DHS Exploding Generator Shows Dire Need For Better Computer Security

Scanning the news this morning, this CNN headline caught my eye: “Mouse click could plunge city into darkness, experts say.”
The first sentence is compelling:

“Researchers who launched an experimental cyber attack caused a generator to self-destruct, alarming the government and electrical industry about what might happen if such an attack were carried out on a larger scale, CNN has learned.”

Over the past many years, many of my information security pro colleagues and I have discussed how computer security issues can impact physical security and personal safety.
Poor computer security practices could bring about not only sudden, wide-ranging impacts, such as through the power grid, but also many long-term, even wider-ranging, insidious types of horrible impacts. Those could come not only from poor computer security practices, but also from malicious changes within applications and systems, such as within hospital and medical data systems.
Much of the risk results from doing inadequate security tests, or too often doing NO security tests, on systems and applications before putting them into production. Security is rarely built in from the beginning of the systems development lifecycle.
This “Aurora” experiment was actually conducted in March of this year at the Department of Energy’s Idaho lab.
CNN provides an interesting video showing the impact of the “mouse click” upon a generator…showing it shake and smoke.
(As an aside, those obligatory commercials before the CNN videos drive me nutty!)
After you get past that commercial, though, the video report is really fascinating.
It’s too bad this type of experiment, in this day and age, just now (according to the report) makes our government leaders understand how computer security relates to physical security and personal safety.
The scenario discussed within the video would make a great case study for a joint information security and physical security training session at most organizations.

“DHS acknowledged the experiment involved controlled hacking into a replica of a power plant’s control system. Sources familiar with the test said researchers changed the operating cycle of the generator, sending it out of control.”

Controlled hacking probably equates to what is usually described as “white hat hacking” or “ethical hacking”…but it seems to me it should actually be part of the ongoing systems quality assurance and security testing performed as a matter of routine to catch these types of vulnerabilities before launching a system into production.

“Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment. And the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have made the fix.”

It seems that over the past couple of decades the attention to doing thorough quality assurance and security testing of computer systems has been slowly eroding and disappearing as systems have become more decentralized and geographically spread throughout massive WANs. Of course the added complexity makes thorough testing take much more time, but it also makes it that much more important as the number of vulnerabilities also increases exponentially with the complexity.
However, I think that the lack of thorough testing goes beyond the complexity issues…too many times, within many to most organizations, I don’t see security tests being done at all in a push to get systems and applications launched into production as soon as possible. Most organizations seem to place a much higher importance on meeting a launch deadline than actually making sure the product is secure by that deadline.

“Borg notes that industry will have to remain forever vigilant at protecting control systems. “It will always be an ongoing problem. It’s something we will have to be dealing with [for] lots of years to come,” he said.”

Well, yes, indeed! As long as computer systems are used for any type of public purpose or business function, they must be diligently secured, and security tested, on an ongoing basis.
As technologies continue to change…and they will always continue to change…security practitioners must be diligent to ensure the production versions are thoroughly tested prior to production release.
If you are concerned about information and computer security at all, watch the video; what do you think? It is quite thought-provoking…
