Society has one very critical technological underpinning that goes un-noticed by most people, but not hackers. If you’ve ever seen the most recent die hard movie then you’ll have an idea of what I am talking about. That is, the world’s critical infrastructures are vulnerable to attack by hackers (scary but true). These infrastructures include but are not limited to Water, Power, Communications, Transportation, Chemical Plants, etc.
Critical Infrastructure existed well before the advent of the Internet. The systems that were deployed to support the infrastructure were designed for stability, reliability and redundancy. These are computer systems that are used to control massive pumps, generators, cooling pools, the flow of gas, and other critical devices. A failure in one of those computer systems can translate to a failure in one of those critical devices.
When Infrastructure’s IT Infrastructure was first built, remote measurement devices would report data back home via dedicated network connections. In some cases people would physically go to remote locations and take readings and report those readings back to the headquarters. Recently however, Infrastructural businesses realized the cost benefit of using the Internet in place of the dedicated lines and the traveling meter-reading engineers. What they didn’t consider what the seriousness of the Internet threat, and the capabilities of those who create the threat.
As a result Infrastructure in every developed country contains critical technological vulnerabilities that have yet to be discovered. Those vulnerabilities if exploited successfully could result in damages ranging from basic system outages to the deaths of many people. This is the cost of a premature reliance on technology that people don’t fully understand.
To make matters worse the solution isn’t easily implemented. The problem is clouded with political noise, egos, and old time engineers that resist change. Some of them might actually fear for their jobs as they well should if in fact their skills are not unique. Others should fear for their jobs because they have neglected to protect critical infrastructure from the hacker threat. This problem isn’t a new problem and its existed for quite a while now, but we’re working to turn up the heat.
Yet still its not quite that simple. Many of these systems can’t just be patched, some of them are upgraded with fork lifts. The ones that can be patched, can’t still be patched because for them to go off-line means that you lose power, water, emergency services etc. Worse yet, if a patch is applied and that patch fails 90 days after its running, then it can kill people. So the threat is literally two sided. The fix creates a threat, and the hackers create a threat. How to resolve this without having either threat align with the risk?
If you are interested in following the conversations then you should subscribe to the SCADA Sec mailing list. The list is made up of a wide range of IT experts including Security Specialists, Control System experts, and Control System Security experts. As a group we’ll solve this problem, but if we keep arguing about semantics then we’re all in trouble.