On Saturday the Washington Post reported on the CIA's divulgence of information relating to cyber attacks on utility companies (electricity, oil, gas and water) outside of the US. The CIA's comments were obviously meant to alert service providers to an increasingly serious threat that in at least one case has led to a power outage blacking out multiple cities.At a New Orleans security conference for utility firms, Tom Donahue, the CIA's top Cyber-Security analyst told an audience of over 300 government officials, engineers and security specialists: "We do not know who executed these attacks or why, but all involved intrusions through the Internet," It's suspected that inside information may have been involved in many of the know cases although there's no evidence to back that up at present.
Ralph Logan, principle of Cyber-Security firm the Logan Group explained that over the past year to 18 months there has been "a huge increase in focused attacks on our national infrastructure networks . . . coming from outside the United States," It's important to remember that probing and attacks from outside of the US don't necessarily indicate terrorist activity—in fact there are many groups who would value the ability to disrupt utilities including foreign governments and organised criminals whose target would be extortion.
Poor security practice and the rapid increase in remote control and monitoring systems have left utility firms exposed. Power sub-stations, dams and pipelines can all see running costs reduced substantially and reliability increased through the use of remote control and monitoring, however it seems that the additional exposure and vulnerabilities introduced could offset those benefits.
I have to wonder why anybody in their right mind would connect an essential control system to the Internet in any way, shape or form. Obviously cost reduction comes to mind as one obvious answer-using the Internet could significantly reduce communications costs when compared to a proprietary point to point networks but aren't those savings offset by the risk of massive disruption should those control systems be compromised?