Hackers have broken into the air traffic control mission-support systems of the U.S. Federal Aviation Administration several times in recent years, according to an Inspector General report sent to the FAA this week.
In February, hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, on 48,000 current and former FAA employees, the report said.
Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency's mission-support network, the report said. Hackers took over FAA computers in Alaska, becoming "insiders," according to the report dated Monday.
Then, taking advantage of interconnected networks, hackers later stole an administrator's password in Oklahoma, installed "malicious codes" with the stolen password and compromised the FAA domain controller in the Western Pacific Region, giving them the access to more than 40,000 FAA user IDs, passwords, and other data used to control a portion of the mission-support network, the report said.
And in 2006, a virus spread to the air traffic control (ATC) systems, forcing the FAA to shut down a portion of its systems in Alaska, according to the report.
The attacks so far have primarily disrupted mission-support functions, but attacks could spread over network connections from those areas to the operational networks where real-time surveillance, communications and flight information is processed, the report warned.
"In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations," the report concluded.
An audit of the FAA's air traffic control cybersecurity protection measures finds them lacking and says there have been several breaches by hackers and a virus.
(Credit: U.S. Department of Transportation, Office of Inspector General)The breaches were possible because Web applications that support the air traffic control system operations are not properly secured to prevent unauthorized access and network intrusion-detection software is not adequately being used to monitor and detect cyberattacks, the report concluded.
The FAA's increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said.
"Now, attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the Nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks," the report said.
In general, the nation's critical infrastructure is increasingly at risk as previously isolated and closed systems are moved to the Internet and commercial software, like Windows, is used, security experts have said.
The air traffic control system auditors said they discovered more than 760 high-risk vulnerabilities in the Web applications tested, including holes that provided "front-door access" to the systems and could allow attackers to inject malicious code onto FAA user computers. Web applications were not adequately configured and the applications with known vulnerabilities were not patched in a timely manner, auditors found.
Meanwhile, intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities and none of the IDS sensors is installed to monitor operational systems at those sites, the report said. Cyber incidents are not effectively monitored or fixed quickly, the report concluded.
In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, "including critical incidents in which hackers may have taken over control" of operations computers, the report said.
The FAA is "identifying and fixing weaknesses," FAA spokeswoman Laura Brown told The Wall Street Journal. "We are working on developing security architecture for that whole system."
However, Brown dismissed the notion that hackers could get access to critical air traffic control operational systems.
The audit of the air traffic control systems was requested by the ranking minority members of the House Committee on Transportation and Infrastructure and its Aviation Subcommittee.
Updated 7:50 a.m. PDT April 24 to specify that the infection was in the U.S.
SAN FRANCISCO--The Conficker worm infected several hundred machines and critical medical equipment in an undisclosed number of U.S. hospitals recently, a security expert said on Thursday in a panel at the RSA security conference.
"It was not widespread, but it raises the awareness of what we would do if there were millions" of computers infected at hospitals or in critical infrastructure locations, Marcus Sachs told CNET News after the session. Sachs is the director of the SANS Internet Storm Center and a former White House cybersecurity official.
It is unclear how the devices, which control things like heart monitors and MRI machines, and the PCs got infected, he said. The computers are older machines running Windows NT and Windows 2000 in a local area network that was not supposed to have access to the Internet, however, the network was connected to one that has direct Internet access and so they were infected, he said.
Conficker spreads via networked computers as well as through removable storage devices and a hole in Windows that Microsoft patched in October, but these machines were too old to be patched, according to Sachs.
In the U.K., PCs at hospitals in Sheffield were found to be infected with Conficker in January, The Register reported.
The situation illustrates the dangers of connecting critical networks, like in hospitals and in SCADA (Supervisory Control and Data Acquisition) systems used by utilities and other critical infrastructure providers, with networks connected to the Internet, he said during the panel "Securing Critical Infrastructures: Infrastructure Exposed."
"We haven't found any nukes yet that are infected with Conficker or that are trying things like Twitter," he quipped. But "that is within the probable as we take shortcuts," he said.
"We're seeing a huge uptick in probing for SCADA systems," said Jerry Dixon, director of analysis and vice president of government relations at research firm Team Cymru. For years, the SCADA systems were separated from the public networks, but that's not the case anymore, he said.
Utilities move to remote access and other Internet-based technologies so workers can have access to the control systems when they are not at the plant and to cut costs, Sachs said. Workers have been known to access control systems using BlackBerrys for no reason other than that they can, he said.
Asked after the panel if cyberattacks had led to any utility outages, Michael Assante, chief security officer of the North American Electrical Reliability Corporation (NERC), said "none in North America."
"There is no evidence of computer compromise that led to a disruption of service," he said. "We're not immune to it; it's not hypothetical."
Government officials maintained that an electricity blackout in 2003 in the northeastern United States was not caused by the Blaster Internet worm that was circulating at the time as was suspected, but officials also were never able to reveal why it happened.
Smarter is not always better--at least when it comes to utilities.
