Last summer's massive blackout in the Northeast demonstrated the vulnerability of our nation's most critical networks. It also set in motion an inquiry that today brings together legislators and IT experts to discuss how to better secure these networks from further disaster.
Supervisory Control and Data Acquisition (SCADA) systems, associated with power plants and other mission-critical networks, especially need stronger protection.
"Historically, there is a false sense of security related to SCADA systems. Some administrators have been comforted by the thought that these systems are specialized and often deployed in a 'closed' network utilizing proprietary protocols," explains Andre Yee, president and CEO of network security vendor NFR Security.
"This 'security by secrecy' approach is erroneous, but until the blackout of August 2003, no one felt the pain caused by a widespread power failure and the related potential national security threat."
Members of a House subcommittee on technology will hear from two panels today. The first includes officials from the General Accounting Office, Department of Homeland Security and a Computerworld senior writer. Another panel includes consultants and an information security director for American Electric Power. All will give their opinions on whether the current state of telecommunications and SCADA makes these networks "secure links or open portals to the security of our nation's critical infrastructure."
One problem with securing SCADA is the unique nature of the systems. Most operate in real time and can't afford to be offline for lengthy upgrades or security installations, for fear of a degradation of performance.
Another problem, Yee notes, is with newer SCADA systems incorporating more Web accessibility, which poses myriad problems when using the Internet, a public conduit susceptible to attack. They also leverage Unix and Windows systems, which puts networks at risk, particularly given the number of vulnerabilities that can be exploited.
"Many SCADA systems are built without any inherent security measures that we consider standard in mainstream computing systems," he says. "For instance, there is typically no encryption of commands and data flowing between SCADA systems. Control commands flow as open text across the network. There is also typically little to no authentication between SCADA devices."
Yee advocates moving SCADA systems closer to corporate environments and applying stronger security policies. Administrators need to conduct regular vulnerability assessments and use intrusion detection and intrusion prevention solutions to monitor traffic.