By Joab Jackson
NEW ORLEANS -- Weak security on infrastructure control systems may
eventually put the country at risk for a coordinated attack on
utilities, warned Jerry Dixon, former acting director of the Homeland
Security Department's National Cyber Security Division.
Dixon, who now is director of analysis of Internet security consulting
firm Team Cymru, spoke yesterday at the SANS Security 2008 conference,
being held this week in New Orleans.
Those who saw the movie Live Free or Die Hard might remember the concept
of the "Fire Sale," a fictional coordinated plan by evil-doers to shut
down the critical infrastructure by attacking its computer systems.
While the Hollywood depiction was sensationalized, the basic plan of
attack could be feasible, at least given the present state of security
on today's utility control systems, Dixon said.
The action movie contained more than a few similarities to DHS' Cyber
Storm, a public exercise held in 2006 that simulated attacks on the
critical infrastructure. DHS picked up a number of important lessons
from that exercise, Dixon said.
One particular concern Dixon pointed out is the control systems of
utility company substations. Since many are located in remote locales,
they are often controlled by dial-in modems, and their systems have
outdated or nonexistent security and authentication technologies. Those
that are on a network of some sort may be sharing their equipment with
other less-sensitive systems and, hence, vulnerable to a crossover
attack. Worse, comparatively little logging goes on with control
systems. So when a failure happens, it is sometimes hard to determine if
it came about due to attack or to misconfiguration.
There are a number of other areas of concern as well, he pointed out.
Control system management software tends to be poorly designed and
filled with points of vulnerability. Machines may be running older,
unpatched software, a problem that only grows more severe as time passes
as organizations don't have the money to update to newer, more secure
versions. Also troubling is that organizations may only have fuzzy
conceptions of how large their network is, or what outside parties they
are connecting with to conduct business.
Dixon pointed to an infrastructure vulnerability found last fall by the
Energy Department's Idaho National Laboratory, in research work funded
by DHS. The work demonstrated how a megawatt generator could be broken
from afar by calling into the substation system and executing a number
of malicious commands to alter the workflow logic of the generator. Such
an attack may require, in addition to the right phone number to dial
into, expertise in electrical engineering and network security, two
different yet fairly common skill sets, one industry observer noted.
"Average hacking skills" could "cause some significant problems," Dixon
Dixon also pointed to other recently publicized attacks on the
infrastructure, such as a 2006 internal computer attack that took out
traffic lights at four intersections in Los Angeles, and an event that
took place earlier this month when a teenager diverted Polish tram
trains from their normal routes by way of a computer hack.
A member of the audience asked Dixon why we haven't experienced a
widescale attack yet. "We've been lucky," he responded. "If the bad guys
were to get better organized, we'd have some serious challenges."