Government May Tap Older Tech to Secure Modern Infrastructure

There is something inherently satisfying about older technology. You could trust tech more when hardware was mostly about mechanics, physics and electrical engineering, and less about the near-magical black boxes that drive everything today. 

Back in the day, we didn’t have to worry about some hacker using an unknown vulnerability to sneak a malicious command into the billions of lines of code of today’s modern systems. Cybersecurity platforms didn’t cost more than the computers they were designed to protect. And if something did go wrong, a hard reset or even a screwdriver might be the only tools needed to craft a fix.

The idea of older technology, at least in some circumstances, being superior to modern systems has been proposed in popular culture from time to time. One of my favorite books that I read in high school was “Flight of the Old Dog” by Dale Brown, written before he was a famous author of technological thrillers. In it, the United States must blend aging technology in the form of a Cold War-ear Boeing B-52 Stratofortress with modern equipment and weapons in order to penetrate Russian air defenses on a mission to destroy an advanced laser that is threatening the world.

A clearer version of this theme was found in the 2012 movie “Battleship,” which was surprisingly good despite being based on a kids board game. In that movie, it’s not the Russians but alien invaders that threaten the world, in this case sealing off the Hawaiian islands and destroying all modern military technology inside that zone. This leads the heroes of the film, which includes some actual elderly naval combat veterans, to bring the decommissioned USS Missouri (BB-63) museum ship back to life for one final fight. 

That kind of “use the old to combat the new” thinking works great in movies and novels but has never really been attempted in the real world, at least not officially. That may soon change as the Senate just passed the Securing Energy Infrastructure Act. The act calls on government and the utility industry to “develop a national cyber-informed engineering strategy.” What that means is, with cybersecurity in mind, the nation should employ engineering fixes (basically physical assemblies of some type) to protect the utility grid. While this makes it more difficult to manage things like the power grid remotely, it also makes it impossible for a remote hacker to do significant damage. They would need to flip a physical switch for example, to accomplish anything with devastating consequences.

A strategy of inserting older technology into a cybersecurity defense plan would not work everywhere. Sure, you could require that remote database queries be printed out on punch cards and walked over to a mainframe for processing, with the answers brought back the same way. That would all but eliminate the ubiquitous SQL Injection attacks. But it would also bring many businesses to a screeching halt.

Utilities, however, are different. Over the past few years I have written countless white papers, case studies and articles about the utility industry, and visited several power plants, both hydroelectric and nuclear. Many of them, especially the older plants, run just fine on aging hardware that isn’t even networked outside of the plant itself. It’s not called information technology, but instead operational technology, or OT. Industrial control systems inside utilities are often a combination of both IT-like components and more manual buttons and switches that can’t be operated remotely. The SEI Act, should it pass the House and become law, would simply put more emphasis on those physical control devices, perhaps even inserting them into an evolving infrastructure that is slowly starting to use more IT.

The utility industry—mostly run by private firms but heavily regulated by government—has been slow to embrace new technology. The process of generating power and sending it down the line has not changed very much at all since its inception. What is changing now is that engineers who have worked in utilities for years are retiring in droves, and young people are not very anxious to take over those jobs, which are seen as more physical and also dirtier, than other technology careers. That has led utility companies to begin implementing networked IT to control more of their infrastructure remotely. Waiting for a person to drive out to an isolated substation to flip some physical switches simply takes too long, and there are fewer people available to make those trips—especially ones that know what they are doing.

If the SEI Act is approved, it may put a halt to those remote networking efforts, though there may be a way to make it work, perhaps by allowing remote changes to be approved physically by someone other than an engineer. Then you would just need a local person to approve changes, pushing a button or flipping a switch when directed, though they would not have to know anything about how the substation is wired. While the SEI Act could create more headaches for utility companies, the logic behind it is sound. We know that Russian hackers and other groups are already probing utilities. Perhaps it’s time to pull a “Flight of the Old Dog” on them by blending in some old technologies with the new to protect our modern utility grid.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys