Foolish Logic Undermines Electrical Grid Security

Written by Ira Winkler
4/14/2009 22 comments

About a year ago, I blogged about attacking power grid control systems as part of a penetration test. At the time, a lot of people claimed it was complete nonsense. I was even told by a Washington Post reporter that the Nuclear Regulatory Commission was offering detailed presentations to discredit my comments. It was actually quite entertaining that the government would waste so much time on me. However, while they were wasting time to discredit me, they were leaving our power grid wide open.

In May 2008, the GAO released a report and testified to Congress about how the Tennessee Valley Authority, a Southern power company, intermingles its control systems with its business systems on the same network, which was, not so ironically, how I described the vulnerabilities exploited by my penetration test. There was also a widely noted statement by a CIA analyst that details the same problem of foreign governments being extorted by computer hackers who compromised their power grids.

The Wall Street Journal recently reported that foreign intelligence agencies have infiltrated the U.S. power grid and have planted malware to selectively sabotage the grid at a time of their choosing. Given the well documented weaknesses in the power grid, this should not be surprising.

Most people wonder why the power grid is so insecure, and the answer is simple: Well paid lobbyists and naïve Congresspeople. For more than a decade, the U.S. government has relied on the power companies to protect themselves, despite no real improvement over the years. Yet the Department of Homeland Security (DHS) continues to call for "voluntary" efforts.

The cliché definition of insanity is doing the same thing again and again, and expecting different results. The DHS is clearly insane.

Energy company lobbyists have long flogged the policy of voluntary cooperation, and the U.S. government has bowed at their feet. To create the illusion of proactive security efforts, energy companies joined together to form the North American Electric Reliability Corp. (NERC). They are apparently very clever in using a name that was almost identical to the FERC (Federal Energy Regulatory Commission), so as to make it seem as if it too were a government regulatory body.

However, NERC cannot get its members to even try to uphold the illusion that they are taking basic measures to improve the security of the power grid. In a NERC memo to "Industry Stakeholder," its CSO reports that only 31 percent of its members believe that they have even a single asset that can be considered a "Critical Asset." Worse yet is that only 23 percent of its members believe that they have even a single "Critical Cyber Asset." So basically only about 1 in 4 electric companies, which are by definition part of the "Critical Infrastructure," actually believe that even a small part of their company is actually "Critical."

Apparently, NERC believes in a process that it calls "Self-Certification Compliance." Let's consider that term. NERC is basically relying, not on its organization to ensure security, but on its member companies to certify themselves. In response, the NERC CSO (whom I know personally and believe is one of the sharpest security professionals in the field) asked companies to go back and reexamine how they define an asset as Critical.

Let me help: The entire power grid is itself critical. If you determine that some trees in a forest are valuable, and you only choose to protect those individual trees from forest fires, it's pretty much impossible to save those individual trees in the event of an actual fire. Likewise, when we are talking about the power grid, you can theoretically keep the generators up and running. However, the power is completely useless without a distribution mechanism. Anyone who has been without electricity for any significant amount of time will attest to the criticality of electricity.

Normally, I would praise data (or system) classification as a great first step in securing an organization. However, power grid security should be well beyond the first step. More to the point, they are not even close to getting the first step right.

Anybody who continues to buy the argument for Self-Certification Compliance for securing the power grid is a fool, in my opinion.

— Ira Winkler, Former National Security Agency analyst and author of Spies Among Us

Carol
IQ Crew
Thursday April 30, 2009 10:33:00 PM

the protocol system is so old...

viboons
Researcher
Monday April 20, 2009 3:04:47 AM

Although the 2003 Northeast blackout was a rather rare event, it affected about 55 million people and resulted in multi-billion-dollar economic impacts, and moreover, it demonstrated the weakness of the interconnection complexity of the grid. Since then, the government has realized that the aging grid needs modernization, which is outlined in the Energy Independence and Security Act of 2007.

Another example of a failure of a complex system is the recent financial system collapse. It is yet another thing people have had to learn the hard way. Climate change can also be considered an extremely complex system awaiting chaos, but hopefully, we can deal with it before it's too late.

viboons
Researcher
Monday April 20, 2009 1:34:16 AM

Re: "they don't have to shut down the plant to cause some impact." - there seems to be some confusion here between losing the plant and losing "control" of the plant. In fact, shutting the plant down is not as much of a concern as being unable to shut it down safely when required. If a nuclear or chemical plant is hijacked, it's probably more likely that the attackers would try to "prevent" the plant from shutting down properly even when critical alarm limits, such as overpressure or temperature, are reached. As in my earlier comment, the emergency shutdown sequence is designed to protect equipment and the safety of people should anything go wrong. If my plant lost control to a hacker, one of my priorities would be to try to shut it down safely before too much damage is done by the hacker. If this emergency plan were software-based only (not hardwired), a hacker could alter or manipulate its program.

Re: "There's always an entry point, even if that entry point has to be the security office..." - true statement, but that involves "physical" security - that would mean, to hack into the system, the hacker would have to physically get into the secured control room first. Security for nuclear power plants is normally extremely tight. But that's outside the scope of cyber-security.

