Reality Is More Complicated
That scenario has been tested and known about for some time, according to Amit Yoran, CEO of NetWitness and former director of the DHS National Cyber Security Division. The reality is a bit more complicated, however, than the sensationalistic, smoking-equipment video clip reveals, he told eWEEK in a recent conversation. "Utilities and equipment that rely on control systems[i.e.,] computer or electronic equipment attached to mechanical equipmentbroadly in the power sector or in other utilities or other critical infrastructure, thats a very complex system or set of systems, and their interaction is very complicated, not only in the case of power if youre talking about generation, or transmission, or distribution, all these things are very complicated in and of themselves, and when you start intertwining them, it gets very complicated.Thus the systems that control the grid get increasingly interconnected, Yoran said, and the disparate lines that were once more or less stand-alone get put together and deployed in ways that "may be lacking from a security perspective," he said. Still, nobody should assume that one turbine blowing up in the controlled situation of a lab should be taken to mean that all control systems are vulnerable to this type of attack, he said. "Many infrastructures have both electronic as well as physical measures to protect equipment, for public or operator safety. They have spillover valves, auto shut-off valves. Some of those are not electronic; some have mechanical protective measures. I dont think a valid conclusion is because one turbine is destroyed all critical infrastructure is vulnerable to this attack. Its important, its dramatic, its a good indicator of a bad-case scenario, but it shouldnt be interpreted as a pervasive and definitive conclusion for all control systems." At any rate, getting control systems vendors to comply with a rigid set of standards doesnt fit in well with the reality of the world of control systems, Yoran said. Control systems themselves have complex and long deployment cycles. A control system may be an application with a warranty that the control system vendor put together and offered on a particular operating system where the control system was tested and validated. As vulnerabilities are discovered, those who run control systems run into scenarios wherein they well might void their warranty, such as when a security patch is applied. Thus, in some cases, operators are caught between a rock and a hard place, having to choose between improved security versus the desire for a valid warranty and support services. "The control system world is a very complex one. We cant say, Charge forward and by next Tuesday patch everything and well be protected. It takes a lot of detailed study of control systems and interactions with the infrastructure before" the grid overall can be improved vis-à-vis its safety from cyber-attack, he said. Citrix opens security holes in military and federal Web sites. Read more here. The NERC is well aware of the complexity of the situation. Joseph McClelland, director of the Office of Electric Reliability at the FERC, said at the Oct. 17 hearing that overly prescriptive standards run the risk of becoming a "one-size-fits-all" solution that ignores "significant differences in system architecture, technology and risk profile." "A major concern with cyber-security is the prevalence in the industry of legacy equipment which may not be readily adaptable for purposes of cyber-security protection," he said. "If this equipment is left vulnerable, it could be the focal point of efforts to disrupt the grid." Replacing the grids antiquated equipment or retrofitting it to incorporate cyber-security protection could be costly, McClelland said, "but a successful cyber-attack could damage our bulk-power system and economy in ways that cost far more." The Homeland Securitys cyber-security czar Greg Garcia reportedly said on Oct. 17 that his agency will be passing out cyber-security self-assessment guidelines to control systems operators, will offer training to workers in the field, and will be distributing suggestions for mitigations against real-world attacks similar to the one enacted on the Idaho National Lab video.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
"[Add to that] regulatory issues, industry standards and best practices, [and] sometimes seemingly competing requirements between availability and redundancy and what we think of as a standard that says you shalt not set a password on this system because if Joe is at home or hit by a bus and power goes down, we dont want people to have to crack a password to get power."