co-authored by Dr. Stephen Bryen, Founder & CTO Ziklag Systems
Admiral Michael Rogers, Director of the National Security Agency and head of the US Cyber Command, has warned Congress that our energy grid is under threat of cyber attack. His warning comes after independent reports tracked intrusions targeting energy companies, health care systems and other components of our "critical infrastructure." The warning advised the House Intelligence Committee about the threat, but it lacked concrete steps to prevent cyber attacks that could hobble the United States in a crisis.
It is clear we need more than warnings. There is no thought-through national policy on how to properly protect the energy grid, telecommunications, defense systems and industries, or our emergency preparedness system. Certainly the US government has warned for years about cyber vulnerabilities and urged computer security. But our policy makers, who mean well, haven't the vaguest idea of what to do about protecting America's computer-driven networks.
Even so, a vast array of security companies, some tiny, some bigger, some traditional defense companies looking to expand their revenue base, have emerged offering different solutions, all of which sound like witch doctor incantations. None of them can demonstrate that their "solutions" have stopped any potential adversary from successfully attacking our critical infrastructure. All the empirical evidence points in the opposite direction. Despite spending, the situation is far worse now than ever before, and is likely to grow ever more dangerous. Countries such as China and Russia may have found our Achilles heel; they are acting that way and pouring in resources to do us in. They are smart to do so: it is highly profitable for them to steal our secrets, empty our banks and threaten our well-being. The cyber attack industry also is semi-privatized, meaning that even rogue players can cause irredeemable harm. Are our nuclear missile systems safe from cyber attack? Our command and control systems secure? No one can say for sure.
The problem concerns computer networks and machine controller systems known as SCADA. SCADA are systems that manage our refineries, power grids, nuclear power stations, manufacturing processes and anything that is automated. It was a Siemens SCADA system sold to Iran and used to refine uranium that was attacked by the now famous Stuxnet worm (ostensibly a joint US-Israeli attempt to slow Iran's nuclear weapons program). We use the same exact systems just about everywhere. The Russians and Chinese no doubt have taken Stuxnet apart, so they know how to do it. Of course they were helped by all the nice cyber folks who published all of Stuxnet's secrets!
A good first step would be to design a new, secure SCADA controller that replaces all the SCADAs operating in our critical infrastructure. A US-only secure SCADA should replace SCADA devices everywhere in the critical infrastructure. The US government should sponsor a crash R&D program. It is important to do all this secretly. The Chinese and Russians and the rogue actors need to be kept totally in the dark.
Fixing SCADA is only a first step, but a badly needed one.
In parallel, we need new, secure operating systems for our sensitive computer networks to replace unsuitable commercial products which, unless changed out, will lead to our destruction. Commercial network operating systems cannot be repaired; they must be scrapped. This is a tall order, but we have the expertise to do the job. In fact, even the Chinese are already putting in place their own operating system development to keep Western intelligence agencies out. We can build even better ones. We need to, urgently.