The United States lacks appropriate security for infrastructure control systems, leaving the country vulnerable to a coordinated attack on utilities, a former high-level government official said yesterday, reports Government Computer News.
Jerry Dixon, the former acting director of the Homeland Security Department’s National Cyber Security Division, told the SANS Security 2008 conference in New Orleans that the security vulnerabilities are so glaring that someone with "[a]verage hacking skills could cause some significant problems."
A big concern for Dixon is the control systems of utility company substations. Frequently located in remote areas, the substations are controlled by archaic dial-in modems and do not have the proper security and authentication technologies. When integrated into a larger network, a control system is vulnerable to cross-over attacks from lesser systems it shares equipment with. And when the control system fails, it's often difficult to determine the cause because many stations don't keep up-to-date activity logs.
The problems don't end there, though.
Control system management software tends to be poorly designed and filled with points of vulnerability. Machines may be running older, unpatched software, a problem that only grows more severe over time because organizations don't have the money to update to newer, more secure versions. Also troubling is that organizations may have only fuzzy conceptions of how large their network is, or which outside parties they are connecting with to conduct business.
Why, according to Dixon, has the United States not experienced a significant attack? "We've been lucky. If the bad guys were to get better organized, we'd have some serious challenges."