At this time last year, the bugaboo was all about Y2K meltdown. However, as the dreaded midnight hour struck, and for the most part passed uneventfully, the world’s revelry in welcoming year 2000 soon eclipsed all fears of sabotage and crashing information systems.
Now, as we’re poised on the threshold of 2001, security experts at the POWER-GEN International conference in Orlando last month cautioned against a lackadaisical attitude about system integrity. Joe Weiss, technical manager of EPRI’s enterprise security project, advised against being lulled into a false sense of security, noting hackers wormed into Microsoft and the intrusion went undetected for 12 days.
If the attendance at this finale (one of three concurrently running mega-sessions) was any indication of the extent of the industry’s interest in or attention to infrastructure security, we’re in big trouble.
I’m not suggesting that the future of coal or the gangbuster gas turbine market (the other mega-sessions) weren’t worthy topics, but if your systems are vulnerable, and become the bull’s-eye for someone’s devilish intent, coal and gas turbines will not be what keep you awake at night.
Weiss asserted no competitive data is secret. Because technology is moving to more automation (i.e., more remotely operated facilities, etc.), vulnerability is increased. Those systems designed to be open and user-friendly often bring with them “back door” access to your operations.
He pointed to deregulation and the way it changed the business of utilities as another factor resulting in new means of boring into your secrets. Most generating plants now sell power to more entities than they did before deregulation. Electronic information connections are common, and are like sieves in terms of security, according to Weiss. And the much ballyhooed real-time data, well, that’s not secure either.
Who’s on the prowl looking for those back doors? According to the Federal Bureau of Investigation’s LeVord Burns, likely sources of attack include disgruntled employees, U.S. competitors, independent hackers, foreign corporations and foreign governments.
Weiss added that a disgruntled employee isn’t only a problem for you; he’s a problem for other plants because many of the systems are the same due to the limited number of suppliers.
The warnings aren’t just hype; hacking has already occurred. For example, hackers hit Salt River Project’s water SCADA. And there may be other instances that were never identified as such.
Weiss said you might never know you’ve been hacked; one of your systems went down, but you were unaware that the root of the evil was a hacker. Unless you had technology installed to indicate hacking, you were unlikely to have recognized the intrusion.
You might mistakenly find solace in the idea that it would take someone with technical know-how to access the industry’s specialized systems. Not so, according to Weiss. “Hacker tools on the Web are directly relevant to hacking into a SCADA or DCS [distributed control system]. We thought we were different, but those tools directly apply.”
Weiss went on to propose a different angle in approaching access vulnerabilities. He said vendors should be concerned about their own liability in the risks associated with vulnerability.
One major obstacle is that currently there are no specifications that could be taken to vendors to assure development of a secure system.
What are the required security profiles? That’s one of the questions the industry is just now beginning to explore, but Weiss predicted no real change in the status of security until the next generation of software is developed, starting with a completely fresh slate. In his opinion, piggybacking software on already installed systems won’t do the job.
Clearly this is an area in which you can’t afford to become complacent; there’s no reason to expect hackers to become gentler and kinder in 2001. This is an example where what you don’t know will hurt you.
P.S. I’m guessing either of the presidential candidates, prompted for his response to this topic, might have thought, “Where are the hackers when you really need them?”