This past May, the Internet was abuzz about a report by the Government Accountability Office (GAO) highlighting a number of outdated “legacy systems” still in use across the U.S. government. According to the report, “The Strategic Automated Command and Control System coordinates the operational functions of the United States’ nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts. This system runs on an IBM Series/1 Computer—a 1970s computing system—and uses 8-inch floppy disks.” Many reading this article may have worked on similar systems when they were much younger.
Most people believe that using computers from the 1970’s is a bad idea. However, computer systems from the 1970’s are still very effective at what they do. They are not vulnerable to the operating system and application exploits we see today that are infecting and compromising computer systems all over the world. In addition, most of these systems are not connected to the Internet as well. Simply put, they have little if any known vulnerabilities to today’s nation-state or terrorist attackers. Security by obscurity… and to be honest, these “archaic” systems are actually quite secure.
On the other hand, many of the organizations running our nation’s electric, water, gas, sewage, street lights, transportation, etc. systems use a combination of modern computing platforms (Windows, OS X, Linux) and older control systems, simultaneously to operate their infrastructures. This combination of potentially vulnerable, online computers is often connected to the utility’s broader network. This represents a tremendous vulnerability to our nation’s critical infrastructure.
According to written testimony of National Protection and Programs Directorate Infrastructure Analysis and Strategy Division Director Brandon Wales found on the DHS website, he mentions, “Since the 1980s, our power grid control systems and information infrastructures have been growing in their reliance on Ethernet and computers, which are much more vulnerable… than previous control and communications systems designs.”
If attackers gained access to the more modern systems, the likelihood of lateral movement in the network is quite high. In this scenario, any utility control or monitoring system running a TCP stack that is network connected is vulnerable to attack. As a result, hackers could degrade performance, cause loss of view, loss of control, or even take older, critical utility systems offline.
The decision to combine modern computer systems with older control systems in a utility’s network was driven by the need to become “more efficient”. Many utility companies in the U.S. are either publicly traded companies or Co-Ops that have to remain profitable – sometimes at the cost of security.
Although doomsday scenarios seem to run amuck these days, the possibility of an attack on critical infrastructure is a reality. Many efforts are being made to shore up the defenses of public utility networks and one simple way of securing this infrastructure would be to ensure that is impossible to access it from the Internet. It may not be the most efficient method, but it would certainly be the most secure. Without a physical air gap between the utility’s monitor and control network and the Internet, the likelihood of a breach increases each day.