There are things to be concerned about and things to be downright worried about. This story – which outlines what appears to be woefully lax security at The Tennessee Valley Authority, the largest public power company in the United States – fits firmly in the latter category.
InformationWeek reports that a General Accountability Report released this week found that the TVA was in sorry shape. The authority did not dispute the report, and says that it is already working on 17 of the 19 identified problems.
Cyber criminals or terrorists playing with national infrastructure is not a new idea, but it doesn’t lose its ability to frighten. The story says that last year, the Department of Homeland Security (DHS) leaked a video of what has come to be known as the Aurora Vulnerability that shows how a hacker could mount an attack. Indeed, there has been one confirmed case of a blackout caused by computer hacking, albeit outside the United States.
A recent Inquirer story, which uses the same House hearing mentioned in the InformationWeek piece as a jumping off point, describes the Aurora Vulnerability in more detail – and provides many more reasons to worry. The piece beings by saying that the release of the video, which showed how a generator in Idaho in a test was made to self-destruct, was “an extremely dumb thing to do.” What is perhaps even more frightening is that it doesn’t seem that a whole lot has been done since to obviate the threat.
James Langevin (D.-R.I), the chairman of the Subcommittee on Emerging Threats Cybersecurity and Science and Technology, said that DHS had not provided enough detail on the test, that power companies worked too slowly to fix the issues and that the North American Electric Reliability Corp. (NERC) did not performing its oversight job.
That’s scary enough. But the pièce de résistance was the dismissive attitude of NERC. The information given to the House by the group that supposedly showed progress was found to have been “thrown together a couple of days before the hearing.” Bill Pascrell (D.-N.J.), a member of the subcommittee, asked NERC if it thought House members are “a bunch of jerks.”
There is no shortage of scary angles to the story of cyber threats to national infrastructure. Earlier this month, SecurityProNews reported that security firm Trend Micro found a vulnerability in the Supervisory Control and Data Acquisition (SCADA) systems used by utilities. The story provides some detail on how the vulnerability could work. Core Security, another security firm, said in essence the flaw may or may not be exploitable. The National Vulnerability Database said that the vulnerability was seen as potentially dangerous because it is network-exploitable, not complex and doesn’t require access to the component under attack.
Hopefully, the government will begin taking cyber security more seriously than the reaction to the Aurora Vulnerability and other problems in the past. A representative of a group with a suitably unsettling name – the U.S. Cyber Consequences Unit (US-CC) – said at the recent GovSec, U.S. Law and Ready Conference and Exposition that the nation is increasingly vulnerable to cyber attacks.
Several layers of distinction (between physical and information-based attacks, between local and remote, between personal and public, and between economic and military) are fading. These changes tend to heighten the danger. Lauri Almann, Estonia Permanent Undersecretary of Defense, added that the world is in a state of cyber terror and even cyber war. Last year, Estonia came under cyber attack after it moved a statute honoring World War II Soviet soldiers.
At least some people are paying attention. This release says that the American Water Works Association (AWWA) and DHS released a document entitled “Roadmap to Secure Control Systems in the Water Sector” which outlines the design, installation and maintenance of control systems that can operate through a cyber attack. In the utility security industry, the public pays the most attention to power issues. Water safety, however, is a major issue. The story includes a link to the 48-page report.