Published February 12, 2013
When the lights went out at the Super Bowl in New Orleans earlier this month, more than a few security professionals instinctively feared it was caused by a cyber attack on a crucial part of the nation’s aging and largely exposed critical infrastructure.
While the Super Bowl blackout turned out not to be the work of cyber villains, the incident illustrates just how vulnerable this crucial and heavily-regulated batch of the U.S. economy remains.
A successful cyber attack on physical infrastructure like power stations, water treatment plants or hydroelectric power stations could cause the loss of life, cripple parts of the economy or even be used to amplify traditional terrorist attacks.
“This one scares me more than anything. There is a clear and obvious present threat,” said Carl Herberger, vice president of security solutions at Radware (RDWR).
Despite the continued onslaught of cyber attacks on everything from banks like J.P. Morgan Chase (JPM) to newspapers such as The New York Times, industry insiders believe the U.S. physical infrastructure sector is badly trailing the cyber readiness of other industries like financial services and defense contractors.
“That’s a sector that hasn’t really woken up yet. The security exposure is tremendous,” said Scott Register, director of marketing strategy at cyber security solutions company Ixia (XXIA). “The infrastructure sector is way, way behind.”
The White House is expected to address the security shortfall in a highly-anticipated executive order set to be unveiled on Wednesday.
It’s easy to imagine the economic damage and cost in terms of human life that an attack on the nation’s physical infrastructure could inflict. Business could grind to a halt and critical services like 911 systems and hospitals could be in left in the dark.
There haven’t been many well documented cases of successful cyber attacks impacting infrastructure such as power systems, but few believe tight-lipped IT professionals would admit as much.
“There have been a few things that have been shady but no one has definitively said this was cyber,” said Dave Aitel, a former computer scientist at the National Security Agency and currently CEO of Immunity. “Unexplained is always code for: it could be cyber.”
Published reports have blamed cyber attacks for a number of high-profile power outages in Brazil between 2005 and 2007 that left tens of thousands in the dark.
“An electrical grid hack is something I spend a lot of time worried about. I worry about it a lot more than I used to,” said Christopher Bronk, a fellow at Rice University’s Baker Institute.
In 2011 U.S. officials investigated whether a foreign cyber attack may have caused a failure of a water pump at a public water district in Illinois.
Around that same time, a hacker appeared to successfully infiltrate a South Houston water utility in 2011, displaying screenshots of critical instruments to prove the attack.
While no damage was done, officials from the Department of Homeland Security reached out to Bronk for his take on the incident. Bronk said he believed it looked very credible and urged DHS to “hire that guy.”
Interestingly, the hacker said in a blog post that he was trying to prove a point about vulnerabilities, saying he dislikes “immensely how the DHS tend to downplay how absolutely [messed up] the state of national infrastructure is.”
In another incident, an Australian man in 2000 successfully infiltrated a waste water treatment plant outside of Brisbane, causing millions of liters of raw sewage to spew into the local environment.
“It is absolutely possible to cause damage of that type,” said Cedric Leighton, former deputy training director at the NSA and now CEO of a Washington D.C.-based consultancy.
Much of the concern centers on Supervisory Control and Data Acquisition, or SCADA, an archaic type of industrial control system that is used in many critical infrastructure areas like pipelines, electric grids and factories.
“Stuxnet was a big wakeup call,” said Herberger, referring to the computer worm reportedly sent by the U.S. and Israel to disrupt Iranian nuclear facilities.
Why Infrastructure Lags Behind
All of this begs the question: why isn’t the infrastructure sector ready for the cyber threat?
Among other reasons, security professionals point to a cautious attitude at public utilities, a lack of public resources and the heavily-regulated nature of the industry.
“Regulated industries are often very conservative industries in terms of mindset and company culture,” said Leighton. “The regulatory mechanisms have had the perverse effect of insulating them culturally from change. It doesn’t mean they are not interested. It means they are slower to adapt to changes.”
Bronk said industries that aren’t as heavily regulated such as banking and oil and gas are more motivated to beef up security in an effort to avoid the costly loss intellectual property, the seizure of customer funds, embarrassing PR events and the threat of further regulation.
“I guess there isn’t the same incentive structure there,” he said.
Whatever the reason, physical infrastructure companies don’t seem to be willing or able to invest the resources needed to lure coveted security talent and acquire advanced systems.
“Protecting our critical infrastructure should be a priority but they just pay it lip service,” said Pat McGarry, principal systems engineer at Ixia, which sells a sophisticated system that allows clients to simulate cyber attacks on their networks. “None of those companies that I’m aware of buy this stuff but every single one of them should have it.”
Will New Regulation Help?
Given the hodgepodge nature of the critical infrastructure sector, some believe Washington needs to give these companies further guidance on how to respond to the cyber threat.
“Sometimes it’s not that the technology is behind, it’s that the policy is behind,” said Aitel. “They don’t want to use the word regulation but deep down regulation is what they need.”
With Congress deadlocked on the cyber issue (and many others), President Obama has decided to move ahead with an executive order on cyber security that would establish a voluntary program where companies can choose to meet best practices.
But it’s unclear what kind of actual impact such an executive order, especially without the backing of Congress, will have.
“Cyber security standards by their nature have to evolve and they have to evolve very quickly. It’s hard to write that into law,” said Leighton.
Bronk, formerly a diplomat in the State Department, said he would tell the White House “don’t bother.” He’s worried action from Washington “will end up being far too blunt of an instrument.”
Security professionals believe that one of the best ways to bolster security in this sector is to mandate increased transparency and information-sharing.
“There is no way for the population to know how at risk they are right now. There’s not even a report card,” said Aitel.