Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Mar 26, 2009

Pop Mechanics does infrastructure security

Popular Mechanics gives the US national infrastructure a once-over from the perspective of its resilience to cyberwarfare, asking "How Vulnerable is U.S. Infrastructure to a Major Cyber Attack? Could hackers take down key parts of our infrastructure? Experts say yes. They could use the very computer systems that keep America's infrastructure running to bring down key utilities and industries, from railroads to natural gas pipelines. How worried should we be about hacking, the new weapon of mass disruption?"

It starts with a pop culture doomsday scenario to grab the readers' attention: "The next world war might not start with a bang, but with a blackout. An enemy could send a few lines of code to control computers at key power plants, causing equipment to overheat and melt down, plunging sectors of the U.S. and Canadian grid into darkness. Trains could roll to a stop on their tracks, while airport landing lights wink out and the few traffic lights that remain active blink at random."

Referring to the "hodgepodge" of Industrial Control Systems controlling elements of the critical infrastructure such as power and water supplies, the author at one point claims that "a good rule of thumb is that any device that is computer-controlled and networked is vulnerable to hacking". That's true I guess, for undefined values of 'vulnerable'. But SCADA/ICS devices that are connected to wireless/microwave control links or use phone lines and modems are also vulnerable to hacking: are these 'networked' I wonder?

I would disagree with the author on one point. He says "Infrastructure is meant to last a long time, so upgrades to existing systems tend to occur at a glacial pace." The glacial pace is not because infrastructure is meant to last a long time, but because changing such complex, safety-critical systems in any way (even to implement security patches) creates additional risks that may outweigh the need to make the change. It's a risk management decision, of course, and a delicate one given that leaving the systems open to cyberwarfare attackers does not necessarily lead to cyberwarfare, whereas creating a power cut or safety incident is bound to hit the headlines.

The article covers the usual range of headline incidents and scare stories with a little expert commentary, and as such is fine as a general security awareness piece. There's nothing of much use here, though, for security or general management at critical infrastructure organizations.