http://www.ohio.com/mld/beaconjournal/7100991.htm

By Ed Meyer
Beacon Journal staff writer
Oct. 25, 2003

Electrical engineers in the high-mountain desert region of southeastern Idaho have spent the last six months testing the vulnerability of the computer system that controls the nation's vast electrical grid.

The concern among some at this 890-square-mile facility the size of Rhode Island is that the system has serious flaws that leave it open to cyber terrorists.

Utilities use the system, known within the industry as SCADA, to monitor hundreds of miles of high-voltage wires and to operate other unmanned equipment by remote control.

SCADA is standard in the industry. Many countries, including those that harbor terrorists, use it.

The same system malfunctioned at Akron-based FirstEnergy Corp.'s control center during the Aug. 14 blackout that cascaded through eight states and two Canadian provinces. Company officials say they are close to determining the cause of the malfunction, but they declined to provide details.

One official with the Akron utility said that in his experience, the system, Supervisory Control and Data Acquisition, has never succumbed to cyber attack.

Although the role the SCADA malfunction played in the blackout remains unclear, any recommendations by the U.S.-Canadian task force investigating the events of that day must address the security issues, experts say.

As far back as May 1998, the North American Electric Reliability Council, the organization that monitors the nation's electric utilities, identified security concerns with SCADA and established a program for reporting intrusions.

NERC files show that the threat of a cyber attack on SCADA ``goes to the very heart of our... national security and economic well-being.''

Potential damage

Joseph Weiss, an engineer with KEMA Consulting in Cupertino, Calif., and a leading expert in control system security, said in a recent interview that it is difficult to quantify the potential damage of such an attack, but the complications could be far more extensive than those involved Aug. 14 during the largest blackout in U.S. history.

A SCADA attack could cause major transmission equipment to be down and out ``anywhere from two hours to two months,'' Weiss said.

Damage could be incalculable, he said. Major, heavy equipment could cost tens of millions to replace, and Weiss said ``that may not include having to rebuild a roadway or a bridge to handle 20 tons, because we've got this stuff out in the middle of nowhere. And it was put there 20 years ago where we may not have a railroad spur anymore.''

Richard A. Clarke, former special adviser to President Bush for Cyberspace Security, warned the U.S. Senate of the dangers more than a year ago. In testimony on Feb. 13, 2002, he said information on computerized water systems, many of which also use SCADA, was found in terrorist camps in Afghanistan.

Following up on his remarks in a speech the next day, Clarke said terrorist attacks are not the only worry.

``There is a threat spectrum,'' he said, ``that ranges from the 14-year-old hacker joy-riding on the Internet, through the criminal engaged in fraud and extortion... through companies engaged in corporate espionage, to nation states engaged in espionage.''

Weiss said from his home in the San Francisco Bay area that SCADA's original design is a principal problem.

Utilities wanted a control system that continually monitors electrical equipment and, in the event of emergency power overloads, automatically shuts off relay switches in milliseconds before serious damage occurs to the big equipment.

Security was not the highest priority, he said.

A relatively small number of computer vendors devised the system, using training procedures that are virtually the same in the United States as in countries suspected of harboring terrorists, he said.

It was designed for ``economic reasons,'' he said, and for the simple proposition that it will ``keep the lights on and the electricity running 24 hours a day.''

``That is where the entire industry was, and still is, to a large extent,'' Weiss said.

`Something bad'

The additional demands of sophisticated security software, he said, slow the system markedly.

``Unlike your desktop, where you simply get upset when the system slows down, if the system slows down in a control system, it shuts down or something bad happens,'' Weiss said.

Lynn Costantini, a NERC official, said the system was deployed ``with little or no thought given to security... for a lot of different reasons.''

Foremost, she said, was that cyber attacks by anti-U.S. terrorists were not in the nation's psyche in the mid-1990s.

Now that those concerns are very real, she said, SCADA vendors have developed security measures. But significant security lapses persist, she said.

A continuous link to the system vendor's technical Web site, done through computer modem for maintenance purposes and other glitches, leaves SCADA's front door ``wide open,'' Costantini said.

To close the front door, she said, companies must limit remote access to the Web site, using it only in dire circumstances.

Many system operators, she said, also are not vigilant in updating their training or in changing passwords.

Gary Seifert, an electrical engineer for the Idaho National Engineering and Environmental Laboratory, said the desert project, called National SCADA Test Bed, was in the planning stages long before Aug. 14.

The U.S. Department of Energy project was conceived about 13 months ago, with Seifert, who has 25 years of experience in the field, as its program manager.

Officials with the Energy Department, which has responsibility for the security of the electrical grid, did not return phone calls for comment on the project.

Officials at the laboratory's headquarters in the Snake River Plain in Idaho Falls said the Test Bed is a high-tech model of much of our nation's critical infrastructure, with its own electrical grid. Part of the site is secure.

The Test Bed has SCADA systems that are expendable as engineers challenge its inner workings to gain a better understanding of how much damage could occur if it is destroyed, Seifert said.

The project had a relatively small budget of about $1 million for the last fiscal year, but Seifert said it recently received DOE approval for additional funding.

Threat taken seriously

Although there has been no direct evidence of a terrorist attack on the various systems in use on Aug. 14, according to congressional testimony, Seifert said the threat must be ``taken seriously.''

He declined to discuss what has been learned thus far because that could lead to ``increased susceptibility.''

FirstEnergy, which said two days after the blackout that its SCADA computer system malfunctioned, has contracted with General Electric and KEMA to investigate the problem.

Ali Jamshidi, a FirstEnergy vice president and chief information officer in the company's computer division, said the investigation's findings are expected soon but will not be publicly released.

The GE/KEMA report will be sent directly to the Energy Department to be included in the task force investigation, he said.

In the meantime, Jamshidi challenged the assertions that SCADA has gaping security holes, saying he ``does not recall a single security breach on our SCADA system.''

Weiss, who depicted himself as ``a fish swimming upstream'' on the issue, said it is often difficult for officials to see a breach of SCADA.

Although SCADA is superb for monitoring voltage, frequency and potential overloads, he said, the system does not have, in most cases, an effective firewall for detecting cyber attacks on power substations and the like.

``All that stuff is in your business office area,'' Weiss said. ``If they try to hack into a plant, they could do it. You just wouldn't know they did it.''

Several years ago in Australia, for example, Weiss said an operator who worked for a SCADA company was fired. He then tried and failed to get a similar job with a water company.

Angered, the worker built a homemade radio transmitter, Weiss said. Knowing how SCADA worked, he got into the system and opened a sewage valve, dumping hundreds of gallons of waste onto the grounds of a Hyatt Regency hotel.

``You know when they caught him? The 46th time he did it,'' Weiss said.

In his estimation, SCADA vulnerabilities in this country could lead to ``a cyber version of Pearl Harbor.''

Ed Meyer can be reached at 330-996-3784 or emeyer@private