MIAMI -- A researcher who writes exploits for control systems that run power plants, gas refineries and other critical infrastructure said there is plenty of evidence that hackers have already infiltrated the networks of those facilities, but so far their activity is observational.
Jason Larson, a security researcher at the Idaho National Laboratory, said once inside the network of critical infrastructure, hackers appear to be focusing on monitoring how the processes within the facilities work.
"If you are going to wait for the explosions you're going to be waiting for a long time," Larson said. "They don't seem terribly interested in wrecking the place -- at least not yet."
Larson spoke to hundreds of security response team members at the Forum of Incident Response and Security Teams (FIRST) Conference 2010. An increase in wireless field equipment, meaning embedded devices and the high-speed communication links they connect to, is making control systems more vulnerable, he said. Much more research needs to be done to improve the security of those embedded devices and to produce standards so security experts can access firmware in the event of a breach, he said.
Larson, who does much of his work for the Department of Energy, helps find ways into supervisory control and data acquisition (SCADA) systems and develop methods to block the holes he finds before an attacker can take advantage of them. The major industries, from gas and oil refineries to chemical factories and power generation plants, understand that more needs to be done to protect their systems, Larson said. Regulations, however, are only forcing companies to focus on compliance and not leaving the budget necessary to invest in developing more robust security protections, Larson said.
The scale of the problem was underscored in a recent survey of 600 IT executives at critical infrastructure facilities. The survey, funded by McAfee Inc. and conducted by the Center for Strategic and International Studies (CSIS), found SCADA systems in some cases connected directly to the Internet. The IT executives indicated that their facilities are constantly being attacked by a variety of methods, by individuals and criminal gangs with various interests.
"We have direct evidence of attackers interacting with field equipment on the native protocols," Larson said. "They're in there now and starting to control things."
So far it is difficult and takes sophisticated methods to move from embedded devices into the heart of a control network, Larson said. For example, thousands of wireless "smart" meters are being deployed to consumers by power companies to better monitor homeowner power usage and more efficiently adjust the nation's power supply. So far no one has been able to hack from a meter into a control network, Larson said.
"It's funky enough in the middle that no attackers have been able to do this, even in a laboratory environment," he said.
Some researchers are focusing their attention on the security of the meter devices. Security researcher Travis Goodspeed discovered an encryption algorithm problem in wireless radio chipsets in some smart meters.
Rather than a doomsday scenario, where attackers shut down the nation's power grid, officials need to focus on more likely scenarios. For example, it has already been documented outside the United States that criminals have offered firmware update services to homeowners, manipulating the software that runs the meter, resulting in a significant price break, Larson said.
"Destroying processes completely is not really profitable," he said. "It's more profitable to monitor and wait for the perfect opportunity."
Larson said he thinks the early smart meters being deployed by power companies will be replaced in the near future, enabling the development of standards for the firmware operating on those devices.