Security as a Strategy (SaaS)

How to Attack Gas, Water & Nuclear Plants

The Department of Energy (DOE) has a goal to secure control systems used in the energy sector from malicious cyber attacks, attacks that could lead to potentially catastrophic disruptions in our critical infrastructures. As part of this effort, DOE created a document called "Roadmap to Secure Control Systems in the Energy Sector." As I was reading it I came across some interesting nuggets about previous attacks on utilities (Source: GAO 2004, Reed 2005). Some things you may not hear on David Letterman.
1. Unsuspected code hidden in transferred product (USSR, 1982)

While the following cannot be confirmed, it has been reported that during the Cold War the CIA inserted malicious code into control system software leaked to the Soviet Union. The software, which controlled pumps, turbines, and valves on a Soviet gas pipeline, was programmed to malfunction after a set interval. The malfunction caused the control system to reset pump speeds and valve settings to produce pressures beyond the failure ratings of pipeline joints and welds, eventually causing an enormous explosion.

2. Hacker exploits cross-sector interdependence (Massachusetts, USA, 1997)

A teenager hacked into and remotely disabled part of the public switching network, disrupting phone service for local residents and the fire department and causing a malfunction at a nearby airport.

3. Insider hacks into sewage treatment plant (Australia, 2001)

A former employee of the software developer hacked into the SCADA system that controlled a Queensland sewage treatment plant, causing a large sewage discharge over a sustained period. He was caught and sentenced to two years in prison in 2001.

4. Worm exploits interconnected business and operations networks (Ohio, USA, 2003)

The SQL Slammer worm infiltrated the operations network of the Davis-Besse nuclear power plant via a high-speed connection from an unsecured contractor's network (after the corporate firewall had previously blocked the worm). After migrating from the business network to the operations network, the worm disabled the panel used to monitor the plant's most crucial safety indicators for about five hours and caused the plant's process computer to fail; recovery for the latter took nearly six hours. Luckily, the plant was off-line at the time.
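As an added illustration of the Davis-Besse path described above (example code written for this page, not from the original post or the DOE roadmap), the following Python scans a handful of constructed flow-log lines for Slammer's signature, a single 376-byte UDP datagram to port 1434, and flags any such flow entering the operations segment from outside it, plus any source spraying that datagram at several hosts. The segment ranges, the log format and the sample lines are all assumptions made for the example.

```python
"""Flag Slammer-style UDP/1434 traffic that crosses into an operations network.

Constructed example: the address ranges, the flow-log format and the sample
lines below are assumptions, not data from the Davis-Besse incident.
"""
import ipaddress
from dataclasses import dataclass

# Assumed segmentation: business LAN, operations (plant) LAN and a contractor
# link that should only reach the plant through the corporate firewall.
SEGMENTS = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "operations": ipaddress.ip_network("10.20.0.0/16"),
    "contractor": ipaddress.ip_network("172.16.0.0/16"),
}

# SQL Slammer propagated as one 376-byte UDP datagram to the SQL Server
# resolution service on port 1434.
SLAMMER_PORT = 1434
SLAMMER_BYTES = 376


@dataclass
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def segment_of(addr: str) -> str:
    """Map an address to the assumed network segment, or 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse the constructed format '<ts> <proto> <src>:<sport> -> <dst>:<dport> <bytes>'."""
    ts, proto, src, _arrow, dst, nbytes = line.split()
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return Flow(ts, proto.upper(), shost, int(sport), dhost, int(dport), int(nbytes))


def is_slammer_like(f: Flow) -> bool:
    return f.proto == "UDP" and f.dport == SLAMMER_PORT and f.nbytes == SLAMMER_BYTES


def analyze(lines, fanout_threshold=3):
    """Return findings as tuples:
    ('crossing', src, src_segment, dst)  - worm datagram entering operations from elsewhere
    ('fanout', src, src_segment, n)      - one source hitting n>=threshold distinct hosts
    """
    findings = []
    targets_by_src = {}
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if not is_slammer_like(f):
            continue
        targets_by_src.setdefault(f.src, set()).add(f.dst)
        src_seg, dst_seg = segment_of(f.src), segment_of(f.dst)
        if dst_seg == "operations" and src_seg != "operations":
            findings.append(("crossing", f.src, src_seg, f.dst))
    for src, dsts in targets_by_src.items():
        if len(dsts) >= fanout_threshold:
            findings.append(("fanout", src, segment_of(src), len(dsts)))
    return findings


# Constructed sample flows (timestamps and hosts invented for the example).
SAMPLE_FLOWS = [
    "2003-01-25T09:30:01 UDP 172.16.4.7:1337 -> 10.20.1.10:1434 376",    # contractor -> operations
    "2003-01-25T09:30:01 UDP 172.16.4.7:1337 -> 10.20.1.11:1434 376",    # contractor -> operations
    "2003-01-25T09:30:02 UDP 172.16.4.7:1337 -> 10.10.5.20:1434 376",    # contractor -> business
    "2003-01-25T09:30:02 UDP 10.20.1.10:2000 -> 10.20.1.12:1434 376",    # already inside operations
    "2003-01-25T09:30:03 TCP 10.10.5.20:51000 -> 10.20.1.10:1433 1500",  # ordinary SQL session
    "2003-01-25T09:30:04 UDP 10.10.5.20:1337 -> 10.20.1.13:1434 120",    # wrong size, not the worm
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

The two checks reflect the two things the summary points at: the crossing rule catches a path into the operations network that does not run through the firewall, and the fan-out rule catches the worm's spraying behaviour before a second segment is affected.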

These stories were used to illustrate the U.S. government's concern about the potential for cyber attacks on the energy sector. And as smart grid technology evolves to tie everyone and everything together in a futuristic, postmodern indulgence of technology in daily life, we will need all the security we can get.

GAO. 2004. Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. U.S. Government Accountability Office, GAO-04-354.

Reed, T. 2005. At the Abyss: An Insider's History of the Cold War. Random House.

What About the Authorized User?

There are plenty of security products on the market, from firewalls to IDS/IPS to NAC, that are designed to identify and alert on suspicious events. Network traffic is being analyzed more and more deeply in order to identify this type of traffic (a fair amount of which is correlated back to internal users, some authorized and some not).

While I think these devices are necessary, I wonder what is being done, both proactively and reactively, about the offending user and, more broadly, the user population. Yes, there will always be malicious users regardless of what is done, but I am curious to know what programs are directed at the user population from a security point of view.
