[ISN] Weak control system security threatens U.S.

From: InfoSec News (alerts@private)
Date: Wed Jan 16 2008 - 23:11:20 PST


http://www.gcn.com/online/vol1_no1/45670-1.html

By Joab Jackson
GCN.com
01/16/08

NEW ORLEANS -- Weak security on infrastructure control systems may 
eventually put the country at risk for a coordinated attack on 
utilities, warned Jerry Dixon, former acting director of the Homeland 
Security Department's National Cyber Security Division.

Dixon, who now is director of analysis of Internet security consulting 
firm Team Cymru, spoke yesterday at the SANS Security 2008 conference, 
being held this week in New Orleans.

Those who saw the movie Live Free or Die Hard might remember the concept 
of the "Fire Sale," a fictional coordinated plan by evil-doers to shut 
down the critical infrastructure by attacking its computer systems. 
While the Hollywood depiction was sensationalized, the basic plan of 
attack could be feasible, at least given the present state of security 
on today's utility control systems, Dixon said.

The action movie contained more than a few similarities to DHS' Cyber 
Storm, a public exercise held in 2006 that simulated attacks on the 
critical infrastructure. DHS picked up a number of important lessons 
from that exercise, Dixon said.

One particular concern Dixon pointed out is the control systems of 
utility company substations. Since many are located in remote locales, 
they are often controlled by dial-in modems, and their systems have 
outdated or nonexistent security and authentication technologies. Those 
that are on a network of some sort may be sharing their equipment with 
other less-sensitive systems and, hence, vulnerable to a crossover 
attack. Worse, comparatively little logging goes on with control 
systems. So when a failure happens, it is sometimes hard to determine if 
it came about due to attack or to misconfiguration.

There are a number of other areas of concern as well, he pointed out. 
Control system management software tends to be poorly designed and 
filled with points of vulnerability. Machines may be running older, 
unpatched software -- a problem that only grows more severe as time passes 
as organizations don't have the money to update to newer, more secure 
versions. Also troubling is that organizations may only have fuzzy 
conceptions of how large their network is, or what outside parties they 
are connecting with to conduct business.

Dixon pointed to an infrastructure vulnerability found last fall by the 
Energy Department's Idaho National Laboratory, in research work funded 
by DHS. The work demonstrated how a megawatt generator could be broken 
from afar by calling into the substation system and executing a number 
of malicious commands to alter the workflow logic of the generator. Such 
an attack may require, in addition to the right phone number to dial 
into, expertise in electrical engineering and network security, two 
different yet fairly common skill sets, one industry observer noted.

"Average hacking skills" could "cause some significant problems," Dixon 
added.

Dixon also pointed to other recently publicized attacks on the 
infrastructure, such as a 2006 internal computer attack that took out 
traffic lights at four intersections in Los Angeles, and an event that 
took place earlier this month when a teenager diverted Polish tram 
trains from their normal routes by way of a computer hack.

A member of the audience asked Dixon why we haven't experienced a 
widescale attack yet. "We've been lucky," he responded. "If the bad guys 
were to get better organized, we'd have some serious challenges."