More than a decade after initial reports said critical infrastructure in the U.S. is vulnerable to cyberattack, the situation has only worsened as utilities move their control systems closer to the Internet and install smart-grid technology, according to security experts.
Questions about the security of infrastructure in the United States arose this week following a Wall Street Journal report that said the nation's electricity grid has been compromised by foreign hackers. And several experts said in interviews this week that some energy systems have, in fact, gotten less secure as they have modernized. The Supervisory Control and Data Acquisition (SCADA) control systems used by the energy industry used to be segregated from public networks. But they have increasingly become more dependent on Internet protocol-based systems, the experts said. At the same time, their security precautions are inefficient, they said.
"The end result is that, as part of our modernization, we've made ourselves more vulnerable," said James Lewis, a senior fellow at the nonprofit Center for Strategic and International Studies (CSIS).
"Plant control networks (and their programmable logic controllers) should be disconnected from the Internet," said Peter "Mudge" Zatko, technical director of the national intelligence research unit at BBN Technologies. "These are the things lifting and lowering the plutonium rods into the water to make steam...It's on the Internet. This is terrifying."
Myriad operational problems
For many utility workers, it's easier to log onto the Internet from home when they get called at night. But if those home computers are infected with spyware, they can be used by attackers to get into the control systems, which are supposed to be separated from the Internet.
And there are other problems that are more deeply embedded in the day-to-day operations of a utility's business. Network control software that utilities buy from outside vendors often includes the ability to run Web servers and enable remote access and wireless access. Then there are configuration problems, such as routers and other systems that use default passwords, or worse, don't use passwords at all, according to Zatko and others who have tested the systems.
CEO, Leviathan Security
"It's out of ease-of-use and the fact that there weren't strong restrictions (the electric utilities were deregulated to a large extent) that the networks are a mess in a lot of places," Zatko said. Often, "the systems themselves aren't robust because they were designed to be on networks that weren't talking to the public Internet."
Many warnings have been sounded over the years. In 1999, Zatko compiled a list of about 30 utilities whose plant control networks could be accessed remotely, and he says many of them still have the same problems today. In 2004, Gartner did a report concluding that the use of IP networks for critical infrastructure could serve as bait for cyberattackers.
"It's painfully easy to exploit" the control systems, said Frank Heidt, chief executive of professional security services company Leviathan Security. "Energy management systems really can't be connected to the Internet. It's going to be painful for some companies, but they're going to have to change this."
Last year, a security expert at the RSA conference detailed how easy it is to break into power plants by downloading malware to employee computers through a socially engineered e-mail that directs them to a malicious server. Meanwhile, Core Security found a hole in the Suitelink software that is used to automate operations at power stations, oil refineries, and production lines.
Lewis of the CSIS acknowledged that using the Internet opens utilities up to cyberattack risks, but said there are "sound economic reasons" for them doing so.
"Most of the critical infrastructure on the Internet is there for legitimate business purposes," agreed John Bumgarner, a research director at the nonprofit U.S. Cyber Consequences Unit.
Security company Industrial Defender has done more than 100 threat assessments over the past seven years, primarily in utility infrastructure, and identified 34,000 vulnerabilities, said company CEO Brian Ahern.
For the most part, utilities--among the most conservative businesses in spending on technology--don't do basic security monitoring of their power generation and distribution equipment, he said.
"You can't protect when you don't know what's happening. I think that less than five percent of utilities have a good sense of critical threats," he said.
Utilities "are sacrificing security for convenience and cost savings," said Richard Forno, a principal at KRvW, an information security consulting firm in Washington, D.C. "We've allowed the situation to get worse, and it will be harder to get away from these networks touching the public Net now that we are 10 years, 15 years into the process."
Smart grids: Efficient but insecure
IP networks aren't the only problem. The use of smart-grid technology, which consists of networked meters designed for adjusting electricity flows and monitoring everything from power plants to individual appliances in homes, are also putting critical systems at risk, experts said.
Critical infrastructure insiders in the U.S. and Canada surveyed last year said the energy sector was the industry most vulnerable to cyberattack. The survey cited many contributing factors: an increase in the number of access points through the use of sensors, smart meters, and third-party contractors with remote access capability; use of more IP-based networks; integration between corporate and operational networks; reliance on standard or commodity IT platforms such as Microsoft Windows; and lack of attention to security by network automation and control system vendors. The biggest bottleneck to improving critical infrastructure security is cost, followed by apathy, they said.
CEO, Industrial Defender
In March, IOActive, which provides application and smart-grid security services, said it had verified "significant" and "inherent" security flaws with multiple smart-grid platforms" and found them susceptible to common security vulnerabilities such as protocol tampering, buffer overflows, persistent and non-persistent rootkits, and code propagation.
"These vulnerabilities could result in attacks to the smart-grid platform causing utilities to lose momentary system control of their advanced metering infrastructure smart meter devices to unauthorized third parties," the company said in a release (PDF). "This would expose utility companies to possible fraud, extortion attempts, lawsuits, or widespread system interruption."
