Just Because They Haven’t, Doesn’t Mean They Won’t

March 7, 2008
At the SANS Conference in January, CIA Representative Tom Donahue Revealed that the Agency Had Documentary Evidence of Attacks on Utilities Outside the U.S. Of Course, If Systems Can Be Hacked Outside the U.S., the Same Systems Are Vulnerable Inside. And the Systems Are the Same.
By Walt Boyes, Editor in chief

The lack of specific detail in his disclosure immediately led to discussion and speculation that this was some sort of FUD (fear-uncertainty-doubt) spread for some nefarious purpose of the CIA.

I don’t believe that for a minute, and neither should you. The mere possibility of such attacks is scary. Just think for a minute what would happen if power was shut down to the 11 western states for two months. It’s not only possible, but it could be done, and it could be done tomorrow.

We keep seeing more and more vulnerabilities revealed in control systems and SCADA software. We keep hearing about more creative attack vectors. We keep seeing unsuccessful attacks on systems in the U.S. and abroad. Sometimes, as with the Slammer worm attacks a couple of years ago, we’ve just gotten plain lucky.

It’s hard for me to believe that we’re going to continue to luck out. Until now, process control systems and SCADA have all been designed to be as open as possible. In many instances, the password for control systems is “password,” because when operators need access to the control system, they may need it so quickly that they can’t take the time to try to remember their personal passwords. Or that’s the theory.

What we are seeing, though, is that if we are to escape some very serious economy- and population-destroying damage to our infrastructure, we’re going to have to get busy and fill the holes in our open systems, and work to patch the vulnerabilities we know about in our installed control systems and SCADA networks.

In the process industries, several large end-user companies and several of the largest automation vendors have partnered with ISA to create the ISCI, the ISA Security Compliance Institute. Through the ISCI, although it will take time, we will eventually be able to validate and verify that control systems and SCADA systems in the process industries can withstand attacks.

This is only part of a defense-in-depth initiative in which every owner of a control system and every SCADA operator needs to take part.

On the power utility side, we’re not so far ahead. Although the Federal Energy Regulatory Commission in the U.S. has accepted a set of CIP standards put forward by the North American Electric Reliability Corporation, I believe those standards fall far short of providing adequate protection for North America’s electric grid and the cyber assets that all power utilities maintain. In that sector, there is even debate over what a cyber asset is, and whether power utilities actually have any!

As automation professionals, our first priority should be to make sure that our systems are safe and our vulnerabilities are protected to the best of our ability. Let’s make it so.