Computer security experts point to three chronic problem areas: the inside job, official silence, and supervisory control and data acquisition (SCADA) systems.
The greatest threat to any company's network is the knowledgeable employee who, for pique or profit, uses that knowledge to fling a monkey wrench into the e-works. The reason is that even though the workings of all the important operating systems are well known, the vagaries of any specific network or production line are known to only a few, and the devil, the old expression has it, is in the details.
The best defenses are commonsensical. First, share operational details about networks and production lines only on a need-to-know basis. Second, promptly update passwords and other system defenses to firmly lock out employees who leave.
A further hindrance to the development of effective security is that for all the attention given to scary scenarios, virus attacks, and theoretical system weaknesses, neither the public nor the private sector is willing to talk about real-life events: how an attacker gained entrance and what happened. No bank wants to admit somebody went rubbernecking through its credit-card accounts, and no pharmaceutical company wants to admit parties unknown took an e-tour of an antibiotic production facility. And if you think it's hard to get straight answers from federal bureaucrats, just try calling the FBI and asking for the skinny on e-raids against American industry.
But maybe the feds won't say much because they don't have much to say. According to Dennis McGrath, a senior research engineer with Dartmouth's Institute for Security Technology Studies, "Even law enforcement has a difficult time getting these things reported."
That paucity of hard information makes protection of the electronic ganglia that tie together production lines a sort of high-stakes parlor game in which one side is armed and the other has 20 never-to-be-answered questions. Though several think tanks have announced plans to launch searchable online databases setting forth the details of industrial attacks, none have yet materialized.
"Out of sight, out of mind" might be an apt description of the thousands of miles of pipeline, as well as the thousands of electrical transformers and substations, remotely administered using SCADA systems. Such systems might be tempting targets for mischief makers: There are only a handful of operating systems; passwords for remote facilities often go years without changes; and there might be satisfying payoffs with low risk.
Spoof a pipeline into thinking it's pumping oil when it isn't, for example, and you might ruin a few pumps, slow production for a few days, and send thousands of anxious motorists into long lines at gas stations.