Blog

Tyler Williams
Special to the Sun

Tuesday, June 05, 2007

The federal government’s plans to roll out a national strategy this summer to protect “critical infrastructure” systems such as oil and gas pipelines, power plants, telecommunications networks, water supplies and banking from attacks either by hackers or terrorists highlight a growing security issue in our country.

While the threat of attack by suicide bombers requires physical transportation to the pipeline or power plant here in Canada (and so may be less imminent), the cyber-security threat to these infrastructure systems is urgent because it can be mounted via the Internet from any country in the world.

Witness the cyber-attack on government and other websites in Estonia within the past few weeks, attacks that were believed to emanate from Russia in retaliation for Estonia taking down a Russian war memorial.

This was believed to be the first cyber-attack on one government by another in history. It won’t be the last.

And the attacks are hitting closer to home, here in North America. For example, the Washington Post has reported in one case: “Hundreds of times a day, hackers try to slip past cyber-security into the computer network of Constellation Energy Group Inc., a Baltimore power company with customers around the country.

” ‘We have no discernable way of knowing who is trying to hit our system,’ said John Collins, chief risk officer for Constellation, which operates Baltimore Gas and Electric. ‘We just know it’s being hit.’ ”

These kinds of attacks are becoming more frequent as Internet-based networks push deeper into organizational IT systems via the internal corporate Ethernet.

As a result, software-based devices known generally as “controllers” — a billion-dollar industry composed of products that switch railroad tracks, pump chlorine into the water supply, switch electrical generators and manage nuclear power plants — are now exposed to the outside world for the first time.

The problem is that controllers were never designed with stresses like cyber-attacks in mind, and so some running multi-billion-dollar installations are more vulnerable than a home computer.

If a hacker mounts a malicious attack, a critical system could be put out of commission for the months it can take to recode software for a new controller setup. Resurrecting critical infrastructure after a successful attack will require more effort than simply punching a few keys and rebooting.

The news last week from Washington was more chilling. There, the U.S. Nuclear Regulatory Commission released a troubling report on the emergency shutdown of the Browns Ferry nuclear reactor in Alabama last August.

It turns out that a water pump breakdown forced the plant operators to “scram” the plant. The post-mortem revealed that the breakdown was caused by a “data storm” that overwhelmed the programmable logic controllers managing the system’s pumps.

Remember the great power failure of August 2003, when 50 million homes went dark after a bug caused cascading power failures across the U.S. Northeast and Eastern Canada?

While it is believed a cyberbug and the MSblast worm were two of a number of factors that caused this blackout, this failure also highlights how increasingly interrelated many industrial systems are becoming in modern society through the impact of the Internet.

What to do? A common refrain in the controller systems community is: Don’t test your system because it will cause critical devices to fail. This is a sad but all too true statement on the reliability of the software design in devices responsible for providing power, drinking water, gas for cars and daily services to millions of people.

The truth of the matter is that most cyber-security incidents on the critical infrastructure to date have not been caused by hackers or terrorists.

Rather, unexpected traffic from a new or failed device on the network causes the failure.

The fragility of devices used to control trains, planes, pipelines, manufacturing plants, the electric grid, the telephone system and so much more is unacceptable in a modern society that is becoming increasingly interconnected.

Tyler Williams is CEO of Wurldtech Security Technologies, a Vancouver company.

© The Vancouver Sun 2007