Utility, Industrial Control Systems Vulnerable to Hackers and Terrorists

Businesses and government agencies must re-examine the growing threat of cyberterrorism to automated computer systems running power grids, dams and other industrial facilities, security experts said Tuesday.

From 1982 until about 2000, problems with such systems usually were associated with internal accidents or inappropriate employee behavior, said Eric Byres, manager of Critical Infrastructure Security Research at the British Columbia Institute of Technology.

But a review by Byres of the last three years showed that 90 percent of these problems come from break-ins by hackers and computer viruses.

His presentation was part of a forum during the first day of the Instrumentation, Systems and Automation Society's annual conference running through Thursday.

"This was a shock to me. All of a sudden our threat source has changed,'' he said. ``A control system is a very complex system that has a lot of backdoors in. We have to reevaluate the way we protect our systems.''

David Sanders, director of critical infrastructure cyber security with the National Cyber Security Division at the Department of Homeland Security, said hackers or terrorists can break into automated control systems by having companies violate their own security policies, spreading viruses or through software errors.

"The intent will be directed at specific targets within your critical infrastructure,'' he said. ``If you're from the power and electric world and you run a substation, and one of your transformers blows up, how many would attribute it to a cyber attack? My guess is no one.''

To educate the country on the growing problem and how to protect itself from it, Sanders said Homeland Security has created a strategy with five goals, including helping industry build its own self-sustaining security culture and creating international awareness about cyber threats that keeps track of them and distributes warnings.

"It is important and it has been highlighted and you will see commitment from both government and industry to work together to make sure the information sharing and protection is there,'' said Elizabeth Rhodenizer, with the Office of Critical Infrastructure Protection and Emergency Preparedness, the Canadian version of the Department of Homeland Security.

Oil company BP reviewed its inner workings after the terrorist attacks of Sept. 11, 2001 and found that its business and operations systems were ``really just one global network'' that was interconnected and could leave any of its enterprises vulnerable to attack, said David Scheulen, a company manager of industry and government relations.

The company created a set of standard responses to problems and closed down backdoors that hackers could use to break into its computer systems.

``Things have worked out fairly well for us,'' he said. ``But we've still got an awful lot of work to do.''