Cyberstalkers Threaten Pipeline Security

From: New York Times

By DYLAN WALSH

In a recent annual review, a team at the Department of Homeland Security that works to counter the threat of cyberattacks on critical infrastructure counted 198 “incidents” in fiscal 2012. The events reported ranged from the use of malware to sabotage systems to phishing attacks for retrieving sensitive information. In roughly 40 percent of those cases, the target was the energy sector – “an alarming rate,” the report said.

Last year the Obama administration championed passage of a Cybersecurity Act, which would have made it easier for companies that operate critical infrastructure to improve the security of their computer systems and to share information about attacks on their networks with the federal government. But Senate Republicans succeeded in fending off the bill last August, arguing that it would have imposed a financial burden on companies.

In November, a White House draft executive order picked up the baton by calling for concerted agency action on the issue.

The order describes cyberattacks on critical infrastructure, which have risen exponentially over the last five years, as “one of the most serious national security challenges we must confront.” Last year, for example, the natural gas industry fought off a lengthy and ultimately unsuccessful series of attacks on its pipeline infrastructure, with the Department of Homeland Security issuing three amber alerts, the second-most serious level of warning. The Transportation Security Administration wields authority over pipeline security but has yet to promulgate industry-wide standards for cybersecurity. The agency relies instead on the voluntary adoption of best practices by industry.

Pipeline vulnerability is a particular concern because of the ubiquity of supervisory control and data acquisition, or Scada, software systems, which are used to monitor variables like pressure and flow rates. Pipeline operators can respond to any unexpected changes through remote management of valves, pumps and compressor stations.

But, like any software, Scada systems are susceptible to hacking and viruses. The Stuxnet computer worm, designed jointly by the United States and Israel to attack Iran’s main nuclear enrichment facility in 2008, is a prime example of how such attacks can disrupt and destroy physical infrastructure. In the case of pipelines, the attacks could come in the form of unauthorized commands or false reports to operators, resulting in spills, fires or explosions.

Investigators have so far not linked any historical pipeline problems to malicious cyberactivity, but software malfunctions have illustrated the potential threat.

In the summer of 2010, problems in a Scada control center contributed to the spill of more than one million gallons of crude oil outside the small town of Marshall, Mich. Coursing through local waterways, the oil made its way into the Kalamazoo River and now ranks as one of the largest inland spills in the nation’s history.

Debate over cybersecurity regulation remains fiercely split along party lines, with Senate Republicans casting 40 of the 46 nay votes against last year’s Cybersecurity Act. A recent letter from Congressional Republicans to the president attacked his draft order as a “backdoor regulatory framework.”
