A report this week on CNN that showed how a software vulnerability in a control system could be used to physically destroy power grid equipment refocused attention on an issue that some have been quietly trying to fix for several years.
The CNN segment, which aired Thursday, showed a turbine being reduced to a smoking, shuddering, metal spewing mess as the result of malicious code execution on the computer controlling the system.
The Idaho National Laboratory prepared the demonstration in March for the U.S. Department of Homeland Security (DHS). The simulated attack took advantage of a known software vulnerability -- since fixed -- in a Supervisory Control and Data Acquisition (SCADA) system. The demonstration was designed to show how hard a well-executed digital attack could hit the nation's critical infrastructure.
Though no details are available on how exactly the attack was launched, the scenario it depicts and the outcome are pretty accurate, said Amit Yoran, CEO of network security monitoring vendor NetWitness Corp. "I think the scenario is more realistic than a lot of academic papers on this topic have been.
"People have talked about how this is possible; now, we have a physical simulation," said Yoran, who is a former director of the National Cyber Security Division of the DHS.
At the same time, it would be wrong to conclude that all control systems are susceptible to such cyberattacks or that all attacks would have such drastic consequences, he said. "Just because this turbine was affected in such a dramatic way, it shouldn't imply that all turbines will be," Yoran said, noting that many have limiting technologies and mechanical governors designed to prevent the sort of meltdown depicted on TV. "The video is important. There is a lesson to be learned here. But it is one piece of information," and does not represent all possible eventualities.
The simulated attack shows the sort of damage that can be inflicted on utility infrastructure if a malicious attacker gains access to a control system, said Dale Peterson, CEO of SCADA security consultancy Digital Bond Inc. in Ft. Lauderdale, Fla.
SCADA and industrial control systems, with their traditional reliance on proprietary networks and hardware, have long been considered immune to the kinds of cyberattacks that can plague corporate information systems.
Many SCADA systems typically run on segmented proprietary networks and hardware that are not directly accessible via the Internet. As a result, gaining logical access to control systems from the outside can be more of a challenge compared to systems in most commercial companies. But for someone who does gain administrative access, SCADA systems -- especially older ones -- present several exploitable vulnerabilities, Peterson said.
Digital Bond itself has discovered and disclosed a few such flaws in the past, Peterson said. And the United States Computer Emergency Readiness Team occasionally lists vulnerabilities related to SCADA systems. But there is debate in the industry on how -- and how much -- information should be disclosed because of fears about vulnerability data falling into the wrong hands, he said. As a result, there is relatively little public information on flaws affecting SCADA and process control systems.
"There are a lot of risky systems out there and generally a lot of systems that can't be secured," even if patches were available, he said. That's because many of the control systems still in use at utility companies have been around for 12 to 15 years and applying security patches would simply break them. Companies using SCADA systems typically tend to focus on reliability and availability when rolling out such systems and often fail to replace or update associated security controls because of the need for continuous uptime. In such cases, the only real way to ensure security would be install new systems at a cost many companies are not ready to make, he said.
SCADA systems are not as insulated as they were a few years ago, said Jigar Shah, chief strategy officer and co-founder of SunEdison LLC, a Beltsville, Md., provider of solar energy. The continuing digitization of analog architectures within the utility industry is making control systems less immune to cyberattacks than some in the industry might concede, according to executives like Shah.
For instance, "right now, most of the switching gear is on closed-loop systems, but the goal in the future is to make them connected to the Internet," Shah said. Doing so could broaden their exposure to externally launched attacks, he noted.
The move to Ethernet, TCP/IP and Web technologies is giving hackers and virus writers "lots of backdoors and pathways" to core control systems at utility companies, said Eric Byres, CEO of Byres Security Inc., a Lantzville, British Columbia-based consultancy that focuses on SCADA security.
A white paper written by the company for Symantec Corp. analyzed security information contained in the Industrial Security Incident Database (ISID) maintained by the British Columbia Institute of Technology. The analysis showed that the number of cyberincidents against SCADA and other control systems has increased significantly since 2001.
"The majority of these incidents are coming from the Internet by way of opportunistic viruses, Trojan horses and worms, but a surprisingly large number are directed acts of sabotage," the paper noted. "In addition, the analysis indicates that many SCADA/process control networks have poorly documented points of entry that provide secondary pathways into the system."
According to Byres, if one were to extrapolate the numbers in the ISID numbers, it is reasonable to assume that between 2,000 and 3,000 industrial cybersecurity incidents are occurring each year at Fortune 500 companies.
"The government is paying attention to this and some of the companies are paying phenomenal attention to the issue," Byres said. A few companies such as DuPont, Dow and British Petroleum "have been really trying to take the bull by the horns, and have been taking aggressive steps to secure their process control environments. The biggest risk to the power industry is not the leaders. It's the second-tier companies that aren't making a good effort."
Entities such as the DHS and the North American Electric Reliability Council (NERC) have also been working to address cybersecurity issues. NERC, for instance, last year adopted eight new cybersecurity standards around asset identification, security management controls, personnel and training, perimeter security, systems security, incident reporting and response planning.
There are other efforts, as well. The Multi-State Information Sharing and Analysis Center, which is focused on cyberthreats to critical infrastructure, last year established the SCADA Procurement Project. The joint effort among public and private sector companies is focused on the development of common procurement language to help ensure that security is integrated into SCADA systems at the time of purchase.
"It's important to point out that a lot of work is being done" to bolster the security of SCADA systems, Yoran noted. "These are not simple systems to secure. These are very tightly embedded systems that are intertwined and interconnected with other systems, with mechanical components and with the physical infrastructure itself. They take years to design and deploy and that is why they are so resilient."
Trying to apply security measures without fully understanding the complexities could lead to "far greater damage and outage" than a cyberattack would, he said.
This story, "Simulated Attack Shows U.S. Vulnerabilities" was originally published by Computerworld.