Infrastructure security powers up

He may not have known it at the time, but Lonnie Charles Denison helped prove the need for tighter security at many infrastructure businesses when he launched a multifaceted attack against California Independent System Operator, a quasi-governmental agency responsible for management of the state's power grid.

Close to midnight on April 12, Denison -- who had been working for a contractor hired by Cal ISO -- allegedly used his employee credentials to gain access to a datacenter at the Folsom, Calif.-based organization. Once inside, the 32-year-old reportedly used a hammer to break into an emergency cut-off switch and kill power to the agency's computers, specifically machines used to trade energy with other utilities in real time.

As the company scrambled to respond to the shutdown on Monday, April 13, Denison, who is currently in a California prison facing charges of felony destruction of an energy facility, e-mailed a bomb threat to Cal ISO officials, forcing employees to evacuate the premises where he had carried out his sabotage.

While Cal ISO survived the incident admirably, reporting no interruption in services and getting its energy trading systems back up and running quickly, some industry experts consider the attack to represent the worst kind of infrastructure threat scenario possible: a combined assault on physical and IT security systems.

Since the Sept. 11 attacks, utilities, telecommunications companies, and other businesses controlling sensitive infrastructure operations have moved to bolster both their physical and IT defenses. However, most experts concede that much work remains to be done in improving security across vertical industries, which haven't always viewed IT and operational attacks in the same context.

Over the last decade, many companies have also moved to marry newer IP-based systems with older legacy technologies to improve productivity across their operations. And while those efforts have created new opportunities for businesses to monitor their workers and facilities, the applications have also introduced a wide range of additional security concerns around IT attacks.

"The awareness over the last six or seven years has really changed. We were always aware of physical security concerns, but we weren't worried about cybersecurity as much because the electronics we were using on location were so unique," said Greg Britton, telecommunications superintendent at the Tri-State Generation and Transmission Association.

The Westminster, Colo.-based company is a wholesale electric power supplier whose operations cover a 250,000-square-mile territory across Colorado, Nebraska, New Mexico, and Wyoming.

"As we've modernized, we've brought more IP-based systems into the operational side, and we've taken on the challenge of making things as accessible as possible for people who need to get in while also trying to do a better job of defending our networks," Britton said. "Like everything else in business or IT, it's a cost and balancing act, but one where the stakes are very, very high."

In addition to dealing with the same types of external and internal IT security concerns that face many other types of businesses, power companies like Tri-State are also facing a rash of break-ins at remote substation facilities; as prices for copper metal have soared, so have the number of criminals attempting to make off with the valuable copper wire.

The need to monitor effectively for physical security events, as well as for IT-based threats such as denial-of-service attacks, has created demand for systems that haven't necessarily existed in the past, Britton said.

Many infrastructure businesses are leery of even speaking about the security makeover they're currently undergoing.

"The biggest challenge as an end user today is that almost all process control systems have gone Ethernet over the last five years," said an executive at a large North American chemicals company who requested anonymity. "The intent of these systems is to connect operations to the outside world so they can be controlled and monitored remotely, which is a great idea, but it's also a bad idea because now someone can hack you and potentially take these systems offline."

To address their problems, both Tri-State and the unnamed chemicals firm have turned to Verano, a Mansfield, Mass.-based technology vendor specializing in securing Supervisory Control and Data Acquisition (SCADA) systems -- the large-scale, distributed measurement and control technologies which serve as the operational backbone of many large infrastructure businesses.

In addition to the heightened need to defend SCADA systems as companies add more IP technologies into their facilities, Verano officials said that many infrastructure companies are simultaneously dealing with the loss of older engineers who had been responsible for building and maintaining internal applications.

A combination of looming security regulation by the government and the departure of their most knowledgeable workers are putting utilities and other companies under increasing pressure, said Brian Ahern, Verano's chief executive.

"These businesses are worried about external threats, insider attacks, potential regulation from the government, and a loss of their most important expertise," Ahern said. "The incidents you see in the field are often shocking in terms of what is out there right now unprotected, especially when you consider that the impact of even a minor incident could cripple national infrastructure."

A prime example of the type of domino effect that a seemingly small infrastructure mishap can have was the August 2003 blackout that left New York City and a large swath of the Northeastern United States without power, Ahern said. Investigators determined that the entire problem -- which plunged an estimated 40 million people into the dark -- was caused by overgrown tree limbs that interfered with power lines in Ohio.

Verano markets a package of tools under the banner of Industrial Defender that promises integrated security and performance management for mission-critical control systems. Among the products, sold individually or as part of the suite, are a perimeter security appliance, network sensor devices, software and security sensors, as well as a security event management (SEM) console.

Many of the individual components may be available from larger security applications and hardware makers, but the key to addressing many infrastructure security problems is having hands-on experience in the SCADA world, the CEO said.

"Traditional IT security companies are trying to move into this market, but they lack the domain expertise that is needed to understand the size and scope of what customers are going through in modernizing their operations," said Ahern. "There's huge growth potential in the market, but only those companies with the specific domain expertise will be able to compete."

In late April, Novell announced a new deal to integrate its identity management technologies with access control systems made by industrial giant Honeywell, based in Morris, N.J.

By integrating such IT access tools with traditional physical security and operations management products made by Honeywell, the companies said, they can both improve existing infrastructure defenses and create new opportunities for thwarting attacks.

For instance, if an employee who has used a door access card at a facility is also observed trying to log onto the company's virtual private network remotely, alerts can be sent to on-site and IT security teams to gauge if the firm is somehow being infiltrated.
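A simple version of that correlation, written here as an added example (not the Novell or Honeywell integration itself), over constructed badge and VPN log lines: a VPN login is flagged when it falls inside a window in which the same user is badged in on site.

```python
# Added example, not code from the article or any vendor: correlate physical
# badge-in events with remote VPN logins to flag the "same person in two
# places" case. Log formats, user names and addresses are constructed.
from datetime import datetime, timedelta

BADGE_LOG = """\
2007-04-12T08:02:11 BADGE_IN  alice  door=HQ-LOBBY
2007-04-12T08:05:40 BADGE_IN  bob    door=HQ-LOBBY
2007-04-12T12:31:05 BADGE_OUT bob    door=HQ-LOBBY
""".splitlines()

VPN_LOG = """\
2007-04-12T09:14:22 VPN_LOGIN alice  src=203.0.113.7
2007-04-12T13:02:09 VPN_LOGIN bob    src=198.51.100.3
2007-04-12T10:45:00 VPN_LOGIN carol  src=192.0.2.9
""".splitlines()

def parse(lines):
    """Yield (timestamp, event, user) from constructed 'TS EVENT USER ...' lines."""
    for line in lines:
        ts, event, user, *_ = line.split()
        yield datetime.fromisoformat(ts), event, user

def on_site_intervals(badge_lines, shift=timedelta(hours=10)):
    """Return {user: [(badge_in, badge_out)]} built from badge events.
    A BADGE_IN with no matching BADGE_OUT is assumed to last one shift,
    since many lobby readers never record an exit."""
    intervals, open_in = {}, {}
    for ts, event, user in sorted(parse(badge_lines)):
        if event == "BADGE_IN":
            open_in[user] = ts
        elif event == "BADGE_OUT" and user in open_in:
            intervals.setdefault(user, []).append((open_in.pop(user), ts))
    for user, ts in open_in.items():
        intervals.setdefault(user, []).append((ts, ts + shift))
    return intervals

def vpn_while_on_site(badge_lines, vpn_lines):
    """Return [(user, vpn_time)] for VPN logins that fall inside an on-site interval."""
    presence = on_site_intervals(badge_lines)
    alerts = []
    for ts, event, user in parse(vpn_lines):
        if event != "VPN_LOGIN":
            continue
        if any(start <= ts <= end for start, end in presence.get(user, [])):
            alerts.append((user, ts))
    return alerts

if __name__ == "__main__":
    for user, ts in vpn_while_on_site(BADGE_LOG, VPN_LOG):
        print(f"ALERT: {user} is badged in on site but logged in to VPN at {ts}")
```

In the constructed data only alice is flagged: bob badged out before his VPN login, and carol never badged in.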

In addition to protecting themselves against would-be attackers, infrastructure companies are also mindful that they may soon be facing more stringent government security regulations. Some industries, including the electricity segment, have already begun creating their own guidelines in preparation for that possibility.

The North American Electric Reliability Corp (NERC), an industry oversight body, is already establishing tougher security standards in the space, with business leaders hopeful that such self-policing might encourage the federal government to stay out of the process.

"First of all, no one wants to be the plant that gets blown up, and secondly, the industry is scrambling to self-mandate to avoid the government stepping in and regulating," said Peter Fehr, a product manager for Honeywell Security. "This is still a difficult process because the existing requirements are written loosely and there's a lot of IT security work to make up in a short amount of time."

Fehr said that attacks combining IT and physical threats are becoming more popular. A company recently came to Honeywell seeking help after an outsider plugged a computer into a port in the firm's lobby and found a way to break into their IT network from the outside.

"The attacks are getting smarter, the regulations are coming, and there's still a lot of older technology in these companies that needs to be addressed from a security standpoint," said Fehr. "Things are starting to get stronger on the IT side and physical access is improving, but the gap is in between the two. That's where you'll likely see a lot of incidents."