[ISN] Hacking the Power Grid

From: mea culpa (jerichoat_private)
Date: Fri Jun 05 1998 - 05:19:39 PDT

  • Next message: mea culpa: "[ISN] Net Messaging Called 'Catastrophic'"

    Forwarded From: Simon Gardner <juniperat_private>
    
    Hacking the Power Grid
    
    by Gene Koprowski
    
    Could hackers flip the switch on the US electric-power grid and leave the
    country in the dark, as if a national natural disaster had occurred? The
    question is not as absurd as it sounds, computer experts say.
    
    As electric utilities from California to Maine prepare for the era of
    deregulated competition, many are adopting customer-friendly Web sites.
    Some of these sites are integrated with databases inside the utilities
    themselves, leaving them potentially vulnerable to penetration by hackers.
    
    But the highly decentralized structure of the power plants -- generators
    are not connected to the networks which are hooked to the Internet --
    means that the damage hackers can cause is limited, says Bruce Wallenberg,
    a professor of electrical engineering at the University of Minnesota, who
    has worked extensively with utilities.
    
    "The government recently put together a group which claimed that they
    hacked into computers controlling the entire electric power grid of the
    US, and then claimed they could have shut it down," said Wallenberg,
    referring to recent press accounts. "My contention with that is just
    because you can break into a computer, it does not mean that you have
    suddenly acquired the ability to shut the process of controlling the
    plant."
    
    Power plants are complex technological organizations, Wallenberg
    explained. To shut down a generator, one has to open circuit breakers and
    instruct generators to lower the "set points," the levels at which they
    are transmitting power. This is not something that can be done solely via
    a computer network. Often the task is done manually through process
    controls, or, if computerized, requires smart-card access.
    
    "To change our computers you would physically have to be there," said Mark
    DuBois, the technical team leader for Web development at the Central
    Illinois Power Co., an electric utility located in Peoria. "Someone would
    notice."
    
    The fact that hackers have gotten into power plants, Wallenberg said,
    simply proves what everybody already knew: Networks linked to the Web are
    vulnerable.
    
    Still, Wallenberg and others, like Nick Simicich, a senior consultant with
    Florida's IBM Consulting, Inc., think that there are dangers for the
    electric-power industry now that they are online. Companies like Central
    Illinois Light Co. recently launched a Web-based service for its
    customers, which will eventually offer services including online bill
    payment. This is where the companies are vulnerable, Simicich believes. A
    hacker could break into the network and wreak havoc with the billing
    system.
    
    The Central Illinois site, which uses an Integraph server with one
    gigabyte of memory and 10 gigabytes of disk space, is linked to seven
    Sybase databases and located offsite, in Arlington, Va., at a Web-hosting
    service.
    
    "We did physically locate it offsite to keep them separate from our
    network," said DuBois, the technical team leader for the Web project at
    CILCO. "There is still a fair amount of security, but hackers would go
    nowhere if they break in there. I can guarantee that."
    
    There's another concern for these energy computing experts. With
    deregulation, there is an increasing interest in energy futures trades at
    the commodities exchange on Wall Street. Simicich said hackers might use
    social engineering techniques to obtain passwords to computers with access
    to the networks containing sensitive information from these sources.
    
    Others in the computer-security industry have raised concerns about the
    government simulating attacks on these kinds of systems, and whether or
    not that was proper. But Susan Hansen, a spokeswoman for the Office of the
    Secretary of Defense, defends the practice and says that most information
    remained secure. But a government source claims that government hackers
    were able to penetrate beyond the Web site in their tests of utility
    networks.
    
    Security experts say that energy companies are becoming increasingly
    sophisticated with network security, and have software systems in place
    allowing them to monitor any suspicious activity. That's important,
    because while the networks controlling power grids are currently offline,
    the utilities will come to rely more and more on the Internet. As they do,
    their vulnerability will increase.
    
    "With deregulation, as the separation of power from transmission grows,
    companies are going to be sharing information with each other and with
    customers over networks," says Patrick Taylor, a consultant at Internet
    Security Systems, an Atlanta-based security software vendor. "You are
    opening up the systems. It is no longer just PG&E or another utility
    running everything. It is Bill's Power Co., too. So Net security is now on
    the radar screen of the electric industry."
    
    [Wired News]
    [http://www.wired.com/news/news/technology/story/12746.html]
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:21 PDT