For all the hype that has surrounded the issue of SCADA security, a cycle that yours truly has contributed to heartily given the evidence he’s been presented by qualified experts, there haven’t been a ton of real-world examples to point to about the real potential for critical grid infrastructure systems to come under actual cyber-attacks.
The April article in the Wall St. Journal which confirmed that hackers had infiltrated the U.S. national power grid – with one unnamed U.S. intelligence source placing blame squarely on China – fairly well blew the lid off the issue after years of far more low-profile incidents and reports. Most notably, a CIA official said in a 2008 speech that electronic attacks on power systems in an unnamed foreign nation had previously been successful, crippling electricity in multiple cities in the region as part of a targeted set of cyber-attacks.
There were murmurings that someone, potentially the Chinese, had played a similar role in the massive U.S. blackouts of 2003, but as many people disagreed with those arguments as those who initially made the claims. Other than that it’s mostly been speculative beyond the repeated warnings of very credible experts, such as those who spoke on the topic at this year’s RSA Conference. [full disclosure: the panel was hosted by one of my colleagues at Core Security]
The recent move by Congress to forward the Critical Electric Infrastructure Protection Act, which directly addresses possible cyber-attacks on critical infrastructure, is clear proof that this is a serious issue that has gained recognition on the highest levels. But it’s been challenging at times to point to the looming danger of the overall infrastructure security situation without a less blurry collection of reports and incidents to highlight in outlining the proposed risks.
But, every once in while something small happens that helps illustrate the reality of something much larger.
Researchers at McAfee have stumbled onto something related to the problem that seems pretty innocent in terms of its overall impact, but which highlights the true gravity of the IT security challenges facing the infrastructure industries moving forward.
Last week, McAfee researcher Francois Paget discovered a video posted to YouTube in November 2008 in which two hackers gain access to the controls for a municipal central light system and then start playing a takeoff on the video game Space Invaders by manipulating it and turning building lights off and on.
Even though Paget openly questions the veracity of the videos, which he describes as “light-show attacks on unprepared buildings,” the expert concedes that the video “confirms that hackers and cybercriminals have got their eyes on SCADA networks.”
And while this simple gaming of a set of lights clearly carried out merely to prove hacking expertise is pretty benign in terms of its effect, Paget observes that no matter how harmless it may be, the tactics involved show off just the level of access that can be achieved in these environments – and by far less advanced groups than those who are suspected of doing so, such a those backed by foreign governments.
“Perhaps the first demo was just for fun, but the others will have less juvenile goals. An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses. Modern SCADA networks are more vulnerable than ever because they use open networking standards (such as TCP/IP), are now deployed under less secure operating systems (Windows), are connected to other networks (including Internet), and cannot be easily updated and rebooted,” Paget writes.
He also contends that McAfee’s recent acquisition of Solidcore will help these types of customers as white-listing may help keep attackers out. But of course we all know that it probably won’t, at least not across the board or forever.
But, from a big picture standpoint, from federal regulation to local hijinks, it’s clear that infrastructure security is finally getting its due.
It’s about time.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.