By Mike Brennan
Security. Some form of the word makes headlines on a daily basis as threats to the world’s security grow more and more alarming. The following pages present a host of topics related to security — both cyber and physical — in Michigan and beyond. We offer a look at everything from issues surrounding personal mobile devices in the workplace and the growing threats to our nation’s corporations, governments and infrastructure, to the safety of cloud computing, the Michigan Cyber Range and the region’s notable defense industry.
Meet the people and companies in the state who are playing vital roles in protecting not only critical intelligence, but lives as well.
In June 2010, a computer worm was launched against the Iranian nuclear power facilities, targeting the supervisory control and data acquisition (SCADA) systems that operated the centrifuges used to process the enriched uranium. The worm, dubbed Stuxnet, damaged the equipment enough to slow nuclear development for months, if not years.
In December 2011, a hack resulted in the burnout of a water pump at a Public Water District plant in Illinois that served about 2,200 customers. Only after the pump failed did plant operators discover that their SCADA systems had been exploited in an attack launched from a server based in Russia.
In November 2012, a study by the National Research Council concluded the U.S. power grid is susceptible to terrorist attack, whether physical or cyber, that could cause much more damage than Superstorm Sandy.
These three incidents illustrate the vulnerability of the nation’s critical infrastructure that monitors and controls power, water and industrial systems, and much more. Experts warn these vulnerabilities make it a matter of when, not if, terrorists and other nations launch cyber attacks against the United States aimed at these essential systems that sustain life and the economy. They also warn government and utilities aren’t spending enough money to guard against cyber attack.
Case in point: a recent survey of network managers at 21 energy companies, including 14 utilities, found the companies spend an average of $45.8 million a year on computer security and are able to prevent 69 percent of known cyber strikes against their systems. The survey was commissioned by Bloomberg Government and performed by the Ponemon Institute of Traverse City, MI.
Over the next 12 to 18 months, the power companies estimate they could increase annual cyber security spending to an average $69.3 million per company and be able to avert 88 percent of attacks. But it would take an average annual budget of $344.6 million per company to stop 95 percent of the threats, the survey found, a sum that exceeds the $277 million in profit that Atlanta-based Southern Co., the largest U.S. utility by market capitalization, reported for the fourth quarter of 2011.
Cyber attackers have easy access
The news gets worse. Richard Stiennon, founder of Birmingham, MI-based IT Harvest and a widely followed security expert and analyst, said an anonymous hacker bragged online that he or she had done a quick search of popular computer interfaces that access building control systems and found 30 open for cyber attack at hospitals and shopping centers nationwide.
“What that means is a hacker could shut off the power at hospitals,” Stiennon says. “Think about what this would mean for a hospital providing oxygen to patients. Or to a prison where the cell doors are controlled by industrial control systems. Or even power grids. Hackers could cycle generators up and down rapidly, triggering overloads, like the Illinois water district attack.”
Cyber vulnerabilities to critical infrastructure are a result of connecting the Internet to industrial controls that could be decades old and were never meant to be monitored or controlled remotely, Stiennon says. Opening SCADA to remote access has provided hackers, cyber criminals and state-sponsored terrorists with an opening to launch cyber attacks against the nerve centers of the industrial world. And it’s only the beginning, Stiennon says.
“Despite the knowledge utilities now have, they still are connecting critical infrastructures to business systems,” he says. “Somebody in the head office wants instantaneous reports on how many watts the nuclear reactor core is putting out. ‘Why call somebody from the plant when I can do that from my desk,’ they reason? When you do that, you’ve opened yourself up to a Stuxnet-type attack.”
The sophisticated worm was meant to be a precision cyber weapon that would shut itself off after delivering its payload, sources tell Stiennon. Unfortunately, thousands of other companies using the same SCADA industrial controls (distributed by Germany-based Siemens) also were hit by the worm. Perhaps even more chilling, cyber criminals and nation states, sources tell Stiennon, are re-engineering the worm for use against critical infrastructure worldwide, including the United States.
Protection from cyber attacks
What should factories, utilities, hospitals, governments and other organizations using SCADA technology do to protect themselves from cyber attack? Here are some tips from Stiennon:
• Segment your computer networks to prevent the spread of malware.
• Never do remote access. Make sure management of the industrial system is done inside the network, not outside.
• Install strong firewalls and strong authentication to access the computer system.
• Install intrusion detection on your networks. Do 100 percent network monitoring to detect suspicious behavior and track down any intrusions to make sure they don’t happen again.
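As an added illustration (not from Stiennon or the original article), here is one way to check the segmentation and no-remote-access tips against network flow records: any connection that crosses the control-system boundary, in either direction, is reported. The subnets, log format and sample records are constructed assumptions.

```python
import ipaddress

# Constructed zone plan (assumption): one control-system subnet, one business subnet.
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/24"),
    "business": ipaddress.ip_network("10.20.0.0/16"),
}

def zone_of(addr):
    """Return the zone name for an address, or 'external' if it is in no known subnet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def audit_flows(lines):
    """Flag every flow that crosses the control-zone boundary in either direction."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the header comment
        ts, src, dst, dport = line.split()
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone == "control" and src_zone != "control":
            # Management or polling reaching in from outside the control network.
            findings.append((ts, f"{src_zone}->control", src, dst, int(dport)))
        elif src_zone == "control" and dst_zone != "control":
            # A control-system host talking out: segmentation is not holding.
            findings.append((ts, f"control->{dst_zone}", src, dst, int(dport)))
    return findings

# Constructed sample flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
# ts src dst dport
2013-01-07T08:00:01 10.10.0.5 10.10.0.20 502
2013-01-07T08:00:09 10.20.4.17 10.10.0.20 502
2013-01-07T08:01:30 203.0.113.44 10.10.0.8 3389
2013-01-07T08:02:12 10.10.0.8 198.51.100.7 443
2013-01-07T08:03:00 10.20.4.17 10.20.9.9 445
""".splitlines()

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

On the sample data, the business desktop polling a controller, the outside remote-desktop session and the outbound connection from a control host are reported; traffic that stays inside one zone is not.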
“Businesses, utilities and government have to adopt a cyber defense posture,” Stiennon says. “They have to follow best practices of some of the defense contractors that constantly watch for attacks through intelligence gathering. They must look for key indicators on their network and tie them all together into a campaign. Cyber defense has become measures and countermeasures and only the most proactive defenses will protect critical infrastructure.”
Mike Brennan, an Automation Alley member since 2000, is editor and publisher of MITechNews.com. He has written extensively about security topics.