Legal fears muffle warnings on cybersecurity threats

SAN FRANCISCO Tue Oct 30, 2012 4:18am IST

A cyber security analyst works in a watch and warning center at a Department of Homeland Security cyber security defense lab at the Idaho National Laboratory, September 30, 2011, in Idaho Falls, Idaho. REUTERS/Jim Urquhart

A cyber security analyst works in a watch and warning center at a Department of Homeland Security cyber security defense lab at the Idaho National Laboratory, September 30, 2011, in Idaho Falls, Idaho.

Credit: Reuters/Jim Urquhart

SAN FRANCISCO (Reuters) - The agenda at a secretive conference on protecting critical infrastructure from computer attack was curtailed at the last minute last week, underscoring the legal challenges of sharing such information, much less getting companies to respond to it.

Two talks about a nuclear power plant's potential vulnerabilities to cyber-attack were canceled after an equipment supplier threatened to sue, organizers said, even though plant officials had approved the presentations. The vendor complained that the talks would have revealed too much information about its own gear.

Conference participants were also told that a security firm that had uncovered the thousands of pieces of control equipment exposed to online attacks did not tell U.S. authorities where they were installed because it feared being sued by the equipment owners.

In addition, attendees said they were alarmed to learn that because the government has kept a technique it discovered for attacking electricity generation equipment secret for five years, potential targets had not realized they were vulnerable and therefore did not buy hardware needed to protect themselves.

The barriers to sharing information on emerging cyberthreats have concerned experts for years. Legislation that would have addressed those and other cybersecurity issues stalled this year in Congress. The White House is expected to issue an executive order to increase oversight of cybersecurity in the private sector.

Speaking in support of those initiatives, U.S. Defense Secretary Leon Panetta this month warned that enemy countries or terrorists could use cyber attacks to "contaminate the water supply in major cities or shut down the power grid across large parts of the country."

But though officials say protecting privately owned critical infrastructure from hacking attacks is a top priority, the closed-door conference held at Old Dominion University in Suffolk, Virginia, shows how much work still needs to be done, computer security experts say.

"Information sharing and information disclosure is still problematic," said conference organizer Joe Weiss, a security expert who has testified before Congress on the threats to the specialized computers known as control systems.

Control systems direct the actions of all manner of manufacturing equipment, and typically use their own specialized software. Security researchers, prompted by the success of the Stuxnet virus in disabling some centrifuges in Iran's nuclear program, have been racing to establish what types of control systems could be compromised from afar.

The results so far have not been encouraging. Much of the control equipment was designed without security or even Internet connectivity in mind. The equipment itself can last for decades, and some of the software can't be updated automatically with fixes, as is typical with most commercial software.

Regulators have limited authority to tell energy producers and distributors to fix known flaws in their equipment.

Congressional Republicans argue that the government shouldn't set even nonbinding security standards. But all agreed that easing the spread of information was a critical step--and that the government should provide some relief from antitrust or privacy lawsuits if needed to get industry participants talking to one another.

Kevin McDonald, executive vice president at security service provider Alvaka Networks in Irvine, Calif., said that the government was making things harder by classifying too many things as secret and failing to issue regulations that the utilities would be obliged to follow.

"If we don't do something as a community, really bad things are going to happen and people are going to die," said McDonald, who attended the four-day Virginia conference along with more than 130 other professionals and officials from as far away as Europe and Asia.

The pair of canceled talks concerned a security review that a nuclear plant outside the United States conducted to find out where it might be vulnerable to attack.

One person from the utility had planned to speak about why it had conducted the review, which was not been required by regulators.

"What the utility wanted to talk about was why they were willing to go beyond" minimum requirements for studying their own defensibility, said conference organizer Weiss. "Because they did more, they found more vulnerabilities." He declined to name the utility or the vendor that objected on the grounds that the review would disclose problems in its equipment.

A companion talk by a participant in the utility's effort, German expert Ralph Langner, was also pulled. Langner won fame for discovering that Stuxnet had been aimed at disabling centrifuges for uranium enrichment.

(Reporting by Joseph Menn. Editing by Jonathan Weber and Alden Bentley)

Comments (0)
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.

  • Most Popular
  • Most Shared

Wipro Results

People walk in the Wipro campus in Bangalore June 23, 2009. REUTERS/Punit Paranjpe/Files

Wipro sees rosier end to year as U.S. clients spend

India's third-biggest software services firm Wipro Ltd , under pressure to improve lacklustre sales growth, said it saw a rosier end to the year as more confident U.S. clients increase spending.  Full Article 

Reuters Showcase

New Email Service

New Email Service

Google launches new email service dubbed "Inbox".  Full Article 

Apple-1 Auction

Apple-1 Auction

Early Apple computer sells for $905,000 at auction.  Full Article 

No More Nokia

No More Nokia

Microsoft looks set to drop Nokia name from smartphones.  Full Article 

User Data Security

User Data Security

Apple CEO discusses security with top Chinese official amid hacking claims - Xinhua.  Full Article 

Patent Wars

Patent Wars

Big Tech winning battle with 'patent trolls'.  Full Article 

Record Season

Record Season

FedEx expects record peak volume of 22.6 million packages on Dec. 15.  Full Article 

Yahoo Earnings

Yahoo Earnings

Yahoo ekes out Q3 revenue gain despite display ad weakness.  Full Article 

Reuters India Mobile

Reuters India Mobile

Get the latest news on the go. Visit Reuters India on your mobile device.  Full Coverage