
MIT Technology Review

 


U.S. defense secretary Leon Panetta warned this week that successful attacks have been made on computer control systems of American electricity and water plants and transportation systems. Panetta didn’t give details about those incidents, but he said they showed that foreign nations or extremist groups could use such tactics to derail trains or shut down power grids. Computer-security experts say those claims are plausible—even if the scenario is not necessarily likely to happen—because of the outdated technology used to operate critical infrastructure.

“Power and water systems have had an entirely different mindset [than] the IT industry,” says Chris Blask, founder and CEO of ICS Cybersecurity, a company that helps infrastructure companies secure their systems. “Stability and reliability are more important than anything—you have to keep the lights on.” That means that while homes and businesses embraced the Internet in the 1990s, and learned to deal with security threats that change rapidly, the operators of power grids and water plants just kept using the same software that had always worked.

Applying software updates was frowned on, leaving vulnerabilities unpatched. And those unpatched systems are not always isolated from the Internet, says Blask. The reason: companies, contractors, and employees have pushed for remote access to their control systems for reasons of convenience and efficiency. “It could be a power engineer who wants to manage a substation without driving through the snow,” says Roy Campbell, who researches the security of critical-infrastructure systems at the University of Illinois at Urbana-Champaign.

Attacks could take many different forms, says Campbell. Some might simply shut down systems, while others can cause physical and sometimes irreversible damage. In 2007 the Department of Homeland Security released a video apparently demonstrating how a power-generating turbine self-destructed in an exercise that illustrated what an attacker could do after gaining access to a control system.

In the case of the power grid, some vulnerabilities arise from the way that different components locally, regionally, and nationally are linked up, says Campbell. For example, the pattern of connections between different parts of the grid can create weak spots that would make it relatively easy for a hacker to bring down a wide area, perhaps for some time. “If you can isolate a power station, for example, it can be difficult to turn it back on because you need power to do that,” says Campbell.

Work to patch up the vulnerabilities in control software and the computer networks around them has been under way for some years now, even before the discovery of the Stuxnet worm designed to target Iranian industrial control systems in 2010, says Campbell. “The major companies are backfilling very rapidly,” he says. But closing every weak point in a complex mix of control software and infrastructure companies’ computer networks is challenging.

One bright spot is that infrastructure-control systems are in some ways less complex than business or home computers, says Blask. “The advantage we have in this area over IT is that industrial networks are relatively static,” he says. “New applications and devices don’t crop up very frequently, so anything else that happens should stand out.”


Tagged: Computing, Web, hackers, hacking, cyber security, cyber warfare, defense
