Forbes is running an interesting article right now about the weaknesses in many of the critical points in our country's infrastructure.
“The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant’s owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM’s Internet Security Systems, found otherwise.”
“It turned out to be one of the easiest penetration tests I’d ever done,” he says. “By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, ‘Gosh. This is a big problem.’”
It’s a dangerous combination: unpatched and outdated control software, plus a poor understanding of needed security and a splash of good old-fashioned US ego(tm). The Achilles heel in many of these cases is the Supervisory Control and Data Acquisition software, or SCADA. More and more of our infrastructure is connected to the internet, and vendors are making it difficult or impossible to patch SCADA software, which puts key locations within our infrastructure at serious risk.
This article covers the problem but doesn’t go into talking about solutions. Security is, or at least should be, a multi-layered approach. For the incident in the article it seems the nuclear power plant was incredibly vulnerable. I imagine the security put in place was far below what most of us would consider adequate for a mid to large sized company, much less a nuclear power plant. Hopefully articles like this will open more eyes to how vulnerable we really are. Whether it be a terrorist attack, Russian mafia, or just another nasty worm like Slammer, we need to start looking at ways to seal these huge gaps in security, in a consistent and secure manner, especially when it comes to critical pieces of our country's infrastructure.
Kevin Blanchard national security, research
The Washington Post is running a story about hackers targeting U.S. power grids. When it comes to my own beliefs about security in the news, any news is good news. Not that weak security in critical systems is a “good thing,” but these kinds of stories help to raise public understanding and to put a little fire under the feet of the people implementing security policies for these places, which in my mind is a good thing.
I will start by discussing what I like about these types of articles. For too many years, security has been put on the back burner. Unless you are a company that offers security services, many companies have difficulties justifying the costs involved in properly securing their systems and training employees on updated security policies. In the past, trying to explain money spent on “potential security issues” to the accountants and people who signed off on budgets in large companies was an uphill battle, if not a brick wall. In recent years an increasing number of non-security personnel have become aware of the importance of security. The costs of recovering from a “security incident” generally are much higher than the initial cost to prevent such incidents from happening in the first place. I like articles like this because they increase awareness of such issues even more. Any time a company gets hacked, or a new worm makes its rounds, people take notice. I am hoping in the future it won’t always take the “penny in a light socket” approach for a company to change its ways. I’d like to see a more proactive method used to focus on keeping hackers out BEFORE you find your confidential company info on some website alongside Paris Hilton’s recent cell phone pictures.
Awareness is step one. In the US, we have been making a slow climb towards awareness that everyone is at risk. Whether it is your grandma’s PC being used as a zombie in a DoS attack or a high profile credit card company, everyone needs to be aware that they are at risk. That said, we move into phase 2, the attackers. Now that CEOs understand they need to beef up security, the next question is “who” is trying to hack us? This leads into the problem I had with these types of articles. Since 9/11, “terrorism” has been used as the primary “scare tactic”/cheerleader in pushing security agendas. As I said earlier, I strongly agree with any plan [as long as it's the truth] that encourages companies to take a second look at their security and make sure it is not being neglected. The problem with pushing the terrorism angle over and over is that they do not represent the total threat. My concern with focusing too much on one security “enemy” is that you can easily forget about the others. Organized crime syndicates, intelligent bored 16-year-old kids in China hacking sites from their parents' basement, and even new high tech gangs provide as much [and some would argue more] threat to security in the US. I am not downplaying the threat of cyber terrorism by any means. I do feel that if we focus too much on it, we are not preparing ourselves for the full range of targets approaching and the tactics they will be using. As we reach a new dawn of understanding in the US about security we need to further the education and take a good look at ALL threats to security and not just focus on terrorists. Sometimes the biggest threats come from within your own country. Let’s hope companies in the US don’t require a Julius Caesar-like event to realize this.
Kevin Blanchard hackers, national security