[ISN] Weak links in U.S. grid

From: InfoSec News (isn@private)
Date: Tue Oct 28 2003 - 02:18:40 PST


    http://www.ohio.com/mld/beaconjournal/7100991.htm
    
    By Ed Meyer
    Beacon Journal staff writer
    Oct. 25, 2003
    
    Electrical engineers in the high-mountain desert region of
    southeastern Idaho have spent the last six months testing the
    vulnerability of the computer system that controls the nation's vast
    electrical grid.
    
    The concern among some at this 890-square-mile facility, an area the
    size of Rhode Island, is that the system has serious flaws that leave
    it open to cyber terrorists.
    
    Utilities use the system, known within the industry as SCADA, to
    monitor hundreds of miles of high-voltage wires and to operate other
    unmanned equipment by remote control.
    
    SCADA is standard in the industry. Many countries, including those
    that harbor terrorists, use it.
    
    The same system malfunctioned at Akron-based FirstEnergy Corp.'s
    control center during the Aug. 14 blackout that cascaded through eight
    states and two Canadian provinces.
    
    Company officials say they are close to determining the cause of the
    malfunction, but they declined to provide details. One official with
    the Akron utility said that in his experience, the system, Supervisory
    Control and Data Acquisition, has never succumbed to cyber attack.
    
    Although the role the SCADA malfunction played in the blackout
    remains unclear, any recommendations by the U.S.-Canadian task force
    investigating the events of that day must address the security
    issues, experts say.
    
    As far back as May 1998, the North American Electric Reliability
    Council, the organization that monitors the nation's electric
    utilities, identified security concerns with SCADA and established a
    program for reporting intrusions.
    
    NERC files show that the threat of a cyber attack on SCADA ``goes to
    the very heart of our... national security and economic well-being.''
    
    
    Potential damage
    
    Joseph Weiss, an engineer with KEMA Consulting in Cupertino, Calif.,
    and a leading expert in control system security, said in a recent
    interview that it is difficult to quantify the potential damage of
    such an attack, but the complications could be far more extensive than
    those involved Aug. 14 during the largest blackout in U.S. history.
    
    A SCADA attack could cause major transmission equipment to be down and
    out ``anywhere from two hours to two months,'' Weiss said.
    
    Damage could be incalculable, he said.
    
    Major, heavy equipment could cost tens of millions to replace, and
    Weiss said ``that may not include having to rebuild a roadway or a
    bridge to handle 20 tons, because we've got this stuff out in the
    middle of nowhere. And it was put there 20 years ago where we may not
    have a railroad spur anymore.''
    
    Richard A. Clarke, former special adviser to President Bush for
    Cyberspace Security, warned the U.S. Senate of the dangers more than a
    year ago. In testimony on Feb. 13, 2002, he said information on
    computerized water systems, many of which also use SCADA, was found in
    terrorist camps in Afghanistan.
    
    Following up on his remarks in a speech the next day, Clarke said
    terrorist attacks are not the only worry.
    
    ``There is a threat spectrum,'' he said, ``that ranges from the
    14-year-old hacker joy-riding on the Internet, through the criminal
    engaged in fraud and extortion... through companies engaged in
    corporate espionage, to nation states engaged in espionage.''
    
    Weiss said from his home in the San Francisco Bay area that SCADA's
    original design is a principal problem.
    
    Utilities wanted a control system that continually monitors electrical
    equipment and, in the event of emergency power overloads,
    automatically shuts off relay switches in milliseconds before serious
    damage occurs to the big equipment.
    
    Security was not the highest priority, he said.
    
    A relatively small number of computer vendors devised the system,
    using training procedures that are virtually the same in the United
    States as in countries suspected of harboring terrorists, he said.
    
    It was designed for ``economic reasons,'' he said, and for the simple
    proposition that it will ``keep the lights on and the electricity
    running 24 hours a day.''
    
    ``That is where the entire industry was, and still is, to a large
    extent,'' Weiss said.
    
    
    `Something bad'
    
    The additional demands of sophisticated security software, he said,
    slow the system markedly.
    
