Infrastructure arenas still weak on defense

Although attacks against computer-based systems that control critical infrastructures, such as oil and gas facilities, have been increasing in the past few years, industry leaders have been slow to implement security measures, cybersecurity experts say.

Eric Byres, who leads the Internet Engineering Lab at the British Columbia Institute of Technology, said there has been a "radical upswing" of external attacks against control systems — also known as supervisory control and data acquisition (SCADA) — since 2001.

In 2001, Byres started the Industrial Security Incident Database, which collects data on international accidents and external threats dating back 20 years, to find out how urgent the risks are, what the myths are, where the vulnerabilities lie, who's behind the attacks and what security initiatives are being implemented.

The database includes 94 incidents through 2004 that have been voluntarily submitted by 15 companies across all industrial sectors. Although only 27 percent of cyber incidents came from external sources before 2001, that figure has jumped to 67 percent, he said.

The change could be due to new worms or viruses, widespread industrial adoption of Ethernet technology and TCP/IP, or just greater awareness of SCADA systems among the public and hackers, Byres said. He added that there are many more routes into the modern SCADA system than before and the problem is only going to get worse.

He said hackers are essentially becoming more malicious, targeting worms for specific applications or victims, and he likened them to organized crime.

"The landscape has changed," Byres said. "We need to start to tailor strategies to incidents as we see them now," not as we saw them the 2001 terrorist attacks.

But Charles Newton, president of Newton-Evans Research, which has been following technology trends in the electric, gas and water utilities for the past 25 years, said many companies aren't doing enough. They are protecting their systems with only three or four basic security measures, he said.

Nine in 10 companies use password protection, while three in four use firewalls and virus protection, Newton said. About 67 percent use virtual private networks, 54 percent use security software and only 7 percent encrypt data.

Newton said a lack of money is preventing many companies from implementing greater security measures. He also said they're waiting for clearer direction from the federal government.

"It's improving over the last two years," he said. "But it's not dynamic yet."

Newton added that few companies surveyed have not joined or are not aware of associations formed to promote information sharing or provide education and training.

For example, in the power sector, there are several groups, including the Electricity Sector Information Sharing and Analysis Center, Electric Power Research Institute, Carnegie Mellon University's CERT Coordination Center, and the Infrastructure Security Partnership.

The various industry associations might mandate some level of participation in such information-sharing associations among their members, he said.

Both Byres and Newton spoke at the InfraGard conference last week.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Shutterstock image (by wk1003mike): cloud system fracture.

    Does the IRS have a cloud strategy?

    Congress and watchdog agencies have dinged the IRS for lacking an enterprise cloud strategy seven years after it became the official policy of the U.S. government.

  • Shutterstock image: illuminated connections between devices.

    Who won what in EIS

    The General Services Administration posted detailed data on how the $50 billion Enterprise Infrastructure Solutions contract might be divvied up.

  • Wikimedia Image: U.S. Cyber Command logo.

    Trump elevates CyberCom to combatant command status

    The White House announced a long-planned move to elevate Cyber Command to the status of a full combatant command.

  • Photo credit: John Roman Images / Shutterstock.com

    Verizon plans FirstNet rival

    Verizon says it will carve a dedicated network out of its extensive national 4G LTE network for first responders, in competition with FirstNet.

  • AI concept art

    Can AI tools replace feds?

    The Heritage Foundation is recommending that hundreds of thousands of federal jobs be replaced by automation as part of a larger government reorganization strategy.

  • DOD Common Access Cards

    DOD pushes toward CAC replacement

    Defense officials hope the Common Access Card's days are numbered as they continue to test new identity management solutions.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group