In the news: threats to industrial control systems

Public discussion focuses on security vulnerabilities

Phil Carson | Jun 06, 2012


It was weird—and disconcerting—to see the front page of The Washington Post the other day devoted to cyber security and the vulnerabilities of industrial control systems. In a series of articles in the Post, much of the discussion around ICSs that we've provided in these pages was echoed and amplified.

Bottom line: They're connected. They're vulnerable. Utilities in the United States should harden their defenses and understand the nature of threats that are only likely to increase. 

In "Cyber Search Engine Shodan Exposes Industrial Control Systems to New Risks," reporter Robert O'Harrow Jr. described how a programmer developed a search engine named "Shodan" that finds and "exposes" online devices. The Shodan website's tagline is "Expose Online Devices: Webcams. Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP Phones." Wait, did that list mention power plants, along with iPhones and refrigerators? Yes.

Oh, and, here's a pop quiz: What's the most common ICS in the power industry? (Answer: SCADA, or supervisory control and data acquisition.) 

More from the Post on what the Shodan programmer found with his new toy: 

"Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.

"The rise of Shodan illuminates the rapid convergence of the real world and cyberspace, and the degree to which machines that millions of people depend on every day are becoming vulnerable to intrusion and digital sabotage."  

The difference between corporate IT networks and industrial control systems, and the resulting difference in what a successful hack can do, is crucial, as one ICS source told us about this time last year.

In "Cyber Security and Control Systems," Joe Weiss, principal at Applied Control Solutions, LLC, said, "IT systems don't kill people. Control system problems have killed people." 

(Weiss initiated the control system cyber security program at the Electric Power Research Institute in 2000 and wrote the book, Protecting Industrial Control Systems from Electronic Threats.)

That column explained: "According to Weiss, IT professionals don't understand ICS. Operations personnel may understand ICS, but not IT and its cyber security implications. That's one disconnect. Another: responsibility for the integrity of ICS at electric utilities tends to be splintered among various roles, in contrast to the chief information officer's clear mandate for IT cyber security, he said. Further, IT cyber incidents leave a forensics trail that can be reconstructed after the fact, while ICS incidents leave only physical evidence without a clear forensics trail.

"Historically, the overriding concerns of those developing industrial control systems were their usefulness, reliability, safety and cost, Weiss said. And the control system engineer's traditional role is to 'keep things running,' he added. Making ICSs remotely controlled via Ethernet over local area networks and their microprocessors updatable by this method led to their present vulnerabilities, he argued.

"Flexibility and security pull in opposite directions," Weiss told me.
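To make concrete both the Post's point about exposed control computers and Weiss's point about Ethernet-connected controllers, here is an added example, not code from the Post, from Shodan, or from the original column. It uses Modbus/TCP, one of the most common ICS protocols, as an illustration; the page does not say which protocols or probes Shodan actually uses, so that choice, the vendor and product strings, and the sample response bytes are all constructed here. The first builder is the kind of "Read Device Identification" query (function code 0x2B, MEI type 0x0E) that fingerprints a controller; the second is a "Write Single Coil" command (function code 0x05). Both share the same seven-byte MBAP header, which carries no credential or signature: anything that can reach TCP port 502 can issue either one, which is the flexibility-versus-security trade-off the column describes.

```python
"""Modbus/TCP framing: fingerprinting and command frames side by side (added example)."""
import struct
from dataclasses import dataclass

MODBUS_PROTOCOL_ID = 0
FC_WRITE_SINGLE_COIL = 0x05
FC_ENCAPSULATED_INTERFACE = 0x2B   # Read Device Identification is carried under this FC
MEI_READ_DEVICE_ID = 0x0E


def mbap(transaction_id: int, pdu: bytes, unit_id: int = 1) -> bytes:
    """Prepend the 7-byte MBAP header: transaction id, protocol id, length, unit id.
    Note what is absent: no client identity, no credential, no integrity check."""
    return struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def build_read_device_id(transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """Basic device identification request: FC 0x2B, MEI 0x0E, code 0x01, start object 0x00."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, 0x01, 0x00])
    return mbap(transaction_id, pdu, unit_id)


def build_write_single_coil(address: int, on: bool, transaction_id: int = 2, unit_id: int = 1) -> bytes:
    """Write Single Coil: FC 0x05, 16-bit output address, 0xFF00 = on, 0x0000 = off."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, 0xFF00 if on else 0x0000)
    return mbap(transaction_id, pdu, unit_id)


def _split_frame(frame: bytes) -> bytes:
    """Validate the MBAP header and return the PDU; raise on truncation or exception replies."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, pid, length, _unit = struct.unpack(">HHHB", frame[:7])
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError("protocol id is not Modbus")
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated frame")
    if pdu[0] & 0x80:  # exception response: function code with high bit set, then exception code
        raise ValueError(f"Modbus exception code 0x{pdu[1]:02x}")
    return pdu


@dataclass
class DeviceIdentity:
    vendor: str
    product_code: str
    revision: str


def parse_read_device_id_response(frame: bytes) -> DeviceIdentity:
    """Parse a basic Read Device Identification reply (objects 0x00 vendor, 0x01 product, 0x02 revision)."""
    pdu = _split_frame(frame)
    if pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification reply")
    # pdu[2]=ReadDevId code, pdu[3]=conformity level, pdu[4]=more follows,
    # pdu[5]=next object id, pdu[6]=object count, then (id, len, value) triples
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated identification object")
        objects[obj_id] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return DeviceIdentity(objects.get(0, ""), objects.get(1, ""), objects.get(2, ""))


def parse_write_single_coil(frame: bytes) -> tuple[int, bool]:
    """Decode a coil write (request or its echoed response); a monitor can alert on unexpected sources."""
    pdu = _split_frame(frame)
    if pdu[0] != FC_WRITE_SINGLE_COIL or len(pdu) != 5:
        raise ValueError("not a Write Single Coil frame")
    _fc, address, value = struct.unpack(">BHH", pdu)
    return address, value == 0xFF00


def build_sample_device_id_response() -> bytes:
    """Constructed reply, not captured from any real device; vendor strings are hypothetical."""
    objs = {0x00: b"ExampleCo", 0x01: b"PLC-1000", 0x02: b"v2.1"}
    body = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, len(objs)])
    for oid, val in objs.items():
        body += bytes([oid, len(val)]) + val
    return mbap(1, body, 1)


if __name__ == "__main__":
    print("probe   :", build_read_device_id().hex())
    print("identity:", parse_read_device_id_response(build_sample_device_id_response()))
    print("coil cmd:", build_write_single_coil(7, True).hex())
```

The practical use for a utility is the inventory check: run the identification probe only against address ranges you own, and treat any answer from the public internet as a finding to be fixed by removing the device from direct exposure rather than by hoping it is not indexed. The coil parser is the defensive half: the same lack of authentication that makes the write trivial also makes it trivial to decode on the wire, so a network monitor on the control segment can flag coil writes that do not come from the HMI.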

Those are the stakes and that's an abridged history of concerns around ICSs. So, what do we know about the nature or number of actual attacks? The Post report said that 120 "incident reports" from October 2011 to April 2012—a six-month period—equaled the number for all of 2011. That is, the number of documented incidents is rising, though incident reports are not the same thing as attacks, and the count understates the problem: as the Post noted, "companies are under no obligation to report such intrusions to authorities."

So while the threat seems real and Stuxnet, Duqu and Flame have been cited as proof points to underscore that threat, the situation remains maddeningly vague. Reporting incidents is not required. Many known cyber programs implanted in the U.S. grid by foreign powers only monitor our grid and do not disrupt it. No intentional, catastrophic breaches have occurred in this country so far. 

A skeptic might ask—and folks tell me that utility executives are among the skeptics—if ICSs are so vulnerable, then where's the example of a successful disruption? 

Ah, that's where Stuxnet and Duqu and now Flame come in. We documented the approach taken by Stuxnet and its still-unknown sponsors to Iran's nuclear centrifuges in "Stuxnet's Lessons Learned." That was followed by "Duqu Reminds Utilities of Unfinished Cyber Work." And now comes "Flame," the focus of a news article last week, "Cyberattacks on Iran - Stuxnet and Flame," in The New York Times. A related discussion panel among international cyber security practitioners debated whether the U.S.—the most capable of launching such attacks—was also the most vulnerable to similar strategies by its enemies.

No doubt much work is taking place behind the scenes. Perhaps solutions are being developed in secret while vulnerabilities are trumpeted publicly, leading to a skewed sense of the actual risks and management thereof.  

On the other hand, if skeptical utility executives really are waiting for a major domestic incident as a proof point before taking action, we're in for quite a ride. 

More background is available in these articles:

"SCADA Vulnerabilities, Redux?"

"Cyber Expertise Lacking?"

"Security, Part II: Control Systems and IT Systems"

Phil Carson 
Intelligent Utility Daily


This News Is Not Really New To The Industry

In my early career days within utilities, the issue of homeland security and other federal agencies monitoring the grid infrastructure had long been a widely whispered rumor among utility personnel. I'm one of those people who say it is definitely real and most of it is good for America. Most major US utilities have been locking down their systems since the '80s or before. Our military's and intelligence agencies' daily use of the internet has revealed many advantages as well as vulnerabilities of the technologies. Many of the public protection systems available today are products of lessons learned from internet usage by our military and intelligence agencies.


For those coming from outside the utility industry, this newly revealed public information might seem to be very disturbing. For those of us who have been deep inside utilities, the often-received vendor complaints about the silence and difficulty in extracting information from key sources in the utility are usually an indication of how much emphasis most utilities put on their responsibility to safeguard this information.


A real issue we should be concerned about is global companies with headquarters and leadership outside of the US which are actively purchasing US utilities and utility holding companies. Most security breakdowns occur because of the employees within the company. Global corporations doing mergers and acquisitions of US companies gain instant access to sensitive information.


Richard G. Pate

Pate & Associates, Principal


Follow us on Twitter: @pateassociates

Connect with Us on LinkedIn: Richard G. Pate