SAN FRANCISCO (Reuters) - The agenda at a secretive conference on protecting critical infrastructure from computer attack was curtailed at the last minute last week, underscoring the legal challenges of sharing such information, much less getting companies to respond to it.

Two talks about a nuclear power plant's potential vulnerabilities to cyber-attack were canceled after an equipment supplier threatened to sue, organizers said, even though plant officials had approved the presentations. The vendor complained that the talks would have revealed too much information about its own gear.

Conference participants were also told that a security firm that had uncovered the thousands of pieces of control equipment exposed to online attacks did not tell U.S. authorities where they were installed because it feared being sued by the equipment owners.

In addition, attendees said they were alarmed to learn that because the government has kept a technique it discovered for attacking electricity generation equipment secret for five years, potential targets had not realized they were vulnerable and therefore did not buy hardware needed to protect themselves.

The barriers to sharing information on emerging cyberthreats have concerned experts for years. Legislation that would have addressed those and other cybersecurity issues stalled this year in Congress. The White House is expected to issue an executive order to increase oversight of cybersecurity in the private sector.

Speaking in support of those initiatives, U.S. Defense Secretary Leon Panetta this month warned that enemy countries or terrorists could use cyber attacks to "contaminate the water supply in major cities or shut down the power grid across large parts of the country."

But though officials say protecting privately owned critical infrastructure from hacking attacks is a top priority, the closed-door conference held at Old Dominion University in Suffolk, Virginia, shows how much work still needs to be done, computer security experts say.

"Information sharing and information disclosure is still problematic," said conference organizer Joe Weiss, a security expert who has testified before Congress on the threats to the specialized computers known as control systems.

Control systems direct the actions of all manner of manufacturing equipment, and typically use their own specialized software. Security researchers, prompted by the success of the Stuxnet virus in disabling some centrifuges in Iran's nuclear program, have been racing to establish what types of control systems could be compromised from afar.

The results so far have not been encouraging. Much of the control equipment was designed without security or even Internet connectivity in mind. The equipment itself can last for decades, and some of the software can't be updated automatically with fixes, as is typical with most commercial software.

Regulators have limited authority to tell energy producers and distributors to fix known flaws in their equipment. Congressional Republicans argue that the government shouldn't set even nonbinding security standards. But all agreed that easing the spread of information was a critical step -- and that the government should provide some relief from antitrust or privacy lawsuits if needed to get industry participants talking to one another.

Kevin McDonald, executive vice president at security service provider Alvaka Networks in Irvine, Calif., said that the government was making things harder by classifying too many things as secret and failing to issue regulations that the utilities would be obliged to follow.
http://articles.chicagotribune.com/2012-10-29/business/sns-rt-us-cyberwar-infrastructurebre89s1ah-20121029_1_cyber-attacks-cybersecurity-stuxnet