::: nBlog :::
After reading the latest editions of Scientific American and Suomen Sotilas I was again enraged to see how some prominent writers are attacking the technological development of Smart Grids and general communications with all kinds of security arguments. At the same time there is no criticism towards the insecurity and obscurity of the existing systems that have been designed in the 70s and 80s. How ostrich is that?
The Stuxnet worm that attacked power plant systems (eg. in Iran) clearly demonstrated that it is actually easier to hack into your local power plant than to your local web enabled bank. Banks are continuously developing their systems in order to defend against cyber attacks, and most of them have succeeded well enough, with service availability levels at 99.9% or better.
In an interconnected world, security is just as important as before. It just needs different kind of engineering, but it is definitively not rocket science. Take IPv6 and IPSEC, developed more than 10 years ago – both offer formidable functions for encrypting data and verifying identities. In a properly engineered IPSEC network, an attacker cannot even know whether his or her malicious packets are arriving at the target – as it stays dead silent unless the attacker has the strongly encrypted key. Getting that key is much more difficult than slipping a USB device inside a power plant. (Yes, that USB device should conform with the same security framework, requiring the encrypted key before being accepted)
So why aren’t IPSEC and IPv6 in widespread use? I think that the reason is the typical (but irrational) resistance to change. When power systems have not been (badly) compromised in 80 years, people gain a dangerously false feeling of security and invent reasons for inaction.
The only way to maintain proper security is to develop systems continuously and embrace new technologies quickly so that security holes in old systems are recognized before they are used by attackers. That just takes bold leadership and ability to grasp large concepts. Clausewitzian thinking, again.
//Pasi