This event does, however, raise a number of questions and points back to the long debate about the security of Supervisory Control and Data Acquisition (SCADA) systems, which are considered, in some cases, to host a soft underbelly for cyber attacks. There is also the question of timing - whilst I do understand the public notice, let us be honest here - if this were anything other than a mistake by an employee, would the public really expect to be told? Additionally, if a single employee's mistake, with just one piece equipment can have such a devastating consequence on what is national critical infrastructure, then what does this tell us about security, change management, and of course, business continuity?
The timing of this event may not, in my opinion, be a complete coincidence, coinciding as it did with the 9/11 memorial - an event that cost the lives of many innocent, ordinary people - and an event that changed the world forever. While it is not being suggested for one moment that this is the consequence of a cyber attack, in my mind the jury is still out and it is a concern I am not able to satisfactorily resolve. It may also be worth noting that in the UK, the time/date format is 9/9/11.
I believe this event again places focus in the frailties of an infrastructure that is subject to targeting by extremists who are seeking to cause disruption, to create chaos, and to possibly follow through with loss of life. It must also be accepted that to place a cyber warfare attack capability alongside a conventional theatre of war would seem to make a great deal of battle field sense - causing widespread disruption, outage of power, followed by what I would expect to be opportunist public disorder.
One last point of interest here is, only last week I was sent an image by one of my many distant contacts - and as I recall the message said, 'You may find this interesting' - it was a picture of New York in a blackout condition.
To conclude: Regardless of a mistake or cyber attack, the time has arrived to reassess just what security is surrounding the various critical national infrastructures (CNI) around the world, and to place them, where possible, in an enhanced profile of security hardening. It may also be beneficial to revisit the standard operational practices around such areas as change management, and of course business continuity. Last but not least, I am sure this has been considered, but if Al Qaeda can get one of its radicalised operatives into a prime position of flying an aircraft, gaining employment with a power company in some capacity should prove to be a much less onerous objective. As I have said before in many articles, it is time for the security professionals to take a more proactive stance and look at what needs to be done.
The first task must be to get serious about the landscape of security that surrounds these systems that we rely on to service the CNI. And here I don't just mean applying a few policies, and then following them with the religious contempt that we so very often see practiced in some sectors of IT governance, in the form of tick box security and lip serviced compliance. I am talking about serious programmes that are commensurate to the potential risk and impact posed against, and by these key point infrastructures and assets.
I am asserting that the induction processes for selecting employees into these key point areas are both robust, and consistent throughout all organisations that supply such critical services. If not, then now would be a good time to rethink the recruitment processes.
In closing, I see a need for more security professionals with a willingness to go to the next level and embrace this specialist area of SCADA systems, applications and infrastructures security. And more importantly, for these professionals to immerse themselves in learning and specialising in these environments, in particular, relative to their foibles and challenges. Possibly here, there may even be a future for focused training certification to be created specific to SCADA environments. One thing is for sure, these systems, applications and infrastructures are not just run of the mill. They are the very lifeblood of the global economy, business and our communities, and they demand special treatment to secure and govern their profiles. Nothing less will suffice.