[ISN] Electrical Grid Vulnerable to Hackers

From: InfoSec News (isnat_private)
Date: Fri Sep 12 2003 - 00:16:07 PDT


    Forwarded from: William Knowles <wkat_private>

    By Jim Krane
    AP Technology Writer
    September 11, 2003

    NEW YORK -- Since last month's Northeast Blackout, utilities have
    accelerated plans to automate the electric grid, replacing aging
    monitoring systems with digital switches and other high-tech gear.

    But those very improvements are making the electricity supply
    vulnerable to a different kind of peril: computer viruses and hackers
    who could black out substations, cities or entire states.

    Researchers working for the U.S., Canadian and British governments
    have already sniffed out "back doors" in the digital relays and
    control room technology that increasingly direct electricity flow in
    North America.

    With a few focused keystrokes, they say, they could shut the computer
    gear down - or change settings in ways that might trigger cascading

    "I know enough about where the holes are," said Eric Byres, a
    cybersecurity researcher for critical infrastructure at the British
    Columbia Institute of Technology in Vancouver. "My team and I could
    shut down the grid. Not the whole North American grid, but a state,

    Security experts have warned about the grid's growing vulnerabilities
    before, especially after U.S. National Security Agency hackers showed
    they could break into grid control networks in 1998.

    Byres and other researchers say the holes exploited then have gone
    unpatched. With an expected spate of post-blackout upgrades, the
    computer-heavy grid will be even more vulnerable to terrorists and
    hackers, they say.

    Computer viruses are another new worry.

    The "Blaster" worm that flummoxed an estimated half-million computers
    around the world last month might have exacerbated utilities' problems
    during the August blackout, bringing down - or perhaps blocking
    communications - on computers used to monitor the grid, said Joe
    Weiss, a utility control system expert.
    "It didn't cause what happened but it could've exacerbated what
    happened," said Weiss, with Kema Consulting in Cupertino, Calif. The
    blackout followed the Aug. 11 Blaster outbreak by just three days.
    The Ohio utility that is the chief focus of the blackout
    investigation, FirstEnergy Corp., is investigating whether the Blaster
    worm might have caused computer trouble that was described on
    telephone transcripts as hampering its response to multiple power line

    "We haven't detected a worm or a virus but we're not ruling anything
    out," said FirstEnergy spokesman Ralph DiNicola. The bi-national task
    force investigating the country's biggest blackout is also looking
    into the issue, said U.S. Energy Department spokesman Joe Davis.

    In January, the "Slammer" Internet worm took down monitoring computers
    at FirstEnergy's idled Davis-Besse nuclear plant. A subsequent report
    by the North American Electric Reliability Council said the infection
    blocked commands that operated other power utilities, although it
    caused no outages.

    In the past, the grid's old electromechanical switches and analog
    technology made it more or less impervious to computer maladies, Weiss

    But now, switches and monitoring gear can be upgraded and programmed
    remotely with software - and that requires a vulnerable connection to
    a computer network. If that network runs on Microsoft Corp. operating
    systems - which virus-writers favor - or connects to the Internet, the
    vulnerabilities are sharpened, say experts who test such gear for the
    U.S. Department of Energy's Office of Energy Assurance and the
    Department of Homeland Security.

    In one test, Byres found that a tiny piece of corrupted data could
    crash a crucial computerized control device that is installed in most
    grid substations.

    Byres said he contacted the well-known manufacturer - whom he declined
    to name for security reasons - and urged that the weakness be fixed
    before hackers found it.

    "I've been trying to get these guys to patch and they won't patch it,"
    he said. "I've been on their case for over six months."

    Other researchers have figured out how to hack into the device, known
    as a remote terminal unit, and command it to trip and reset a breaker.

    That would incapacitate a substation, the electricity distribution
    points for towns and neighborhoods where high-voltage electricity is
    transformed for local use.

    One feared hacking scenario involves changing the settings on
    substations' programmable circuit breakers. A hacker could lower
    settings from, say 500 amperes to 200 on some breakers, while raising
    others to 900, said Gary Seifert, a researcher with the Energy
    Department's Idaho National Engineering and Environmental Laboratory.

    Normal power usage could trip the 200 amp breakers and take those
    lines out of service, diverting power and overloading neighboring

    With their breakers set at 900 amps - too high to trip - the overloads
    would cause transformers and other critical equipment to melt down,
    requiring major repairs that would prolong a blackout, Byres said.

    "We have a plethora of intelligent electrical devices going into
    substations and power stations all over the United States," Seifert
    said. "What's to keep somebody from accessing those devices and
    changing the settings?"

    Some of the most technically advanced relays, made by companies like
    Schweitzer Engineering, General Electric and Siemens, can be
    programmed over a telephone modem connection after typing a simple
    eight-digit password, Seifert said.

    "Hackers have very little trouble cracking an eight-digit password,"
    he said, and finding substation phone lines that connect to these
    relays can be done with so-called "war dialers," simple PC programs
    that dial consecutive phone numbers looking for modems.

    Seifert said he and other researchers are asking manufacturers to take
    countermeasures, including programming their control devices to accept
    calls only from certain phone numbers, or simply disconnecting idle

    Like anyone dependent on networked computers for crucial operations,
    grid operators will be vulnerable to hackers, said Seifert.

    "We're still going to have back doors no matter how hard we try," he
    said. "You can't keep them out but you hope to slow them down."