Public Utilities Reports

PUR Guide 2012 Fully Updated Version

Available NOW!
PUR Guide

This comprehensive self-study certification course is designed to teach the novice or pro everything they need to understand and succeed in every phase of the public utilities business.

Order Now

Digital Terrorism: Holes in the Firewall?

Plugging cyber security holes isn't as easy as everyone wants to think.
Fortnightly Magazine - March 15 2002

discovered protects their system. Rush then asks them if they've ever heard of a wardialer.

Wardialers are pieces of software that quite simply, dial every number in an exchange. All 10,000 of them. Specifically, wardialers dial an area code, an exchange, and then 0001, 0002, etc. Using a wardialer to find a specific person would be difficult. But wardialers aren't looking for people. If someone answers, or if an answering machine picks up, the wardialer hangs up. If the wardialer gets a beeping or hissing kind of sound, it responds with a fax tone. If nothing happens, it switches to modem sounds. If still nothing happens, the wardialer makes a record that says, essentially, the number at (what was just dialed) doesn't have voice, doesn't have a fax machine, and doesn't have a computer modem. What has happened, Rush says, is that the wardialer has winnowed 10,000 possible numbers down to a much more manageable set. Then, a hacker can start to test.

Rush says, "[i]f you think that it would be hard for you to hack, I suggest you sit down at your computer and type into a search engine 'hacking sites' or 'telephone hacking.' I'm sure you can find a wardialer, for free."

These hacking tools, Rush says, are all known not only to hackers, but also to people who worry about cyber security. Such tools are less familiar to people who operate SCADA systems, he says, who often operate outside the purview of IT departments. "They want to run their own systems, and they don't want IT messing with them. And they're completely convinced their system is bulletproof," Rush says.

As Fortune points out, when it comes to critical infrastructure protection, "we're not talking the script kiddies." Those who could perpetrate a serious attack would have knowledge of both the electrical system and computers, and would have a malicious intent, according to Fortune. "Now that's not just terrorists. There's a long list of folks out there like Iraq, China, and North Korea, nation-states who are developing asymmetric warfare capability." These nations are knowledgeable, Fortune says, because the very same vendors-Siemens, ABB, GE, and Westinghouse-who sell to the United States sell systems to those countries as well.

Share and Share Alike

The solution to cyber security boils down to sharing information-of the right kind. As Fortune points out, "security awareness is the key." That awareness, he says, needs to be not only at the top levels within companies, it also must be an education process throughout the entire infrastructure. Educating employees about cyber security issues is, he says, "the most bang for the buck you can get."

Indeed, companies can overlook the fact that despite all the attention paid to terrorists and hackers, disgruntled employees are the most likely source of attack on cyber security. ()

Of course, companies must get information from somewhere. EPRI has a very active information sharing program amongst the major utilities in North America and internationally, Fortune says. "The basic premise is that no one organization has all the answers, but collectively we can probably