Cyberterrorists don't care about your PC
What keeps them awake is worrying about the underlying systems that control the local power grids, the local drinking water treatment facilities, and the gas that's used to heat our homes. These resources are vulnerable, and a malicious user anywhere in the world could someday bring your day to a screaming halt--whether or not you use a computer.
Currently, power grids, dams, and other industrial facilities are monitored by Supervisory Control and Data Acquisition (SCADA) systems; approximately three million of these exist throughout the world. Based on telemetry and simple data acquisition, they give scant regard to security, often lacking the memory and bandwidth for sophisticated password or authentication systems. SCADA typically runs on DOS, VMS, and Unix platforms, although vendors are now shipping Windows NT and Linux versions, as well.
ARE SCADA SYSTEMS vulnerable? "Without question," said Stuart McClure, president and CTO of security company Foundstone. He said many utility companies that control water and energy supplies use standard operating systems, such as Windows and Solaris, to run their Web sites. A malicious user could exploit known vulnerabilities in those OSes to hack into the utility's server, and then gain access to an unprotected SCADA system within its network.
THERE IS PRECEDENT for this sort of attack. In May of 2001, someone tried to hack into
the CAL-Independent System Operator (ISO) site, the nonprofit corporation that controls the distribution of 75 percent of the state's power. While the attacker's motives remain unclear, the attacks came when California was in the midst of an energy crisis, when cities across the state were experiencing rolling blackouts every day. If someone had tricked the CAL-ISO folks into thinking less energy was available than really existed, it may have led to unnecessary blackouts for hospitals, care facilities, and fire and police stations (which are all officially exempt from the planned rolling blackouts).Security experts have known about vulnerabilities within SCADA systems for some time. Last October, the Association of Metropolitan Water Agencies testified before the House Subcommittee on Water Resources and Environment regarding such flaws. Even earlier, disclosures from within the gas and electrical industries show some awareness of the potential problems ahead.
But these industries aren't doing much to plug the security holes. "They've fallen into the regulation trap," said McClure. "Unless the government regulates it, they're not yet taking [security] seriously." Fortunately, McClure thinks the government is taking potential hack attacks seriously. He points out that Richard Clarke, adviser to the president on cybersecurity matters, and Howard Schmidt, vice chairman of the President's Critical Infrastructure Protection Board, both worked in the security industry before joining the government.
HOW LIKELY WOULD IT BE for someone to disrupt our electrical grid or water treatment facilities using SCADA? McClure said it's realistic, though it would be difficult to pull off. "On a 1-10 scale, it would be a 4 or 5 in simplicity," he said.
Ultimately, McClure and other security experts would like to see the government, as well as the gas and electrical industries, ferret out the underlying SCADA problems--not just patch them. McClure thinks the SCADA problem is as serious as Y2K.
Some industries, such as finance and health, are already governed by legislation that forces them to address inherent security vulnerabilities. Maybe it's time to legislate water, energy, and other critical infrastructures--before we find ourselves in the dark.
Do you agree that gas, water, and power are the most vulnerable--and likely--targets for hackers or terrorists? Do you think they will be disrupted? TalkBack to me below.