Ira Winkler

How to Take Down the Power Grid

Written by Ira Winkler
10/16/2007 6 comments

The first time I broke into our country’s electrical power grid was a decade or so ago. Hacking into the control systems set up by utility companies wasn’t surprising then, and it isn’t surprising now. While people find this shocking, it really isn’t. When you think about how insecure computer infrastructures are, why would you think that the power grid would be any more secure? Frankly, the power grid is even less secure than most other computer networks. I have written about it many times, including some details in my recent book, Spies Among Us.

All of this came back to me as I watched news stories about “Hackers Blow Up a Generator.” The Department of Homeland Security (DHS) put out a video showing a test from Idaho Nuclear Laboratory where someone broke into a SCADA (Supervisory Control and Data Acquisition) computer and caused the generator to run wild until it blew itself up.

News reports by Fox News and other networks explained how this process could bring down the power grid. Of course, they were all wrong. If the worst of our problems was that a couple of generators would blow themselves up, we should be happy.

For anyone who’s not aware of my background, I am most noted for performing espionage or terrorist simulations -- or what most people might naively refer to as penetration tests. In the case I mentioned at the beginning of this article, my team was supposed to perform a simple assessment of the security of a Website owned by a power company. The Website had a security vulnerability and provided us a connection to the company’s internal network. From there, we could get to any system in the company, including its SCADA systems. We were told by the security manager to leave out access to the SCADA system in our report, but we were allowed to download the personnel records of the CEO and CIO, so that the results would be hard for them to ignore.

Since many readers might not be computer security experts, let me first cover some basic computer security issues to explain how computer systems can be compromised. There are two primary ways to break into a computer: (1) take advantage of bugs in the software, and (2) take advantage of the way a user or administrator configures or uses the computer.

With regard to taking advantage of bugs in the software, everyone will acknowledge that all software has bugs. Some bugs create elevated privileges, provide unauthorized access, or cause information leakage. These are security vulnerabilities. If you can connect to a computer that has not corrected such a vulnerability, you can take it over. It is that simple.

The vulnerability can exist in the operating system, SCADA applications software, Web browser, or any other software on the computer. In the case of SCADA and its supporting systems, power companies are very slow to mitigate the vulnerabilities, and may never do so, because they are afraid that any change can create problems. This is why power grid systems are likely to be more vulnerable to cyber attacks than most other computers.

With regard to taking advantage of configuration problems, even perfectly secure software can be set up insecurely. For example, I have seen many computers where the password on the Administrator account is “administrator.” Passwords can otherwise be insecure. Low-level users can be given high-level access. There are also more technical ways to insecurely configure a computer. Again, if you can access a poorly configured computer, you can take it over.

Many people might now be thinking, “But isn’t it impossible to actually connect to or otherwise access a power grid SCADA system?” The answer is very sadly, “Hell no!”

Initially, the power grid control systems were on closed networks. However, when the Internet started to blossom, power companies decided that it was too costly to maintain separate networks. After all, they would need two computers on every desk, which wouldn’t be able to talk to each other. At the time, they rationalized that this only required adding extra protection to logically separate the power grid from the corporate networks. Don’t count on the hope that they actually followed through with that.

In addition to being able to access the SCADA systems through the Internet, there are still elements of the traditional power grid that provide access to outsiders. For example, there are modems connected to critical systems for maintenance purposes. Wireless access has been added to many systems. Now, since power companies can buy and trade power with other companies, they need to know the available capacity. In order to know the available capacity, you have to eventually connect to SCADA systems. So there is even an outside connection engineered into the power grid.

So fundamentally, you can connect to the power grid, and critical supporting systems are vulnerable to cyber attacks and will remain that way.

Again, the news video of the generator blowing itself up is really cheesy, and too much was made of that individual demonstration. However, that is really a misapplication of the video, which was released to create fear, uncertainty, and doubt. It should be interpreted to mean: If a malicious party were to connect to a SCADA system, here is one, small result. More importantly, it is easy for malicious parties to connect to many systems throughout the power grid and create damage on a massive scale with the proper planning.

I hope the intent of the DHS was to create enough fear for Congress to start writing laws that force power companies to secure their computers. Right now, computer security on the power grid is an oxymoron. The reality is that Congress doesn’t have the balls to pass such laws, bowing to the mind games of power company lobbyists like a storm trooper bowing to the mind games of a Jedi.

The situation is really this bad. Congress is impotent, as the power grid remains incredibly vulnerable, and people need to be outraged.

There are many people out there who are trying to downplay the DHS video, and ridiculing it. Again, it is true that the video has not been put in the proper context. However, anyone who claims that the power grid is not at serious risk is very naïve and/or ignorant.

For the record, the last time I broke into a nuclear power generation system was about a year ago. The “simulation” had to be called off after a few hours, because the results were “too successful”. It is that bad.

— Ira Winkler, Former National Security Agency analyst and author of Spies Among Us

orchid1
Rank: Cave Painter
Monday November 16, 2009 1:46:34 AM
no ratings

I agree, it is not surprising and what's more, all this without any social engineering. I think the government needs to realize that this sort of attack will never go away and the only thing the government can do is minimize damage.