More than 2 million smart meters are in use in the U.S. today, and an estimated 73 utilities have ordered 17 million additional smart meters, according to IOActive. The Obama administration's proposed 2010 budget has earmarked $4.5 billion for smart-grid technologies in the electricity infrastructure.
"The plan now would be to put in largely unsecured networks for smart grid," said Lewis of CSIS. "Hopefully they'll fix it."
The worst case scenario is that a person would access and control a smart meter and control other networked smart meters to disrupt the grid, said Ahern of Industrial Defender.
Standards for securing smart-grid technologies are still being finalized, but Ahern thinks that government-led efforts to modernize the grid should focus more on designing security in right at the beginning.
"We've got to take a step back from the hurry-up approach with the smart grid," he said. "There needs to be a balanced approach between investing in (smart grid) deployments and building security deeply into it."
The vulnerability of the critical infrastructure isn't news, so why the Wall Street Journal report, with its unnamed sources, now?
The story is likely linked to turf battles within the federal government over which agency will oversee the cybersecurity policies, and get the funding for it, several of the security experts suggested. For instance, the Department of Homeland Security has been criticized for not doing enough on cybersecurity, while the director of Homeland Security's National Cybersecurity Center resigned recently, accusing the NSA of trying to wrest control.
The Obama administration in December ordered officials to do a 60-day review on the Department of Homeland Security's cybersecurity efforts, and that report is due to be released next week.
Meanwhile, the administration's proposed 2010 budget includes $355 million to support the base operations of the National Cyber Security Division and the efforts of the Comprehensive National Cybersecurity Initiative.
"We're right at the point where they're naming new cybersecurity czars and there's a grab for funding between the Air Force, Navy, NSA, and others that want the cybersecurity budget," said Zatko. "There are a lot of renewed efforts in this particular field, and it's a field that's in a fair amount of disarray."
While experts discuss cybersecurity threats, physical attacks on infrastructure are taking place. AT&T said on Thursday that vandals are to blame for the massive phone and Internet outage in Silicon Valley on Thursday.
(CNET News' Martin LaMonica contributed to this report.)
The administration of President Barack Obama will be hiring a new national cyber adviser, according to the agenda for homeland security released on his first full day in office.
Janet Napolitano sworn in at her confirmation hearing.
(Credit: U.S. Department of Homeland Security)The Agenda for Homeland Security, released Wednesday, lists goals for defeating terrorism and improving intelligence gathering, as well as for protecting the nation's information networks and critical infrastructure.
The top item under protecting information networks is to strengthen leadership on cyber security by establishing a "position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy."
Other items include: supporting an initiative to develop next-generation secure computers and networking for national security applications, and deploying secure hardware and software to protect critical cyber infrastructure; establishing "tough new standards for cyber security and physical resilience;" developing systems to protect trade secrets from being stolen online from U.S. businesses; shutting down "untraceable Internet payment schemes;" and securing personal data stored on government and private systems and requiring companies to disclose data breaches.
The homeland security agenda also calls for ensuring that "security is considered and built into the design of new infrastructure, so that our critical assets are protected from the start and more resilient to naturally-occurring and deliberate threats throughout their life-cycle."
Also on Wednesday, former Arizona Gov. Janet Napolitano was sworn in as secretary of the Department of Homeland Security.
Asked which industry is the biggest target for cyberattack, critical infrastructure insiders in the U.S., Canada, and Europe point to the energy sector.
The energy industry also is the most vulnerable to cyberattacks and would have the most detrimental breach, while the financial sector is the best prepared in the case of a cyberattack, according to the survey sponsored by security firm Secure Computing. All other industries were deemed to be "not prepared" by greater than 50 percent of the respondents.
Survey participants from the U.S. and Canada were also asked how soon major exploits of critical infrastructure were likely to occur and more than half said they had already begun. Another 14 percent predicted that a major exploit was likely in the next 12 months. Only 2 percent said there would never be a severe exploit, according to the research released Monday.
Concerns about cyberattacks on the energy sector spurred U.S. lawmakers to consider legislation to broaden federal authority over electric companies in September.
Contributing to the increased vulnerability in the energy industry are: an increase in the number of access points through the use of sensors, smart meters, and third-party contractors with remote access capability; use of more IP-based networks; integration between corporate and operational networks; reliance on standard or commodity IT platforms such as Microsoft Windows; and lack of attention to security by network automation and control system vendors, according to a white paper on the research written by Energy Insights.
The biggest bottleneck to improving the security of critical infrastructure is cost, followed by apathy. Government bureaucracy and internal issues were tied for third place.
Nearly 200 industry leaders from the critical infrastructure industries completed the survey at industry events in August and September.
Security experts have discussed how easy it would be to break into a power plant. Cybersecurity worries prompted U.S. lawmakers in September to consider legislation to broaden federal authority over electric companies.
This chart shows how prepared respondents said specific industries are or aren't for cyberattack.
(Credit: Secure Computing)
- prev
- 1
- next
