The supposedly secret conference was not able to cover its full agenda because of legal threats from companies involved. Two topics on vulnerabilities of a nuclear power plant were dropped after an equipment supplier threatened to file a case against the organizers, although nuclear plant officers had approved the presentations. The equipment vendor said it would be obliged to sue if the topics were not cancelled, as they would reveal too much information about its equipment.
A security firm also told participants of the conference that it had uncovered thousands of pieces of control equipment that are vulnerable to online threats but did not tell the United States government for fear of legal implications from equipment vendors.
The attendees were also concerned when told that the government had known of a technique for attacking electrical generation equipment for five years but did not reveal it, letting the vulnerability remain unaddressed for too long.
Such challenges in information sharing have concerned experts for years. The United States Congress delayed legislation that would have dealt with such issues. The White House expects to release an executive order to add oversight of cybersecurity among private companies.
Leon Panetta, the Defense Secretary, reiterated the concern earlier this month by citing examples of how an enemy country can “contaminate the water supply in major cities or shut down the power grid across large parts of the country.”
Although the government had been trumpeting the grave concern that cyberthreats pose for the private sector, the confidential conference held at Old Dominion University in Virginia underlined the difficulty of turning that concern into sufficient effort.
Conference organizer Joe Weiss, a top expert who once testified to the United States Congress regarding threats to computers called control systems, said that sharing of relevant and significant information among private firms is still a challenge.
Control systems are central computers that direct all actions in manufacturing gear and use a special set of software to function. There is an ongoing trend among security researchers, after the Stuxnet debacle that crippled Iran’s nuclear centrifuges, to identify what types of control systems can be manipulated remotely.
The results of the research are not encouraging, as much of the equipment involved in the study was designed without any security or internet connectivity in mind. Some equipment can last for decades without its software needing any update, unlike conventional commercial software today.
Also, regulators have little or no authority to tell equipment vendors to fix known vulnerabilities in their gear.
Kevin McDonald of Alvaka Networks, based in Irvine, California, said that the United States government is partly to blame for tagging too many things as secret and failing to come up with effective regulation for utilities to follow. McDonald attended the conference together with more than 130 other participants from Asia and Europe.
The cancelled topics on nuclear plant vulnerabilities concerned a study of a plant outside the United States.
The review was conducted by a utility, although regulators did not require it to do so.
Conference organizer Weiss said that the review is a good way for a utility to learn about its own weaknesses by not just meeting the minimum requirements in studying its defensibility. Weiss did not reveal the name of the utility or the vendor that threatened to sue.