Mr. Roques
Researcher
Monday April 20, 2009 12:39:38 AM

There's always an entry point, even if that entry point has to be the security office that is in charge of turning it on or off. And besides, they don't have to shut down the plant to cause some impact.

Jason_13
Rank: Cyborg
Sunday April 19, 2009 9:54:47 AM

Very true, Ira. We need outrage, but the American people just aren't willing to care that much. They're only outraged that they lost power in the events you mention. Once power is restored, it's back to the daily grind. Dealing with my boss is more important than dealing with my power grid.

This is true about most aspects of running the country. Sure, everyone has an opinion, but most do not engage in activity to promote the change.

Oftentimes when people do act on their opinions, they do so uninformed. This was most recently visible in the Tea Parties. While there may be a core of those people that truly understood what they were protesting, many others were just there for their own misinformed agendas.

We can bring awareness of such issues in blogs like IE, but how do we go about making change?

Any thoughts?

viboons
Researcher
Friday April 17, 2009 3:42:10 PM

Yes, the power grid is a huge interconnected system of generators, loads, and transmission and distribution (T&D) systems. I think it's believed to be the most complex manmade system, and so managing its reliability is and has been a big engineering challenge. It's essentially a very large optimization problem to manage the reliability and the electricity markets. However, I think the traditional concept of power grid reliability included the system "adequacy" (i.e. ability to meet the demand) and "security" (i.e. ability to withstand contingency events), but it left out cyber-security, which poses a different kind of vulnerability from those related to the grid interconnection.

You're right that losing a single genset (or even a power line) doesn't matter much, but I can imagine the concern about losing control of facilities such as nuclear power plants or some strategically important interconnection substations.

Ira Winkler
Thinkernetter
Friday April 17, 2009 1:07:53 PM

There are a variety of issues here; however, the primary issue is that even under the (proven wrong) assumption that the control systems of all power generation systems (i.e., nuclear reactors and other generators and all of their hundreds of control systems) are on isolated networks, the problem is that the power grid is a widely interconnected system. The generators require distribution, and the distribution system is proven vulnerable. Likewise, it is widely demonstrated that the generators are vulnerable.

Frankly, nobody cares if an individual generator goes down. The issue is, "Can I get power where and when I need it?" Any issues about individual power generators being safe or vulnerable are irrelevant. They are part of a system known as "The Power Grid."

However, the fact is that if one system on the grid is vulnerable, the same vulnerability likely exists in a large portion of the grid.

For completeness, I wanted to provide the following comment from a friend at the NERC:

The self certification portion of the CIP standards is just until the standards become auditably compliant which begins in July 2009.  Self Certifications have only been used during this period where entities are coming up to their audit start dates (entities went from “working towards compliant” to “substantially compliant” to “compliant” and in July they will be in full audits).

viboons
Researcher
Thursday April 16, 2009 4:46:54 PM

I visited one of Exelon's nuclear power plants, and I was told their control systems network is isolated from the outside network, i.e. basically it runs only between the plant controllers and the central control room. And most safety and emergency sequences are "hardwired" (with physical switches). As for the power grid, the comm networks often utilize microwave radio and/or power line carrier (PLC), which in theory can be tapped. But sometimes, the monitoring-only/database network for use in business and admin can create an access path to the control systems network.

If you've seen the movie Eagle Eye (2008), where the AI computer cuts the power line at an exact location, that's still far from reality. With the existing protection mechanism, even if allowed to, the systems just don't have the capability to do something like that. Also, in Jack Bauer's "24," where terrorists could hijack the chemical plant and prevent it from shutting down, in reality the safety shutdown sequence is likely to be hardwired, and if the pressure or temperature is too high for some critical period of time, the emergency sequence will kick in and override the software control systems.

Paul Whyte
Researcher
Thursday April 16, 2009 12:44:43 PM

Was it not less than six years ago that a former Secretary of State, in front of a world audience, paraded what seemingly looked like crystal-ball evidence that Saddam Hussein/Iraq could mount a biological/chemical attack within nine months? I was holding my breath that day as the once-respected General lured me into even wanting to join the coalition forces as a volunteer!! Well, we all know how that one turned out!!!

There have been calculated attempts by the government to impose more control on the Internet, and what better and more subtle way to achieve this goal than by scaring us into believing that even our utilities are now the object of cyberattack. In so doing, any opposition to bills like the one being introduced by Rockefeller can be softened and removed. Don't be surprised to hear very soon that your local grocery store is now a very big target of cyberattack!! Honestly, I don't believe that there is any imminent threat to our power grids from outside forces and, as one person rightly put it, it is all hype in order to give the government more control over the Internet:

"There's no coordinated conspiracy here, but there are a lot of government officials who stand to gain by this attempt at drastically increasing government control over the Internet. They will certainly call up reporters they know and attempt to get them to write scare stories precisely like this."

Mr. Roques
Researcher
Thursday April 16, 2009 12:23:13 AM

Let me post this:

"By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant"

This is what Scott Lunsford said about hacking a nuclear plant that the owner said was impossible to hack. The owner claimed that their critical components couldn't be accessed from the Internet. This was a programmed hack (the hacker was hired by the owner), but there's a case of a man who released toxins into rivers from a plant as an attempt to get hired to fix the leak.

So nothing to fear about the electrical grid being hijacked? Yikes.
