Difference between revisions of "The issue of critical systems coming online"

From ScenarioThinking
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
-Zoran Milkovski
-Zoran Milkovski
==Description:==
==Description:==
The issue of should we or should we not have systems such as electrical power grids, nuclear power plants, water distribution systems and even military systems such as the notorious SCADA systems online, is being present for a long time. The U.S power grid for example, is worth billions of dollars of electrical lines, switching stations and generators. That alone makes it a target for even teenage hackers, and we’re not even mentioning the terrorist, enemy governmental organizations and alike. If this sort of a system is online, than its an attractive target. Just as in conventional military strategy, natural resources refining and distribution facilities such as electrical power, water system, oil and gas and nuclear reactors are considered as legitimate military targets during wartime and therefore, are under direct defense from the military. This however, is only partially true in the cyberspace. Although an cyber attack on this systems will probably have a severe consequences in the real world, its network traffic maintenance and supervision is rarely done by the government or military, and yet they are still high priority target to attackers regardless of motivation.
Granted, cyber war that will aim to bring such system offline would probably used only in case of a preceding of real physical attack. Nevertheless, even though such cyber attack will be anticipated, depending on a time frame, which is usually short in case of war, one cannot be 100% certain that these systems that are of benefit for both various defense mechanisms as well as general public will be bulletproof. It is more likely for one to predict that a cyber attack would target those systems in order to bring them offline and probably strategically disrupt the functionality of the country.


==Enablers:==
==Enablers:==


<ol>
<ol>
<li>Technological advancement in remote access for distribution and monitoring of resources</li>
<li>Technological advancement in remote access for distribution and monitoring of resources<br>
<li>Cost efficiency in online systems</li>
The control and monitor of such critical systems was done using the Supervisory Control and Data Acquisition (SCADA) systems that operated in vacuum and used language that only experts understood, and for then, both power companies and government believed that they were safe. However, new developments in technology (and internet) have made these systems vulnerable. When business computers were hooked up on the internet and the SCADA system on the other end, the risk came of being hacked. Of course many argue that this will be part of multiple layers of network and complex programming that an individual could not understand. But when talking about unrestricted cyber attack, we have to account for previous spy data gathered on these systems and whole organizations and militaries mandated by the government, employing the most educated minds of their countries, and that might change the odds.</li>
 
<li>Cost efficiency in online systems<br>
In addition to this page, there are 4 case studies given below which explain throughly this motivation for bringing systems online.
</li>
</ol>
</ol>
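Review bot: The text added under "Cost efficiency in online systems" never states the cost argument itself; it only points to "4 case studies given below", so this enabler is left unexplained on the page. A one-sentence summary of why operating these systems online is cheaper would let the item stand on its own. In the same added line, "throughly" should read "thoroughly".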


Line 12: Line 19:


<ol>
<ol>
<li>VPN, Intranet solutions</li>
<li>VPN, Intranet solutions<br>
<li>Isolation of critical systems</li>
Virtual private networks and local or wan intranets developed in the future may give provide the opportunity of having the ability to remotely access systems on different physical locations without direct access to the internet.</li>
<li>Exploit – Patch ratio equality</li>
<li>Isolation of critical systems<br>
<li>Advanced designs to withstand serious damage</li>
Live everything else, the most critical systems can be isolated and or limit and distribute the overall critical controls on various different computers which don't have direct access to the internet.
</li>
<li>Exploit – Patch ratio equality<br>
True, vulnerabilities are found in systems every day and exploits are written almost instantly, however, there are also numerous security experts who's job description is also finding vulnerabilities, therefore helping patching at virtually the same rate therefore eliminating exposure.</li>
<li>Advanced designs to withstand serious damage<br>
We have found evidence that cyber attacks are already anticipated in the design phase and appropriate measures taken to minimize the possible damage.</li>
</ol>
</ol>
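Review bot: The text added under "Exploit – Patch ratio equality" concludes that patching "at virtually the same rate" is "therefore eliminating exposure", which overstates the point, since the same sentence says exploits are written almost instantly; "reducing exposure" would match the argument as written. Wording in this hunk also needs a pass: "Live everything else" should read "Like everything else", "may give provide" has a stray verb, "isolated and or limit and distribute" does not parse, and "who's" should be "whose".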


Line 34: Line 46:
http://www.hhs.gov/disasters/press/newsroom/leadersguide/freo_appendixd.pdf<br>
http://www.hhs.gov/disasters/press/newsroom/leadersguide/freo_appendixd.pdf<br>
http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf<br>
http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf<br>
http://www.redherring.com/Home/12117<br>
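Review bot: The link added at the end of this list, http://www.redherring.com/Home/12117, is a bare URL like the ones above it, so a reader cannot tell what it supports without following it. A short label saying what the article covers would help, for this entry and for the existing ones.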

Latest revision as of 02:18, 19 May 2008

-Zoran Milkovski

Description:

The question of whether systems such as electrical power grids, nuclear power plants, water distribution systems and even military systems, such as the notorious SCADA systems, should be online has been present for a long time. The U.S. power grid, for example, is worth billions of dollars in electrical lines, switching stations and generators. That alone makes it a target even for teenage hackers, not to mention terrorists, enemy governmental organizations and the like. If this sort of system is online, then it is an attractive target. In conventional military strategy, natural resource refining and distribution facilities such as electrical power, water systems, oil and gas, and nuclear reactors are considered legitimate military targets during wartime and are therefore under direct defense by the military. This, however, is only partially true in cyberspace. Although a cyber attack on these systems would probably have severe consequences in the real world, the maintenance and supervision of their network traffic is rarely done by the government or military, and yet they remain high-priority targets for attackers regardless of motivation. Granted, a cyber war aiming to bring such systems offline would probably be used only in the case of preceding a real physical attack. Nevertheless, even though such a cyber attack would be anticipated, depending on the time frame, which is usually short in case of war, one cannot be 100% certain that these systems, which benefit both various defense mechanisms and the general public, will be bulletproof. It is more likely that a cyber attack would target those systems in order to bring them offline and probably strategically disrupt the functioning of the country.

Enablers:

  1. Technological advancement in remote access for distribution and monitoring of resources
    The control and monitoring of such critical systems was done using Supervisory Control and Data Acquisition (SCADA) systems that operated in a vacuum and used a language that only experts understood, and at the time both power companies and government believed that they were safe. However, new developments in technology (and the internet) have made these systems vulnerable. When business computers were hooked up to the internet with the SCADA system on the other end, the risk of being hacked arose. Of course, many argue that this will be part of multiple layers of network and complex programming that an individual could not understand. But when talking about unrestricted cyber attack, we have to account for spy data previously gathered on these systems and for whole organizations and militaries mandated by the government, employing the most educated minds of their countries, and that might change the odds.
  2. Cost efficiency in online systems
    In addition to this page, there are 4 case studies given below which thoroughly explain this motivation for bringing systems online.

Inhibitors:

  1. VPN, Intranet solutions
    Virtual private networks and local or WAN intranets developed in the future may provide the ability to remotely access systems at different physical locations without direct access to the internet.
  2. Isolation of critical systems
    Like everything else, the most critical systems can be isolated, and/or the overall critical controls can be limited and distributed across various different computers which don't have direct access to the internet.
  3. Exploit – Patch ratio equality
    True, vulnerabilities are found in systems every day and exploits are written almost instantly; however, there are also numerous security experts whose job description also includes finding vulnerabilities, which helps patching proceed at virtually the same rate, therefore eliminating exposure.
  4. Advanced designs to withstand serious damage
    We have found evidence that cyber attacks are already anticipated in the design phase and that appropriate measures are taken to minimize the possible damage.

Web Links:

The web links provided below are case studies developed for companies in power and water distribution, covering recent decisions for advancement that led to exposing critical control systems to remote access:

- DONG Energy: Making the most of the intelligent electrical grid. - http://www-01.ibm.com/software/success/cssdb.nsf/cs/CSDY-78WUDJ?OpenDocument&Site=gicss67eu&cty=en_us
- Hydro Ottawa: Outsourced billing system allows tighter focus on core competencies and customer service. - http://www-01.ibm.com/software/success/cssdb.nsf/CS/JSTS-6K9TFC?OpenDocument&Site=gicss67eu&cty=en_us
- Russian power company rolls out IBM Maximo Asset Management software to reduce cost per kilowatt-hour of energy produced. - http://www-01.ibm.com/software/success/cssdb.nsf/CS/LWIS-7BCU8M?OpenDocument&Site=gicss67eu&cty=en_us
- Shipcom uses IBM WebSphere Application Server to bring the benefits of a full enterprise solution to oil and gas rigs and other remote sites. - http://www-01.ibm.com/software/success/cssdb.nsf/CS/JKIN-7CETN6?OpenDocument&Site=gicss67eu&cty=en_us

Other Web Links:
http://www.memagazine.org/backissues/membersonly/dec02/features/scadavs/scadavs.html
http://www.hhs.gov/disasters/press/newsroom/leadersguide/freo_appendixd.pdf
http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
http://www.redherring.com/Home/12117