Out of Control

Industrial control systems sit squarely at the intersection of the digital and physical worlds. They're vulnerable, they're unpatchable, and they're connected to the Internet.

Vitek Boden sought revenge. After he was turned down for a job ... in Queensland, Australia, the ... techie unleashed his anger ... by hacking into the town's wastewater system at least 46 times. On two separate occasions, his electronic attacks ... led to pumping station failures that caused as much as 1 million liters of foul-smelling raw sewage to spill ...

Electric utilities, oil and gas refineries, chemical factories ... use control systems to digitize and automate tasks once handled by people: opening and closing valves in pipes and circuit breakers on the power grid, monitoring temperatures and pressures in reactors ... these systems are now connected to corporate networks... A malicious hacker or terrorist group could conceivably take down parts of the power grid, throwing the country into darkness ...

Raids in Afghanistan in early 2002 discovered that al-Qaida operatives had scoured websites containing information on SCADA (supervisory control and data acquisition) networks in U.S. water systems and the electricity grid. ...

Control systems are designed for efficiency and reliability—not security. "It requires very little knowledge" to hack into a control system, says Juan Torres, program manager of the SCADA program at Sandia National Laboratories. ....

Pollet notes that some SCADA software vendors use ... Microsoft connectivity tools ... "A worm written to take down a SQL server can take down a SCADA system

Weiss observes that 9/11 served to make security a big deal in terms of physical and IT security: business systems, websites and the like. But control system security? "To this day, most people don't think they're vulnerable," he says.

You are right.

There was an article a couple of years ago, which went into more detail, regarding Al Qaeda using the net to bring down powergrids and infrastructure and the article mentioned the incident also mentioned in this article.

Very interesting read:

Cyber-Attacks by Al Qaeda Feared
http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26?language=printer

Thursday, June 27, 2002; Page A01

Late last fall, Detective Chris Hsiung of the Mountain View, Calif., police department began investigating a suspicious pattern of surveillance against Silicon Valley computers. From the Middle East and South Asia, unknown browsers were exploring the digital systems used to manage Bay Area utilities and government offices. Hsiung, a specialist in high-technology crime, alerted the FBI's San Francisco computer intrusion squad.

Working with experts at the Lawrence Livermore National Laboratory, the FBI traced trails of a broader reconnaissance. A forensic summary of the investigation, prepared in the Defense Department, said the bureau found "multiple casings of sites" nationwide. Routed through telecommunications switches in Saudi Arabia, Indonesia and Pakistan, the visitors studied emergency telephone systems, electrical generation and transmission, water storage and distribution, nuclear power plants and gas facilities.

Some of the probes suggested planning for a conventional attack, U.S. officials said. But others homed in on a class of digital devices that allow remote control of services such as fire dispatch and of equipment such as pipelines. More information about those devices -- and how to program them -- turned up on al Qaeda computers seized this year, according to law enforcement and national security officials.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.