Forwarded From: Simon Gardner <juniperat_private>

Hacking the Power Grid
by Gene Koprowski

Could hackers flip the switch on the US electric-power grid and leave the country in the dark, as if a national natural disaster had occurred?

The question is not as absurd as it sounds, computer experts say. As electric utilities from California to Maine prepare for the era of deregulated competition, many are adopting customer-friendly Web sites. Some of these sites are integrated with databases inside the utilities themselves, leaving them potentially vulnerable to penetration by hackers.

But the highly decentralized structure of the power plants -- generators are not connected to the networks which are hooked to the Internet -- means that the damage hackers can cause is limited, says Bruce Wallenberg, a professor of electrical engineering at the University of Minnesota, who has worked extensively with utilities.

"The government recently put together a group which claimed that they hacked into computers controlling the entire electric power grid of the US, and then claimed they could have shut it down," said Wallenberg, referring to recent press accounts. "My contention with that is just because you can break into a computer, it does not mean that you have suddenly acquired the ability to shut the process of controlling the plant."

Power plants are complex technological organizations, Wallenberg explained. To shut down a generator, one has to open circuit breakers and instruct generators to lower the "set points," the levels at which they are transmitting power. This is not something that can be done solely via a computer network. Often the task is done manually through process controls, or, if computerized, requires smart-card access.

"To change our computers you would physically have to be there," said Mark DuBois, the technical team leader for Web development at the Central Illinois Power Co., an electric utility located in Peoria. "Someone would notice."

The fact that hackers have gotten into power plants, Wallenberg said, simply proves what everybody already knew: Networks linked to the Web are vulnerable.

Still, Wallenberg and others, like Nick Simicich, a senior consultant with Florida's IBM Consulting, Inc., think that there are dangers for the electric-power industry now that they are online. Companies like Central Illinois Light Co. recently launched a Web-based service for its customers, which will eventually offer services including online bill payment. This is where the companies are vulnerable, Simicich believes. A hacker could break into the network and wreak havoc with the billing system.

The Central Illinois site, which uses an Integraph server with one gigabyte of memory and 10 gigabytes of disk space, is linked to seven Sybase databases and located offsite, in Arlington, Va., at a Web-hosting service.

"We did physically locate it offsite to keep them separate from our network," said DuBois, the technical team leader for the Web project at CILCO. "There is still a fair amount of security, but hackers would go nowhere if they break in there. I can guarantee that."

There's another concern for these energy computing experts. With deregulation, there is an increasing interest in energy futures trades at the commodities exchange on Wall Street. Simicich said hackers might use social engineering techniques to obtain passwords to computers with access to the networks containing sensitive information from these sources.

Others in the computer-security industry have raised concerns about the government simulating attacks on these kinds of systems, and whether or not that was proper. But Susan Hansen, a spokeswoman for the Office of the Secretary of Defense, defends the practice and says that most information remained secure.

But a government source claims that government hackers were able to penetrate beyond the Web site in their tests of utility networks.

Security experts say that energy companies are becoming increasingly sophisticated with network security, and have software systems in place allowing them to monitor any suspicious activity. That's important, because while the networks controlling power grids are currently offline, the utilities will come to rely more and more on the Internet. As they do, their vulnerability will increase.

"With deregulation, as the separation of power from transmission grows, companies are going to be sharing information with each other and with customers over networks," says Patrick Taylor, a consultant at Internet Security Systems, an Atlanta-based security software vendor. "You are opening up the systems. It is no longer just PG&E or another utility running everything. It is Bill's Power Co., too. So Net security is now on the radar screen of the electric industry."

[Wired News] [http://www.wired.com/news/news/technology/story/12746.html]