Infrastructure arenas still weak on defense

Although attacks against computer-based systems that control critical infrastructures, such as oil and gas facilities, have been increasing in the past few years, industry leaders have been slow to implement security measures, cybersecurity experts say.

Eric Byres, who leads the Internet Engineering Lab at the British Columbia Institute of Technology, said there has been a "radical upswing" of external attacks against control systems — also known as supervisory control and data acquisition (SCADA) — since 2001.

In 2001, Byres started the Industrial Security Incident Database, which collects data on international accidents and external threats dating back 20 years, to find out how urgent the risks are, what the myths are, where the vulnerabilities lie, who's behind the attacks and what security initiatives are being implemented.

The database includes 94 incidents through 2004 that have been voluntarily submitted by 15 companies across all industrial sectors. Although only 27 percent of cyber incidents came from external sources before 2001, that figure has jumped to 67 percent, he said.

The change could be due to new worms or viruses, widespread industrial adoption of Ethernet technology and TCP/IP, or just greater awareness of SCADA systems among the public and hackers, Byres said. He added that there are many more routes into the modern SCADA system than before and the problem is only going to get worse.

He said hackers are essentially becoming more malicious, targeting worms for specific applications or victims, and he likened them to organized crime.

"The landscape has changed," Byres said. "We need to start to tailor strategies to incidents as we see them now," not as we saw them the 2001 terrorist attacks.

But Charles Newton, president of Newton-Evans Research, which has been following technology trends in the electric, gas and water utilities for the past 25 years, said many companies aren't doing enough. They are protecting their systems with only three or four basic security measures, he said.

Nine in 10 companies use password protection, while three in four use firewalls and virus protection, Newton said. About 67 percent use virtual private networks, 54 percent use security software and only 7 percent encrypt data.

Newton said a lack of money is preventing many companies from implementing greater security measures. He also said they're waiting for clearer direction from the federal government.

"It's improving over the last two years," he said. "But it's not dynamic yet."

Newton added that few companies surveyed have not joined or are not aware of associations formed to promote information sharing or provide education and training.

For example, in the power sector, there are several groups, including the Electricity Sector Information Sharing and Analysis Center, Electric Power Research Institute, Carnegie Mellon University's CERT Coordination Center, and the Infrastructure Security Partnership.

The various industry associations might mandate some level of participation in such information-sharing associations among their members, he said.

Both Byres and Newton spoke at the InfraGard conference last week.