we really need to ensure that we’re securing the physical, cyber, operational and human elements,” Luallen said. “We really need to augment the human controls, at this point we’re still the biggest threat.”
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.