Hacking into infrastructure systems to prove a point
Vulnerabilities exist as Congress debates cybersecurity legislation.
Senate Majority Leader Harry Reid (D-Nev.) has said he wants to bring a new cybersecurity bill to the floor of the Senate as soon as this week. The bill being debated would make the Department of Homeland Security responsible for evaluating which companies are considered critical to American infrastructure and regulating those companies to make sure their security compliance is up to snuff. But the bill has a lot of critics. Some on the left argue that there are way too many loopholes and that big companies will easily find a way out of doing anything at all. Others on the right think additional measures to rein in business will be too burdensome.
Senator John McCain (R-Ariz.) is one of the opponents of the bill and he says he will craft new legislation to be announced next month. But while politicians bicker, a lot of security professionals get very nervous because they think an attack could come at any moment and be incredibly bad. In particular, SCADA systems are thought to be especially vulnerable. “So, you think about it as a sort of computer code that helps operate equipment and machinery across all kinds of different sectors,” says David Fidler, law professor at Indiana University. “It could be power generation, water treatment, oil and gas, manufacturing. So these systems collect data, make sure the machines are running properly according to their parameters. One of the concerns from a cybersecurity point of view is a lot of what is called critical infrastructure operates with equipment and machinery that's connected to these systems.”
What that means to you and me is the water that comes out of the tap, the power grid, air traffic control, waste management, a bunch of systems that are connected to SCADA controls. And if those controls are attacked, those systems could be altered or disabled entirely. “This is the fear that we have,” Fidler says, “that equipment and machinery attached to these systems and then if those systems are then attached to the Internet, there are vulnerabilities that sort of run the gamut.”
A group of security researchers called Project Basecamp has recently started hacking into these systems to show how vulnerable they are. According to Paul Roberts, editor of Threatpost, the Kaspersky Labs news service, “It's almost like Upton Sinclair's ‘The Jungle.’ This is sort of like walking into the meat packing plant and looking at what's going on and then going out and really telling the world what's going on in these places is really terrible, and in fact it's dangerous.”
Roberts says the computers have a lot of built-in problems, for instance hard-coded passwords that can't be changed by the people actually operating the equipment. Once those passwords are known, they can be distributed online and an enterprising hacker can go online, get the data they need, and then set about hacking in. “It would be a stretch really to call it hacking in many cases,” says Roberts. “They're not what we think of as software vulnerabilities or mistakes that were made, many of them are design decisions by the companies and the companies have known about in many cases for years.”
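The practical problem for an operator is that a fixed vendor credential cannot be rotated, so the only controls left are knowing which devices have one and keeping them off reachable networks. The following is an added example, not code from the article or from Project Basecamp, of a small inventory audit that does exactly that: it takes an asset list, flags every device that relies on an unchangeable credential, and ranks the finding by how exposed the device is. The inventory records, zone names and the OT subnet are all constructed placeholders.

```python
"""Audit an ICS asset inventory for devices that depend on vendor-fixed
credentials and are not isolated from routable networks.

Added example; all device records, zone names and subnets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample inventory (placeholder names and addresses).
INVENTORY: List[Dict] = [
    {"name": "plc-boiler-01", "ip": "10.20.1.5", "cred_changeable": False, "zone": "ot-isolated"},
    {"name": "rtu-pump-07", "ip": "10.20.5.40", "cred_changeable": False, "zone": "internet-facing"},
    {"name": "hmi-ops-02", "ip": "10.20.1.9", "cred_changeable": True, "zone": "ot-isolated"},
    {"name": "plc-intake-03", "ip": "10.30.2.11", "cred_changeable": False, "zone": "corporate"},
]

# Placeholder policy: the address space and zone that are assumed to have
# no route to the corporate LAN or the Internet.
OT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
ISOLATED_ZONES = {"ot-isolated"}


@dataclass
class Finding:
    name: str
    severity: str
    reason: str


def in_ot_address_space(ip: str) -> bool:
    """True when the address falls inside one of the declared OT subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_SUBNETS)


def assess(device: Dict) -> Optional[Finding]:
    """Return a finding for a device whose credential cannot be rotated.

    Severity follows exposure: a fixed credential on an Internet-facing device
    is the worst case; one reachable from a non-isolated zone or living outside
    the OT address space is high; one that is isolated still depends entirely
    on that isolation holding, so it is recorded as medium rather than ignored.
    """
    if device["cred_changeable"]:
        return None
    if device["zone"] == "internet-facing":
        return Finding(device["name"], "critical", "fixed credential on Internet-facing device")
    if device["zone"] not in ISOLATED_ZONES or not in_ot_address_space(device["ip"]):
        return Finding(device["name"], "high", "fixed credential reachable from a non-isolated zone")
    return Finding(device["name"], "medium", "fixed credential; protected by network isolation only")


def audit(inventory: List[Dict]) -> List[Finding]:
    """Assess every device and return findings ordered worst-first."""
    findings = [f for f in (assess(d) for d in inventory) if f is not None]
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.severity.upper():8} {f.name}: {f.reason}")
```

Run as a script it prints the ranked findings; in a real deployment the inventory would come from the asset register and the subnet and zone policy from the network team, and the medium findings are the ones worth revisiting whenever a segmentation change is proposed.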
Some of the Project Basecamp researchers are former employees of the companies that are now being targeted. Roberts says, “They all had found these types of problems and security holes for a long time but they were under nondisclosure agreements so they couldn't talk about it or because there was a culture within the industry of saying don't talk about these things because then you're just giving ammunition to the bad guys. We'll take care of it ourselves internally; it's best to handle these things in a quiet way. And, eventually these folks just got fed up and said no, the problems aren't getting fixed; in fact, they're getting worse and now the stakes are too high.”
Also on today’s program, we hold a three-part tech funeral for technologies that have passed into the spirit realm. Farewell to you, Windows Start Button. Adios, iChat. And goodbye, Kodak digital picture frame.