Published: 01 Sep 2007
The Estonia attacks demonstrate that it takes only a few individuals to expose vulnerable civil infrastructure systems to harm.
As the sixth anniversary of the Sept. 11 attacks draws near and airports are on high alert for possible "dry runs" from terrorists, the likelihood of cyberterrorism has yet again surfaced for discussion in information security circles.
Some have scoffed at the assertion that cyberterrorism is a real threat today. But with the power of botnets, SCADA systems becoming less proprietary and the recent attacks on Estonia, have we reached an inflection point where we need to take this more seriously? Could we actually be engaged in an Internet war soon? Are some nation states hostile actors with the capability of conducting cyberterrorism? And how does the private sector also arm itself against such attacks?
In this month's Perspectives column (see "The Lesson of Estonia"), Dorothy Denning, information security pioneer, researcher and professor of defense analysis at the Naval Postgraduate School, argues that the attacks on Estonia this spring were probably not the workings of the Russian government, but finds the attacks very troubling nonetheless. The sheer power of today's botnets brought down the Estonian infrastructure for weeks and proved that a few individuals can indeed cause considerable damage at a national level. Denning asserts we need to take cyber defense very seriously, even if it appears over-hyped today.
What's more, supervisory control and data acquisition (SCADA) systems that run some of the most critical infrastructure in the U.S., such as power utilities, water treatment plants, chemical plants and mass-transit systems, are vulnerable and subject to attack. Traditionally these control systems were not connected to the Internet, but today, business and control systems are connecting to insecure networks. Furthermore, control systems are adopting standardized technology with known vulnerabilities, access is being granted to more users, and the demand for real-time control has increased system complexity.
While nearly 1,700 of the 3,200 power utilities have some sort of SCADA system in place, almost one quarter of those companies did not have a firewall separating the control network from the corporate network, according to a 2005 survey conducted by utilities and energy market researcher Newton-Evans. Fewer than half of those with such networks keep detailed access and network-data logs.
Because of the importance of security in such systems and the inherent risk, Idaho National Labs' Michael Assante, William Pelgrin from the New York State Office of Cyber Security and Critical Infrastructure, and Alan Paller, director of research for the SANS Institute, have brought together the public and private sector to create effective procurement language that could be inserted into a supplier's contract as one way to ensure that security is integrated into the process. The project started in March 2006, and last month version 1.6 of the Cyber Security Procurement Language for Control Systems was posted on the msisac.org Web site. The 71-page document offers very specific contract language for perimeter protection, passwords and authentication, coding, malware detection and more.
But preventative measures are useless if they aren't moved beyond print. Our failure to implement defensive physical security measures gave terrorists an opening six years ago. Failure to implement defensive cyber security measures will give terrorists the opportunity again.