[ISN] Power Grid Vulnerable to Hackers

From: InfoSec News (isnat_private)
Date: Tue Aug 14 2001 - 02:58:32 PDT


Forwarded by: Jonathan Rickman <jonathanat_private>

The Code Red hype must be finally dying out. This article from the LA
Times made me wish we could go back to the first few days of Code Red.
At least then, the hype was based on something closer to reality...

Jonathan Rickman
X Corps Security

Power Grid Vulnerable to Hackers
August 13 2001
Computer hackers have stopped access to Yahoo and EBay, blocked orders
to Amazon.com, inflicted a plague of data-consuming viruses on
corporate America and defaced thousands of Web sites with graffiti,
including many sites operated by the U.S. Department of Defense.

And their next target may be the nation's energy utilities.

For two weeks last spring, hackers wormed their way inside a computer
system that plays a key role in moving electrical power where it is
needed around the state. The computers belong to the California
Independent Service Operator, an agency that oversees much of the
state's electricity transmission grid--including the massive complex
of power plants and transmission lines. Cal-ISO patched the flaw that
allowed hackers to roam through portions of its network before power
supplies were affected. But the episode sent shock waves throughout
the energy industry.

So far, no utility has blamed computer hackers for a power disruption.
But two trends may soon change that, experts say.

Deregulation of the energy industry has led to the formation of dozens
of online energy trading networks where buyers and sellers manage
real-time sales of electricity over the Internet. Experts believe that
such trading networks are less secure than computer networks
maintained by utility companies and if hacked into could disrupt power

They also warn that increasing links between computers that control
the grid and those used for administration, Internet e-mail or Web
surfing make hacker-induced blackouts likely.

Riptech Inc., a security company in Alexandria, Va., has tested
security for dozens of energy-industry clients. In every case, the
firm penetrated Internet-connected corporate networks--and often
hopped from those networks into supposedly sealed grid-control
systems, according to Riptech's president, Amit Yoran.

Other security companies report similar experiences, suggesting there
has been scant progress since 1997, when Defense Department engineers
successfully hacked into control systems for the nation's electrical
grid in a security trial. Once inside a power-control network, hackers
could find diagrams of switches and power supplies that could enable
widespread sabotage.

"You can black out whole cities," said Anjan Bose, a power-grid expert
and dean of the College of Engineering and Architecture at Washington
State University. Other specialists said that hackers could cause
physical damage to generating plants or other energy-industry

"I'm not sure that any [network] manager is totally confident. Those
hackers are sharp. If there's a way to get in, they usually try to
figure it," said Carl Lindau, director of computer information systems
for South Mississippi Electrical Power Assn., a small co-op in
Hattiesburg, Miss. "We all worry about it." Lindau said he monitors
his network constantly and plans to upgrade security software.

Security Shortfalls Left Door Open

Even major energy-industry companies have committed missteps that
amount to leaving out a virtual welcome mat. The computer network that
operates the Alaska oil pipeline was found by its own security experts
to be "in great jeopardy."

According to 1997 court documents, "a decent hacker--[could] get into
that system and actually burst or cause the pipeline to--to stop its
flow," said Alan Gibson, a consultant for the Alyeska Pipeline Service
Co., which runs the oil pipeline.

In a recent interview, Gibson said Alyeska allowed contractors direct
access to its internal computer networks, opening security holes that
could have led to environmental disaster.

Alyeska declined to comment on past conditions. But Erv Barnes, the
company's chief information officer, said improvements and rigorous
testing have made the pipeline nearly impervious to hacking.

In a separate case last year, an audit found that the electrical
transmission network at ISO New England, a group similar to
California's, permitted computer access passwords to be blank, with no
expiration date, leaving it open to anyone who got into the system.
And the system's lockout settings were disabled, opening the door to
virtually anyone who sat down at the computer, which was in an
unsecured area.

An ISO New England representative said the problems have been
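The three account-policy weaknesses the audit above describes (blank passwords, passwords with no expiration, and lockout disabled) are the kind of thing a defender can check mechanically from an account export. The script below is an added example, not code from the article or from ISO New England; the CSV export format, the column names and the sample accounts are all constructed for illustration, and the 90-day maximum password age is an assumed site policy.

```python
"""Audit a constructed account-policy export for blank passwords,
non-expiring passwords and a disabled lockout threshold.

Added example. The export format is an assumption for this script,
not any vendor's real format.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample export (not real data). One row per account:
#   username, password_set (yes/no), password_expires_days (0 = never),
#   lockout_threshold (0 = lockout disabled, else failed attempts allowed)
SAMPLE_EXPORT = """username,password_set,password_expires_days,lockout_threshold
operator1,yes,90,5
scada_view,no,0,0
dispatcher,yes,0,5
maint,yes,60,0
"""

# Assumed site policy: passwords must rotate at least this often.
MAX_PASSWORD_AGE_DAYS = 90

BLANK_PASSWORD = "blank password"
NEVER_EXPIRES = "password never expires"
LOCKOUT_DISABLED = "account lockout disabled"


def audit_accounts(export_text: str) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every weakness in the export.

    Rows are processed in file order and findings within a row are
    emitted in a fixed order, so the result is stable for comparison.
    """
    findings: List[Tuple[str, str]] = []
    reader = csv.DictReader(io.StringIO(export_text))
    for row in reader:
        user = row["username"].strip()
        password_set = row["password_set"].strip().lower() == "yes"
        expires_days = int(row["password_expires_days"])
        lockout_threshold = int(row["lockout_threshold"])

        if not password_set:
            findings.append((user, BLANK_PASSWORD))
        if expires_days == 0:
            findings.append((user, NEVER_EXPIRES))
        elif expires_days > MAX_PASSWORD_AGE_DAYS:
            findings.append(
                (user, f"password age {expires_days}d exceeds "
                       f"{MAX_PASSWORD_AGE_DAYS}d"))
        if lockout_threshold == 0:
            findings.append((user, LOCKOUT_DISABLED))
    return findings


def fully_open_accounts(findings: List[Tuple[str, str]]) -> List[str]:
    """Accounts with BOTH a blank password and no lockout: these are the
    'anyone who sat down at the computer' case the audit describes."""
    by_user: Dict[str, set] = {}
    for user, issue in findings:
        by_user.setdefault(user, set()).add(issue)
    return sorted(u for u, issues in by_user.items()
                  if BLANK_PASSWORD in issues and LOCKOUT_DISABLED in issues)


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_EXPORT)
    for user, issue in results:
        print(f"{user}: {issue}")
    print("fully open:", fully_open_accounts(results))
```

Running the script on the constructed export flags five findings; the `scada_view` account is the only one that combines a blank password with lockout disabled, which is exactly the condition that lets a walk-up user log in without resistance. The physical placement of the terminal in an unsecured area is not something an account export can reveal; that part of the finding still needs a site walk-through.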
Utilities historically have maintained security of their power supply
by isolating and strictly controlling access to computers used to
monitor and manage power flow. But increasingly, administrative and
supervisory computers are linked for efficiency. Security officials
normally use computer firewalls to protect their grid-control systems,
but hackers have been able to defeat almost any firewall.

And supervisory computer systems used by utilities often are equipped
with dial-up modems so that engineers can monitor the grid remotely.
But modem access opens serious security holes, experts say.

At South Mississippi Electrical, the supervisory computer systems have
modem access and other features that experts view as an open
invitation to hackers. The utility's grid-management machines have
Internet connections and lack intrusion-detection software or
computers to serve as a buffer between their internal network and the

But Lindau said some risk is the price of doing business.

"If you want to be able to do things today electronically, you have to
be connected" to the Internet. "It's a matter of putting in the
controls and educating your users," he said.

Some utilities--including those that might be considered bigger
targets--use greater caution. Pacific Gas & Electric Co. maintains a
completely separate supervisory network with no links to the Internet
or to the company's administrative computer systems, and no dial-up

But South Mississippi Electrical is closer to the norm. Veridian Inc.,
another security firm based in Alexandria, Va., has tested the network
security of many large electric utilities and has penetrated all of

"A determined hacker [who] really wants to get into most information
systems in America today will do so," said Michael Farmer, Veridian's
chief operating officer.

Another efficiency measure that also has reduced security at utilities
is the move to standardized software.

A decade ago, "the phones, the power grid, 911 and fire dispatch were
all separate systems," said Bruce Schneier, chief technical officer at
the San Jose-based monitoring firm Counterpane Internet Security. Such
systems were unique and arcane. "Sure, they were hackable, but they
were proprietary systems. You had to be smart to do it."

Today, power companies are migrating to easier-to-use software, such
as Microsoft's Windows NT operating system. That allows hackers to
more easily penetrate and operate inside them.

Once inside the control system, "you have access to open the switches
for the transmission lines" throughout a state or region, Washington
State University's Bose said. "You can open the switches for the big
generators. Even random switching without someone knowing the
consequences could be devastating."

Likelihood of Hacking Leads to Usual Suspects

Experts are divided on which individuals or groups might be targeting
the grid. But they agree that the recent emergence of hundreds of new
energy firms and online power traders could create new incentives for
hacking because of industrial espionage.

"The whole deregulation environment has made the electric power system
look a lot like the Internet--lots of small players that may have
adversarial relationships," said Howard Lipson, an expert with the
CERT Coordination Center, a computer emergency response team at
Carnegie Mellon University.

The federal government has long considered electric utilities a prime
target for foreign enemies' information-warfare efforts. But the
apparent lack of success suggests an imbalance between motivation and
expertise among likely perpetrators.

"Most sophisticated foreign governments are unlikely to want to run
the risk of shutting down someone's electrical grid," for fear of
retaliation, Veridian's Farmer said. "Terrorist groups that might want
to do that have a lot less [hacking] sophistication."

That's one reason many experts see the primary threat to the power
system as the same forces that have haunted cyberspace for years:
disgruntled employees, corporate spies and teens testing their limits.

ISN is currently hosted by Attrition.org

This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 04:55:12 PDT