Sep 27, 2007

SCADA (in)Security’s Going to Cost Us

Posted in categories: cybercrime/malcode, defense, existential risks

When I read about the “Aurora Generator Test” video that has been leaked to the media, I wondered “why leak it now and who benefits.” Like many of you, I question the reasons behind any leak from an “unnamed source” inside the US Federal government to the media. Hopefully we’ll all benefit from this particular leak.

Then I thought back to a conversation I had at a trade show booth I was working in several years ago. I was speaking with a fellow from the power generation industry. He indicated that he was very worried about the security ramifications of a hardware refresh of the SCADA systems that his utility was using to control its power generation equipment. The legacy UNIX-based SCADA systems were going to be replaced by Windows-based systems. He was even more worried that the “air gaps” that historically have been used to physically separate the SCADA control networks from the power company’s regular data networks might be removed to cut costs.

Thankfully, on July 19, 2007 the Federal Energy Regulatory Commission proposed to the North American Electric Reliability Corporation a set of new, and much overdue, cyber security standards that will, once adopted and enforced, do a lot to help make an attacker’s job a lot harder. Thank God, the people who operate the most critically important part of our national infrastructure have noticed the obvious.

Hopefully a little sunlight will help accelerate the process of reducing the attack surface of North America’s power grid.

After all, the march to the Singularity will go a lot slower without a reliable power grid.

Matt McGuirl, CISSP


Comments — comments are now closed.

  1. Shaun says:

    Has anyone given thought that American businessmen working with foreign countries are training them in the ways of hacking into US corporations’ systems in order to gain an edge using their private information? It is being done, has been done, and I believe cyber-security between companies who outsource their employees to land outside the US is non-existent. Take Intel, for example. HP. Koch Brothers, anyone? A few months ago there was a story about foreign hacking, computer screens showing outdated versions of software - XP systems are VERY vulnerable to foreign attacks due to MS updating to versions of Windows that aren’t compatible with the older service packs or system requirements of old computers. They are being taught how to inject SQL attacks into Java, finding the codes for Norton and other programs that have worked hard to impress & improve their product’s outer look, yet sloppily disregarded attention to update the code integrated in order to actually do what it claims it will - save your precious computer from viruses and trojans. I cringe each time I need to use Java, and think Adobe is a landmine of atrocity - it is the hacker’s dream and the typical beginner-user’s nightmare. They are tearing old code apart to find new ways of integrating attacks into new systems. And being taught by various traveling businessmen who are being paid like Wall Street brokers for giving them this opportunity, a backdoor yellow-brick road into each of our homes, into our bank accounts, into our lives - no longer private, nothing sacred in this age of tech-hell. Not an exaggeration, this is a reality. And those who travel to teach corporate secrets in order to benefit themselves or whomever else - are the ones who need to be investigated and put to a stop. #endrant