Industrial Control Systems Face More Security Challenges
by George Lawton
Two independent sets of security researchers have released lists of vulnerabilities in supervisory control and data acquisition (SCADA) software used to control industrial and manufacturing systems, including nuclear power facilities and power plants. The lists follow on the heels of the Stuxnet attack discovered last July, in which an unidentified assailant physically destroyed the centrifuges that were key for Iran's nuclear weapons program via a virus delivered through a USB card.
Despite widespread vulnerabilities in infrastructure software, the security research in this area lagged until Stuxnet showed how damaging a precisely targeted cyber attack could be. "Nobody would have given these vulnerabilities much attention two or three years ago," said Yuriy Gurkin, CEO of Gleg Ltd., an infrastructure security provider, which announced 11 vulnerabilities.
Many of the security upgrades recommended by vendors raise new problems, said Luigi Auriemma, an independent researcher who published the other list of vulnerabilities. "For example, the Siemens FactoryLink product will no longer be supported by Siemens after October 2012, and they suggest migrating to WinCC, which has been the target of Stuxnet. It's scary to think of changing the product used for years with the additional costs and the risks of things no longer working."
The Dawn of Cyber Attacks
Stuxnet raised awareness of how a well-organized team could remotely destroy an industrial system by slowly sabotaging as many as 30,000 nuclear centrifuges. Now well-organized criminals have an idea and some methodologies for creating new havoc.
"Criminal and nuisance attacks would, in my opinion, be more likely to rise in the short term due to the public awareness created by Stuxnet," said Chris Blask, vice president of marketing at AlienVault, a security vendor. "The general weaknesses in control-system infrastructure that Stuxnet exploited aren't new or unknown, and technical remediations for dealing with this type of attack are widely available." Blask said this opens the door for organized crime to take a role in developing either Stuxnet itself or similar future attack tools, raising legal issues about giving a wider audience access to such tools.
The attackers must have spent at least $1 million, said Joe Weiss, CEO of Applied Control Systems, a consulting firm that focuses on protecting against cyber incidents. One team mastered the control system for the specific centrifuges being used in Iran, while another identified two zero-day vulnerabilities. When the code was readied, it was delivered on USB sticks at an event likely to be attended by the Iranian scientists.
Once the disks were brought to Iran, the code wormed its way into the programmable logic controller (PLC) control systems driving the centrifuges and made subtle adjustments that the main control system failed to detect. The centrifuges broke down gradually, one at a time. Although the Stuxnet code has found its way onto other systems, it hasn’t caused any significant damage outside Iran.
The Unprotected PLC
Critical-infrastructure managers have typically broken their networks into two realms. The PC-based networks are well secured, but the PLCs that control the systems that pump water, switch electricity, and operate power plants have been presumed protected by technical obscurity.
At the SCADA level of control, a competent hacker might be able to commandeer a PC-based control system to make changes at a high level. These are the sorts of threats that Gurkin and Auriemma recently presented.
Thus far, no widespread SCADA-based attacks have been reported. But many different types of attacks have occurred using other vectors. In France and Washington state, infrastructure hackers managed to steal water.
Far more dangerous threats rely on precisely and surreptitiously tweaking the PLC control infrastructure. These attacks operate beneath the SCADA systems and corrupt both the readings sent from and the control signals sent to specific classes of physical equipment. Stuxnet operated in this manner.
In 2006, the US Department of Homeland Security ran a test simulation in Iowa, the Aurora project, that showed how code transmitted over a modem could destroy a $25 million generator. In 2009, a fossil fuel power plant in Iran suffered about $100 million in damage after a mysterious accident that resembled the destruction in Aurora, said Weiss.
Malicious Attack or Cyber Incident?
For years, security and infrastructure experts have warned against a lackadaisical attitude about the control systems that protect infrastructure. Because these systems are interrelated, the consequences of attacks can be severe. Malicious attacks are but one element in the wider threat of cyber incidents possible when one system establishes a damaging feedback pattern in relation to others.
Today, there is no systematic effort to tabulate the impact of cyber incidents and, according to Weiss, little appreciation of the kind of chaos that a deliberate cyber attack could cause. Weiss said he’s documented over 200 control-system cyber incidents, including four that resulted in death and two that affected nuclear power plants. However, only 10 of those were officially linked to a cyber incident.
"The reason we care is that if you could damage systems unintentionally, you could do it worse intentionally," said Weiss. He’s identified a set of fundamental communication vulnerabilities that could be leveraged to stage malicious code capable of damaging the electrical infrastructure nationwide. He believes that a well-crafted attack could cause 18 months of nationwide power outages before the industry could replace the affected equipment.
Blask believes that more events on the scale of Stuxnet are likely, but he doesn’t expect an electrical infrastructure Armageddon any time soon. "This would generally require a large-scale coordinated attack on a large number of sites or an unusually successful attack at an extremely sensitive site," Blask said. "Attacks on this scale are unlikely not only due to the electronic security at such facilities but also due to the design of the industrial processes themselves. Individual facilities may be likely to be impacted in the foreseeable future — with potentially significant economic and perhaps even human loss — but large-scale risk to society as a whole is likely relatively low."
In the short term, Weiss doesn't see the publication of new vulnerabilities as likely to significantly affect the power industry. "Until Congress regulates this," he said, "critical infrastructure security won't matter because the industry is fighting tooth and nail against it."
George Lawton is a freelance writer based in Guerneville, California. Contact him at glawton@glawton.