The Chubu Electric Power Company’s recent experience with cyber security vulnerabilities illustrates two important lessons. First, many vulnerabilities are a direct result of a blatant violation of standard policy or security best practices. In this particular instance, the Chubu Electric Power Company had created a series of information security policies in the aftermath of similar “leaks” of sensitive information. These leaks were the result of Chubu users installing vulnerable versions of the popular Winny file-sharing application on the company network in January 2006. In response to this incident, file-sharing applications were banned from the network. However, in this most recent incident, a 40-year-old security contractor installed Share, another file-sharing application, onto his desktop in blatant violation of the policy barring file-sharing applications.
Certainly, these “leaks” are not as damaging as a direct assault against a power plant. However, they can most certainly aid in the planning and execution of a damaging attack. For example, in the most recent incident, the location of the control and instrument panel rooms, boilers, and manuals on how to deal with intruders were made public. In addition, names and addresses of the plant’s security personnel were also posted on the Internet. This type of sensitive information can aid a determined attacker in planning either a physical or a cyber attack.
The second lesson that can be drawn from this incident is that the computer networks that monitor and administer critical infrastructure are vulnerable to attack. As these networks are standardized on TCP/IP and connected to the Internet, they become increasingly vulnerable to attack. For example, the North American Electric Reliability Council (NERC) noted in a June 20, 2003 report that the Slammer worm was able to infiltrate critical systems “through corporate networks until it finally reached the critical SCADA network via a remote computer through a VPN connection.” As the worm proliferated, it saturated these critical networks and blocked SCADA traffic at a power station. While the worm did not shut off the power station, it “essentially shut off the control system.”
Furthermore, the incidents at Chubu Electric Power and the infection reported by the NERC are not isolated cases. According to the British Columbia Institute of Technology (BCIT) Industrial Security Incident Database (ISID), a database that monitors cyber security incidents that affect industrial control systems, there have been a total of 34 documented incidents between 1995 and 2003 (see graph). Moreover, as shown by the associated graph, there has been a marked increase in reported incidents since 2001. However, it is unclear whether this spike is a result of an increase in attacks or a result of increased attention.
Given these lessons, it is vital that private sector companies responsible for maintaining components of the critical infrastructure take cyber security seriously. A few simple steps can help these companies boost their security posture. For example, companies should design and enforce an information security policy that ensures that no unauthorized applications, especially networked applications, are installed on any of the company’s computers. Additionally, companies should ensure that sensitive applications and data are not connected to publicly accessible networks. Finally, companies should conduct routine patch management to ensure that software vulnerabilities are corrected.