Trade Law Daily is a service of Warren Communications News.

HILL PANEL SOUNDS ALARM ON TELECOM NETWORK VULNERABILITY

Telecom networks that allow operation of U.S. critical infrastructure are more vulnerable than ever, witnesses told a House panel Tues. One witness blamed that vulnerability in part on FCC rules. Industrial control systems have increasingly been linked to less secure networks that are vulnerable to cyberattack, the House Govt. Reform Technology Subcommittee was told. These systems include an array of public-switched networks, private microwave and fiber networks, wireless radio and cellular networks to oversee electrical grids, dams and so forth. “When I first began to learn about this topic, I must say that I did not grasp the scope of the challenge,” Chmn. Putnam (R-Fla.) said. But now he believes “the nation’s health, wealth and security rely on these systems,” which are “vulnerable to cyber attack or terrorism.”

Much blame for vulnerabilities in Supervisory Control & Data Acquisition (SCADA) networks lies with the FCC, said United Telecom Council Chmn.-Public Policy Div. Jeffrey Katz. He listed several problems with FCC rules: (1) The agency’s Universal Licensing System (ULS) allows technical and location data to be obtained on any FCC licensee, so “anyone who would do us harm will find all they need courtesy of the FCC.” He said SCADA information should be less public, citing discretion NTIA has on disclosures about its licensees. (2) The FCC’s pole attachment provisions and other parts of the Telecom Act require maps of utility infrastructure to be made available. Katz said the FCC recently rejected a utility complaint about fear of vulnerability under the attachment disclosure rule by arguing that no serious harm had occurred. “One must wonder what the FCC is waiting to see,” Katz said, “before its attitude toward critical infrastructure protection changes.”

(3) The FCC “erroneously” believes that cellular and PCS providers can meet the needs of critical infrastructure. Katz said CI communications need to continue during outages, and while SCADA systems are designed to run for “weeks under the worst conditions,” cellular operations have limited battery backup “and are not designed to be continuously available or 100% reliable or exclusive.” He said cell sites were saturated or failed during the East Coast blackout last year, while utilities “relied exclusively on their private internal systems.” He also said the Wireless Priority Access System (WPAS) for wireless services is flawed because it puts critical infrastructure communications 4th in a 5-tier hierarchy.

The Internet has contributed to the heightened vulnerability of SCADA networks, said General Accounting Office (GAO) Dir.-Information Security Robert Dacey. He said the development of standardized communications technology has led SCADA network operators to use publicly familiar technology with known vulnerabilities. Those networks are increasingly connected with networks on the Internet, he said, and more information on those networks is available because of the Internet. (Katz said the ULS information is available at www.fcc.gov/wtb/uls.) Dacey, in his testimony and in a report the subcommittee released Tues., said the Dept. of Homeland Security had to take a lead role in encouraging the private sector, owner of most SCADA systems, to invest in heightened security.

DHS is making that effort, said DHS Dir.-Protective Security Div. James McDonnell. SCADA systems have been going digital, he said, making them more vulnerable to reprogramming by hackers. But he said his division is working closely with the National Cyber Security Div. (NCSD) and the National Communications System (NCS) to urge private sector investment. “Immediate efforts focus on protective measures that can be implemented within the as-installed/legacy environment,” he said, while near-term efforts “include detailed testing and assessment of the vulnerabilities” of process control systems. The long-term plan, McDonnell said, is to work with the private sector to develop safer technology. “SCADA vulnerabilities are a fact,” he said, but that “is not seen by the casual observer and therefore can go unnoticed.”

The SCADA networks are vulnerable because telecom networks are “the man in the middle,” said American Electric Power Dir.-Information Security Gerald Freese. Power plants and substations use modems to manage breakers, relays and switches over phone lines, which makes them vulnerable to interception. Vulnerability has increased, he said, as SCADA networks have moved to an “open system” model with standardized technology. He said the question regarding attacks on these telecom networks isn’t “Can it be done?” but “How will it be done, to what extent, and what are the expected impacts?”

Subcommittee members expressed concern about SCADA vulnerability but weren’t sure how they could help. Putnam cited the GAO study, which he had commissioned, as a start. Ranking Democrat Clay (Mo.) called for improved public-private partnerships, and said the federal govt. effort to secure computers from cyberattack could be a model. Still, Clay said, “a tremendous amount of work remains.” Vice Chmn. Miller (R-Mich.) and Putnam both wanted DHS to work closely with states, which also play a role in controlling some SCADA systems. Miller said the problem was that SCADA systems “were developed when fears of a cyberattack were nonexistent.”