I say this only because I realize how much more could be done with less technical skills and more social skills. One might get 100 percent technical coverage but social engineering will make all that tech stuff inconsequential.

Love the article. Think it has the correct perspective. But it is also deflating. There are way too many loopholes in the system for the country to ever be even 50% safe. Right now we are naked and the tide has gone out.


chadwyk
IQ Crew
Friday October 19, 2007 3:12:44 AM
no ratings
Not only did he break into the 911 system, he sent a SWAT unit to a house with two children. Apparently the guy had a knife in his hand as he knew something wasn't right. It is a good thing he didn't get shot!
Michael Singer
IQ Crew
Wednesday October 17, 2007 4:49:11 PM
no ratings

Ira, What continues to confound and amaze me is that security is continually breached on mission-critical systems.

Certainly decentralization is helpful, but it seems internal and external threats are on the rise. Unplugging them from the network or setting up a siloed grid is an acceptable answer.

However, it doesn't seem like it's going to let up if the management is eager to adopt software-based communications. Forget malicious Web browsers or bot attacks, looks like VoIP is the latest weak link in the chain.

Just last week, security firm Radu State found a vulnerability in the Linksys SPA-941 (version 5.1.8) that allows a malicious hacker to conduct a cross-site scripting (XSS) attack using SIP. That kind of exposure is scary considering some of the CIOs I talk with are eager to migrate from PBX systems.

But, that's just fine with hackers who suggest that breaking systems is "so easy a caveman can do it."

Ken Trough
Thinkernetter
Wednesday October 17, 2007 12:46:13 PM
When it comes to security testing, I can certainly understand not publicizing results widely, but here you have a report (from a more than credible expert) detailing internal security managers instructing the experts to leave key information out of internal reports in order to hide the worst vulnerabilities from their own executive staff. Further, you have testing that is being stopped early due to it being too successful. This is certainly outrageous if not criminal negligence. The fact that vulnerabilities exist does not concern me especially, as there are vulnerabilities in every system. That is what you pay security experts to discover and illuminate for you. But when the worst of the exposure is obscured at best, or intentionally omitted at worst, then the companies don’t get an accurate risk analysis and they don’t build an appropriate culture of security vigilance for these critical infrastructure systems. We live in a world where computer security is being hammered on by parties from all over the planet with both malevolent and benign intent on a 24/7/365 basis. This is not a matter of speculation nor of interpolation. It is well established fact. Which is the easier mountain to move? Energy company executives that don’t understand or don’t believe their company’s current risk exposure or an ineffective congress who is either completely reactionary or proactive (but only on the behalf of major corporate and sponsor interests)? Given the interconnected nature of the grid, I believe a company by company approach to infrastructure security ensures that you will always have weak entry points and overall grid vulnerability (the weakest link syndrome). As such, I think this is properly addressed at the national infrastructure security level.

So, the real question is how do we engage our leadership to implement the fundamental policy changes and security improvements that we desperately need? Are we going to wait until our grid is totally and publicly compromised on a regular basis before political will to implement effective policies is generated?

Perhaps this would best be driven by the executive branch by this or the next president. As security conscious as we are supposed to be, it seems like the concept of improving national infrastructure in a meaningful way would not be a hard sell, and there are always a lot of resources in the energy markets to work with, so funding should not be a significant issue either.

Is there a better approach?

Jabbermouth
Rank: Cave Painter
Wednesday October 17, 2007 11:45:51 AM
no ratings
Seems we can't be reminded too often of how vulnerable all network types are. Here's a disturbing account of a kid who broke into four states' 911 systems to generate faux emergency calls:

FredMars
Rank: Cave Painter
Tuesday October 16, 2007 3:27:00 PM
no ratings
It does seem that the best defense against an attack would be first to decentralize the power grid. Decentralization would make taking down any one part of the grid isolated from disturbing the rest.
Computer security aside, and while this is a major issue, the way everything is centrally controlled and distributed is an issue that makes cyber-based attacks so devastating.
Biometrics can and should be used for all power grid control terminals, so that only authorized users can access the control applications. Internet access may be breached, but that should only gain access to viewing data, not changing it.
Security, like other requirements that are often put aside, is more a matter of economics than technology. Throw enough money at a problem and it can be fixed. The ability or willingness to throw money at a problem is another story. It seems that most of the software industry uses blame to abstain from taking on the responsibility themselves. If the operating system has a security flaw, that means all of the applications running under that OS will have security issues. As you said, bugs in software are a fact and fixing a bug in one application will not fix a bug in another app or the OS.
With all of the alternative energy generation technologies emerging to replace burning fossil fuels, it should be paralleled with an equal amount of innovation with regard to distributing that power and securing access to the control system(s) for it. And Congress cannot legislate against stupidity, so it is up to the power utilities themselves to provide secure generation and distribution of power. DHS guidelines would help set standards, but only the diligence of the industry will close the holes.