Industrial control systems seen as vulnerable

The US Department of Homeland Security and the private sector still have not developed a comprehensive strategy for securing the...

The US Department of Homeland Security and the private sector still have not developed a comprehensive strategy for securing the real-time control systems which manage much of the nation's critical infrastructure.

In a hearing on the security of Supervisory Control and Data Acquisition (SCADA) systems, which are used to manage infrastructure such as the electric power grid and oil and gas pipelines, senator Adam Putnam said the lack of a national strategy to deal with SCADA system security makes the nation "undeniably vulnerable" to cyberterrorism.

Putnam is chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

"The more I've learned [about the lack of SCADA system security], the more concerned I've become," said Putnam. "I've learned that today's SCADA systems have been designed with little or no attention to computer security. Data are often sent as clear text; protocols for accepting commands are open, with no authentication required; and communications channels are often wireless, leased lines or the internet."

The General Accounting Office has also released a detailed study of SCADA system security. In its report, "Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems", the GAO concluded that the DHS has not moved as fast as it could to work with the private sector to improve SCADA security.

James McDonnell, director of the Protective Security Division at the DHS, told Putnam and other lawmakers that it is his job to co-ordinate both physical and cyber security for more than 1,700 facilities identified so far as containing critical national security infrastructure systems. Of those facilities, 565 contain SCADA systems that must be protected.

McDonnell outlined a series of physical security efforts, such as site security assessments and buffer zone protection mechanisms, underlying the DHS's existing strategy for SCADA security.

According to McDonnell, the National Communications System (NCS) is working with the Idaho National Engineering and Environmental Lab to conduct communications modelling and simulation of SCADA systems, known as the National SCADA Test Bed.

The NCS has initiated a study of vulnerabilities in the natural gas pipeline system throughout the eastern US. Other efforts are under way to identify the high-power microwave vulnerabilities of commercial SCADA systems, McDonnell said.

One big concern identified by the GAO is that it may not be economically feasible for many utilities and other companies that operate critical infrastructure to undertake security upgrades on their own.

In addition, Robert Dacey, the GAO's director of information security issues and the primary author of the study, said software suppliers which develop applications for use on SCADA systems are not promoting security because they do not think companies want to spend the money needed.

"Several suppliers suggested that since there have been no reports of significant disruptions caused by cyberattacks on US control systems, industry representatives believe the threat of such an attack is low," said Dacey.

This has led to the absence of a formal process of collecting incident data on SCADA systems, "further contributing to the skepticism of control systems suppliers", he said.

Gerald Freese, director of information security at American Electric Power, said SCADA systems remain "open books" to any terrorist organisation that wants to learn how to exploit them.

In fact, US energy companies assisted Pakistan in developing that country's SCADA and supporting telecommunications infrastructure. Modelling the Pakistani electric power infrastructure on the US, these companies used many of the same technologies and many of the same suppliers to do the work, Freese said.

Richard Clarke and Howard Schmidt, the two former chairmen of the President's Critical Infrastructure Protection Board, acknowledged in interviews that raids conducted during the war on terrorism have uncovered evidence that al-Qaeda has been actively studying vulnerabilities in US SCADA systems.

Read more on IT risk management