Utilities could be open to attack
The movie Live Free or Die Hard
featured the concept of the Fire Sale, a fictional coordinated plan to shut down the critical infrastructure by attacking its computer systems.
The Hollywood depiction was sensationalized, but the basic plan of attack could be feasible, at least given the state of security on utility control systems, said Jerry Dixon, former acting director of the Homeland Security Department's National Cyber Security Division. He is now director of analysis at Internet security consulting firm Team Cymru.
Dixon, speaking at the SANS Security 2008 conference last week in New Orleans, said the control systems of utility companies, many in remote locales, are often controlled by dial-in modems, and their systems have outdated or nonexistent security and authentication technologies.
Those on a network could be sharing equipment with other less-sensitive systems and, hence, vulnerable to a crossover attack.
Also, control system management software tends to be poorly designed and filled with points of vulnerability.
Dixon cited an infrastructure vulnerability found last fall by the Energy Department's Idaho National Laboratory, in research work funded by DHS. The work demonstrated how a megawatt generator could be broken from afar by calling into the substation system and executing a number of malicious commands to alter the workflow logic of the generator.
Joab Jackson is the senior technology editor for Government Computer News.