It was weird—and disconcerting—to see the front page of The Washington Post the other day devoted to cyber security and the vulnerabilities of industrial control systems. In a series of articles in the Post, much of the discussion around ICSs that we've provided in these pages was echoed and amplified.
Bottom line: They're connected. They're vulnerable. Utilities in the United States should harden their defenses and understand the nature of threats that are only likely to increase.
In "Cyber Search Engine Shodan Exposes Industrial Control Systems to New Risks," reporter Robert O'Harrow Jr. described how a programmer developed a search engine named "Shodan" that finds and "exposes" online devices. The Shodan website's tagline is "Expose Online Devices: Webcams. Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP Phones." Wait, did that list mention power plants, along with iPhones and refrigerators? Yes.
Oh, and, here's a pop quiz: What's the most common ICS in the power industry? (Answer: SCADA, or supervisory control and data acquisition.)
More from the Post on what the Shodan programmer found with his new toy:
"Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.
"The rise of Shodan illuminates the rapid convergence of the real world and cyberspace, and the degree to which machines that millions of people depend on every day are becoming vulnerable to intrusion and digital sabotage."
The difference between corporate computer networks and industrial control systems, and in the potential impact of hacking each, is pretty crucial, as one ICS source told us about this time last year.
In "Cyber Security and Control Systems," Joe Weiss, principal at Applied Control Solutions, LLC, said, "IT systems don't kill people. Control system problems have killed people."
(Weiss initiated the control system cyber security program at the Electric Power Research Institute in 2000 and wrote the book, Protecting Industrial Control Systems from Electronic Threats.)
That column explained: "According to Weiss, IT professionals don't understand ICS. Operations personnel may understand ICS, but not IT and its cyber security implications. That's one disconnect. Another: responsibility for the integrity of ICS at electric utilities tends to be splintered among various roles, in contrast to the chief information officer's clear mandate for IT cyber security, he said. Further, IT cyber incidents leave a forensics trail that can be reconstructed after the fact, while ICS incidents leave only physical evidence without a clear forensics trail.
"Historically, the overriding concerns of those developing industrial control systems were their usefulness, reliability, safety and cost, Weiss said. And the control system engineer's traditional role is to 'keep things running,' he added. Making ICSs remotely controlled via Ethernet over local area networks and their microprocessors updatable by this method led to their present vulnerabilities, he argued.
"Flexibility and security pull in opposite directions," Weiss told me.
Those are the stakes and that's an abridged history of concerns around ICSs. So, what do we know about the nature or number of actual attacks? The Post report said that 120 "incident reports" from October 2011 to April 2012—a six-month period—equaled the number for all of 2011. In other words, the number of documented attacks is increasing. However, noted the Post, "companies are under no obligation to report such intrusions to authorities."
So while the threat seems real and Stuxnet, Duqu and Flame have been cited as proof points to underscore that threat, the situation remains maddeningly vague. Reporting incidents is not required. Many known cyber programs implanted in the U.S. grid by foreign powers only monitor our grid and do not disrupt it. No intentional, catastrophic breaches have occurred in this country so far.
A skeptic might ask—and folks tell me that utility executives are among the skeptics—if ICSs are so vulnerable, then where's the example of a successful disruption?
Ah, that's where Stuxnet and Duqu and now Flame come in. We documented the approach taken by Stuxnet and its still-unknown sponsors to Iran's nuclear centrifuges in "Stuxnet's Lessons Learned." That was followed by "Duqu Reminds Utilities of Unfinished Cyber Work." And now comes "Flame," the focus of a news article last week, "Cyberattacks on Iran - Stuxnet and Flame," in The New York Times. A related discussion panel among international cyber security practitioners debated whether the U.S.—the most capable of launching such attacks—was also the most vulnerable to similar strategies by its enemies.
No doubt much work is taking place behind the scenes. Perhaps solutions are being developed in secret while vulnerabilities are trumpeted publicly, leading to a skewed sense of the actual risks and management thereof.
On the other hand, if skeptical utility executives really are waiting for a major domestic incident as a proof point before taking action, we're in for quite a ride.
Intelligent Utility Daily