U.S. defense secretary Leon Panetta warned this week that successful attacks have been made on computer control systems of American electricity and water plants and transportation systems. Panetta didn’t give details about those incidents, but he said they showed that foreign nations or extremist groups could use such tactics to derail trains or shut down power grids. Computer-security experts say those claims are plausible—even if the scenario is not necessarily likely to happen—because of the outdated technology used to operate critical infrastructure.
“Power and water systems have had an entirely different mindset [than] the IT industry,” says Chris Blask, founder and CEO of ICS Cybersecurity, a company that helps infrastructure companies secure their systems. “Stability and reliability are more important than anything—you have to keep the lights on.” That means that while homes and businesses embraced the Internet in the 1990s, and learned to deal with security threats that change rapidly, the operators of power grids and water plants just kept using the same software that had always worked.
Applying software updates was frowned on, leaving vulnerabilities unpatched. And those unpatched systems are not always isolated from the Internet, says Blask. The reason: companies, contractors, and employees have pushed for remote access to their control systems for reasons of convenience and efficiency. “It could be a power engineer who wants to manage a substation without driving through the snow,” says Roy Campbell, who researches the security of critical-infrastructure systems at the University of Illinois at Urbana-Champaign.
Attacks could take many different forms, says Campbell. Some might simply shut down systems, while others can cause physical and sometimes irreversible damage. In 2007 the Department of Homeland Security released a video apparently demonstrating how a power-generating turbine self-destructed in an exercise that illustrated what an attacker could do after gaining access to a control system.
In the case of the power grid, some vulnerabilities arise from the way that different components locally, regionally, and nationally are linked up, says Campbell. For example, the pattern of connections between different parts of the grid can create weak spots that would make it relatively easy for a hacker to bring down a wide area, perhaps for some time. “If you can isolate a power station, for example, it can be difficult to turn it back on because you need power to do that,” says Campbell.
Work to patch up the vulnerabilities in control software and the computer networks around them has been under way for some years now, even before the discovery of the Stuxnet worm designed to target Iranian industrial control systems in 2010, says Campbell. “The major companies are backfilling very rapidly,” he says. But closing every weak point in a complex mix of control software and infrastructure companies’ computer networks is challenging.
One bright spot is that infrastructure-control systems are in some ways less complex than business or home computers, says Blask. “The advantage we have in this area over IT is that industrial networks are relatively static,” he says. “New applications and devices don’t crop up very frequently, so anything else that happens should stand out.”
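The observation that a static industrial network makes anything new stand out is, in practice, an allowlist-style baseline check. The following is an added example, not code from the article or from either of the people quoted in it: it learns which hosts, listening services and host-to-host conversations exist during a vetted learning period and then flags any flow that introduces a new host, a new service on a known host, or a new conversation between known hosts. The flow records, IP addresses, the Modbus/TCP port 502 and the HMI/PLC/historian roles are all constructed for illustration.

```python
"""Baseline-and-deviation detection for a static industrial network.

Added example (not from the article or its interviewees). All addresses,
roles and flow records below are constructed; field names and the use of
Modbus/TCP on port 502 are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised network flow (who talked to whom, on which service)."""
    src: str
    dst: str
    dport: int
    proto: str


# Constructed learning period: on a small plant network an HMI polls two PLCs
# over Modbus/TCP (port 502) and a historian reads the HMI's database.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.21", 502, "tcp"),   # HMI -> PLC-1, Modbus
    Flow("10.0.1.10", "10.0.1.22", 502, "tcp"),   # HMI -> PLC-2, Modbus
    Flow("10.0.1.50", "10.0.1.10", 1433, "tcp"),  # historian -> HMI, SQL
]

# Constructed observation window to be checked against that baseline.
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.1.21", 502, "tcp"),   # expected
    Flow("10.0.1.10", "10.0.1.22", 502, "tcp"),   # expected
    Flow("10.0.1.99", "10.0.1.21", 502, "tcp"),   # never-seen host talking Modbus to PLC-1
    Flow("10.0.1.50", "10.0.1.22", 502, "tcp"),   # historian talking Modbus to PLC-2 directly
    Flow("10.0.1.10", "10.0.1.21", 22, "tcp"),    # HMI opening SSH to PLC-1
]


class StaticNetworkBaseline:
    """Allowlist of hosts, services and conversations learned from clean traffic."""

    def __init__(self, flows):
        self.hosts = set()          # every address seen as source or destination
        self.services = set()       # (dst, dport, proto): something listened there
        self.conversations = set()  # (src, dst, dport, proto): that pair talked
        for f in flows:
            self.learn(f)

    def learn(self, f):
        self.hosts.update((f.src, f.dst))
        self.services.add((f.dst, f.dport, f.proto))
        self.conversations.add((f.src, f.dst, f.dport, f.proto))

    def check(self, f):
        """Return (kind, detail) deviations for one flow; empty if it matches the baseline.

        A new host is reported on its own: the conversation and service it
        implies are necessarily new too, so repeating them adds no signal.
        """
        new_hosts = [h for h in (f.src, f.dst) if h not in self.hosts]
        if new_hosts:
            return [("new-host", h) for h in new_hosts]
        if (f.dst, f.dport, f.proto) not in self.services:
            return [("new-service", f"{f.dst}:{f.dport}/{f.proto}")]
        if (f.src, f.dst, f.dport, f.proto) not in self.conversations:
            return [("new-conversation", f"{f.src}->{f.dst}:{f.dport}/{f.proto}")]
        return []


def detect(baseline_flows, observed_flows):
    """Build a baseline from the learning period and report every deviation in order."""
    baseline = StaticNetworkBaseline(baseline_flows)
    findings = []
    for f in observed_flows:
        findings.extend(baseline.check(f))
    return findings


if __name__ == "__main__":
    for kind, detail in detect(BASELINE_FLOWS, OBSERVED_FLOWS):
        print(f"{kind:17s} {detail}")
```

Two caveats a practitioner would add. The learning period has to be vetted before the baseline is frozen: if an intruder or an unapproved remote-access path is already present, it is learned as normal. And the rare legitimate events on a plant network (vendor maintenance, engineering-workstation downloads to a PLC) will fire these alerts too, which is the intended behaviour; they should be reconciled against change records rather than silenced by widening the allowlist.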