2012-10-29
* Conference organizer forced to cancel talks after legal threats
* Nuclear power plant vulnerabilities discovered, but not shared
* Industrial control systems seen as weak link
By Joseph Menn
SAN FRANCISCO, Oct 29 The agenda at a secretive
conference on protecting critical infrastructure from computer
attack was curtailed at the last minute last week, underscoring
the legal challenges of sharing such information, much less
getting companies to respond to it.
Two talks about a nuclear power plant's potential
vulnerabilities to cyber-attack were canceled after an equipment
supplier threatened to sue, organizers said, even though plant
officials had approved the presentations. The vendor complained
that the talks would have revealed too much information about
its own gear.
Conference participants were also told that a security firm
that had uncovered the thousands of pieces of control equipment
exposed to online attacks did not tell U.S. authorities where
they were installed because it feared being sued by the
equipment owners.
In addition, attendees said they were alarmed to learn that
because the government has kept a technique it discovered for
attacking electricity generation equipment secret for five
years, potential targets had not realized they were vulnerable
and therefore did not buy hardware needed to protect themselves.
The barriers to sharing information on emerging cyberthreats
have concerned experts for years. Legislation that would have
addressed those and other cybersecurity issues stalled this year
in Congress. The White House is expected to issue an executive
order to increase oversight of cybersecurity in the private
sector.
Speaking in support of those initiatives, U.S. Defense
Secretary Leon Panetta this month warned that enemy countries or
terrorists could use cyber attacks to "contaminate the water
supply in major cities or shut down the power grid across large
parts of the country."
But though officials say protecting privately owned critical
infrastructure from hacking attacks is a top priority, the
closed-door conference held at Old Dominion University in
Suffolk, Virginia, shows how much work still needs to be done,
computer security experts say.
"Information sharing and information disclosure is still
problematic," said conference organizer Joe Weiss, a security
expert who has testified before Congress on the threats to the
specialized computers known as control systems.
Control systems direct the actions of all manner of
manufacturing equipment, and typically use their own specialized
software. Security researchers, prompted by the success of the
Stuxnet virus in disabling some centrifuges in Iran's nuclear
program, have been racing to establish what types of control
systems could be compromised from afar.
The results so far have not been encouraging. Much of the
control equipment was designed without security or even Internet
connectivity in mind. The equipment itself can last for decades,
and some of the software can't be updated automatically with
fixes, as is typical with most commercial software.
Regulators have limited authority to tell energy producers
and distributors to fix known flaws in their equipment.
Congressional Republicans argue that the government
shouldn't set even nonbinding security standards. But all agreed
that easing the spread of information was a critical step--and
that the government should provide some relief from antitrust or
privacy lawsuits if needed to get industry participants talking
to one another.
Kevin McDonald, executive vice president at security service
provider Alvaka Networks in Irvine, Calif., said that the
government was making things harder by classifying too many
things as secret and failing to issue regulations that the
utilities would be obliged to follow.
"If we don't do something as a community, really bad things
are going to happen and people are going to die," said McDonald,
who attended the four-day Virginia conference along with more
than 130 other professionals and officials from as far away as
Europe and Asia.
The pair of canceled talks concerned a security review that
a nuclear plant outside the United States conducted to find out
where it might be vulnerable to attack.
One person from the utility had planned to speak about why
it had conducted the review, which had not been required by
regulators.
"What the utility wanted to talk about was why they were
willing to go beyond" minimum requirements for studying their
own defensibility, said conference organizer Weiss. "Because
they did more, they found more vulnerabilities." He declined to
name the utility or the vendor that objected on the grounds that
the review would disclose problems in its equipment.
A companion talk by a participant in the utility's effort,
German expert Ralph Langner, was also pulled. Langner won fame
for discovering that Stuxnet had been aimed at disabling
centrifuges for uranium enrichment.