Weak control system security threatens U.S.

NEW ORLEANS - Weak security on infrastructure control systems may eventually put the country at risk for a coordinated attack on utilities, warned Jerry Dixon, former acting director of the Homeland Security Department's National Cyber Security Division.

Dixon, who now is director of analysis of Internet security consulting firm Team Cymru, spoke yesterday at the SANS Security 2008 conference, being held this week in New Orleans.

Those who saw the movie Live Free or Die Hard might remember the concept of the "Fire Sale," a fictional coordinated plan by evil-doers to shut down the critical infrastructure by attacking its computer systems. While the Hollywood depiction was sensationalized, the basic plan of attack could be feasible, at least given the present state of security on today's utility control systems, Dixon said.

The action movie contained more than a few similarities to DHS' Cyber Storm, a public exercise held in 2006 that simulated attacks on the critical infrastructure. DHS picked up a number of important lessons from that exercise, Dixon said.

One particular concern Dixon pointed out is the control systems of utility company substations. Since many are located in remote locales, they are often controlled by dial-in modems, and their systems have outdated or nonexistent security and authentication technologies. Those that are on a network of some sort may be sharing their equipment with other less-sensitive systems and, hence, vulnerable to a crossover attack. Worse, comparatively little logging goes on with control systems. So when a failure happens, it is sometimes hard to determine if it came about due to attack or to misconfiguration.

There are a number of other areas of concern as well, he pointed out. Control system management software tends to be poorly designed and filled with points of vulnerability. Machines may be running older, unpatched software, a problem that only grows more severe as time passes as organizations don't have the money to update to newer, more secure versions. Also troubling is that organizations may only have fuzzy conceptions of how large their network is, or what outside parties they are connecting with to conduct business.

Dixon pointed to an infrastructure vulnerability found last fall by the Energy Department's Idaho National Laboratory, in research work funded by DHS. The work demonstrated how a megawatt generator could be broken from afar by calling into the substation system and executing a number of malicious commands to alter the workflow logic of the generator. Such an attack may require, in addition to the right phone number to dial into, expertise in electrical engineering and network security, two different yet fairly common skill sets, one industry observer noted.

"Average hacking skills" could "cause some significant problems," Dixon added.

Dixon also pointed to other recently publicized attacks on the infrastructure, such as a 2006 internal computer attack that took out traffic lights at four intersections in Los Angeles, and an event that took place earlier this month when a teenager diverted Polish tram trains from their normal routes by way of a computer hack.

A member of the audience asked Dixon why we haven't experienced a widescale attack yet. "We've been lucky," he responded. "If the bad guys were to get better organized, we'd have some serious challenges."
