Worry: Hackers can take over power plants

next year —has plans to grow to ten teams in 2011.

The teams are armed with a $5,000 kit: a black, suitcase-sized bag crammed with cables, converters, data storage, and high-tech computer forensic tools. With that equipment, they can download the problem malware, analyze it and work with the companies to correct or clean their systems.

So far, said McGurk, the teams have done fifty assessments and have been dispatched thirteen times to investigate and help correct cyber incidents and attacks. Nine of those cases involved some type of deliberate cyber intrusion, while the other four were the unintended result of an operator’s action.

The report’s highlights

The security gaps highlighted in the report include “well-known unsecure coding practices” in the software used by these control networks, and permitting an “excessive” number of portals for access into the networks. “Poor code quality leads to vulnerabilities and bugs in the code that not only make it vulnerable to attack, but also fragile and unstable,” the report said.

Ineffective passwords are also a major problem, the report said. That issue was borne out in the Siemens attacks, because the attack software took advantage of preset passwords that Siemens advised clients not to change. “Passwords are often the weakest link,” the report said.

A lack of sufficient encryption for communications lines used by these computer networks was another security gap the report identified, with the warning that “unfortunately there is no drop-in replacement currently available.”

Databases that archive information about the systems were also vulnerable to penetration, the report found.

Gorman notes that such security gaps have been known inside security circles for years, but it is unusual for a government agency to publicly acknowledge them. “We have so many known vulnerabilities that have not been patched,” said Mischel Kwon, a former senior DHS official and now a vice president at computer security company RSA. “The report offers common sense and best-practice recommendations that have been available for years.”

Critical infrastructure vulnerability and secrecy

Steven Aftergood writes in FAS Secrecy News that the vulnerabilities of critical energy infrastructure installations to potential cyber attack are normally treated as restricted information and are exempt from public disclosure. The May 2010 Department of Energy report was able openly to catalog and describe the typical vulnerabilities of energy infrastructure facilities because it did not reveal the particular locations where they were discovered.

“Although information found in individual… vulnerability assessment reports is protected from disclosure, the security of the nation’s energy infrastructure as a whole can be improved by sharing information on common security problems,” the DOE report (pdf) said. “For this reason, vulnerability information was collected, analyzed, and organized to allow the most prevalent issues to be identified and mitigated by those responsible for individual systems without disclosing the identity of the associated… product.”

The specific vulnerabilities that were found are no big surprise — open ports, unsecure coding practices, and poor patch management. “By describing the issues in some detail, the new report may help to demystify the cyber security problem and to provide a common vocabulary for publicly addressing it,” Aftergood concludes. See “NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses,” Idaho National Laboratory, May 2010.