SEPTEMBER 16, 2003
If These Networks Get Hacked, Beware

America's critical transportation, power, and communications systems remain quite vulnerable and lack funds to remedy that

When the subway trains of the Bay Area Rapid Transit system rattle through tunnels under San Francisco and over elevated tracks in Oakland, Ray Mok is in control. As BART's principal network engineer, Mok has created one of the most technologically sophisticated public transportation systems on the planet, using the protocols that power the Internet to manage BART's thousands of moving pieces.

Yet Mok's network features plenty of security at key junctures. Critical systems that control the trains sit on a different network that remains physically unconnected from BART's other systems. And he's careful to separate the network that runs BART stations -- including everything from ticket machines to automated gates and escalators -- from the administrative network that powers the PCs of BART employees and that connects to the public Internet. Everything is protected by an extensive web of Internet security software and hardware, including firewalls aimed at fending off hackers and intrusion-detection systems designed to spot cyber break-and-enter artists who make it past the virtual fence.

Sounds like overkill? Not if you're protecting the lives of tens of thousands of riders who each day pass below the frigid waters of San Francisco Bay.

Mok believes that cyberattacks on the systems that run critical parts of U.S. infrastructure are inevitable. While BART isn't a big target, he says, "we have thousands of people scanning us from the Internet every day." Mok adds that the computer systems of most U.S. transportation networks suffer from too little security. "I generally don't feel that people are as concerned as we are," he says.

WORM WARNING.
The September 11 terrorist attacks on New York and Washington made cybersecurity a key concern at nuclear power plants, chemical plants, gas pipelines, phone networks, and water systems. This year's Aug. 14 blackout in the Northeast and Midwest dramatized the continued vulnerability of such systems. And on Sept. 3, the U.S. Nuclear Regulatory Commission issued a warning to plant operators to watch out for worm attacks, after the publication Security Focus reported a January, 2003, incident in which a worm called Slammer allegedly disabled critical safety systems at the Davis-Besse Nuclear Power Plant near Toledo, Ohio. (The plant wasn't running at the time.)

As America's infrastructure heads toward a future of standardization based on Microsoft's (MSFT) chronically insecure Windows operating systems, it's becoming more imperative than ever to secure the networks that run these facilities. And that isn't simple, even though protecting computer systems isn't a mystery, either.

Like BART, critical infrastructure has for years run on two or more separate networks. And the ones that control trains or power plants are based on proprietary protocols that few programmers can use fluently. They're also usually separated physically from networks that are used for communication, Web surfing, and document sharing. "We don't want a single cyberevent to have a broad effect, so we don't mix our administrative traffic with our air-traffic-control networks," says Dan Mehan, the chief information officer of the Federal Aviation Administration.

"SAME VULNERABILITIES."

Increasingly, however, the software used to control operational networks has migrated to Windows-based PCs that use a graphical interface any teenager can fathom. And many agencies have enabled remote access over the Internet to operational systems. That improves their ease of use, but at a cost, says William Miller, president of Maximum Control Technologies, an integrator of industrial control systems. "Now they have the same vulnerabilities as a Web server on the Internet. At some of my customers' sites, I can't separate the real-time control systems from the desktop systems."

That's not a big deal if the most pressing emergency is to shut down an office computer network. But on an electrical grid where a few seconds can mean the difference between massive blackouts and an averted catastrophe, separation is critical. "If you have a virus on the business level, it's very unpleasant, but it's nothing compared with having a plant shut down or interrupting a critical production process," says Karsten Newberry, a business manager at Siemens Automation & Energy, a unit of Germany's Siemens (SI), the world's largest maker of industrial control systems. "It's critical that production systems be as protected as possible from viruses."

Microsoft regularly patches holes in its software, it's true. But even that's tricky with critical systems, where unstable patches could bring down networks -- with potentially dangerous consequences. The latest Microsoft operating system is often layered on top of finicky older code that doesn't tolerate change very well. In fact, even doing security scans on legacy software applications (made by any number of companies) can cause the systems to crash, according to Phillipe Courtenot, the CEO of Qualys, which offers remote vulnerability scans of corporate networks via the Internet.

For those reasons, says Miller, many companies that build interface software to manage industrial systems take up to a year to certify that a Microsoft patch won't cause a crash. When security is paramount, that's a long time.