The CIA dropped a bombshell in January 2008, when CIA senior analyst Tom Donahue told a gathering of 300 U.S. and
European government officials, engineers and security managers from electric, water, oil and gas utilities that the agency had credible evidence that cyberattacks had been used to compromise utilities for the purposes of extortion.
In at least one case, the power supply was disrupted as a result of cyberattacks, he said. Donahue was careful to note that none of the attacks monitored by the CIA occurred within the U.S., but his report still set off a media firestorm and raised questions about whether hackers played a role in domestic incidents, like the 2003 East Coast blackout, as well.
The issue of critical infrastructure protection has only grown larger in the intervening months, with articles in The Wall Street Journal and elsewhere about how foreign spies had penetrated the U.S. electrical grid and critical servers used by the government. The Obama administration has also put cybersecurity and critical infrastructure on the front burner, issuing a policy review that called for creating a cybersecurity czar, forging closer public-private partnerships and improving cybersecurity incident response.
SCADA systems targeted
Today, private and public entities that manage critical infrastructure face both increasing threats and increasing oversight by auditors. On the threats side: Security experts like Team Cymru, based in the U.S. and U.K., have noted a high level of attack traffic directed at Supervisory Control and Data Acquisition (SCADA) systems --systems that control aspects of critical infrastructure. Cymru, which operates an IP darknet -- essentially a large block of routed but dormant IP space -- says it has captured a large volume of scans for SCADA-related ports. An unknown number of SCADA-focused attacks may also be hiding in the background noise of malicious activity on the Internet, the group says.
The attacks emanate from China, in large part, but also Eastern and Western Europe, Russia and the U.S. Attacks against SCADA systems have stepped up as the communications infrastructure supporting them has shifted to the public Internet, using standard communications protocols like TCP/IP from more closed systems like dedicated modems, satellites and radio transmissions that use lesser-known, proprietary protocols to communicate. The U.S. Government Accountability Office has also issued reports on SCADA and critical infrastructure vulnerabilities, going back more than 10 years.
Alan Paller, director of research at the SANS Institute and chairman of the U.S. and European Union SCADA Security Summit, said increased scrutiny of SCADA systems stems from recognition that "bad guys" have shown the ability to take control of elements of the critical infrastructure for use in blackmail or, potentially, as an offensive weapon during a conflict between nation states.
That said, changes that improve cybersecurity have been slow to come and uneven. For bulk generators of electric power, the North American Electric Reliability Corp. (NERC) is leading the way. NERC requested self-assessments for compliance with the NERC Reliability Standard CIP-002-1 -- Critical Cyber Asset Identification in the second half of 2008. That self-assessment suggested that power generators and transmitters have work to do to properly identify critical assets on their networks (defined as elements of the electric grid that "if destroyed, degraded or otherwise rendered unavailable," would affect the reliability or operation of the bulk electric system) and "cybercritical assets," the systems used to control and manipulate those assets.
NERC compliance audits of power generators are set to begin July 1. In the chemical industry, the federal Chemical Facility Anti-Terrorism Standards (CFATS) calls for site vulnerability assessments of chemical facilities that are designed to spot vulnerabilities in the SCADA systems, among other things. Improved legislation is anticipated this year to update CFATS, which expires in October, and toughened cybersecurity is expected to be part of that. Both the NERC and CFATS guidelines put emphasis on risk-based security assessments: identifying and prioritizing critical physical and IT assets, then making sure they are secure and not vulnerable to compromise or attack.
But compliance is still largely a matter of conducting assessments rather than hardening infrastructure. "I don't see NERC CIP generating anything but consulting," Paller said. "The bottom line is that you can meet the standard by writing a report."
Increased scrutiny of SCADA systems stems from recognition that 'bad guys' have shown the ability to take control of elements of the critical infrastructure to use for blackmail or as an offensive weapon.
In other critical industries -- mass transportation, for example -- the progress on cybersecurity around SCADA and other systems is less clear and less uniform, Paller noted. More prescriptive guidelines are needed and Paller, among others, said that's what critical infrastructure providers should expect.
In the meantime, IT vendors of all stripes smell profit in security SCADA systems and other critical infrastructure and are rushing into the space. Intrusion prevention, vulnerability assessment, network access control and endpoint control vendors have all added SCADA support to their product messaging in recent months. In May, antimalware firm McAfee Inc. acquired Solidcore Systems, an application control company, in part for its strength-securing SCADA systems.
But selling to critical infrastructure providers will prove much more difficult than selling to companies, Paller warned. For one thing, the costs of any error or disruption in SCADA systems can be astronomical, making those in charge of maintaining such systems reluctant to tinker. Change may come eventually, through closer partnership between SCADA systems providers like General Electric Co., Siemens AG and IT security firms, rather than layering security on top of SCADA and industrial control systems.
Customers (and the government) also have to push back, informing themselves and asking tougher questions of their SCADA providers. More attention to security will drive the market in that direction, as happened in the desktop computing world with Microsoft Windows. The Multi State Information Sharing and Analysis Center maintains a SCADA and Control Systems Procurement Project that provides guidance on which security questions to ask your SCADA vendor, and advice on securing SCADA systems and holding workshops.
Paul F. Roberts is a senior analyst at The 451 Group. Let us know what you think about the story; email: firstname.lastname@example.org.