Former White House staffer Marcus Sachs believes that there are thousands of critical infrastructure attacks that go unreported, demonstrating the need to educate critical asset owners.
Sachs, deputy director of SRI International's computer science laboratory, said access to critical infrastructure control systems is easier than originally thought.
Sachs is responsible for the U.S. Department of Homeland Security's cybersecurity R&D centre, which is operated by SRI International under contract. In addition to 20 years in the military, Sachs has also worked at the National Security Council.
Speaking at AusCERT 2007 about the risks and challenges facing SCADA systems, he said control systems in past decades were traditionally private and not connected to the Internet.
This has certainly changed today as connectivity has grown, he said.
"Weak security protocols that characterize the Internet have now transferred to industrial control systems," Sachs said.
"In the old days protocols were proprietary, but there is a new trend to move over to TCP/IP."
Using vendor advertisements found on the Internet, Sachs showed how these systems were connected to the Internet so plant managers could log on from home. The increased connectivity was said to have created serious security issues.
"One advertisement demonstrated how to run Modbus on the Internet so you can log onto the plant's control system from home - how dangerous is that?" he said.
"Most industries don't report breaches so there is a lot of cover up, and it is hard to quantify. I believe it happens a lot more than we realize."
Sachs cited examples of insiders modifying systems, and pointed out that plant managers generally are more concerned about safety than IT security.
Sachs said there are plenty of threat multipliers in this environment.
For example, he said there is no authentication in most SCADA protocols.
"Machines trust each other. Then there are legacy architectures," Sachs said. "If vulnerable, they are too costly to upgrade."
Finally, Sachs said there is a serious lack of awareness and education.
"Most of the reported attacks are in the US, Australia and Canada; this is just the tip of the iceberg," he said.
One major problem is the serious divide between those who manage control systems and those on the IT side.
He said these are two very different worlds, with totally different mindsets.
"There is big animosity between the two groups because plant managers focus on making the plant work and don't see IT as a friend, but an enemy," Sachs said.
"The big challenge is to bring the two together and bridge the gap."