And that's not all. In security terms, the control networks had more holes than a tramp's vest. The GAO found that firewalls weren't properly configured or had been switched off, passwords were implemented ineffectively, servers and workstations didn't have security software and hadn't been updated with security patches, and the main corporate network had an intrusion detection system with "significant limitations". According to the GAO report, the power firm "risks a disruption of its operations as the result of a cyber incident."
IT security consultant Rich Mogull has written extensively about SCADA risks on his security blog Securosis, and highlights two key trends: SCADA systems running Windows, "the same software all the little script kiddies can slice through"; and convergence. SCADA systems are connected to normal networks by "far more companies than you probably think. We're now running everything on standard platforms, on standard networks, with bored engineers surfing porn and reading junk email on the overnight shift."
"This isn't fantasy," Mogull says. "During the Slammer virus a safety system at a nuclear power plant went down. Trains in Sydney stopped running due to the Sasser virus. Blaster was a contributing factor to the big Northeast power outage a few years ago because it bogged down the systems the engineers used to communicate with each other and monitor systems (rumour has it). I once had a private meeting in a foreign country that admitted hackers had gained access to the train control system on multiple occasions and could control the trains."
He continues: "We are definitely vulnerable to just the right kind of attack, but it's a problem we can get our arms around and solve with a little investment and common sense. Not everything is vulnerable yet, and we're early enough on the convergence trend that we can still stop and put the right security precautions in place… unless the bad guys just get jobs at the power plants and flip switches during the midnight shift."
Taking down a hospital
During 2006, 20-year-old Christopher Maxwell was prosecuted after installing malware on hospital computers in Seattle. The software caused thousands of pounds of damage, shut down PCs in the intensive care unit and crippled the hospital's pager system. It's an isolated event, but it shows that the more reliant on technology we become, the more damage an outage can cause.
As Graham Cluley points out, "there is also a risk that government websites designed to share information withthe public on health issues could be affected by a distributed denial of service attack. Again, it's important that fall back systems are in place should a website fall foul of a DDoS assault."
ENISA, the EU Agency for Network Information and Security, issued dire threats in June about the possibility of a "digital 9/11" if European countries didn't get more serious about Internet security. Executive director Andrea Pirotti urged the EU to "introduce mandatory reporting on security breaches and incidents for business, just as the US has already done" and argues that there should be"more cross‑border cooperation".
It's all sensible stuff, but if you look beyond the sensationalist headlines, you'll see that the biggest electronic threats identified by ENISA aren't terrorism or electronic terrorism; they're our old friends, spam and fraud. ENISA also notes that while there were just eight EU countries running "digital fire brigades" to deal with electronic attacks and botnets in 2005, the number has now increased to 14, with a further 10 planned to become operational in the next two years. ENISA has also launched a three-year programme to improve the security and resilience of public communications networks across the EU and address any imbalances between member states.
