The industrial control systems (ICSs) that run the United States' critical infrastructure, such as electrical grids and nuclear plants, are woefully vulnerable to cyberthreats, whether intentional or unintentional, a nuclear engineer told a Senate committee yesterday.
“One should view current ICS cybersecurity as where mainstream IT security was fifteen years ago—it is in the formative stage and needs support to leapfrog the previous IT learning curve,” said Joseph M. Weiss, managing partner of Applied Control Solutions, a control systems security consultancy.
Although many incidents have not been publicly documented, Weiss told the Senate Committee on Commerce, Science, and Transportation that he has verified over 125 incidents involving ICSs, the best known of which are supervisory control and data acquisition (SCADA) systems.
“The impacts,” Weiss said, “whether intentional or unintentional, range from trivial to significant environmental discharges, serious equipment damage, and even death.”
In one case Weiss did not identify, a denial of service (DoS) attack shut down the computers controlling pumps at a nuclear plant, and the plant itself had to be shut down as a result.
In another incident, in Bellingham, West Virginia, in 1999, a pipeline ruptured and over 200,000 gallons of gasoline poured into a creek. The creek eventually ignited, killing three people and destroying $45 million worth of property. The National Transportation Safety Board investigation into the accident determined that the rupture occurred because of the SCADA system.
The current vulnerabilities began with the business decision to connect ICSs to other computer networks without considering the cybersecurity risks involved, Weiss said.
But traditional IT security practices cannot protect ICSs and may even damage them. This stems from a difference in design philosophy: ICSs were designed to be “idiot proof” because engineers feared system failure, not attackers, who are the main threat in the IT world.
“The purpose of enterprise security is to protect the data residing in the servers from attack,” Weiss said. “The purpose of ICS security is to protect the ability of the facility to safely and securely operate, regardless of what may befall the rest of the network.” But as the two worlds have converged, ICSs must now be impervious to cyberthreats and cyberattacks.
Weiss also expressed concern about the small but open culture surrounding ICSs. There is only a handful of ICS suppliers, which means that other countries use the same systems as the United States.
“The ICS systems provided internationally are the same systems provided in North America with the same architecture, same default vendor passwords, and same training,” he said. “Sales of electric industry SCADA/Energy Management Systems include the system source code, meaning that software used in North American SCADA systems is available worldwide,” including in areas hostile to the United States, such as China and the Middle East.
Add to this the non-U.S. companies that remotely control ICSs in the United States, and the willingness of ICS engineers to share information with anyone, and “this truly is a global issue,” Weiss said.
Although the potential for malicious attacks exists, most cyberincidents have resulted from “system interconnections or inappropriate policies or testing—not by mainstream IT cybervulnerabilities.” This means that critical infrastructure owners and operators need both IT security and ICS expertise to protect their assets, he said.
According to the U.S. Department of Homeland Security, 85 percent of U.S. critical infrastructure is privately owned and operated. Despite the clear and present threat to ICSs, many operators do not invest adequately in cybersecurity, experts say.
Because of the danger associated with a system failure, Weiss also told lawmakers that the industry must be regulated, but that regulation should come from a global nongovernmental organization with ICS expertise. Many infrastructure owners and operators fear the government will not protect critical commercial information.