Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Intelligent Machines

Old-Fashioned Control Systems Make U.S. Power Grids, Water Plants a Hacking Target

Critical infrastructure is at risk of a cyberattack because of systems that haven’t kept pace with Internet threats.

U.S. defense secretary Leon Panetta warned this week that successful attacks have been made on computer control systems of American electricity and water plants and transportation systems. Panetta didn’t give details about those incidents, but he said they showed that foreign nations or extremist groups could use such tactics to derail trains or shut down power grids. Computer-security experts say those claims are plausible—even if the scenario is not necessarily likely to happen—because of the outdated technology used to operate critical infrastructure.

“Power and water systems have had an entirely different mindset [than] the IT industry,” says Chris Blask, founder and CEO of ICS Cybersecurity, a company that helps infrastructure companies secure their systems. “Stability and reliability are more important than anything—you have to keep the lights on.” That means that while homes and businesses embraced the Internet in the 1990s, and learned to deal with security threats that change rapidly, the operators of power grids and water plants just kept using the same software that had always worked.

Applying software updates was frowned on, leaving vulnerabilities unpatched. And those unpatched systems are not always isolated from the Internet, says Blask. The reason: companies, contractors, and employees have pushed for remote access to their control systems for reasons of convenience and efficiency. “It could be a power engineer who wants to manage a substation without driving through the snow,” says Roy Campbell, who researches the security of critical-infrastructure systems at the University of Illinois at Urbana-Champaign.

Attacks could take many different forms, says Campbell. Some might simply shut down systems, while others can cause physical and sometimes irreversible damage. In 2007 the Department of Homeland Security released a video apparently demonstrating how a power-generating turbine self-destructed in an exercise that illustrated what an attacker could do after gaining access to a control system.

In the case of the power grid, some vulnerabilities arise from the way that different components locally, regionally, and nationally are linked up, says Campbell. For example, the pattern of connections between different parts of the grid can create weak spots that would make it relatively easy for a hacker to bring down a wide area, perhaps for some time. “If you can isolate a power station, for example, it can be difficult to turn it back on because you need power to do that,” says Campbell.

Work to patch up the vulnerabilities in control software and the computer networks around them has been under way for some years now, even before the discovery of the Stuxnet worm designed to target Iranian industrial control systems in 2010, says Campbell. “The major companies are backfilling very rapidly,” he says. But closing every weak point in a complex mix of control software and infrastructure companies’ computer networks is challenging.

One bright spot is that infrastructure-control systems are in some ways less complex than business or home computers, says Blask. “The advantage we have in this area over IT is that industrial networks are relatively static,” he says. “New applications and devices don’t crop up very frequently, so anything else that happens should stand out.”

Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Premium.
  • Insider Premium {! insider.prices.premium !}*

    {! insider.display.menuOptionsLabel !}

    Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

    See details+

    What's Included

    Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

    First Look: exclusive early access to important stories, before they’re available to anyone else

    Insider Conversations: listen in on in-depth calls between our editors and today’s thought leaders

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.