Digital Terrorism: Holes in the Firewall?
security needs, that is not necessarily the case for SCADA systems. Rush says "it is not a case that the algorithms don't exist, they do. The issue is to find one that is compatible with gas operations, water operations, and electric operations." What that means is the right combination of speed and security.
And as Fortune points out, the solution may not come quickly. "NIST [National Institute of Standards and Technology] has been working since the 1980s to develop intrusion detection systems for these types of systems, without success." On Oct. 1, NIST awarded a 2-year contract to Schweitzer to develop both procedures for hardening substations, as well as alogorithms for regional power control.
When PDD-63 came out-well before Sept. 11-GTI received a contract from the Technical Support Working Group, a government agency. That contract directed GTI to select an encryption algorithm that would meet the needs of the gas industry, but with an eye to water and electric, according to Rush. The contract also stipulated that at the conclusion of the research, GTI would give away the algorithms, the code, and everything that would help a manufacturer put such security into SCADA equipment.
Rush says he was thrilled at the prospect. "I sallied forth, so happy to be able to give people this wonderful new toy. Then, I just hit a brick wall. Manufacturers had no interest, even though we said it was free." Rush doesn't necessarily fault manufacturers. While the code was free, changing manufacturing and engineering systems was not without cost. And, more importantly, manufacturers told Rush that there was no demand from customers for such cyber security. It was 1998, not 2001, when Rush initially approached manufacturers.
Rush was not deterred. He went to the customers, specifically the gas utilities. Although receptive to the idea that cyber security was a concern, organizations such as the American Gas Association deferred consideration-Y2K was looming, and the need for the type of cyber security Rush was talking about did not seem particularly apparent. Ironically, Rush was scheduled to make a presentation to an AGA committee in October 2001. Instead of talking about the need for such security, the AGA wanted to know if it could be made available by the following May.
There is no doubt that like so many other things, after Sept. 11 the industry's view of security changed. While many, many discussions are occurring, the problem, according to Rush, is that most utilities will tell you that their system is bulletproof. Often, though, they aren't, he says. When he presses utilities on why they feel their SCADA systems are secure, Rush says a typical answer is, "I have a protocol that no one knows." Then he asks questions such as "could I get the manual from the company that makes the protocol?" Then utilities realize that the protocol is in the manual, available from the system supplier. "So what you quickly realize is that what you are hiding behind as a bulletproof shield is in fact fairly pathetic," Rush observes.
Rush says that there are lots of encryption