
U.S. infrastructure vulnerable to attack

With Congress bickering over a cybersecurity bill, the national infrastructure is said to be ripe for cyberattack

By Network World Staff, Network World
August 07, 2012 08:46 AM ET

Network World - If it is left to the politicians, the door to the nation's utilities might be left open, almost telling terrorists, like in those motel commercials, "We'll leave the light on for you."

The ironic part is that a terrorist attack on the nation's infrastructure would mean those lights would go out, along with other catastrophic possibilities. A cybersecurity bill has been largely declawed by Congress, leaving a watered-down version barely alive.

A recent survey showed that security experts have little faith that government regulation will be the answer. Critical infrastructure has been defined as natural gas, electricity, water, roads and highways, air traffic, railroads and the Internet.

Operators of America’s vital power, water and manufacturing facilities use industrial control systems (ICS) to manage them, and the security of these systems, increasingly linked with Microsoft Windows and the Internet, is now under intense scrutiny because of growing awareness that attacks on them could cause massive disruptions.

Industrial facility operators are making efforts to follow security procedures, such as using vulnerability-assessment scanning tools to check for needed patches in Windows. But ICS environments present special problems, say managers who spoke on the topic at a recent conference organized by the Department of Homeland Security.

“A lot of my ICS systems are running on Windows Server 2003,” said Tracy Waller, a manager in the process and controls engineering division at Savannah River Site, the sprawling Department of Energy facility in Aiken, S.C., where nuclear-weapons-related tasks, such as processing tritium and managing waste, are done. Supervisory control and data acquisition (SCADA) systems “don’t play well with Microsoft patches,” he noted. The problem is that it’s not always clear ICS will work properly after Microsoft patches are applied. Sometimes vendors want customers to buy new ICS gear to keep up with Windows releases.

While ICS and SCADA once seemed safely tucked away in the depths of engineering, they are now subject to security demands from the IT and security departments, and the two groups don’t always get along.

These days, energy and manufacturing facilities are being openly warned by DHS and ICS-CERT, the DHS investigative arm, that they are being targeted by attackers who often try to infiltrate business networks, frequently through spear phishing attacks against employees, in order to also gain information about ICS operations.

DHS is also taking concrete steps to improve ICS through a joint effort that includes Motorola Solutions, DHS and Israel’s National Information Security Authority -- the Israeli government agency tasked with protecting its critical infrastructure. That effort, called the “Secure Controller Joint Project,” has led to Motorola coming up with the security-hardened ACE-3600.
