algorithms, and the strength of the best ones lies not in the fact that they are secret. Basically, he says, what you want to do is pick an encryption system where the security lies in the key, not in the mechanism, like a lock. You can find out how to make that lock, he says, but that doesn't enable you to open any lock. "What you're really looking at is the key. Encryption algorithms are the same way." So Rush advises those in the industry to pick one that's been attacked by mathematicians for years and years. "If no one can crack it, that's a pretty good bet."
Rush says that in testing the algorithms chosen by GTI, he and others came to the conclusion that it makes a difference how they are implemented. "If you implement them just by sticking them on an existing SCADA system, it will probably slow it down too much," he says. What is needed, he says, is to modify the SCADA RTU (remote terminal unit), the computer that actually processes the information, by putting the algorithm on a separate chip. The chip, he says, costs about $5, "so it's no big deal, and it already exists."
The problem, Rush notes, is that utilities need to put the chip into their SCADA units. The cost for doing so? "The best estimate I can come up with is it would add something on the order of $50-100/RTU." Such a cost would add little to the overall RTU cost of about $3000-5000. Rush estimates that a mid-sized utility system has around 100 RTUs. "So we aren't talking a huge amount of money," he says.
Some utilities consider those kinds of costs a sound investment. Alliant Energy has already spent between half a million and one million dollars to harden its systems against cyber attack, according to Erroll Davis, president, chairman, and CEO of Alliant. Davis has been speaking to the utility industry since 2000 about the need to defend against cyber attacks. At first, he says, the reaction was akin to the one that met his early Y2K education efforts: he was accused of preaching doom and gloom. He isn't getting that same reaction any longer.
Heads in the Sand?
Rush voices worries about the way IT departments and those operating SCADAs think about SCADA security. Although IT managers go to great lengths to harden utilities' corporate networks, Rush says they may overlook off-site SCADA systems, the backups for which are often connected to inexpensive telephone lines. "What happens is the SCADA system will be located several miles away from the facility. And, in order to provide robustness to the system, it's typical that they will have at least one communications backup system, and sometimes two. Which is good from the robustness of the system perspective, but it's bad from the perspective that it gives me three unsecured routes in which to attempt an attack." What that means, Rush says, is that there's a telephone number such that if someone dials it, they call into a utility SCADA system.
SCADA engineers often protest that an unlisted number that cannot be