The Stuxnet worm showed the world in 2010 that PLCs controlling centrifuges in a nuclear storage facility could be breached from the outside. Australia's Maroochy Shire sewage spill in 2000 revealed the vulnerability of PLC-controlled water storage and treatment facilities. At DEF CON 2011, Virginia-based security engineer and consultant John Strauchs described his disturbing success in writing a zero-day exploit code that allowed his team to take control of PLCs used to govern correctional facilities' doors and other physical security systems.
What are the implications of this in a country where approximately one percent of the population ends up in prison -- and inmate-to-guard ratios in county facilities may be as high as 55:1? Consider this: Strauchs has worked on electronic locking systems in more than 100 U.S. law enforcement, penal, and court systems.
The convergence of physical and information security mechanisms into a common platform for automated access -- or egress -- control, as in these examples, can create opportunities for bad actors seeking to create disruption. Federal policy-makers from the legislative and executive branches continue to raise awareness about the vulnerabilities in critical infrastructure facilities, such as electrical and power systems. At least nine of the 25 pieces of congressional legislation addressing cybersecurity issues introduced in 2011 between January and early August include provisions for protecting critical infrastructure, as did the president's cybersecurity strategy policy delivered to Congress in May.
And yet, the U.S. Department of Homeland Security Appropriations Act for 2012 recommends $500,000,000 be allocated through 2014 to "establish and maintain a security barrier" along the U.S. border, while the combined National Cyber Security Division program and Office of Infrastructure Protection budget of $891,243,000 is subject to a 41 percent holdback if stringent project plan specifications do not receive congressional approval.
Programmable logic controllers (PLCs) are environmentally tolerant, purpose-driven computing devices that are used in a range of industrial control systems to automate production processes, manage physical controls, etc. Along with sensor and radio frequency identification technologies, PLCs are becoming part of the "Internet of things" that are increasingly accessible over IP networks instead of being directly programmed through point-to-point connections.
- http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf (NIST Guide to Industrial Control Systems, published June 2011)
Jennifer Kurtz is a technology and economic development consultant currently focused on information security and privacy. She has held appointments at Purdue and Ball State Universities in Indiana and currently teaches graduate courses in information assurance at Regis University in Denver. Her work in telecommunications includes leading Indiana’s statewide broadband infrastructure initiative as Indiana’s eCommerce Director, building and managing the telecommunications infrastructure for Delco Remy International, and co-authoring a 10-year strategic plan for the US Department of the Treasury. She recently wrote a chapter on data leakage prevention for a book published in early 2011 by the American Bar Association, The Data Breach and Encryption Handbook. Her degrees are from The American University and Anderson University.
Connect with Jennifer Kurtz on LinkedIn.