Critical Questions on Critical Infrastructure

The phrase "digital Pearl Harbour" was first published in 1991, and there are frequent news stories about digital threats to critical infrastructure, yet there have been no catastrophic incidents. Even in the 2008 war in South Ossetia, when Georgia claimed that Russia launched "cyberattacks", the digital casualties were government websites. Bringing down a website might be a propaganda victory, but it does not affect critical infrastructure.

Critical infrastructure covers assets that are essential for the functioning of a society or economy. When considering digital attacks, they can be divided into three groups. Functions like agriculture, health care and emergency services rely on personnel with only incidental digital support, and the personnel can adapt to disruption, minimising the consequences of a cyberattack. A second group, financial services and telecommunications, cannot function without digital support, but a certain level of failures or attacks is normal for them. Banking systems expect constant attacks, and even major, unexpected incidents such as Slammer or Blaster merely cause delay. The third group is the industrial part of the critical infrastructure: electricity, gas and oil production and distribution, and water and sewage treatment. These assets are digitally controlled and appear to be highly attractive targets, yet they are poorly defended and have not suffered a catastrophic attack. There are, however, stories about incidents: last year I came across a claim, "Recently, a student created a virus, which halted the entire electric supply network in North China", in a paper I was editing for the education department, but could find no source.

There is a massive contradiction here: security experts have documented widespread security negligence in SCADA (supervisory control and data acquisition) systems, yet there has been no attack. SCADA engineers generally say that their systems are complex and difficult to understand, and not connected to public networks, but recent malware challenges these assumptions. In July 2010, a worm, Win32/Stuxnet, was found spreading via USB devices. Two features made it enormously interesting. First, it uses a zero-day vulnerability in how Windows handles .lnk files to get executed even if Autorun is turned off. Secondly, and more pertinent to this discussion, it contains and uses the default password for Siemens' WinCC SCADA systems.

The Stuxnet worm is dramatic confirmation of security negligence in the SCADA world: not only has it become widespread and does it contain the default password for Siemens' SCADA systems, but Siemens has advised their customers against changing the default password because doing so could disrupt operations. This flies in the face of good password management: passwords should be changed regularly. If it is infeasible to change the password, you cannot keep the system secure. If you have the same fixed default password on every system sold to every customer, it is no longer secret and therefore no protection. Worse, although Siemens has started distributing a malware scanner to remove Stuxnet, they warn, “As each plant is individually configured, we cannot rule out the possibility that removing the virus may affect your plant in some way”. Removing unauthorised, untested software may prevent the authorised, tested software from behaving correctly!

The purpose of Stuxnet is a mystery: if these targets are so attractive to terrorists, why wasn't the first we heard of it when the lights went out and the water stopped? One theory is that Stuxnet was designed for industrial espionage, collecting information about industrial control systems to assist a rival supplier. This would be reassuring to SCADA engineers, as they could cling to the assumption that their systems are too complex for an outsider to penetrate, but how much knowledge do you need to delete the entire control database? Even if SCADA engineers heed the wake-up call, it will be years before they can rebuild their complex control networks with security in mind. Worrying though SCADA insecurities are, the future might see a device that threatens the power network built into every home. Smart meters have been proposed as a way to provide demand-side control of peaks in electricity demand, reducing the need for new generators and cutting greenhouse emissions. Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, warns that they introduce a strategic vulnerability into the system. What if, instead of shifting the on-time of everyone's fridge away from a peak, an attacker reprograms them to coincide? The overload could take down the grid. While SCADA engineers can claim their systems are obscure, smart meters will be accessible to everyone.

Interconnection and centralised control provide economic benefits in a resource-limited world, but also make the systems more vulnerable to attack. For smart meters, and other new systems, we would be foolish to miss the opportunity to build in security at the design stage. Obvious security features would be strong authentication of centralised commands, and a local override facility. Retrofitting security on existing SCADA systems will be a slow process, but penetration testing from public networks can help identify inadvertent exposure, and disaster recovery plans should be reviewed with the possibility of a SCADA breach in mind.
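As an added illustration of the two design-stage features just named (not code from the article or from any meter vendor), the following constructed Python sketch shows a meter that accepts a load-shifting command only when it carries a valid per-meter HMAC and a fresh sequence number, and that applies a local override, bounding the shift and adding per-meter jitter, so that even a validly signed fleet-wide command cannot make every load switch on at the same instant. The key, field names and limits are assumptions for the example.

```python
import hashlib, hmac, json, random

# Constructed example, not the article's or any vendor's code. A central
# controller signs each load-shifting command with a per-meter HMAC key; the
# meter rejects forged, replayed or mis-addressed commands, and a local override
# bounds the shift and adds jitter so a fleet-wide command cannot force all
# loads to coincide (the overload scenario described above).

SHARED_KEY = b"example-per-meter-key"  # assumption: provisioned per meter at install


def sign_command(key: bytes, cmd: dict) -> dict:
    """Controller side: attach an HMAC-SHA256 over the canonical JSON body."""
    body = json.dumps(cmd, sort_keys=True).encode()
    return {**cmd, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


class SmartMeter:
    MAX_SHIFT_MIN = 120   # local override: never shift a load by more than 2 h
    JITTER_MIN = 30       # local override: spread identical commands over 30 min

    def __init__(self, key: bytes, meter_id: str, seed=None):
        self.key = key
        self.meter_id = meter_id
        self.last_seq = 0                # highest sequence number accepted so far
        self.rng = random.Random(seed)   # per-meter jitter source

    def verify(self, msg: dict) -> bool:
        """Meter side: check the MAC, the addressee and the sequence number."""
        cmd = {k: v for k, v in msg.items() if k != "mac"}
        body = json.dumps(cmd, sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(msg.get("mac", ""), expected):
            return False                 # forged, unsigned or tampered command
        if cmd.get("meter") != self.meter_id:
            return False                 # signed for a different meter
        if cmd.get("seq", 0) <= self.last_seq:
            return False                 # replay or stale command
        self.last_seq = cmd["seq"]
        return True

    def apply_shift(self, msg: dict):
        """Return the start offset (minutes) the meter will use, or None if rejected."""
        if not self.verify(msg):
            return None
        shift = msg["shift_min"]
        if abs(shift) > self.MAX_SHIFT_MIN:
            return None                  # local override: outside safe bounds
        return shift + self.rng.randint(0, self.JITTER_MIN)
```

A fleet of meters each holding its own key and jitter source cannot be driven to a single switch-on instant by any one message, and a replayed or copied command is discarded rather than acted on twice.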
