Being the type of person who is always looking to learn about the world and everything in it, I recently had the opportunity to spend a few days in Houston, Texas, at the Oil & Gas Cyber Security Conference. Boy, was it an eye-opening experience!
I’m pretty sure when you hear the term “Cyber Security” you know that the conversations are going to be about protecting computers and networks against “Cyber Threats” such as malware, which includes computer viruses, worms, Trojan horses, key loggers, spyware and several other security vulnerabilities. This was indeed part of the discussion, but not the key issue, as attacks against computer systems are an everyday occurrence.
Now, so you can understand the depth of the issue, I’m going to have to get a little technical…
Every aspect of our day-to-day lives encompasses some form of automation, whether that’s in “Industrial” processes such as manufacturing, production, power generation, fabrication, and refining, or in “Infrastructure” processes, which may be public or private and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, and large communication systems. Then there are “Facility” processes, which occur in both public and private facilities, including buildings, airports and ships. They monitor and control heating, ventilation, and air conditioning (HVAC) systems, access, and energy consumption.
These systems are all run by PLCs (Programmable Logic Controllers), which are digital computers used for automation of electromechanical processes, such as control of machinery on factory assembly lines, amusement rides, lighting fixtures and so on. These industrial control systems (ICS) utilize SCADA (supervisory control and data acquisition) devices that monitor and control industrial processes that exist in the physical world.
PLC programs are typically written in a special application on a personal computer and then downloaded by a direct-connection cable or over a network to the PLC. It is this special application code that is the biggest security risk to the enterprise.
It seems that almost all PLCs have some bugs in their code at the time of installation that can be exploited, either internally or externally, by inserting malicious code. What I found most disconcerting was that, unlike the makers of the major computer operating systems (Windows, Mac and the like), who regularly send out updates and patches, the manufacturers of these PLCs seem very slow to fix the bugs with patches, even after the bugs have been brought to their attention. Also, there’s no testing of the integrity of the programming by an agency like UL (Underwriters Laboratories), which provides safety-related certification, validation, testing, inspection, auditing, advising and training services to a wide range of clients, including manufacturers, retailers, policymakers, regulators, service companies, and consumers.
Companies have created SOCs (Security Operations Centers) to ride herd over their IT departments and implement the latest and greatest firewalls, antivirus software, and redundant and separate networks to battle the ongoing threats, but they have somehow forgotten to address threats to their physical-world devices, which are all connected via copper cables. Copper cabling is an inherently insecure means of transporting control signals and data, and gaining access to it takes a lot less sophistication than writing malicious computer code.
It has been known since 2008 that it is possible to access these protected networks remotely, through the air, by reading activity via electromagnetic field distortions and inserting code via radio frequencies. Accessing these networks, which don’t have wireless routers and are not connected to the Internet, has been dubbed “jumping the gap.” In fact, in government circles it’s referred to as “Tactical Electromagnetic Cyber Warfare.”
It would seem to me, after examining all the data, that we must immediately take at minimum two steps to protect our nation’s infrastructure on both sides of the firewall: (1) establish a Nationally Recognized Testing Laboratory for computer programming bugs, and (2) immediately require the replacement of copper cabling with fiber optic cabling in all operations concerned with the nation’s safety and our economy.