Cyberexperts now are calling the years since 9/11 a “lost decade” in which little was done to protect the vulnerable computer-controlled machines that operate critical US infrastructure – like the power grid and transportation and financial sectors – against malicious software, hackers, and nation-states.
It’s now become a serious game of catch-up. Threats to the vital digital networks that run substations and transmission lines, chemical plant processes, and air traffic control are growing dramatically, leaving the United States at greater risk than at any time since 9/11, these industrial control system experts say.
Yet the vulnerabilities in these industrial cybersystems have never been more widely acknowledged or as well understood in their intricacy, say top critical infrastructure cybersecurity experts, who met in Miami this week. Despite some gains, however, a surprising number of control systems for critical infrastructure are still visible on the Internet and exposed to hackers, lacking even rudimentary digital security.
“What’s amazing is that, 13 years after 9/11, there’s been almost no progress on the devices and equipment that send commands or do the monitoring on these networks,” says Dale Peterson, founder of Digital Bond and organizer of the S4 conference.
While there's been some limited progress in shoring up security on servers and workstations that store information for these industrial networks, the same can't be said of the huge mass of industrial computerized controllers, switches, valves, instruments, and older “legacy” gear that were created “insecure by design,” he adds. "They’re terribly insecure at a time when threats against them are increasing rapidly."
Other top experts point to the rapid development of cyberweapons by more than 30 nation-states, as well as a profusion of new software exploits that make it far easier for nonexperts to hack control systems.
For example, Jason Larsen, a researcher at Idaho National Laboratory in Idaho Falls, Idaho, demonstrated a futuristic technique in which attackers could take over control of vital sensors in a power plant without being detected.
Such demonstrations show that the development of “offensive capabilities” is moving ahead rapidly, says Ralph Langner, the German industrial control system expert who was first to identify Stuxnet as a cyberweapon targeting Iran’s nuclear fuel facilities in 2010. "But we don't see nearly as much investment in defensive systems."
“The idea of a lost decade is not fiction. It’s a fact,” he adds. "The worst thing is that this lost decade is expanding."
Researchers at the Miami meeting also revealed new means that hackers would probably use in the future to try to wrest control from legitimate operators. Major vulnerabilities continue to be found in areas ranging from critical communications protocols used by the industrial control systems that monitor and regulate digital switches across the power grid to the valves and motors across the water purification sector.
Chris Sistrunk, a cybersecurity expert with Entergy, the big New Orleans-based electric utility, teamed up with Adam Crain, an industrial control system security expert at the company Automatak, to explain how specialized detection “fuzzer” software that they had created enabled them to spot previously invisible vulnerabilities in a key communications protocol. That protocol, called DNP3, is widely used by utilities to manage the power grid and water sectors in the US and Australia.
Rather than being robust, as previously thought, DNP3 was shown to be rife with vulnerabilities. Any one of those weaknesses could be used by an attacker to gain control of a utility’s master controller, which might oversee hundreds or thousands of devices, and wreak havoc across a utility’s industrial network and the section of the grid it controlled, the researchers said.
But the utility industry and control-system and equipment vendors are at least starting to take such vulnerabilities seriously, Mr. Sistrunk says. In fact, the majority of industrial control system companies, when confronted with evidence that the protocol being used in their systems was like Swiss cheese, moved swiftly to patch the vulnerabilities – an unusual level of responsiveness from an industry that has sometimes stonily resisted fixing its products, he and other experts say.
“A lot of similar things were done as far back as 10 years ago, but there was no traction within the industry,” Sistrunk says. “But we are starting to see, just now in the last few years since Stuxnet – some companies have started to decide, hey, we need to make changes.”
Other glimmers of a shift can also be seen in the increasing number of large control system vendors creating equipment that, for the first time, has serious security features.
Moreover, several big industrial control system manufacturers like Siemens and General Electric have created cyber-emergency response teams to fix vulnerabilities.
“We’re serious about developing products that have good cybersecurity in them,” says an official with a company that makes digital controllers, who asked to remain anonymous because he was not permitted to speak to the press. “We’re seeing demand for these devices increase.”
But one researcher, who also asked for anonymity for the same reason, says that careful analysis of the software code produced by industrial control system vendors shows any perceived gains so far to be tenuous.
“You would think that the vendor equipment would keep getting better after doing several rounds of testing, but the new software code inside them isn’t significantly better than the old code in terms of vulnerabilities,” the researcher says. “The bug rate has fallen, but quite a number of the vendors are producing bad code like it was 10 years ago.”
For these and other reasons, Mr. Peterson, Mr. Langner and other thought leaders in the industry are leery of touting the recent evidence of progress. While he rails against government inaction on mandating that companies secure their critical infrastructure, Langner concedes that Obama administration directives have had some limited positive impact, even though he considers them to be far too weak – for example, a presidential directive to have the National Institute of Standards and Technology define critical infrastructures standards that could be followed voluntarily by industry.
“There’s been some movement, but it’s small compared to the offensive capabilities now being developed,” he says.
Government-mandated standards developed in recent years by the North American Electric Reliability Corp., an electric utility industry watchdog, have also convinced utilities that they must make some progress in cybersecurity, if reluctantly because of the added cost.
Yet the Department of Homeland Security has yet to require that older insecure-by-design systems must be replaced in a time frame of a few years, Peterson says. Instead, government, as well as cybersecurity industry expert “apologists,” continue to predict that it will take “decades to make the transition.”
“You read the articles from industry organizations talking about it,” he says. “Obama talks about how important it is. Yet no one says we actually have to fix these things.”
"It’s either critical infrastructure or it’s not. You can’t have it both ways.”