Legal threats have silenced security warnings at a recent systems-control conference.
Two talks at a recent US conference on cyber security in critical infrastructure were pulled from the agenda after a supplier of nuclear power plant equipment threatened to sue, worried that open discussion of vulnerabilities would reveal too much – even though the presentations had been approved by the power plant in question.
The conference, the 12th ICS Cyber Security Conference, was held at Old Dominion University’s Virginia Modeling Analysis and Simulation Center 22-25 October.
Participants were told that the security firm that uncovered the thousands of pieces of control equipment that are exposed to online attack demurred from telling US authorities where the equipment is installed, since it feared that the equipment’s owners would sue, according to a Reuters report.
Besides legal threats, security findings were muzzled in other ways.
The US government itself has been keeping potential targets of attack in the dark, the alarmed attendees were told.
From the Reuters article:
"In addition, attendees said they were alarmed to learn that because the government has kept a technique it discovered for attacking electricity generation equipment secret for five years, potential targets had not realized they were vulnerable and therefore did not buy hardware needed to protect themselves."
Joe Weiss, one of the conference’s organizers, said that information-sharing is also being bogged down by vendors who withhold cyber-incident information from their customers—even, in at least one case, to the point of withholding information entirely.
In blogging about the conference, he writes about a project that found more than 500,000 internet-facing control system devices, “all the way to device IP addresses.”
The researcher who discovered the exposure informed the US Department of Homeland Security, Weiss wrote, with ICS-CERT recently issuing a notification.
The researcher actually contacted a vulnerable water utility that had vulnerable components remotely accessible to anyone with an Internet connection, but the end user simply didn’t understand the impact and basically ignored the warning, Weiss says.
As Weiss notes, awareness issues are already a problem in the community responsible for infrastructure systems, even before you add censorship/silence-via-intimidation into the mix.
He cites an international survey performed for CIGRE, a large electrical systems industry group, that showed a “lack of cyber understanding” in the control and protective relay community.
That was apparent at the conference, he said, when it came to Aurora: a vulnerability to cyber attacks that could sabotage systems that provide electricity, including the US’s nationwide power grid.
In 2007, an experimental test of Aurora demonstrated how physical damage to a power plant could be triggered by a cyber attack.
Here is a CNN report which includes footage of the Aurora experiment:
As Digital Bond put it, there’s nothing quite like shaking and smoke to get the point across.
But at the conference, Weiss wrote, more than five years after that Aurora test, few attendees quite understood the vulnerability and why it applied to their facilities.
"A question was asked why the electric industry should care about every substation since there are so many substations - losing some should not be cause for concern. The answer is that Aurora effectively makes the substation an attacker. Consequently, any unsecured (for Aurora) substation can be a threat to any commercial or industrial facility with Alternating Current (AC) rotating equipment served by that substation including power plants, refineries, ships, hospitals, data centers, etc. Since so few utilities are addressing Aurora, DOD was questioning if they should take matters in their own hands by installing the mitigation at their facilities effectively protecting themselves from their own utilities!"
The destruction wrought by natural weather events such as Hurricane Sandy are one thing.
The destruction that could be wrought by withholding information, by silence imposed on researchers by vendors’ legal threats, and by an industry wherein a lack of understanding hampers action, that’s another thing entirely.
Happy, scary, infrastructure meltdown-ish Halloween.
Nuclear power plant image from Shutterstock.