Recent CIA reports highlight the agency’s increased focus on the lack of cybersecurity in our nation’s critical infrastructures, including transportation, emergency services and utilities. Following recent blackmail attempts by hackers threatening to shut off power to utilities, as well as actual attacks in unidentified locations in Central and Latin America, the CIA has launched a global search for these hackers, the U.K.’s Daily Mail recently reported.
Industrial Security Incident Database reports indicate that the number of cyberattacks on infrastructure is growing: From 1981 to 2001, the database reported an incidence rate of 27 percent, while from 2002 to 2006, the number jumped to 73 percent.
Casey Potenzone, CIO of security technology provider Uniloc, recalled one example of such an attack: “In Australia, about eight years ago, they fired their waste disposal management engineer. [Then], from home, [he] dialed into the network and was able to turn the sewage pumps backwards, and he literally flooded an entire vacation resort with sewage.”
This is just one example of how a nation’s infrastructure could be compromised by hackers. However, some of the consequences could be more serious than a rotten vacation. “For the first time, these types of hackers have access to real physical implications,” said Potenzone. “[If] you break in and you change a system, you could shut down a power plant; you could shut the flow of water off; you could create gridlocks and a foundation for other problems. Imagine if you could disable emergency services just by changing traffic lights [and] blocking the streets.”
These are the possibilities that have the U.S. government concerned. Most of America’s critical infrastructure is controlled via supervisory control and data acquisition (SCADA) systems. As Potenzone put it, the security of SCADA systems “[is] almost wide open, like the Wild West and the Internet 10 years ago.”
“Events like [the attacks in Central and Latin America], as well as basically the expansion of the networks inside this country and incidents like the virus outbreaks that have knocked down the power plants, have really brought security to the forefront of minds of organizations,” he said.
The problems arose as SCADA networks – which were originally designed as closed networks – ended up getting connected to the Internet, opening up all kinds of vulnerabilities. “[This is] happening from e-mail, it’s happening from getting people’s Web access, it’s happening from whatever machines are controlling the utilities sitting on the same local area network as machines that are servicing” the utilities or being remotely controlled via the Internet, explained Potenzone.
One of the challenges to addressing these cybersecurity concerns is that many of the groups maintaining our critical infrastructure are small municipalities that have small staffs without in-depth IT knowledge, and they are struggling to catch up to the threats. In response to their lack of resources, municipalities and other groups are “starting to employ a consultant and, in a sense, really [looking to] outside vendors and service providers to come in and help them lock down their operations,” said Potenzone.
These vendors provide solutions that help these less-equipped operations deal with cybersecurity. Uniloc has one of its own, called StrongPoint, a mix of hardware and software that creates a secure network through device recognition and provides bi-directional security that can prevent access to these critical networks from field stations or other remote locations.
Another imperative for gaining ground on hackers is for companies to create and enforce standards in their daily operations. “Simple day-to-day practical implementations and security have to go hand in hand with these technologies,” said Potenzone. Examples of regulations include data access policies; data destruction policies for outdated information that is no longer needed; and physical access control policies, which can be as simple as making sure computers are in a locked room to prevent unauthorized access.
While Potenzone said there are no government requirements for SCADA security, he believes “security is a constant endeavor” that the industry can regulate for itself. “[SCADA security] is starting to get the attention it deserves.”