Across the UK, computer usage is increasing in both social and business settings, and it looks set to continue. This is increasing the ways in which we as individuals, households, service providers, and the organisations we work for may be attacked. The numerous gadgets and systems we own all increase the technical attack surface we expose. See page 10 of the IMIS Journal (Bring Your Own phenomenon), and the Google powermeter.
Earlier this year Dave Clemente, in written evidence to a Select Committee, said: “Protection of critical national infrastructure (CNI) is an area of significant importance and one that is becoming more difficult to analyse as inter-dependency increases between CNI sectors.”
He also says that in a conflict situation it may be necessary for the military and wider Government to operate in a degraded or insecure cyber environment. This requires acceptance that total control of ‘UK cyberspace’ – however defined – is impossible. As the late Prof Philip Taylor noted, ‘full spectrum dominance is impossible in the global information environment.’ This was meant in the context of military psychological operations, but it holds equally true when attempting to secure highly inter-dependent computer networks and information systems.
A recent Daily Mail article tells us that the Government has plans to install smart meters in our homes. This is essentially a large-scale Supervisory Control And Data Acquisition (SCADA) system. As well as the Government wanting information from these devices, people will want to access it on their various portable gadgets.
This prompted me to revisit an article in the March 2012 IMIS Journal. It points to certification constraints and product life spans as sources of problems. Allan Dyer says that “New PC operating systems are released every few years, but they may be connected to systems with much longer life spans, such as line-of-business mainframe applications, or SCADA systems, or medical equipment. Medical equipment is often certified to medical standards, and the certification includes the computing hardware and software. The software may be obsolete and no longer supported by the software developers. There are Windows 98, Windows ME and Windows XP systems controlling medical systems still in daily use and the situation is ongoing”.
In the case the Daily Mail describes, the network linking 46 million meters would have to be highly secure, as it could become impossible to ensure all those systems are up to date and protected against malicious hackers. As the system grows older, the availability of protection would diminish and the potential for infection would increase. Malware disrupting the operation of just a few meters might be manageable, but malware could rapidly spread and disrupt many devices. The MIDPM article suggested that network traffic be strictly filtered so that only legitimate transactions are allowed. Perhaps there should also be physical breakpoints or switches in the system to isolate parts of it, should the monitoring or firewall systems become compromised.
In the US, federal researchers discovered that outside hackers could take control of the generators used to produce electricity and destroy them. Presentations at a Black Hat hackers conference showed how control systems can be located with special Google searches and then ordered to shut down or speed up, potentially blowing up a power or water treatment plant.
Joseph Menn, writing in the Financial Times, says that “Hundreds of thousands of people in darkness, hospitals in chaos, a banking system under siege – a cyber attack on the US electricity grid could have catastrophic consequences”. See also an article in the Business Insider.
Back in the Daily Mail article, Ross Anderson, a Cambridge computer science professor and chairman of the think-tank, said: ‘GCHQ have also told us they are worried about it. Once you have the ability to turn off meters remotely, then it becomes a strategic vulnerability. If the Iranians or Chinese want to attack Britain, they could do so easily through smart meters. This is the modern day equivalent of a nuclear strike.’
How do we trade off the need/want for integrated systems against what happens if those systems become compromised? Individuals can install protection on their own systems, but what of the wider world?