Infrastructure arenas still weak on defense

Although attacks against computer-based systems that control critical infrastructures, such as oil and gas facilities, have been increasing in the past few years, industry leaders have been slow to implement security measures, cybersecurity experts say.

Eric Byres, who leads the Internet Engineering Lab at the British Columbia Institute of Technology, said there has been a "radical upswing" of external attacks against control systems — also known as supervisory control and data acquisition (SCADA) — since 2001.

In 2001, Byres started the Industrial Security Incident Database, which collects data on international accidents and external threats dating back 20 years, to find out how urgent the risks are, what the myths are, where the vulnerabilities lie, who's behind the attacks and what security initiatives are being implemented.

The database includes 94 incidents through 2004 that have been voluntarily submitted by 15 companies across all industrial sectors. Although only 27 percent of cyber incidents came from external sources before 2001, that figure has jumped to 67 percent, he said.

The change could be due to new worms or viruses, widespread industrial adoption of Ethernet technology and TCP/IP, or just greater awareness of SCADA systems among the public and hackers, Byres said. He added that there are many more routes into the modern SCADA system than before and the problem is only going to get worse.

He said hackers are essentially becoming more malicious, targeting worms for specific applications or victims, and he likened them to organized crime.

"The landscape has changed," Byres said. "We need to start to tailor strategies to incidents as we see them now," not as we saw them the 2001 terrorist attacks.

But Charles Newton, president of Newton-Evans Research, which has been following technology trends in the electric, gas and water utilities for the past 25 years, said many companies aren't doing enough. They are protecting their systems with only three or four basic security measures, he said.

Nine in 10 companies use password protection, while three in four use firewalls and virus protection, Newton said. About 67 percent use virtual private networks, 54 percent use security software and only 7 percent encrypt data.

Newton said a lack of money is preventing many companies from implementing greater security measures. He also said they're waiting for clearer direction from the federal government.

"It's improving over the last two years," he said. "But it's not dynamic yet."

Newton added that few companies surveyed have not joined or are not aware of associations formed to promote information sharing or provide education and training.

For example, in the power sector, there are several groups, including the Electricity Sector Information Sharing and Analysis Center, Electric Power Research Institute, Carnegie Mellon University's CERT Coordination Center, and the Infrastructure Security Partnership.

The various industry associations might mandate some level of participation in such information-sharing associations among their members, he said.

Both Byres and Newton spoke at the InfraGard conference last week.

