UK Critical Systems Report – CSRI30th Jul 2011
The damage caused by the Stuxnet virus was tangible proof that viruses could have a major impact on the ‘real world’.
Now a report by the UK-based Cyber Security Research Institute (CSRI) has revealed that the vulnerability of societies around the world to virus attacks is greater than many had supposed.
In particular parts of the UK’s Critical National Infrastructure (CNI) – the backbone of the country through which essential services such as power and water supply are run – could be especially at risk to attacks from either criminal or state-sponsored cyber attacks.
In its ‘UK Critical Systems Report’, the CSRI reports claims that the so-called control systems world is ‘ten to fifteen years behind’ the IT industry in terms of security against online and digital attacks.
One reason for the vulnerability of the national infrastructure, finds the report, is that traditionally the world of control systems has not regarded cyber security as an important issue.
‘One of the biggest issues is that the people who design, implement and build [the control systems] don’t know one end of security from another because it is not part of their culture. It’s not their fault, they just have not been required to do it,’ says one leading UK expert who asked not to be named, told the report’s author.
This is partly because at the time various systems, grids and their equipment were installed, there was no expectation that they would ever be linked up to the outside world via the internet.
But, says the report, the need to drive down costs in many industries and the discovery that some key safety systems in dangerous places could be controlled remotely via the internet have changed that.
‘The move to [new control] systems boosts efficiency at utilities because it allows workers to operate equipment remotely. But at the same time this access to the internet exposes once-closed systems to cyber attacks,’ Frank Saxton, a computer network security engineer, tells the report. ‘Electric utilities, pipelines, railroads and oil companies use remotely controlled and monitored valves, switches and other mechanisms that are vulnerable to attack.’
The report points out that neither computers nor phones lines – through which the internet runs – were built with security in mind. ‘This inherently insecure internet was then connected to the systems that run our electricity, gas, fuel, telecoms, water and food to provide greater online control and market access to data. In this way the internet has been connected to systems that were never intended to be connected to the outside world. We are now starting to see the impact of that,’ notes the report.
The report accepts that the UK government is starting to address the problem by announcing in October 2010 that €650 million will be spent on the nation’s cyber defences at a time when other public sectors are seeing their budgets slashed.
But it says that the current state of the infrastructure will hamper progress, as will a chronic skills shortage in cyber security and a continuing reluctance in the world of the CNI to address cyber security issues.
‘The situation is worsening rather than improving. The mix of the people with the industrial systems knowledge and the security skills isn’t there,’ warns one expert who is advising the UK Government on CNI. ‘I have assessed 40-50 jobs in the last three months and not a single one mentions security.’
The CSRI report also highlights the need, in an inter-connected world, for private businesses to play their part in helping defend the national infrastructure by ensuring their own data systems and computers are properly protected against attack.
But it is not optimistic that this will happen quickly.
‘Some observers point out that even if large companies had been aware of the Stuxnet vulnerabilities they would not have taken the necessary steps to protect against it until it became essential to do so – i.e. that they had an example of a real world attack as in the case of the Iranian power plant,’ says the report.
The study also suggests that the computer security industry faces greater challenges in a post-Stuxnet world. ‘More and more it will become necessary for the computer security industry to act as part of the awareness-raising mechanism to prove the threat and the need to protect against it,’ it argues. ‘The challenge for computer security companies will be to evolve into a role that they have until now avoided – that of helping identify what needs to be protected, protecting it, finding out who is attacking it, and then helping prosecute the attackers.’
On a world-wide level the report also warns that with governments now devoting greater funds towards cyber security and with defence companies seeing the commercial opportunity and starting their own cyber security, there is a risk of an escalation in terms of offensive as well as defensive cyber security techniques.
‘It is definitely the start of something new, and it’s definitely the start of an arms race for the simple reason that you can’t stockpile weaponised software because it has to be constantly updated to make sure that it will still work in an internet and cyber landscape that is constantly being updated,’ one employee of a leading US arms firm tells the author.