Experts disagree on how vulnerable the nation's critical infrastructure is, especially so-called SCADA, or supervisory-control and data-acquisition, systems that utility companies use to remotely monitor and control their operations. Joe Weiss, consultant with KEMA Consulting and former technical lead for cybersecurity of digital control systems security for the Electric Power Research Institute, says SCADA systems are vulnerable. "They were never designed with security in mind, and these systems are connected to the Internet," he says. "There's no doubt that you can get unauthorized access to these systems. It's been done often." But James Lewis, director of the technology program at the Center for Strategic and International Studies, a Washington think tank, says any attacks against SCADA systems would be unlikely to cause anything more than "minor disturbances, like the outages in phone or electrical power that we already experience."
According to network-security vendor Symantec Corp.'s Internet Security Threat Report, which is based on real-time attack information from more than 400 companies in more than 30 countries, about 60% of power and energy companies experienced at least one severe event in the second half of 2002. The attacks, however, didn't "necessarily endanger critical systems, such as SCADA systems," according to Symantec.
More likely targets may be the Internet's domain-name servers, which store Internet addresses, and the Border Gateway Protocol, used by routers to send traffic around the Internet. Research presented last week to the International Telecommunication Union in Geneva indicates that an attack against country-code domains could make an entire country disappear from the Internet because its domain-name servers couldn't be reached, with serious repercussions on its economy.
Companies must think about security when they put new processes and systems in place, P&G's David says.
Business-technology managers may need to ratchet up security efforts even more. Despite experiencing a variety of worms, viruses, denial-of-service attacks, and other threats, "security is now almost the last thing companies think about when they put in place new systems or business processes," said Steve David, CIO and business-to-business officer at Procter & Gamble Co., at the InformationWeek conference. "There has to be a shift." The SQL Server worm in January was the first to penetrate Procter & Gamble's firewalls, and though it didn't cause serious damage, it was a real "wake-up call," he said.
One chief information security officer at a major financial-services firm says he welcomes all efforts to create a more secure Internet, secure software, and better tools to protect apps and networks. "We're preparing the best we can, monitoring and hardening our systems," he says. "The rest is patching and praying."--with Robin Gareiss and Jennifer Zaino
Photo of David by Sacha Lecca