Increasingly, the industrial control systems used to operate such facilities as water and electric plants are being connected to the internet, says Phyllis Schneck, vice president and CTO of global public sector for McAfee. While bringing these systems online allows for operational efficiencies, such as remote monitoring, it also introduces significant vulnerabilities into systems never designed to sustain such risks.
Experts for years have warned that critical infrastructure is vulnerable, but the threat became more than just conjecture when an FBI official, speaking at a conference in London in November, admitted that SCADA systems in three U.S. cities were compromised.
“This will happen again and again,” Schneck said.
Too, a recent anomalous incident at a facility in Illinois also put into question the accuracy and timeliness of threat information disseminated by the Department of Homeland Security (DHS), said Joe Weiss, managing partner of SCADA security firm Applied Control Solutions. He criticized the DHS, US-CERT and WaterISAC (Information Sharing and Analysis Center), for failing to disclose the incident as a possible cyber attack to those in
the sector.
“All the DHS has said is that there is no evidence that a hack occurred, but there's also no evidence that a hack didn't occur,” Weiss said.
Investigators wouldn't be able to rule out a cyber attack because forensic and logging capabilities are not present for critical infrastructure control systems like they are in the IT world, he added.
Despite the issues, shortfalls can be overcome, Schneck said. The manufacturers of control system components are starting to implement more safeguards and are creating products that are less susceptible to attacks. As parts need replacing, plants now have the opportunity to use safer products. Critical infrastructure companies should bolster security investments and conduct risk assessments before bringing control systems online, she said.
But, getting buy-in for security will remain a challenge, she predicted. “The pessimistic side of me frowns when I realize that it takes something bad to happen to build security into systems,” she said. “It's difficult to convince the people who hold the financial strings that this is an issue.”
160,000
Approximate number of public drinking water utilities in the U.S.
Source: DHS