SEPTEMBER 16, 2003
SPECIAL REPORT: NETWORK SECURITY

If These Networks Get Hacked, Beware
America's critical transportation, power, and communications systems remain quite vulnerable and lack funds to remedy that.......

When the subway trains of the Bay Area Rapid Transit system rattle through tunnels under San Francisco and over elevated tracks in Oakland, Ray Mok is in control. As BART's principal network engineer, Mok has created one of the most technologically sophisticated public transportation systems on the planet, using the protocols that power the Internet to manage BART's thousands of moving pieces.

Yet Mok's network features plenty of security at key junctures. Critical systems that control the trains sit on a different network that remains physically unconnected from BART's other systems. And he's careful to separate the network that runs BART stations -- including everything from ticket machines to automated gates and escalators -- from the administrative network that powers the PCs of BART employees and that connects to the public Internet. Everything is protected by an extensive web of Internet security software and hardware, including firewalls aimed at fending off hackers and intrusion-detection systems designed to spot cyber break-and-enter artists who make it past the virtual fence.

Sounds like overkill? Not if you're protecting the lives of tens of thousands of riders who each day pass below the frigid waters of San Francisco Bay. Mok believes that cyberattacks on the systems that run critical parts of U.S. infrastructure are inevitable. While BART isn't a big target, he says, we have thousands of people scanning us from the Internet every day. Mok adds that the computer systems of most U.S. transportation networks suffer from too little security. I generally don't feel that people are as concerned as we are, he says.

WORM WARNING. The September 11 terrorist attacks on New York and Washington made cybersecurity a key concern at nuclear power plants, chemical plants, gas pipelines, phone networks, and water systems. This year's Aug. 14 blackout in the Northeast and Midwest dramatized the continued vulnerability of such systems. And on Sept. 3, the U.S. Nuclear Regulatory Commission issued a warning to plant operators to watch out for worm attacks, after the publication Security Focus reported a January, 2003, incident in which a worm called Slammer allegedly disabled critical safety systems at the Davis-Besse Nuclear Power Plant near Toledo, Ohio. (The plant wasn't running at the time).

As America's infrastructure heads toward a future of standardization based on Microsoft (MSFT ) chronically insecure Windows operating systems, it's becoming more imperative than ever to secure the networks that run these facilities. And that isn't simple, even though protecting computer systems isn't a mystery, either. Like BART, critical infrastructure has for years run on two or more separate networks. And the ones that control trains or power plants are based on proprietary protocols that few programmers can use fluently.

They're also usually separated physically from networks that are used for communication, Web surfing, and document sharing. We don't want a single cyberevent to have a broad effect, so we don't mix our administrative traffic with our air-traffic-control networks, says Dan Mehan, the chief information officer of the Federal Aviation Administration.

SAME VULNERABILITIES. Increasingly, however, the software used to control operational networks has migrated to Windows-based PCs that use a graphical interface any teenager can fathom. And many agencies have enabled remote access over the Internet to operational systems. That improves their ease of use, but at a cost, says William Miller, president of Maximum Control Technologies, an integrator of industrial control systems. Now they have the same vulnerabilities as a Web server on the Internet. At some of my customers' sites, I can't separate the real-time control systems from the desktop systems.

That's not a big deal if the most pressing emergency is to shut down an office computer network. But on an electrical grid where a few seconds can mean the difference between massive blackouts and an averted catastrophe, separation is critical. If you have a virus on the business level, it's very unpleasant, but it's nothing compared with having a plant shut down or interrupting a critical production process, says Karsten Newberry, a business manager at Siemens Automation & Energy, a unit of Germany's Siemens (SI ) the world's largest maker of industrial control systems. It's critical that production systems be as protected as possible from viruses.

Microsoft regularly patches holes in its software, it's true. But even that's tricky with critical systems, where unstable patches could bring down networks -- with potentially dangerous consequences. The latest Microsoft operating system is often layered on top of finicky older code that doesn't tolerate change very well. In fact, even doing security scans on legacy software applications (made by any number of companies) can cause the systems to crash, according to Phillipe Courtenot, the CEO of Qualys, which offers remote vulnerability scans of corporate networks via the Internet.

For those reasons, says Miller, many companies that build interface software to manage industrial systems take up to a year to certify that a Microsoft patch won't cause a crash. When security is paramount, that's a long time.

OBSCURITY EQUALS SAFETY? Below the level of the Microsoft-based systems lurks another big problem. Plant-floor systems usually run on homegrown protocols that, for the most part, software and hardware built to guard the Net can't understand. So Internet security tools such as firewalls and intrusion-detection systems are useless for securing that crucial part of the network, says Joseph Weiss, head of the cybersecurity practice at KEMA Consulting Group, a Fairfax (VA.) consultancy that advises energy companies and utilities.

Conventional wisdom holds that these systems and the protocols that run them are so obscure as to be safe from hackers. But Weiss believes it's easier to hack proprietary industrial computer systems than most industry insiders will admit, thanks to Web-based translation software that can convert the proprietary protocols into other computing languages.

Weiss also claims that it remains next to impossible to detect a hacker who makes it inside these systems. We have no tools to find them, he says. We don't even know what to look for. When a guy hacked into a sewage plant in Australia during 2001 and caused it to dump sewage, he did it 20 times before they figured out they had been hacked.

FOOLISH TRADE-OFF? Weiss thinks systems to protect these specialized networks remain a long way off -- even though companies that build critical infrastructure controls say they're working hard to include software security wherever they can. For now, that's mainly at the operation-center level, which runs on Microsoft (or sometimes Linux) systems. We've been very conscious about security in our products, says Roy Kok, a director of product marketing for a division of General Electric (GE ) that sells industrial controls. For instance, we went into the core of all our products and added electronic signature and auditing capabilities.

Such suppliers also note, however, that if their customers don't use their products properly, even the best security can be breached. That sounds obvious, but Weiss says he's often shocked at how little thought factories, power plants, and energy companies have put into securing their networks. Though it's a point that could be interpreted as self-serving, Kok also argues that pressure to cut technology expenses throughout the deregulated utility industry has induced some electricity generators to accept smaller margins of error on security in order to achieve greater efficiencies.

Funding remains in short supply all over, by many accounts. The Bush Administration has allocated nearly $1 billion in fiscal 2004 for protection of critical infrastructure, including cybersecurity. But little of that will go to the agencies and companies that are on the front lines of the battle. While the FAA's Mehan says his budget for cybersecurity has more than doubled since 1999, he says he needs more funding for research and development.

HARDLY PRAGMATIC. BART's Mok says he has yet to see a dime of federal money, a claim echoed by other operators of critical infrastructure facilities. With a monstrous federal deficit looming and the war against terrorism being refocused for the moment as part of the massively expensive campaign in Iraq, the job of securing the digital backbone of America's critical infrastructure may get even less federal support in the coming years.

That may look like a pragmatic decision now. But it could look penny-wise, pound foolish -- and nearly impossible to justify -- should someone figure out how to breach the computer networks that help provide America with transportation, power, electricity, and water.


--------------------------------------------------------------------------------

By Alex Salkever, Technology editor for BusinessWeek Online


BW
Copyright 2000-2003, by The McGraw-Hill Companies Inc. All rights reserved.