Black Hat and Defcon to focus on critical infrastructure

Hacker conferences Black Hat and Defcon will cover threats to industrial systems, transportation, and the electrical grid

The annual Black Hat Briefings and Defcon security conferences will kick off in Las Vegas next week, and the security (or lack of it) for critical infrastructure -- such as systems that control public utilities and other vital systems -- will likely make headlines in the days that follow.

The focus on critical infrastructure consolidates a trend that has been evident in recent years. In just the last week, researchers warned about a worm that targets industrial control systems from Siemens.

[ Also on InfoWorld: "Prepare for extensive attacks of Windows zero-day." | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

Recognizing the shift in focus to critical infrastructure within the cyber underground, Black Hat 2010 will feature an entire track on infrastructure, with presentations on hacking electrical "smart" meter deployments (a fixture at last year's Black Hat Briefings) as well as talks on the Supervisory Control and Data Acquisition (SCADA) and Industrial Control System (ICS).

The U.S. Government's Accountability Office (GAO) has been warning for years that the systems used to operate the nation's critical infrastructure, including its electric grid, were vulnerable to both physical and cyber attack. Despite these warnings, a recent update from GAO, while citing progress, noted that "thousands of facilities" in the country -- if destroyed by a national or man-made disaster -- could cause "casualties, economic losses, or threaten national security."

The stakes were further raised by reports in the media about successful efforts by foreign governments to penetrate the U.S. electrical grid. Groups that monitor attacks on critical infrastructure, such as Team Cymru, note that attacks have increased as SCADA and ICS systems have become linked, often inadvertently, to the public Internet.

Still, progress toward securing critical infrastructure has been slow, and next week, security researchers will take their swings: Black Hat speaker Jon Pollet of Red Tiger Security will discuss common vulnerabilities and exploits found in critical infrastructure systems such as SCADA, EMS, distributed control system (DCS), and smart grids. Speakers Shawn Moyer and Nathan Keltner of FishNet Security will show off techniques for hacking into wireless smart electric meter networks -- a possible first step in attacks on the larger SCADA systems they connect to.

A Defcon presentation by security researcher Righter Kunkel will take on the security of air traffic control and critical flight systems in an era of in-flight Wi-Fi and Internet access. Looking beyond SCADA and industrial control, researchers and the federal government have also expressed concern and found evidence of loose protections in everything from the banking and financial services sectors to telecommunications.

The question, as always, lies with the issue of practicality vs. technical feasibility: Hacking shows tend to sensationalize theoretical but impractical attacks and exploits. At the same time, the U.S. government is working through the National Institute of Standards and Technology (NIST) and the Department of Homeland Security to improve and automate the security of systems that manage critical infrastructure, while also pushing private sector organizations to focus resources on both resiliency to attack and threat detection and blocking.

With a complex mixture of private and publicly managed infrastructure and a heavy overhang of legacy control systems, security will be a long time coming to the world of critical infrastructure, which looks to be a major area of investment and innovation for both white hat and black hat hackers for years to come.

This article, "Black Hat and Defcon to focus on critical infrastructure," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.