In the February 23, 2013 Houston Chronicle, there is an article “Malware on oil rig computers raises security fears” by Zain Shauk, which describes how malware has infiltrated safety-critical software managing the activities and control systems of oil rigs. Shauk’s article is available at http://www.houstonchronicle.com/business/energy/article/Malware-on-oil-rig-computers-raises-security-fears-4301773.php
This situation is one of many examples of the security of safety-critical software systems as described in my book “Engineering Safe and Secure Software Systems” (Artech House, 2012). The oil-rig situation is particularly relevant in that it includes both embedded “computational” software, which falls under the traditional definition of cyber-physical systems, as well as distributed network and system software, particularly Web-facing software, which falls under the broader definition of cyber-physical systems that is becoming increasingly common.
In a presentation, “Mitigating the Risks of Cyber-Physical Systems,” on May 3, 2013 at the IEEE LISAT (Long Island Systems, Application and Technology) Conference, I made a particular distinction between the computational and management/supervisory software embedded in industrial control systems (ICSs) and the data processing (or IT) software to which ICSs are increasingly being connected. I made the same distinction in my book, although I didn’t dwell on the term “cyber-physical systems.” While both embedded software and data-processing systems are subject to malware and other attacks, Web-facing applications are especially vulnerable to distributed denial-of-service (DDoS) attacks, spear-phishing and the like. To infect stand-alone embedded systems with malware usually suggests some insider involvement, whether knowingly or inadvertently, whereas hacking into Web-facing application is rampant, and so, when ICSs are linked to distributed networks where one or more applications can be accessed via the Internet, the opportunity for exploitation grows by orders of magnitude.
A recent (May 21, 2013) Congressional report “Electric Grid Vulnerability: Industry Responses Reveal Security Gaps,” written by the staffs of Congressmen Edward J. Markey and Henry A. Waxman, came up with the following findings:
- The [U.S.] electric grid is the target of numerous and daily cyber-attacks
- Most utilities [surveyed] only comply with mandatory cyber-security standards and not voluntary NERC [North American Electric Reliability Corporation] recommendations [where NERC is an industry organization]
- Most utilities [surveyed] have not taken concrete steps to reduce the vulnerability of the [electric] grid to geomagnetic storms and it is unclear whether the number of available spare transformers is adequate [to replace those damaged]
I have talked to the third item in several BlogInfoSec columns, particularly mentioning William R. Forstchen’s novel One Second After (Forge, 2009), which describes the potentially catastrophic consequences of electromagnetic pulses (EMPs).
The first and second items are basic infosec … huge and increasing numbers of cyber attacks and inadequate defenses against them. The Congressional report emphasizes just how vulnerable our critical infrastructure systems are and how little is being done to reduce vulnerabilities and thwart attacks.
Isn’t it time that we took these threats and consequences much more seriously? Given the current state of the electricity grid, transportation systems, communications networks, and weapons systems … you name it, it is only a matter of time before severe compromises puts these systems at high risk or completely out of business. Reports are helpful, but are only useful to the extent that effective action can be generated.