A computer virus that kills people forms the plotline of The Drone Virus.
In this "real-life inspired" medical novel (and motion picture) by physician/writer Dr. Gerald P. Clarke, children are dying because of a virus-infected MRI unit, and only a hero can save them.
Could this type of malware get into the innards of the systems that control energy industry assets such as pipelines and refineries? Experts such as Eric Byers of the British Columbia Institute of Technology certainly think so. He and his colleagues have compiled a knowledgebase of more than 50 industrial computer security incidents that, according to their webpage, "is growing by about 10 incidents per quarter."
To discourage hackers from using his database as a shortcut to mischief, Byers only gives access to people who submit a valid incident report or who pay fees of $500 US and up.
But a paper he presented at a Berlin conference in 2004 gives some clues to what's in the system. It lists penetrations of "the Davis-Besse nuclear power plant process computer and safety parameter display systems," as well as "a power SCADA (supervisory control and data acquisition) system," and a "petroleum control system."
This led Byers and co-author Justin Lowe to use the term "the backdoor to the plant" to describe industrial computer vulnerabilities.
Part of the problem is the move to using "common off-the-shelf" operating systems in industrial computers. Windows and Linux are rapidly replacing the special-purpose, proprietary systems of the past.
Those were virtually immune to hackers because they were so weird and esoteric. Now, any "script kiddie" worth his keyboard can download automated attacks that target common operating systems.
Experts agree that plugging all the security holes is a difficult task, yet it takes only one "open door" for a system to be penetrated. Even a single packet of bad data can cause problems.
Byers and Lowe describe points of entry including a dial-up modem, a contractor's T1 line, and, of course, the Internet, which accounted for 36 per cent of the intrusions.
The study also found that in nearly half of the cases where a financial loss was reported, it was "substantial," i.e. greater than $1 million. Even more frightening is the statistic that 41 per cent of the incidents caused lost production time, and "29 per cent reported a loss of ability to view or control the plant."
Byers is Canada's leading expert specializing in this aspect of computer security, so we should heed his advice that "failure to adapt to the changing threats and vulnerabilities will leave the controls world exposed to increasing cyber incidents."
Bob Hansmann, senior product marketing manager for U.S.-based Trend Micro, Inc., says the threat is very real. "We've started to see computer viruses in things like medical MRI machines. And if they can get into systems like that, many other types of computers are vulnerable.
"We're looking at (attacks on) cellphones, routers, and Linux. Linux is becoming a little more mainstream. Once there's a standard, virus writers will write for it."
He also warns about "bot networks" that take over innocent PCs and use them to attack websites by flooding them with traffic. Industrial computers can fall prey to a "resource starvation attack," with the same dire consequences.
Hansmann says some bot networks control huge numbers of zombie PCs. "We've seen these with up to 20 to 30 thousand computers," he says. "And we had to ask ourselves, what can you do with 20 to 30 thousand systems? I can cause a very effective denial of service attack with only 15 PCs."
As a defence strategy, Hansmann advises installing good anti-virus, anti-spyware and personal firewall software, and keeping it up to date with all the latest patches.
Of course, he recommends his own company's products, but, in fairness, they do offer free online scanning for viruses and spyware through a service called HouseCall. It does the job quite nicely without installing any junk on your computer or pestering you with pop-ups. Why do they give away their core product?
Hansmann says "it's only a snapshot" and, of course, a virus or spyware can sneak in two seconds after you run HouseCall, if you remember to run it at all. Trend Micro's commercial products provide continuous protection.
Just when you thought it was safe to come out, along comes a new tool in the hacker arsenal - Google! I attended a presentation on "google hacking" at Infosecurity Canada in Toronto given by Kartik Trevedi of Foundstone Professional Services.
I actually decided not to write about it in detail since it might put a powerful tool into the hands of the wrong people. However, the general idea is to use the advanced search features of Google to look for security holes on servers.
Here's an example that conveys the principle without giving away all the secrets, which, of course, are on the Internet for anyone to find anyway. If you use Google to search the exact phrase inurl: "ViewerFrame?Mode=" you are going to find hundreds of sites running a Panasonic web camera. Try it. Some of them are in interesting places such as a mall in Japan and an elementary school in Wisconsin. Anybody in the oilpatch using network-connected web cameras to keep an eye on assets?
I thought so! Now just imagine what other kinds of secrets people can discover with a Google search: Passwords, device addresses, even tidy reports of security vulnerabilities that have been stored online.
A helpful article in Security Pipeline called How to Stop Attacks that Use Google (see Web Watch, below) is mandatory reading for people trying to secure industrial computers.
So is 21 Steps to Improve Cybersecurity of SCADA Networks, from the U.S. government's Technical Support Working Group (also in Web Watch).
That time-honoured principle of "security through obscurity" started to collapse with the proliferation of standardized systems and the growth of the Internet.
Now, the bad guys range from terrorists to competitors to disgruntled employees to the just plain nosy. Any company that's asleep at the switch in industrial computer security may just find that their computer's switch is asleep or controlled by an intruder when they try to give commands to their pipeline or refinery.
Web Watch:
www.littlestudiofilms.com/dronehome.htm
www.bcit.ca/appliedresearch/security/
www.securitypipeline.com/showArticle.jhtml?articleID=57701375
www.tswg.gov/tswg/home/home.htm
(Tom Keenan is a professor at the University of Calgary and an expert on technology and its social implications. He can be reached at keenan@businessedge.ca)







