Bringing national infrastructure to its knees – with just one click

01 May 2009

Norman Data Defense has issued a warning to all national infrastructure suppliers to sit up and take notice of the increasing number of threats to national infrastructure controls running on TCP/IP based networks. Most of the national infrastructure is controlled and operated by legacy process and control systems, which are open to attack.

David Robinson, Norman Data Defense UK general manager

David Robinson, Norman Data Defense UK general manager, said: “We take it for granted that when we flick a switch the light comes on, when we run a tap we will have safe clean drinking water and when we go to catch a train it will arrive on time. But we often forget that these services and the processes and controls behind them are increasingly running on standardised architecture with TCP/IP based networks. Sadly, due to the nature of these systems, they often run with minimal security in place leaving them open to attack.”
Over the last 10 years or so there has been a convergence of IT and control systems, with the adoption of common hardware, operating systems and communication technologies in the process and control layers. Legacy process and control systems are frequently merged with other systems to deliver increased information flow, with entire organisations operating them. Once isolated, process and control systems can now be accessed externally from many different points of entry.

One major threat to security are the mobile devices that are in everyone’s possession. USBs, laptops and PDAs are moved to and from the process and control systems, with legacy systems still operating on some technologies despite known vulnerabilities; these systems have little or no security implemented.
A further risk is that traditional IT security solutions are not used because system incompatibilities create a gaping hole in the defences that hold the national infrastructure together.

Lord West of Spithead, the UK Security Minister, discussing the daily attacks to critical networks controlling electricity supplies, telecommunications and banking with The Times Online said recently: “If you take the whole gamut of threats, from state-sponsored organisations to industrial espionage, private individuals and malcontents, you’re talking about a remarkable number of attempted attacks on our system — I’d say in the thousands.”

Norman Data Defense has developed a seven point plan to reduce the threat on the national infrastructure:

1. Existing IT security guidelines within national infrastructure organisations should be enhanced to include process and control systems security

2. Modifications to existing IT security guidelines should be made to accommodate specific process and control systems requirements

3. IT and control system departments need to work together

4. Vulnerability assessments should be commissioned on all process and control systems used within the national infrastructure

5. New and legacy systems should be security hardened to prevent, wherever possible, both untargeted and targeted attacks

6. System security hardening should commence immediately and not wait for major system upgrades

7. Both physical and IT security need to be considered together