
Are utilities too well connected?


On Saturday the Washington Post reported on the CIA's divulgence of information relating to cyber attacks on utility companies (electricity, oil, gas and water) outside of the US. The CIA's comments were obviously meant to alert service providers to an increasingly serious threat that in at least one case has led to a power outage blacking out multiple cities. At a New Orleans security conference for utility firms, Tom Donahue, the CIA's top Cyber-Security analyst, told an audience of over 300 government officials, engineers and security specialists: "We do not know who executed these attacks or why, but all involved intrusions through the Internet." It's suspected that inside information may have been involved in many of the known cases, although there's no evidence to back that up at present.

Ralph Logan, principal of Cyber-Security firm the Logan Group, explained that over the past year to 18 months there has been "a huge increase in focused attacks on our national infrastructure networks . . . coming from outside the United States." It's important to remember that probing and attacks from outside of the US don't necessarily indicate terrorist activity--in fact there are many groups who would value the ability to disrupt utilities, including foreign governments and organised criminals whose target would be extortion.

Poor security practice and the rapid increase in remote control and monitoring systems have left utility firms exposed. Power sub-stations, dams and pipelines can all see running costs reduced substantially and reliability increased through the use of remote control and monitoring; however, it seems that the additional exposure and vulnerabilities introduced could offset those benefits.

I have to wonder why anybody in their right mind would connect an essential control system to the Internet in any way, shape or form. Cost reduction comes to mind as one obvious answer: using the Internet could significantly reduce communications costs when compared to proprietary point-to-point networks. But aren't those savings offset by the risk of massive disruption should those control systems be compromised?

5 comments
Michael Kassner

I find the comments rather alarmist. I do not feel that using probes and attacks in the same sentence is conducive to any logical conclusion, especially without any proof of compromise in the US. Any of the hundreds of IDS systems I have set up will record multiple probes on a daily basis, yet this fact has no real significance unless an actual penetration has occurred.

seanferd

I often wonder why sensitive networks are so bloody well connected to the public Internet. As to this bit where the Prez wants more cash to study or bolster security for government and industry networks, I can't understand why they don't just remove the connections to the sensitive materials, and secure their own systems. They aren't in the old Arpanet anymore, Toto. I haven't looked yet, but I'm betting that a lot of the info the CIA says it cannot divulge is accessible in foreign media. I'm too lazy to check right now, and must leave the comfort of my computer to work elsewhere.

Justin Fielding

If a device is so sensitive that interference could mean losing power to an entire city, or, even worse, could put people in direct danger, then physically secure it and, secondly, do not connect it to a network--especially not a publicly accessible one. Simple really!

jmgarvin

How much do you miss? How many false negatives? How many things get through? Sure, setting up an IDS is great, but sometimes we'll never know we've been penetrated. A prime example is the USB drive in the parking lot trick. All it takes is one to be plugged in...

Michael Kassner

I agree and in reality I should have defined what I consider a probe and an actual penetration.
