Forget the risks to company databases; critical infrastructure is more vulnerable to cyber attacks.
“What you gonna write about?” my wife Beth asked as we sat on the couch watching a David Bowie concert on A&E.
“Al Qaeda’s intentions to attack our nation’s critical infrastructure via the Internet,” I replied.
“Does the Pottery Barn’s Web site have an al Qaeda operative?” she asked with a smirk. “You would not believe how slow it loads.” She had spent the better part of a day waiting for Web sites to load as she searched for furniture for the bedroom I’m remodeling. Hence the joke.
Though her question seemed flip in comparison to the seriousness of this column, it does illustrate an important point. Almost all press coverage to date related to Internet security talks about e-business infrastructure: How to protect vital company data and infrastructure from hackers; how to protect customers from various kinds of collateral damage; how to protect brands and other intellectual property from theft and defacement. Most hacking is carried out on this stage using well-known tools to attack well-known architectures. Most news items related to hacking are variations on these themes.
The most vulnerable e-business architecture — the Windows NT family — is far less vulnerable to cyber attack than North America’s critical infrastructure. I’m talking about the power grid, the pipeline grid, the telephone grid, the nation’s dams, and the like. One of the most underreported aspects of the Internet is how extensively it’s used for remote control of these systems. Going back to the ARPANet, energy companies have used the convenience of the Internet to plug into pipeline valves, switching stations, transformers, and other embedded systems. Rather than needing to send hundreds of technicians out into the field to perform diagnostics and change system settings, one technician can check on these systems simply by dialing up and typing in IP addresses. It’s a really easy way for energy companies to increase productivity.
The problem is, none of the roughly 3 million so-called SCADA systems that control this infrastructure are protected with firewalls or other defense mechanisms, as the Washington Post reported on Thursday. Recent discoveries on al Qaeda laptops in Afghanistan, confirmed in interrogations at Guantanamo Bay, show fairly advanced planning to exploit this key vulnerability. You think Y2K was scary? At least we knew that these embedded systems needed updating before a specific date. (In reality, many of them were simply updated via the Internet after the fact. Doomsday prognosticators were ignorant of how easy it is for this stuff to be controlled via the Internet.) The very thing that made Y2K a non-issue makes it a huge issue when it comes to al Qaeda. In this case, we only know of the threat; we don’t know when or where it will be carried out.
Key White House officials such as Tom Ridge have urged private companies that control critical infrastructure to update their systems. Thus far, few are listening. And they are loath to release information about these systems to the government, ironically because of security concerns. They are more confident in their own people than they are in government operatives when it comes to information on key systems. Those that are cooperating say it is almost impossible to add a layer of security to 3 million SCADAs in a reasonable amount of time. And there are technical reasons why they didn’t add security in the first place: security would mess up the timing in the programs. They suggest building a private network that runs parallel to the Internet to control the continent’s critical infrastructure. That may improve things, but what if someone hacks into the private network? One gateway is not nearly as secure as 3 million.
What can we do about this problem? Contact your legislators. We need to bring this problem out into the open and force energy and telecom companies to secure their systems before it is too late.
James Mathewson is editor of ComputerUser magazine and ComputerUser.com.