As international crime syndicates and foreign nations wage cyberwarfare, intelligence officials warn that a catastrophic cyberattack on the United States' IT infrastructure could happen in the not-too-distant future. In state and local government, power grids, natural gas utilities, and water and sewage systems pose tempting targets for hackers around the globe.
Since 2001, a handful of private and state-owned utilities (including a power plant, a canal authority, and a water treatment plant) have been attacked, according to the Project Grey Goose report from GreyLogic. The report forecasts attacks against the power grid to increase in the next year. Meanwhile, a report from McAfee and the Center for Strategic and International Studies reveals that 20 percent of companies and government agencies have suffered a cyberattack associated with an extortion demand.
The McAfee report, "In the Crossfire: Critical Infrastructure in the Age of Cyber War," notes that attacks on supervisory control and data acquisition networks are especially serious because they create the potential for large-scale power outages or man-made environmental disasters. SCADA systems were designed to maximize performance, reliability and safety; until recently, security hadn't been a major consideration because systems often were "air gapped" from other networks, and hardware and protocols were proprietary.
But these days, SCADA systems are typically connected to business networks so employees can use commercial off-the-shelf products and open protocols. According to the survey, 76 percent of respondents with SCADA responsibilities reported that those networks are connected to an IP network or the Internet despite the risks involved. This has put utility managers on guard.
With such risk in mind, state and local governments are taking several security measures to protect networks so critical services never go down.
Patrick Ellis, director and chief security officer of Broward County Water and Wastewater Services in Florida, stays vigilant by employing the full suite of McAfee security products, as well as products from Cisco Systems and Check Point.
The Broward County water and wastewater organization uses an air gap that separates its network from the county's line-of-business applications. In extreme cases, networks do not touch at all, but that's a drastic situation the county tries to avoid. "The ability to share data is really hampered in those situations," says Ellis.
The utility uses Check Point Endpoint Security software on notebooks and computing devices that leave the office to guarantee that information is encrypted. That stops new files from being copied to or from a notebook, preventing data leakage. If a notebook is stolen, the thief won't be able to obtain any data without a USB token or a password.
The utility uses McAfee for antivirus protection and e-mail filtering. Intrusion detection and prevention systems also allow it to whitelist applications on the system, "so they recognize them as friendly," Ellis says.
Intrusion prevention systems are designed to close ports and shut down services when anomalies are detected. That's a problem in a utilities environment where systems run 24x7, 365 days a year, running plants, turning motors on and off and opening valves. "We cannot run the risk of one of those devices shutting down," Ellis says. "We can't have things just stop working."
Not long ago, the website of a gas utility was hacked with a SQL injection attack. Fortunately, no information was stolen, according to the utility manager, who didn't want his name or utility revealed because of security concerns. "They gained access and they disabled it," he says. "We fixed it and prevented future attacks by hardening our SQL."
To protect his network, the manager uses Symantec and Cisco products and isolates the way software is configured. Hopefully, any intrusion is limited to areas that do not contain information that would be damaging," the manager says.
Often, the most dangerous attacker is a disgruntled employee, notes Frances Cleveland, president of Xanthus Consulting International, who spoke at the California Public Utilities Commission Smart Grid Symposium. Security must be end to end and layered, Cleveland says, so that if one layer is breached, the next one will protect a utility from attack.
In addition to malicious attacks, Cleveland points out that inadvertent attacks can be caused by careless users, equipment failures or employees who bypass security. There's no perfect solution to guard against every threat, but a utility benefits if it can deter and delay attacks long enough to employ countermeasures.
Vigilance is key. "If you're looking for a silver-bullet solution, you're not likely to find it," says Don Ryan, senior information security project lead for the University of Texas at San Antonio's Center for Infrastructure Assurance and Security, which runs cybersecurity exercise programs and has worked with utilities in California, Delaware and Texas.
The center tries to increase awareness about cybersecurity and emphasizes that the threat doesn't affect just the organization but reaches across boundaries to communities at large. Governments have to approach the problem from several directions. "You have to use technology and educate your user community," Ryan recommends.
Some basic technologies include two-factor authentication or active monitoring of intrusion detection/prevention systems.
One of the biggest hurdles for utilities is finding the funds to procure security technologies. "The expense is like insurance," Broward County's Ellis says. "There's no real return on investment until the day something goes wrong."
Ellis likes to tell funding committees that the government and the utility do get something back from their investment. "We're going to get safer drinking water for our citizens. It's tough to put a price tag on that."