The first time I broke into our country’s electrical power grid was a decade or so ago. Hacking into the control systems set up by utility companies wasn’t surprising then, and it isn’t surprising now. While people find this shocking, it really isn’t. When you think about how insecure computer infrastructures are, why would you think that the power grid would be any more secure? Frankly, the power grid is even less secure than most other computer networks. I wrote about it many times, including some details in my recent book, Spies Among Us.
All of this came back to me as I watched news stories about “Hackers Blow Up a Generator.” The Department of Homeland Security (DHS) put out a video showing a test from Idaho Nuclear Laboratory where someone broke into a SCADA (Supervisory Control and Data Acquisition) computer and caused the generator to run wild until it blew itself up.
News reports by Fox News and other networks explained how this process could bring down the power grid. Of course, they were all wrong. If the worst of our problems was that a couple of generators would blow themselves up, we should be happy.
For anyone who’s not aware of my background, I am most noted for performing espionage or terrorist simulations -- or what most people might naively refer to as penetration tests. In the case I mentioned at the beginning of this article, my team was supposed to perform a simple assessment of the security of a Website owned by a power company. The Website had a security vulnerability and provided us a connection to the company’s internal network. From there, we could get to any system in the company, including its SCADA systems. We were told by the security manager to leave out access to the SCADA system in our report, but we were allowed to download the personnel records of the CEO and CIO, so that the results would be hard for them to ignore.
Since many readers might not be computer security experts, let me first cover some basic computer security issues to explain how computer systems can be compromised. There are two primary ways to break into a computer: (1) take advantage of bugs in the software, and (2) take advantage of the way a user or administrator configures or uses the computer.
With regard to taking advantage of bugs in the software, everyone will acknowledge that all software has bugs. Some bugs create elevated privileges, provide unauthorized access, or cause information leakage. These are security vulnerabilities. If you can connect to a computer on which such a vulnerability has not been corrected, you can take it over. It is that simple.
The vulnerability can exist in the operating system, SCADA applications software, Web browser, or any other software on the computer. In the case of SCADA and its supporting systems, power companies are very slow to mitigate the vulnerabilities, and may never do so, because they are afraid that any change can create problems. This is why power grid systems are likely to be more vulnerable to cyber attacks than most other computers.
With regard to taking advantage of configuration problems, even perfectly secure software can be set up insecurely. For example, I have seen many computers where the password on the Administrator account is “administrator.” Passwords can be insecure in other ways as well. Low-level users can be given high-level access. There are also more technical ways to configure a computer insecurely. Again, if you can access a poorly configured computer, you can take it over.
Many people might now be thinking, “But isn’t it impossible to actually connect to or otherwise access a power grid SCADA system?” The answer is very sadly, “Hell no!”
Initially, the power grid control systems were on closed networks. However, when the Internet started to blossom, power companies decided that it was too costly to maintain separate networks. After all, they would need two computers on every desk, which wouldn’t be able to talk to each other. At the time, they rationalized that this only required adding extra protection to logically separate the power grid from the corporate networks. Don’t count on the hope that they actually followed through with that.
In addition to being able to access the SCADA systems through the Internet, there are still elements of the traditional power grid that provide access to outsiders. For example, there are modems connected to critical systems for maintenance purposes. Wireless access has been added to many systems. Now, since power companies can buy and trade power with other companies, they need to know the available capacity. In order to know the available capacity, you have to eventually connect to SCADA systems. So there is even an outside connection engineered into the power grid.
So fundamentally, you can connect to the power grid, and critical supporting systems are vulnerable to cyber attacks and will remain that way.
Again, the news video of the generator blowing itself up is really cheesy, and too much was made of that individual demonstration. However, that is really a misapplication of the video, which was released to create fear, uncertainty, and doubt. It should be interpreted to mean: if a malicious party were to connect to a SCADA system, here is one small result. More importantly, it is easy for malicious parties to connect to many systems throughout the power grid and create damage on a massive scale with the proper planning.
I hope the intent of the DHS was to create enough fear for Congress to start writing laws that force power companies to secure their computers. Right now, computer security on the power grid is an oxymoron. The reality is that Congress doesn’t have the balls to pass such laws, bowing to the mind games of power company lobbyists like a storm trooper bowing to the mind games of a Jedi.
The situation is really this bad. Congress is impotent, as the power grid remains incredibly vulnerable, and people need to be outraged.
There are many people out there who are trying to downplay the DHS video, and ridiculing it. Again, it is true that the video has not been put in the proper context. However, anyone who claims that the power grid is not at serious risk is very naïve and/or ignorant.
For the record, the last time I broke into a nuclear power generation system was about a year ago. The “simulation” had to be called off after a few hours, because the results were “too successful.” It is that bad.
— Ira Winkler, Former National Security Agency analyst and author of Spies Among Us