Infrastructure paralysed at the click of a mouse?

There is increasing global nervousness about the phenomenal rise of malicious ‘botnets’. Created over the Internet, these sinister robot networks are groups of computers running malicious software applications, controlled and manipulated only by the owner or the software source, and presenting a security threat to the owners of computers linked across the network.

Only last month, Computerworld UK reported that the US based Finjan’s Malicious Code Research Centre had uncovered one of the largest botnets to date. It had ‘infected’ 1.9 million computers around the world, including corporate and government machines, and is suspected to be the work of just six criminals based in the Ukraine.

Supervisory Control and Data Acquisition (SCADA) systems are now commonly used by the utilities to control and monitor widely distributed communications, power and water supply networks. With the emphasis on ‘openness’ and increasing Ethernet based connectivity between SCADA and corporate networks, the Internet now poses a threat to what was once considered a relatively closed and safe industrial control environment.

Speaking at a seminar at last week’s Infosecurity Europe exhibition in London, Norman Data Defense UK’s David Robinson* issued a warning to all national infrastructure suppliers to sit up and take notice of the increasing number of threats to national infrastructure controls running on TCP/IP based networks. Most of the national infrastructure is controlled and operated by legacy process and control systems, which are now open to attack.

“We take it for granted that when we flick a switch the light comes on, when we run a tap we will have safe, clean drinking water and when we go to catch a train it will arrive on time,” he told his packed seminar audience. “But we often forget that these services and the processes and controls behind them are increasingly running on standardised architecture with TCP/IP based networks. Sadly, due to the nature of these systems, they often run with minimal security in place leaving them open to attack.”

Over the last ten years or so there has been a convergence of IT and control systems, with the adoption of common hardware, operating systems and communication technologies in the process and control layers. Legacy process and control systems are frequently merged with other systems to deliver increased information flow, with entire organisations operating them. Once isolated, process and control systems can now be accessed externally from many different points of entry.

One major threat to security is the ubiquitous mobile device. Portable memory devices, laptops and PDAs are moved to and from the process and control system environment, with legacy systems still operating on some technologies despite known vulnerabilities; and these systems have little or no security implemented. A further risk is that traditional IT security methods are not used because system incompatibilities create a gaping hole in the defences that hold the national infrastructure together.

Last summer, UK government security minister Lord West of Spithead warned that computer networks controlling electricity supplies, telecommunications and banking are being attacked thousands of times a day in a new “cyberwar” against Britain waged by criminals and terrorists. In a report posted on the Times Online website, Lord West said that If you take the whole gamut of threats, from state-sponsored organisations to industrial espionage, private individuals and malcontents, you’re talking about a “remarkable number of attempted attacks” on our system.

So, what can be done about it? Norman Data Defense (www.norman.com) has developed a seven point plan, which it believes goes a long way to reducing the threat to the national infrastructure:

+ Existing IT security guidelines within national infrastructure organisations should be enhanced to include process and control systems security.

+ Modifications to existing IT security guidelines should be made to accommodate specific process and control systems requirements.

+ IT and control system departments need to work together.

+ Vulnerability assessments should be commissioned on all process and control systems used within the national infrastructure.

+ New and legacy systems should be security hardened to prevent, wherever possible, both untargeted and targeted attacks.

+ System security hardening should commence immediately and not wait for major system upgrades.

+ Both physical and IT security need to be considered together.

*See David’s article, which was published in PSB’s November 2007 edition: by clicking here


Les Hunt
Editor

Contact Details and Archive...

• Panel and System Building

Related Articles...

• CC-Link opens gateway to China for device suppliers
• All-in-one repeater and cable entry system
• Compact fieldbus I/O station for machine control applications
• Industrial gateways reduce network costs
• Sub-miniature AS-i modules

Most Viewed Articles...

• UK entrepreneurship: strong on start-up; weak on aspiration
• GSM communication with six inputs and four relay outputs
• Latching system stems HVAC enclosure leaks
• Visit Danfoss at the Drives & Controls exhibition 2012
• Time: just how accurate do we need to be?

Print this page | E-mail this page

E-mail this page

Your name :
Recipient name :
Recipient e-mail :
Enter the code shown :