Loading ...
Sorry, an error occurred while loading the content.
 

BART computer network features plenty of security

Expand Messages
  • 9/16 BusinessWeek
    Published Tuesday, September 16, 2003, in BusinessWeek Online If These Networks Get Hacked, Beware America s critical transportation, power, and communications
    Message 1 of 1 , Sep 17, 2003
      Published Tuesday, September 16, 2003, in BusinessWeek Online

      If These Networks Get Hacked, Beware

      America's critical transportation, power, and communications systems
      remain quite vulnerable and lack funds to remedy that

      By Alex Salkever
      Technology Editor

      When the subway trains of the Bay Area Rapid Transit system rattle
      through tunnels under San Francisco and over elevated tracks in
      Oakland, Ray Mok is in control. As BART's principal network engineer,
      Mok has created one of the most technologically sophisticated public
      transportation systems on the planet, using the protocols that power
      the Internet to manage BART's thousands of moving pieces.

      Yet Mok's network features plenty of security at key junctures.
      Critical systems that control the trains sit on a different network
      that remains physically unconnected from BART's other systems. And
      he's careful to separate the network that runs BART stations --
      including everything from ticket machines to automated gates and
      escalators -- from the administrative network that powers the PCs of
      BART employees and that connects to the public Internet. Everything
      is protected by an extensive web of Internet security software and
      hardware, including firewalls aimed at fending off hackers and
      intrusion-detection systems designed to spot cyber break-and-enter
      artists who make it past the virtual fence.

      Sounds like overkill? Not if you're protecting the lives of tens of
      thousands of riders who each day pass below the frigid waters of San
      Francisco Bay. Mok believes that cyberattacks on the systems that run
      critical parts of U.S. infrastructure are inevitable. While BART
      isn't a big target, he says, "we have thousands of people scanning us
      from the Internet every day." Mok adds that the computer systems of
      most U.S. transportation networks suffer from too little security. "I
      generally don't feel that people are as concerned as we are," he
      says.

      WORM WARNING. The September 11 terrorist attacks on New York and
      Washington made cybersecurity a key concern at nuclear power plants,
      chemical plants, gas pipelines, phone networks, and water systems.
      This year's Aug. 14 blackout in the Northeast and Midwest dramatized
      the continued vulnerability of such systems. And on Sept. 3, the U.S.
      Nuclear Regulatory Commission issued a warning to plant operators to
      watch out for worm attacks, after the publication Security Focus
      reported a January, 2003, incident in which a worm called Slammer
      allegedly disabled critical safety systems at the Davis-Besse Nuclear
      Power Plant near Toledo, Ohio. (The plant wasn't running at the
      time).

      As America's infrastructure heads toward a future of standardization
      based on Microsoft chronically insecure Windows operating systems,
      it's becoming more imperative than ever to secure the networks that
      run these facilities. And that isn't simple, even though protecting
      computer systems isn't a mystery, either. Like BART, critical
      infrastructure has for years run on two or more separate networks.
      And the ones that control trains or power plants are based on
      proprietary protocols that few programmers can use fluently.

      They're also usually separated physically from networks that are used
      for communication, Web surfing, and document sharing. "We don't want
      a single cyberevent to have a broad effect, so we don't mix our
      administrative traffic with our air-traffic-control networks," says
      Dan Mehan, the chief information officer of the Federal Aviation
      Administration.

      "SAME VULNERABILITIES." Increasingly, however, the software used to
      control operational networks has migrated to Windows-based PCs that
      use a graphical interface any teenager can fathom. And many agencies
      have enabled remote access over the Internet to operational systems.
      That improves their ease of use, but at a cost, says William Miller,
      president of Maximum Control Technologies, an integrator of
      industrial control systems. "Now they have the same vulnerabilities
      as a Web server on the Internet. At some of my customers' sites, I
      can't separate the real-time control systems from the desktop
      systems."

