Cyberterrorists don't care about your PC

COMMENTARY--Hackers have broken into financial institutions' computer systems, and put popular Web sites temporarily out of business with distributed denial-of-service attacks. But this is not the sort of thing that keeps most security experts up late at night.

What keeps them awake is worrying about the underlying systems that control the local power grids, the local drinking water treatment facilities, and the gas that's used to heat our homes. These resources are vulnerable, and a malicious user anywhere in the world could someday bring your day to a screaming halt--whether or not you use a computer.

Currently, power grids, dams, and other industrial facilities are monitored by Supervisory Control and Data Acquisition (SCADA) systems; approximately three million of these exist throughout the world. Based on telemetry and simple data acquisition, they give scant regard to security, often lacking the memory and bandwidth for sophisticated password or authentication systems. SCADA typically runs on DOS, VMS, and Unix platforms, although vendors are now shipping Windows NT and Linux versions, as well.

ARE SCADA SYSTEMS vulnerable? "Without question," said Stuart McClure, president and CTO of security company Foundstone. He said many utility companies that control water and energy supplies use standard operating systems, such as Windows and Solaris, to run their Web sites. A malicious user could exploit known vulnerabilities in those OSes to hack into the utility's server, and then gain access to an unprotected SCADA system within its network.

And why do security pros suspect SCADA systems are being targeted? The government has captured laptops and desktops from Al Qaeda members that contain structural schematics for dams and nuclear power plants obtained from the Internet, as well as sophisticated modeling software such as AutoCAD 2000. The idea, it seems, is not to physically destroy these facilities--that would require someone going there--but to mess up their daily operations.

For example, by jamming a wireless SCADA system, a hacker could cause a nuclear power plant to go offline at the wrong time, or a dam to suddenly release millions of gallons of water, or a deformity to be introduced into an industrial process that might weaken the final product--and go unnoticed for years. The effects could be minor or catastrophic. Bottom line: It could undermine faith in some of the nation's core infrastructures.

THERE IS PRECEDENT for this sort of attack. In May of 2001, someone tried to hack into

the CAL-Independent System Operator (ISO) site, the nonprofit corporation that controls the distribution of 75 percent of the state's power. While the attacker's motives remain unclear, the attacks came when California was in the midst of an energy crisis, when cities across the state were experiencing rolling blackouts every day. If someone had tricked the CAL-ISO folks into thinking less energy was available than really existed, it may have led to unnecessary blackouts for hospitals, care facilities, and fire and police stations (which are all officially exempt from the planned rolling blackouts).

Security experts have known about vulnerabilities within SCADA systems for some time. Last October, the Association of Metropolitan Water Agencies testified before the House Subcommittee on Water Resources and Environment regarding such flaws. Even earlier, disclosures from within the gas and electrical industries show some awareness of the potential problems ahead.

But these industries aren't doing much to plug the security holes. "They've fallen into the regulation trap," said McClure. "Unless the government regulates it, they're not yet taking [security] seriously." Fortunately, McClure thinks the government is  taking potential hack attacks seriously. He points out that Richard Clarke, adviser to the president on cybersecurity matters, and Howard Schmidt, vice chairman of the President's Critical Infrastructure Protection Board, both worked in the security industry before joining the government.

HOW LIKELY WOULD IT BE for someone to disrupt our electrical grid or water treatment facilities using SCADA? McClure said it's realistic, though it would be difficult to pull off. "On a 1-10 scale, it would be a 4 or 5 in simplicity," he said.

Ultimately, McClure and other security experts would like to see the government, as well as the gas and electrical industries, ferret out the underlying SCADA problems--not just patch them. McClure thinks the SCADA problem is as serious as Y2K.

Some industries, such as finance and health, are already governed by legislation that forces them to address inherent security vulnerabilities. Maybe it's time to legislate water, energy, and other critical infrastructures--before we find ourselves in the dark.

Do you agree that gas, water, and power are the most vulnerable--and likely--targets for hackers or terrorists? Do you think they will be disrupted? TalkBack to me below.