Also posted at my little internet sandbox. Now with less cat poop!
I know that most people who will stumble across this blog are aware that Republicans are not the party of "National Security." The usual arguments we get into with our more politically elephantine acquaintances tend to involve The War on Terra, 9/11, torture, foreign policy and the like.
We also know about domestic concerns related to Terra, like inspecting cargo containers or physical access to power and water supplies. What we overlook in our arguments are the more mundane things, like network security.
Network security? Yes, network security. So much of our infrastructure is computerized these days --control switches, safety monitors, remote monitors-- and in order for these things to be really useful, you have to connect them to something over a network. Which means that whoever is in charge of this infrastructure has to worry about the same random h4X0r and script kiddie stuff you do at your home or office --security updates, firewalls, virus scans, access controls-- plus guard against the cyberterrorists.
Well guess what? They ain't doin' so good at it.
The Government Accountability Office today issued a searing indictment of the network security systems, or lack thereof, guarding the control systems that regulate the country’s largest public power company.
The Tennessee Valley Authority (TVA) is a federal corporation that generates power using 52 fossil, hydro and nuclear facilities in an area of about 80,000 square miles and has not fully implemented appropriate security practices to protect the control systems used to operate its critical infrastructures, the GAO concluded.
TVA’s corporate network infrastructure and its control systems networks and devices at individual facilities and plants reviewed were vulnerable to disruptions that could endanger a good portion of the country’s economic security and public health and safety, the GAO said.
Here is a list of the GAO's findings for the TVA:
On the corporate network, one remote access system we reviewed that was used for the network was not securely configured, and individual workstations we reviewed lacked key patches and had inadequate security settings for key programs. Further, network infrastructure protocols and devices provided limited protections.
The intrusion detection system that TVA used had significant limitations on its ability to effectively monitor the network. Although a network intrusion detection system was deployed by TVA to monitor network traffic, it could not effectively monitor certain data for key computer assets.
On control systems networks, firewalls were bypassed or inadequately configured, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were not consistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems.
Interconnections between TVA’s control system networks and its corporate network increase the risk that security weaknesses on the corporate network could affect control systems networks. Although TVA used multiple network segments to separate more sensitive equipment, such as control systems, from the corporate network, weaknesses in the separation of these network segments could allow an attacker who gained access to a less secure portion of the interconnected network, such as the corporate network, to compromise equipment in a more secure portion of the interconnected network.
The agency lacked a complete inventory of its control systems and had not categorized all of its control systems according to risk, thereby limiting assurance that these systems were adequately protected. Agency officials stated that they plan to complete these risk assessments and related activities but have not established a completion date. Key information security policies and procedures were also in draft or under revision.
Only 25% of relevant agency staff had completed required role-based security training in fiscal year 2007. Furthermore, while the agency had developed a process to track remedial actions for information security, this process had not been implemented for the majority of its control systems. Until TVA fully implements these security program activities, it risks a disruption of its operations as a result of a cyber incident, which could impact its customers.
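Two of the findings above (weak separation between the corporate and control networks, and an incomplete, un-risk-rated inventory) are the kind of thing a defender can check mechanically. The following Python script is an added example written for this post, not code from the GAO report or from TVA; the subnets, firewall rules, and asset records in it are constructed, and the "jump host" address is a hypothetical stand-in for whatever controlled path a real site would allow. It flags allow rules that let corporate hosts reach control-system hosts, checks for a final default-deny, and lists control assets that were never risk-categorized or that are high-risk and unpatched.

```python
"""Segmentation and inventory audit over constructed sample data.

Added illustration for the GAO findings quoted above. Nothing here is taken
from the report: the address plan, rules and assets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical address plan: CONTROL_NETS is the "more secure" segment,
# CORPORATE_NETS the "less secure" one.
CORPORATE_NETS = [ipaddress.ip_network("10.1.0.0/16")]
CONTROL_NETS = [ipaddress.ip_network("10.200.0.0/16")]


@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    dport: str    # port number or "any"


@dataclass
class Asset:
    name: str
    ip: str
    risk: Optional[str]   # "high"/"medium"/"low", or None if never categorized
    patched: bool


def _overlaps_any(cidr: str, nets) -> bool:
    """True if the CIDR touches any network in `nets` (0.0.0.0/0 touches all)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(n) for n in nets)


def segmentation_findings(rules: List[Rule]) -> Tuple[List[int], bool]:
    """Return (indices of allow rules that let corporate reach control,
    whether the rule set ends in an explicit default-deny)."""
    risky = [
        i for i, r in enumerate(rules)
        if r.action == "allow"
        and _overlaps_any(r.src, CORPORATE_NETS)
        and _overlaps_any(r.dst, CONTROL_NETS)
    ]
    last = rules[-1] if rules else None
    has_default_deny = (
        last is not None and last.action == "deny"
        and last.src == "0.0.0.0/0" and last.dst == "0.0.0.0/0"
    )
    return risky, has_default_deny


def inventory_findings(assets: List[Asset]) -> Tuple[List[str], List[str]]:
    """Return (assets never risk-categorized, high-risk assets missing patches)."""
    uncategorized = [a.name for a in assets if a.risk is None]
    unpatched_high = [a.name for a in assets if a.risk == "high" and not a.patched]
    return uncategorized, unpatched_high


# Constructed "before" rule set: a broad corporate-to-control opening, a
# bypass that lets anything reach the control segment, and no default-deny.
WEAK_RULES = [
    Rule("allow", "10.1.0.0/16", "10.200.5.10/32", "502"),
    Rule("allow", "0.0.0.0/0", "10.200.0.0/16", "any"),
]

# Constructed "after" rule set: control-to-control traffic, one hypothetical
# jump host (10.50.0.5, outside both segments) to one device, then deny all.
HARDENED_RULES = [
    Rule("allow", "10.200.0.0/16", "10.200.0.0/16", "any"),
    Rule("allow", "10.50.0.5/32", "10.200.5.10/32", "502"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]

# Constructed inventory of control-system assets.
ASSETS = [
    Asset("turbine-plc-01", "10.200.5.10", "high", False),
    Asset("historian-01", "10.200.5.20", None, True),
    Asset("hmi-02", "10.200.6.3", "medium", True),
]


def report(rules: List[Rule], assets: List[Asset]) -> None:
    risky, default_deny = segmentation_findings(rules)
    for i in risky:
        print(f"rule {i}: corporate -> control allowed ({rules[i].src} -> {rules[i].dst})")
    if not default_deny:
        print("no trailing default-deny rule")
    uncategorized, unpatched_high = inventory_findings(assets)
    for name in uncategorized:
        print(f"{name}: not risk-categorized")
    for name in unpatched_high:
        print(f"{name}: high-risk and unpatched")


if __name__ == "__main__":
    print("--- weak rule set ---")
    report(WEAK_RULES, ASSETS)
    print("--- hardened rule set ---")
    report(HARDENED_RULES, ASSETS)
```

Run as-is, the weak rule set produces two segmentation findings and a missing default-deny, while the hardened set produces none; the inventory check reports the uncategorized historian and the unpatched high-risk PLC in both runs, since fixing the firewall does nothing about the inventory.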
Many of these are just ridiculous! Behind on security patches? Bypassed firewalls? Not even having an inventory of your control system?
Feel safer yet?
Granted, the article mentions that the TVA is taking steps to implement the GAO's recommendations, but . . . AGH! The fact that these issues were there to begin with is inexcusable!
Yes, computer and network security is always a fine balance between security and usability. An optimally secure computer would be useless, as you'd have to severely limit its installed software, disable user logins, and take it off the network. Then yank the power cord and configure the disk drive to self-destruct if removed, for good measure. It looks like the TVA has tilted way too far to the "usability" side of things --bypassed firewalls, inadequate settings for programs, lack of staff training, poor password implementation-- and the security has suffered.
Why would they do that? Well, users like to complain. That damn firewall causes an extra step or two before I can monitor the gauges on the generators. Locking down my desktop applications makes me have to click through approval messages every time I try to do something. Meetings take time out of my busy schedule. I don't like remembering new passwords. Get too many users complaining, and the security staff will give up a little and bypass the firewall, weaken the settings for the programs, or relax the password policy.
Of course, that puts it all on the users, and unfairly assumes that the security staff was trying to properly implement these measures in the first place. That may not be the case. Likely it is some combination of the two.
You see this sort of slipshod crap in far too many corporate networks, excused away by the mistaken assumption that "no one is interested in stealing our stuff." However, the fact that this could happen to something as crucial as the TVA is astounding, and points to a clear lack of policy and downward pressure from the people in the Federal Government who should be making sure that such important aspects of our national infrastructure are as safe as realistically possible.
Take the time to make some damn rules, tell people to follow them, and then *gasp* monitor them for compliance, with harsh penalties for departments that don't follow through. This isn't something trivial we're playing with here, like my blog archives. The fact that the computer security for the TVA and other government agencies is such a clusterfuck is yet another indication of just how inept the Republicans are at managing to keep us safe.
*Man, I hate that word.