U.S. Critical Infrastructure in Serious Jeopardy

Our electrical service, transportation, refineries and drinking water are at serious risk from very simple hacker attacks.

By Sandy Kendall

May 04, 2007 | CSO

Editor’s Note: Materials in this article are taken from Aaron Turner’s Congressional testimony given before the Homeland Security subcommittee.

By Aaron Turner, Idaho National Labs

Today, we find ourselves at a crossroads, where millions of infrastructure components are connected to networks, allowing hackers access to systems that were never designed to be exposed to network attacks.

While recent cybersecurity incidents, such as theft of personal information, denial-of-service attacks and large-scale system compromises, have impacted the Internet and connected computing systems, it needs to be emphasized that there has not yet been a widespread focus by hackers on the control systems that underlie our nation’s infrastructure. Currently, vendors, asset owners, incident responders and information security experts do not fully appreciate the potential threat that exists to our infrastructure due to the risks created by vulnerabilities in control system technologies. The pervasive use of technology, drive to ubiquitous connectivity and reduction in human oversight in control systems have introduced critical vulnerabilities in our infrastructure. The electricity we depend on, the water we drink, the petroleum we use to get from place to place, and financial systems we use for trade are all at some risk of being targeted and compromised.

The Departments of Energy and Homeland Security have funded 12 separate control system security reviews, during which Idaho National Labs (INL) experts have found that all of the evaluated systems suffer from high-impact security vulnerabilities that could be exploited by a low-skill-level attacker, using techniques that do not require physical access to systems. In reviewing the design and implementation of these control systems, the INL team discovered that in currently deployed systems, enhanced security controls cannot easily be implemented while still assuring basic system functionality.

With computer attackers constantly looking for new targets, they will follow the path of least resistance, which could lead them to the control systems that underlie our infrastructure. Information security experts, such as Alan Paller of the SANS Institute, agree that without implementing risk mitigations, control systems will continue to be vulnerable. Based on historical examples of cybersecurity incidents in other technology domains, the corrections will most likely begin with small-scale incidents focused on economic gain, followed by the release of publicly available vulnerability discovery tools, and then transition to large-scale incidents designed to reduce confidence in the infrastructure systems themselves.

As was reported by a government analyst in 2006 at a discussion in Williamsburg, Va., criminal extortion schemes have already occurred, where attackers have exploited control system vulnerabilities for economic gain. In December 2006, an automated control system vulnerability scanner was released, allowing individuals with relatively little experience in control systems to quickly identify vulnerabilities. Following past correction trends, we may be on the path toward widespread vulnerability and exploitation.