    ``Unlike your desktop, where you simply get upset when the system
    slows down, if the system slows down in a control system, it shuts
    down or something bad happens,'' Weiss said.
    
    Lynn Costantini, a NERC official, said the system was deployed ``with
    little or no thought given to security... for a lot of different
    reasons.''
    
    Foremost, she said, was that cyber attacks by anti-U.S. terrorists
    were not in the nation's psyche in the mid-1990s.
    
    Now that those concerns are very real, she said, SCADA vendors have
    developed security measures.
    
    But significant security lapses persist, she said.
    
    A continuous link to the system vendor's technical Web site, made
    through a computer modem for maintenance and the troubleshooting of
    other glitches, leaves SCADA's front door ``wide open,'' Costantini
    said.
    
    To close the front door, she said, companies must limit remote access
    to the Web site, using it only in dire circumstances.
    
    Many system operators, she said, also are not vigilant in updating
    their training or in changing passwords.
    
    Gary Seifert, an electrical engineer for the Idaho National
    Engineering and Environmental Laboratory, said the desert project,
    called National SCADA Test Bed, was in the planning stages long before
    Aug. 14.
    
    The U.S. Department of Energy project was conceived about 13 months
    ago, with Seifert, who has 25 years of experience in the field, as its
    program manager.
    
    Officials with the Energy Department, which has responsibility for the
    security of the electrical grid, did not return phone calls for
    comment on the project.
    
    Officials at the laboratory's headquarters in the Snake River Plain in
    Idaho Falls said the Test Bed is a high-tech model of much of our
    nation's critical infrastructure, with its own electrical grid. Part
    of the site is secure.
    
    The Test Bed has SCADA systems that are expendable as engineers
    challenge its inner workings to gain a better understanding of how
    much damage could occur if it is destroyed, Seifert said.
    
    The project had a relatively small budget of about $1 million for the
    last fiscal year, but Seifert said it recently received DOE approval
    for additional funding.
    
    
    Threat taken seriously
    
    Although there has been no direct evidence of a terrorist attack on
    the various systems in use on Aug. 14, according to congressional
    testimony, Seifert said the threat must be ``taken seriously.''
    
    He declined to discuss what has been learned thus far because that
    could lead to ``increased susceptibility.''
    
    FirstEnergy, which said two days after the blackout that its SCADA
    computer system malfunctioned, has contracted with General Electric
    and KEMA to investigate the problem.
    
    Ali Jamshidi, a FirstEnergy vice president and chief information
    officer in the company's computer division, said the investigation's
    findings are expected soon but will not be publicly released. The
    GE/KEMA report will be sent directly to the Energy Department to be
    included in the task force investigation, he said.
    
    In the meantime, Jamshidi challenged the assertions that SCADA has
    gaping security holes, saying he ``does not recall a single security
    breach on our SCADA system.''
    
    Weiss, who depicted himself as ``a fish swimming upstream'' on the
    issue, said it is often difficult for officials to see a breach of
    SCADA.
    
    Although SCADA is superb for monitoring voltage, frequency and
    potential overloads, he said, the system does not have, in most cases,
    an effective firewall for detecting cyber attacks on power substations
    and the like.
    
    ``All that stuff is in your business office area,'' Weiss said. ``If
    they try to hack into a plant, they could do it. You just wouldn't
    know they did it.''
    
    Several years ago in Australia, for example, Weiss said an operator
    who worked for a SCADA company was fired. He then tried and failed to
    get a similar job with a water company.
    
    Angered, the worker built a homemade radio transmitter, Weiss said.
    Knowing how SCADA worked, he got into the system and opened a sewage
    valve, dumping hundreds of gallons of waste onto the grounds of a
    Hyatt Regency hotel.
    
    ``You know when they caught him? The 46th time he did it,'' Weiss
    said.
    
    In his estimation, SCADA vulnerabilities in this country could lead to
    ``a cyber version of Pearl Harbor.''
    
    
    Ed Meyer can be reached at 330-996-3784 or emeyer@private
     
    
    