Cyberterrorists don't care about your PC

[Dave Farber <dave () farber net>]

Cyberterrorists don't care about your PC
By Robert Vamosi
ZDNet Reviews
July 10, 2002     
 


Hackers have broken into financial institutions' computer systems, and put
popular Web sites temporarily out of business with distributed
denial-of-service attacks. But this is not the sort of thing that keeps most
security experts up late at night.

What keeps them awake is worrying about the underlying systems that control
the local power grids, the local drinking water treatment facilities, and
the gas that's used to heat our homes. These resources are vulnerable, and a
malicious user anywhere in the world could someday bring your day to a
screaming halt--whether or not you use a computer.


Currently, power grids, dams, and other industrial facilities are monitored
by Supervisory Control and Data Acquisition (SCADA) systems; approximately
three million of these exist throughout the world. Based on telemetry and
simple data acquisition, they give scant regard to security, often lacking
the memory and bandwidth for sophisticated password or authentication
systems. SCADA typically runs on DOS, VMS, and Unix platforms, although
vendors are now shipping Windows NT and Linux versions, as well.

ARE SCADA SYSTEMS vulnerable? "Without question," said Stuart McClure,
president and CTO of security company Foundstone. He said many utility
companies that control water and energy supplies use standard operating
systems, such as Windows and Solaris, to run their Web sites. A malicious
user could exploit known vulnerabilities in those OSes to hack into the
utility's server, and then gain access to an unprotected SCADA system within
its network. 

And why do security pros suspect SCADA systems are being targeted? The
government has captured laptops and desktops from Al Qaeda members that
contain structural schematics for dams and nuclear power plants obtained
from the Internet, as well as sophisticated modeling software such as
AutoCAD 2000. The idea, it seems, is not to physically destroy these
facilities--that would require someone going there--but to mess up their
daily operations. 

For example, by jamming a wireless SCADA system, a hacker could cause a
nuclear power plant to go offline at the wrong time, or a dam to suddenly
release millions of gallons of water, or a deformity to be introduced into
an industrial process that might weaken the final product--and go unnoticed
for years. The effects could be minor or catastrophic. Bottom line: It could
undermine faith in some of the nation's core infrastructures.

THERE IS PRECEDENT for this sort of attack. In May of 2001, someone tried to
hack into the CAL-Independent System Operator (ISO) site, the nonprofit
corporation that controls the distribution of 75 percent of the state's
power. While the attacker's motives remain unclear, the attacks came when
California was in the midst of an energy crisis, when cities across the
state were experiencing rolling blackouts every day. If someone had tricked
the CAL-ISO folks into thinking less energy was available than really
existed, it may have led to unnecessary blackouts for hospitals, care
facilities, and fire and police stations (which are all officially exempt
from the planned rolling blackouts).

Security experts have known about vulnerabilities within SCADA systems for
some time. Last October, the Association of Metropolitan Water Agencies
testified before the House Subcommittee on Water Resources and Environment
regarding such flaws. Even earlier, disclosures from within the gas and
electrical industries show some awareness of the potential problems ahead.

But these industries aren't doing much to plug the security holes. "They've
fallen into the regulation trap," said McClure. "Unless the government
regulates it, they're not yet taking <[security]> seriously." Fortunately,
McClure thinks the government is taking potential hack attacks seriously. He
points out that Richard Clarke, adviser to the president on cybersecurity
matters, and Howard Schmidt, vice chairman of the President's Critical
Infrastructure Protection Board, both worked in the security industry before
joining the government.

HOW LIKELY WOULD IT BE for someone to disrupt our electrical grid or water
treatment facilities using SCADA? McClure said it's realistic, though it
would be difficult to pull off. "On a 1-10 scale, it would be a 4 or 5 in
simplicity," he said.

Ultimately, McClure and other security experts would like to see the
government, as well as the gas and electrical industries, ferret out the
underlying SCADA problems--not just patch them. McClure thinks the SCADA
problem is as serious as Y2K.

Some industries, such as finance and health, are already governed by
legislation that forces them to address inherent security vulnerabilities.
Maybe it's time to legislate water, energy, and other critical
infrastructures--before we find ourselves in the dark. 

-------------------------------------
You are subscribed as interesting-people () lists elistx com
Archives at: http://www.interesting-people.org/archives/interesting-people/