The article released by the Wall Street Journal on Wednesday has created quite a stir and I've spent a considerable amount of time the past two days asking and answering questions about it.
I think I can say without stepping too far out on a limb that the details in the article are no apocalyptic revelation to those who are paid to worry about these things. Weaknesses in the SCADA and control system environment have been known for years, and the fact that some bad guys have penetrated and mapped the electrical grid is probably not a great shock. The fact that it was so publicly presented surely focused the issue in a lot of people's minds, though, so this problem may inch up the priority scale.
Not that things weren't already being done to fix weaknesses in the nation's power grid, but getting such a public stage for the problem will undoubtedly get telephones ringing in legislators' offices that may in turn force changes more quickly.
The choice was made years ago, the first time that the formerly closed SCADA/control system environment was connected to the Internet through some organization's admin network or wireless connection. That first time, when people began to see the incredible convenience of the Internet in remotely managing the switches, sensors and valves of these widely distributed systems, control was lost. Now these same systems and networks that security professionals fight to keep secure every day, the same ones you are reading this blog on right now, with all their warts and weaknesses, are the same ones in many cases being used to manage our nation's critical infrastructures. Unfortunately, these control system weaknesses have been known for some time but startlingly little has been done to address them. Pogo said it best.
I always get a little nervous when I see a quote from an 'Official' that cautions, "...the motivation of the cyberspies wasn't well understood, and they don't see an immediate threat." Well, they may be right about the immediate threat part (or maybe not), but as for the motivation part, put on your Mr. Wizard pointy hat for a second. Just what do you think is the motivation of someone, anyone, who hacks (or waltzes unhindered) into company and government networks across the nation, maps key critical infrastructure system environments and leaves behind little presents that may go boom someday? Here's a hint: the answer is not tea and crumpets at 2:00.
The good news is that both the government and utility companies are beginning to take this threat seriously and devote the resources to slowly begin fixing the problems. In fact, there are many SCADA-related conferences during the year where security issues are beginning to get as much attention as efficiency of service delivery. While visibility is often a double-edged sword, it can also be the catalyst that changes the game.