SAN FRANCISCO—Information sharing—or the lack of sharing—has become a prominent point of contention between private corporations and government agencies. The issue is even more of a problem for critical infrastructure providers, control-system experts said at the RSA Conference.
While there are hubs of activity around security in critical infrastructure, companies tend not to share vulnerability and attack information with each other, a panel of industry and academic experts told attendees. Best practice information on device and network configuration is largely kept in-house, despite the benefits of sharing, said Doug Powell, manager for security, privacy and safety at electric-power generation firm BC Hydro.
“We’ve had to build our own test environment and test our technology—hack it to find vulnerabilities—before we deployed it,” Powell said. “But we, as an industry, don’t have a good sharing environment, so what we learn—and what others learn—is not necessarily passed along.”
Unlike the United States, information sharing between the Canadian government and critical infrastructure firms does occur because it does not have to surmount the hurdle of data classification. While the United States is working on getting more companies cleared for classified information, the Canadian utilities already have clearance, Powell said.
For the past half decade, security researchers have focused on breaking industrial-control systems–such as those that use supervisory control and data acquisition (SCADA) protocols–and finding vulnerabilities. Only recently, with the attack by Stuxnet and the identification of vulnerable networks connected to the Internet, have critical infrastructure owners really focused on the problem, panelists said.
Until recently, for example, electric providers worried about securing their operational technology (OT)—the generation and transmission capabilities—rather than their information technology, Powell said. But in the last two years, the concerns have become completely focused on the information technology that monitors and controls such equipment, Powell said.
While government and critical infrastructure companies used to be able to identify and control the threats to the physical equipment, that is no longer the case. The worry is that “you can manipulate OT to destroy a dam and you can do it halfway around the world,” he said.
The danger to SCADA and other operational networks will likely get worse, said Jose Fernandez, assistant professor in the Department of Computer and Software Engineering for Ecole Polytechnique de Montreal. Only a certain few actors would want to hack into power networks and harm critical infrastructure, but with consumer power being monitored and controlled through the smart grid, criminal hackers will likely become more interested in finding ways of breaking into the network and stealing money.
“What I’m worried about is, that with these smart grids, there will be an incentive to hack the network,” Fernandez said. “Money makes the world go round–not nuclear weapons (and other forms of massive destruction) but money.”
While improving the security of operational devices is important, control systems are updated and modernized very slowly, said Marcelo Branquinho, director of TI Safe’s Security Automation Training.
“What they are working on now are the next generation of devices, but many companies are planning to use their devices for the next 20 years,” Branquinho said.
In that environment, critical infrastructure providers need to work together to find the best ways to secure their insecure, legacy systems, he said.