The lack of specific detail in his disclosure immediately led to discussion and speculation that this was some sort of FUD (fear-uncertainty-doubt) spread for some nefarious purpose of the CIA.
I dont believe that for a minute, and neither should you. The mere possibility of such attacks is scary. Just think for a minute what would happen if power was shut down to the 11 western states for two months. Its not only possible, but it could be done, and it could be done tomorrow.
We keep seeing more and more vulnerabilities revealed in control systems and SCADA software. We keep hearing about more creative attack vectors. We keep seeing unsuccessful attacks on systems in the U.S. and abroad. Sometimes, as with the Slammer worm attacks a couple of years ago, weve just gotten plain lucky.
Its hard for me to believe that were going to continue to luck out. Until now, process control systems and SCADA have all been designed to be as open as possible. In many instances, the password for control systems is password, because when operators needs access to the control system, they may need to have access so quickly they cant take the time to try to remember their personal passwords. Or thats the theory.
What we are seeing, though, is that if we are to escape some very serious economy- and population-destroying damage to our infrastructure, were going to have to get busy and fill the holes in our open systems, and work to patch the vulnerabilities we know about in our installed control systems and SCADA networks.
In the process industries, several large end-user companies and several of the largest automation vendors have partnered with ISA to create the ISCI, the ISA Security Compliance Institute. Through the SCI, while it will take time, we eventually will have the ability to validate and verify the ability of control systems and SCADA systems in the process industries to withstand attacks.
This is only part of a defense-in-depth initiative in which every owner of a control system and every SCADA operator needs to take part.
On the power utility side, were not so far ahead. Although the Federal Energy Regulatory Commission in the U.S. has accepted a set of CIP standards put forward by the North American Electric Reliability Corporation, I believe those standards fall far short of providing adequate protection for North Americas electric grid and the cyber assets that all power utilities maintain. In that sector, there is even debate over what a cyber asset is, and whether power utilities actually have any!
As automation professionals, our first priority should be to make sure that our systems are safe and our vulnerabilities are protected to the best of our ability. Lets make it so.