BART computer network features plenty of security
- Published Tuesday, September 16, 2003, in BusinessWeek Online
If These Networks Get Hacked, Beware
America's critical transportation, power, and communications systems
remain quite vulnerable and lack funds to remedy that
By Alex Salkever
When the subway trains of the Bay Area Rapid Transit system rattle
through tunnels under San Francisco and over elevated tracks in
Oakland, Ray Mok is in control. As BART's principal network engineer,
Mok has created one of the most technologically sophisticated public
transportation systems on the planet, using the protocols that power
the Internet to manage BART's thousands of moving pieces.
Yet Mok's network features plenty of security at key junctures.
Critical systems that control the trains sit on a different network
that remains physically unconnected from BART's other systems. And
he's careful to separate the network that runs BART stations --
including everything from ticket machines to automated gates and
escalators -- from the administrative network that powers the PCs of
BART employees and that connects to the public Internet. Everything
is protected by an extensive web of Internet security software and
hardware, including firewalls aimed at fending off hackers and
intrusion-detection systems designed to spot cyber break-and-enter
artists who make it past the virtual fence.
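As an added illustration, not code from the article or from BART, the following Python audit checks flow records against the three-zone split the paragraph describes (physically isolated train control, station systems, and the Internet-connected administrative network); the address plan and sample log lines are constructed.

```python
"""Zone-to-zone flow audit modelled on the segmentation described above."""
from dataclasses import dataclass

# Allowed (src_zone, dst_zone) pairs in the initiating direction.
# Everything not listed is denied (default deny). The control zone is
# air-gapped in the article, so any observed flow touching it is a
# violation by definition, and admin is only allowed outbound to the Internet.
ALLOWED = {
    ("admin", "admin"),
    ("admin", "internet"),
    ("station", "station"),
    ("control", "control"),
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Map an address to a zone (constructed address plan, not BART's)."""
    if ip.startswith("10.10."):
        return "admin"
    if ip.startswith("10.20."):
        return "station"
    if ip.startswith("10.30."):
        return "control"
    return "internet"


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow-log line of the form 'src_ip dst_ip dst_port'."""
    src, dst, port = line.split()
    return Flow(zone_of(src), zone_of(dst), int(port))


def is_allowed(flow: Flow) -> bool:
    return (flow.src_zone, flow.dst_zone) in ALLOWED


def severity(flow: Flow) -> str:
    """Rank a violation: any control-zone involvement means the air gap failed."""
    if "control" in (flow.src_zone, flow.dst_zone):
        return "critical"
    return "high" if flow.dst_zone == "station" else "medium"


def audit(lines: list[str]) -> list[tuple[str, str]]:
    """Return (severity, line) for every record that violates the policy."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if not is_allowed(flow):
            violations.append((severity(flow), line))
    return violations


SAMPLE_LOG = [  # constructed sample records
    "10.10.1.5 198.51.100.7 443",  # admin PC browsing the Internet: allowed
    "203.0.113.9 10.10.1.5 22",    # Internet scanner probing admin: denied
    "10.10.1.5 10.20.3.1 502",     # admin PC reaching station gear: denied
    "10.20.3.1 10.30.0.2 502",     # anything into the control network: denied
    "10.20.3.1 10.20.3.9 80",      # station-to-station traffic: allowed
]
```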
Sounds like overkill? Not if you're protecting the lives of tens of
thousands of riders who each day pass below the frigid waters of San
Francisco Bay. Mok believes that cyberattacks on the systems that run
critical parts of U.S. infrastructure are inevitable. While BART
isn't a big target, he says, "we have thousands of people scanning us
from the Internet every day." Mok adds that the computer systems of
most U.S. transportation networks suffer from too little security. "I
generally don't feel that people are as concerned as we are," he
WORM WARNING. The September 11 terrorist attacks on New York and
Washington made cybersecurity a key concern at nuclear power plants,
chemical plants, gas pipelines, phone networks, and water systems.
This year's Aug. 14 blackout in the Northeast and Midwest dramatized
the continued vulnerability of such systems. And on Sept. 3, the U.S.
Nuclear Regulatory Commission issued a warning to plant operators to
watch out for worm attacks, after the publication Security Focus
reported a January, 2003, incident in which a worm called Slammer
allegedly disabled critical safety systems at the Davis-Besse Nuclear
Power Plant near Toledo, Ohio. (The plant wasn't running at the
As America's infrastructure heads toward a future of standardization
based on Microsoft's chronically insecure Windows operating systems,
it's becoming more imperative than ever to secure the networks that
run these facilities. And that isn't simple, even though protecting
computer systems isn't a mystery, either. Like BART, critical
infrastructure has for years run on two or more separate networks.
And the ones that control trains or power plants are based on
proprietary protocols that few programmers can use fluently.
They're also usually separated physically from networks that are used
for communication, Web surfing, and document sharing. "We don't want
a single cyberevent to have a broad effect, so we don't mix our
administrative traffic with our air-traffic-control networks," says
Dan Mehan, the chief information officer of the Federal Aviation
"SAME VULNERABILITIES." Increasingly, however, the software used to
control operational networks has migrated to Windows-based PCs that
use a graphical interface any teenager can fathom. And many agencies
have enabled remote access over the Internet to operational systems.
That improves their ease of use, but at a cost, says William Miller,
president of Maximum Control Technologies, an integrator of
industrial control systems. "Now they have the same vulnerabilities
as a Web server on the Internet. At some of my customers' sites, I
can't separate the real-time control systems from the desktop
That's not a big deal if the most pressing emergency is to shut down
an office computer network. But on an electrical grid where a few
seconds can mean the difference between massive blackouts and an
averted catastrophe, separation is critical. "If you have a virus on
the business level, it's very unpleasant, but it's nothing compared
with having a plant shut down or interrupting a critical production
process," says Karsten Newberry, a business manager at Siemens
Automation & Energy, a unit of Germany's Siemens, the world's largest
maker of industrial control systems. "It's critical that production
systems be as protected as possible from viruses."
Microsoft regularly patches holes in its software, it's true. But
even that's tricky with critical systems, where unstable patches
could bring down networks -- with potentially dangerous consequences.
The latest Microsoft operating system is often layered on top of
finicky older code that doesn't tolerate change very well. In fact,
even doing security scans on legacy software applications (made by
any number of companies) can cause the systems to crash, according to
Philippe Courtot, the CEO of Qualys, which offers remote
vulnerability scans of corporate networks via the Internet.
For those reasons, says Miller, many companies that build interface
software to manage industrial systems take up to a year to certify
that a Microsoft patch won't cause a crash. When security is
paramount, that's a long time.
OBSCURITY EQUALS SAFETY? Below the level of the Microsoft-based
systems lurks another big problem. Plant-floor systems usually run on
homegrown protocols that, for the most part, software and hardware
built to guard the Net can't understand. So Internet security tools
such as firewalls and intrusion-detection systems are useless for
securing that crucial part of the network, says Joseph Weiss, head of
the cybersecurity practice at KEMA Consulting Group, a Fairfax (Va.)
consultancy that advises energy companies and utilities.
Conventional wisdom holds that these systems and the protocols that
run them are so obscure as to be safe from hackers. But Weiss
believes it's easier to hack proprietary industrial computer systems
than most industry insiders will admit, thanks to Web-based
translation software that can convert the proprietary protocols into
other computing languages.
Weiss also claims that it remains next to impossible to detect a
hacker who makes it inside these systems. "We have no tools to find
them," he says. "We don't even know what to look for. When a guy
hacked into a sewage plant in Australia during 2001 and caused it to
dump sewage, he did it 20 times before they figured out they had been
FOOLISH TRADE-OFF? Weiss thinks systems to protect these specialized
networks remain a long way off -- even though companies that build
critical infrastructure controls say they're working hard to include
software security wherever they can. For now, that's mainly at the
operation-center level, which runs on Microsoft (or sometimes Linux)
systems. "We've been very conscious about security in our products,"
says Roy Kok, a director of product marketing for a division of
General Electric (GE) that sells industrial controls. For
instance, "we went into the core of all our products and added
electronic signature and auditing capabilities."
Such suppliers also note, however, that if their customers don't use
their products properly, even the best security can be breached. That
sounds obvious, but Weiss says he's often shocked at how little
thought factories, power plants, and energy companies have put into
securing their networks. Though it's a point that could be
interpreted as self-serving, Kok also argues that pressure to cut
technology expenses throughout the deregulated utility industry has
induced some electricity generators to accept smaller margins of
error on security in order to achieve greater efficiencies.
Funding remains in short supply all over, by many accounts. The Bush
Administration has allocated nearly $1 billion in fiscal 2004 for
protection of critical infrastructure, including cybersecurity. But
little of that will go to the agencies and companies that are on the
front lines of the battle. While the FAA's Mehan says his budget for
cybersecurity has more than doubled since 1999, he says he needs more
funding for research and development.
HARDLY PRAGMATIC. BART's Mok says he has yet to see a dime of
federal money, a claim echoed by other operators of critical
infrastructure facilities. With a monstrous federal deficit looming
and the war against terrorism being refocused for the moment as part
of the massively expensive campaign in Iraq, the job of securing the
digital backbone of America's critical infrastructure may get even
less federal support in the coming years.
That may look like a pragmatic decision now. But it could look
penny-wise, pound-foolish -- and nearly impossible to justify -- should
someone figure out how to breach the computer networks that help
provide America with transportation, power, electricity, and water.