      That's not a big deal if the most pressing emergency is to shut down
      an office computer network. But on an electrical grid where a few
      seconds can mean the difference between massive blackouts and an
      averted catastrophe, separation is critical. "If you have a virus on
      the business level, it's very unpleasant, but it's nothing compared
      with having a plant shut down or interrupting a critical production
      process," says Karsten Newberry, a business manager at Siemens
      Automation & Energy, a unit of Germany's Siemens the world's largest
      maker of industrial control systems. "It's critical that production
      systems be as protected as possible from viruses."

      Microsoft regularly patches holes in its software, it's true. But
      even that's tricky with critical systems, where unstable patches
      could bring down networks -- with potentially dangerous consequences.
      The latest Microsoft operating system is often layered on top of
      finicky older code that doesn't tolerate change very well. In fact,
      even doing security scans on legacy software applications (made by
      any number of companies) can cause the systems to crash, according to
      Phillipe Courtenot, the CEO of Qualys, which offers remote
      vulnerability scans of corporate networks via the Internet.

      For those reasons, says Miller, many companies that build interface
      software to manage industrial systems take up to a year to certify
      that a Microsoft patch won't cause a crash. When security is
      paramount, that's a long time.

      OBSCURITY EQUALS SAFETY? Below the level of the Microsoft-based
      systems lurks another big problem. Plant-floor systems usually run on
      homegrown protocols that, for the most part, software and hardware
      built to guard the Net can't understand. So Internet security tools
      such as firewalls and intrusion-detection systems are useless for
      securing that crucial part of the network, says Joseph Weiss, head of
      the cybersecurity practice at KEMA Consulting Group, a Fairfax (VA.)
      consultancy that advises energy companies and utilities.

      Conventional wisdom holds that these systems and the protocols that
      run them are so obscure as to be safe from hackers. But Weiss
      believes it's easier to hack proprietary industrial computer systems
      than most industry insiders will admit, thanks to Web-based
      translation software that can convert the proprietary protocols into
      other computing languages.

      Weiss also claims that it remains next to impossible to detect a
      hacker who makes it inside these systems. "We have no tools to find
      them," he says. "We don't even know what to look for. When a guy
      hacked into a sewage plant in Australia during 2001 and caused it to
      dump sewage, he did it 20 times before they figured out they had been
      hacked."

      FOOLISH TRADE-OFF? Weiss thinks systems to protect these specialized
      networks remain a long way off -- even though companies that build
      critical infrastructure controls say they're working hard to include
      software security wherever they can. For now, that's mainly at the
      operation-center level, which runs on Microsoft (or sometimes Linux)
      systems. "We've been very conscious about security in our products,"
      says Roy Kok, a director of product marketing for a division of
      General Electric (GE ) that sells industrial controls. For
      instance, "we went into the core of all our products and added
      electronic signature and auditing capabilities."

      Such suppliers also note, however, that if their customers don't use
      their products properly, even the best security can be breached. That
      sounds obvious, but Weiss says he's often shocked at how little
      thought factories, power plants, and energy companies have put into
      securing their networks. Though it's a point that could be
      interpreted as self-serving, Kok also argues that pressure to cut
      technology expenses throughout the deregulated utility industry has
      induced some electricity generators to accept smaller margins of
      error on security in order to achieve greater efficiencies.

      Funding remains in short supply all over, by many accounts. The Bush
      Administration has allocated nearly $1 billion in fiscal 2004 for
      protection of critical infrastructure, including cybersecurity. But
      little of that will go to the agencies and companies that are on the
      front lines of the battle. While the FAA's Mehan says his budget for
      cybersecurity has more than doubled since 1999, he says he needs more
      funding for research and development.

      HARDLY PRAGMATIC. BART's Mok says he has yet to see a dime of
      federal money, a claim echoed by other operators of critical
      infrastructure facilities. With a monstrous federal deficit looming
      and the war against terrorism being refocused for the moment as part
      of the massively expensive campaign in Iraq, the job of securing the
      digital backbone of America's critical infrastructure may get even
      less federal support in the coming years.

      That may look like a pragmatic decision now. But it could look penny-
      wise, pound foolish -- and nearly impossible to justify -- should
      someone figure out how to breach the computer networks that help
      provide America with transportation, power, electricity, and water.
    Your message has been successfully submitted and would be delivered to recipients shortly.