[ISN] Cyberterrorists don't care about your PC

From: InfoSec News (isnat_private)
Date: Fri Jul 12 2002 - 06:06:47 PDT


    By Robert Vamosi 
    ZDNet Reviews
    July 10, 2002

    COMMENTARY -- Hackers have broken into financial institutions'
    computer systems, and put popular Web sites temporarily out of
    business with distributed denial-of-service attacks. But this is not
    the sort of thing that keeps most security experts up late at night.
    What keeps them awake is worrying about the underlying systems that
    control the local power grids, the local drinking water treatment
    facilities, and the gas that's used to heat our homes. These resources
    are vulnerable, and a malicious user anywhere in the world could
    someday bring your day to a screaming halt--whether or not you use a

    Currently, power grids, dams, and other industrial facilities are
    monitored by Supervisory Control and Data Acquisition (SCADA) systems;  
    approximately three million of these exist throughout the world. Based
    on telemetry and simple data acquisition, they give scant regard to
    security, often lacking the memory and bandwidth for sophisticated
    password or authentication systems. SCADA typically runs on DOS, VMS,
    and Unix platforms, although vendors are now shipping Windows NT and
    Linux versions, as well.

    ARE SCADA SYSTEMS vulnerable? "Without question," said Stuart McClure,
    president and CTO of security company Foundstone. He said many utility
    companies that control water and energy supplies use standard
    operating systems, such as Windows and Solaris, to run their Web
    sites. A malicious user could exploit known vulnerabilities in those
    OSes to hack into the utility's server, and then gain access to an
    unprotected SCADA system within its network.

    And why do security pros suspect SCADA systems are being targeted? The
    government has captured laptops and desktops from Al Qaeda members
    that contain structural schematics for dams and nuclear power plants
    obtained from the Internet, as well as sophisticated modeling software
    such as AutoCAD 2000. The idea, it seems, is not to physically destroy
    these facilities--that would require someone going there--but to mess
    up their daily operations.

    For example, by jamming a wireless SCADA system, a hacker could cause
    a nuclear power plant to go offline at the wrong time, or a dam to
    suddenly release millions of gallons of water, or a deformity to be
    introduced into an industrial process that might weaken the final
    product--and go unnoticed for years. The effects could be minor or
    catastrophic. Bottom line: It could undermine faith in some of the
    nation's core infrastructures.

    THERE IS PRECEDENT for this sort of attack. In May of 2001, someone
    tried to hack into the CAL-Independent System Operator (ISO) site, the
    nonprofit corporation that controls the distribution of 75 percent of
    the state's power. While the attacker's motives remain unclear, the
    attacks came when California was in the midst of an energy crisis,
    when cities across the state were experiencing rolling blackouts every
    day. If someone had tricked the CAL-ISO folks into thinking less
    energy was available than really existed, it may have led to
    unnecessary blackouts for hospitals, care facilities, and fire and
    police stations (which are all officially exempt from the planned
    rolling blackouts).

    Security experts have known about vulnerabilities within SCADA systems
    for some time. Last October, the Association of Metropolitan Water
    Agencies testified before the House Subcommittee on Water Resources
    and Environment regarding such flaws. Even earlier, disclosures from
    within the gas and electrical industries show some awareness of the
    potential problems ahead.

    But these industries aren't doing much to plug the security holes.
    "They've fallen into the regulation trap," said McClure. "Unless the
    government regulates it, they're not yet taking [security] seriously."  
    Fortunately, McClure thinks the government is taking potential hack
    attacks seriously. He points out that Richard Clarke, adviser to the
    president on cybersecurity matters, and Howard Schmidt, vice chairman
    of the President's Critical Infrastructure Protection Board, both
    worked in the security industry before joining the government.

    HOW LIKELY WOULD IT BE for someone to disrupt our electrical grid or
    water treatment facilities using SCADA? McClure said it's realistic,
    though it would be difficult to pull off. "On a 1-10 scale, it would
    be a 4 or 5 in simplicity," he said.

    Ultimately, McClure and other security experts would like to see the
    government, as well as the gas and electrical industries, ferret out
    the underlying SCADA problems--not just patch them. McClure thinks the
    SCADA problem is as serious as Y2K.

    Some industries, such as finance and health, are already governed by
    legislation that forces them to address inherent security
    vulnerabilities. Maybe it's time to legislate water, energy, and other
    critical infrastructures--before we find ourselves in the dark.

    Do you agree that gas, water, and power are the most vulnerable--and
    likely--targets for hackers or terrorists? Do you think they will be
    disrupted? TalkBack to me below.