SAN FRANCISCO (Reuters) - The agenda at a secretive conference on protecting critical infrastructure from computer attack was curtailed at the last minute last week, underscoring the legal challenges of sharing such information, much less getting companies to respond to it.
Two talks about a nuclear power plant’s potential vulnerabilities to cyber-attack were canceled after an equipment supplier threatened to sue, organizers said, even though plant officials had approved the presentations. The vendor complained that the talks would have revealed too much information about its own gear.
Conference participants were also told that a security firm that had uncovered the thousands of pieces of control equipment exposed to online attacks did not tell U.S. authorities where they were installed because it feared being sued by the equipment owners.
In addition, attendees said they were alarmed to learn that because the government has kept a technique it discovered for attacking electricity generation equipment secret for five years, potential targets had not realized they were vulnerable and therefore did not buy hardware needed to protect themselves.
The barriers to sharing information on emerging cyberthreats have concerned experts for years. Legislation that would have addressed those and other cybersecurity issues stalled this year in Congress. The White House is expected to issue an executive order to increase oversight of cybersecurity in the private sector.
Speaking in support of those initiatives, U.S. Defense Secretary Leon Panetta this month warned that enemy countries or terrorists could use cyber attacks to “contaminate the water supply in major cities or shut down the power grid across large parts of the country.”
But though officials say protecting privately owned critical infrastructure from hacking attacks is a top priority, the closed-door conference held at Old Dominion University in Suffolk, Virginia, shows how much work still needs to be done, computer security experts say.
“Information sharing and information disclosure is still problematic,” said conference organizer Joe Weiss, a security expert who has testified before Congress on the threats to the specialized computers known as control systems.
Control systems direct the actions of all manner of manufacturing equipment, and typically use their own specialized software. Security researchers, prompted by the success of the Stuxnet virus in disabling some centrifuges in Iran’s nuclear program, have been racing to establish what types of control systems could be compromised from afar.
The results so far have not been encouraging. Much of the control equipment was designed without security or even Internet connectivity in mind. The equipment itself can last for decades, and some of the software can’t be updated automatically with fixes, as is typical with most commercial software.
Regulators have limited authority to tell energy producers and distributors to fix known flaws in their equipment.
Congressional Republicans argue that the government shouldn’t set even nonbinding security standards. But all agreed that easing the spread of information was a critical step—and that the government should provide some relief from antitrust or privacy lawsuits if needed to get industry participants talking to one another.
Kevin McDonald, executive vice president at security service provider Alvaka Networks in Irvine, Calif., said that the government was making things harder by classifying too many things as secret and failing to issue regulations that the utilities would be obliged to follow.
“If we don’t do something as a community, really bad things are going to happen and people are going to die,” said McDonald, who attended the four-day Virginia conference along with more than 130 other professionals and officials from as far away as Europe and Asia.
The pair of canceled talks concerned a security review that a nuclear plant outside the United States conducted to find out where it might be vulnerable to attack.
One person from the utility had planned to speak about why it had conducted the review, which was not been required by regulators.
“What the utility wanted to talk about was why they were willing to go beyond” minimum requirements for studying their own defensibility, said conference organizer Weiss. “Because they did more, they found more vulnerabilities.” He declined to name the utility or the vendor that objected on the grounds that the review would disclose problems in its equipment.
A companion talk by a participant in the utility’s effort, German expert Ralph Langner, was also pulled. Langner won fame for discovering that Stuxnet had been aimed at disabling centrifuges for uranium enrichment.
Reporting by Joseph Menn. Editing by Jonathan Weber and Alden Bentley