Cyber watch
by ArabianBusiness.com staff writer on Tuesday, 16 December 2008
Winkler says power companies need to adopt SCADA software that is better tested for vulnerabilities and engineered for rapid patching when flaws are found. They also need to segment their networks so a breach from the Internet cannot reach the SCADA network.
"IT security guys tend to say that SCADA is infallible but a lot of SCADA systems are embedded with Linux or Windows 95 and this means they can't be patched if something goes wrong. It's a serious issue and it's getting worse," says Mike Smart, product manager at Secure Computing.
Utilities at risk
Secure Computing recently conducted a survey looking across all sectors in the US and in Europe. Respondents to the study were asked to indicate the state of readiness against IT threats in eight different industries.
Only the financial services sector was considered to be adequately ready to defend against attack and the utilities sector emerged as the most vulnerable target. "Utilities in the Middle East are more advanced because they are newer to it. But although newer systems generally speaking have less vulnerability, it might actually increase it in many cases," adds Smart.
Secure Computing advised critical infrastructure operators to perform ongoing vulnerability assessments, carefully monitor network automation and control systems, and share more information with each other about potential threats and cyber attacks.
Seeking solutions
Industrial Defender Security Consultants provide a range of risk assessment services to utilities, specialising in process control and SCADA system security assessment. The company has a cyber-risk mitigation technology platform designed specifically to monitor and protect both new and legacy process control and SCADA systems.
The systems are designed to passively monitor and protect without impacting the availability and reliability of the control system and network, while the company's security analysts remotely monitor and manage over 160 process control networks across 21 countries.
Todd Nicholson, chief marketing officer of Industrial Defender, says there is growing demand for system security solutions and training in the Middle East: although the stringent compliance standards in North America are not yet present everywhere, a lot of customers are now following US standards anyway. "They don't need the standards but they are using them as a benchmark for best practice and for training staff," he adds.
In the MENA region, Paramount, a provider of products and services for securing the information assets of businesses, recently floated a new business division for SCADA and process control security and has signed a partnership agreement with Industrial Defender.
Paramount CEO Pramchand Kurup says: "The key criteria when protecting data networks is to ensure that it is simple to implement, that it is scaleable, that it is product network agnostic so that it can work with ABB, Siemens or whatever. Once people realise the risk then things will start moving. It's like the chief security officer at Bank of America said: ‘I think I'm an important person because my CEO worries about nine different things every day and I'm there on at least five of them.’"
"We need to evangelise," says Kurup. "Utilities in the Middle East are not in any particular hurry to install these systems and it might take some time before the message reaches them. There is a lack of awareness of the risks even though it is something that we should probably have done two years back when SCADA started to become IP based."
But Kurup believes that local utilities will eventually start to recognise the need to protect their networks, with utilities in Kuwait, Bahrain, Abu Dhabi, Oman and Saudi Arabia the most likely buyers of security systems.
Protecting the GCC
Dr Rocky Termanini, the Dubai-based vice president for technology at MERIT International Security Consulting of the US, says: "Most of the sub-stations in the region are vulnerable because they are running older-generation systems that have holes in them like Swiss cheese, such as Microsoft NT. If you can knock out a sub-station the impact will cascade and bring a major part of the utility network down for six or seven hours. The aim of a hacker is to bring about a DDOS (distributed denial of service) that could bring a sub-station to its knees. Similarly a cyber attack on water infrastructure would cause widespread panic and chaos in the UAE."
"This will cause a major problem for hospitals, traffic lights, power, ATMs, air con and cause widespread panic in the country. The UAE has a lot of jealous enemies and people are certainly going to try that," he adds.
Termanini says he plans a series of meetings with senior government officials in the UAE to highlight the scale of the danger: "It is necessary to put an early warning predictions system in place, a national grid that is able to track penetration, as the damage from an attack could be minimised if an attack on a sub-station could trigger other satellite systems to shut down or to do something else quickly. As things stand, an attack on one substation could potentially threaten the entire network. The problem is that I don't think anyone is really imagining what the consequences could be at the moment," says Termanini.
Termanini says that the cost of putting an early-warning system in place could be high. "It can be done in stages but it would cost around US $3 billion for a complete early warning system to protect the energy infrastructure in the UAE."
"There is a tremendous technological stampede going on at the moment but the security has not yet caught up with it," he adds.
READERS' COMMENTS
Posted by Sameh Hassan, Dubai, UAE on Tuesday 16 December 2008 at 23:18 UAE time
I totally agree with what the writers mentioned in the article. Dr Rocky Termanini has made a very important point regarding the infrastructure of the UAE. Lately the UAE witnessed a true example of massive hacking into the banking systems. Thousands of fraud cases of credit cards have been reported. None of the banks declares how it happened and how much the losses were. They kept silent because they are afraid to get the blame for their lack of information security systems or skilled cyber security agents. I believe the and Teleco/ISP companies who run the local cyber space in UAE should play a role and deploy an early warning system against these harmful cyber attacks, and for the police to have cyber crime centers to report such cases.