Forwarded from: William Knowles <wk@private> http://www.washingtonpost.com/wp-dyn/articles/A25738-2005Mar10.html By Justin Blum Washington Post Staff Writer March 11, 2005 Hundreds of times a day, hackers try to slip past cyber-security into the computer network of Constellation Energy Group Inc., a Baltimore power company with customers around the country. "We have no discernable way of knowing who is trying to hit our system," said John R. Collins, chief risk officer for Constellation, which operates Baltimore Gas and Electric. "We just know it's being hit." Hackers have caused no serious damage to systems that feed the nation's power grid, but their untiring efforts have heightened concerns that electric companies have failed to adequately fortify defenses against a potential catastrophic strike. The fear: In a worst-case scenario, terrorists or others could engineer an attack that sets off a widespread blackout and damages power plants, prolonging an outage. Patrick H. Wood III, the chairman of the Federal Energy Regulatory Commission, warned top electric company officials in a private meeting in January that they need to focus more heavily on cyber-security. Wood also has raised the issue at several public appearances. Officials will not say whether new intelligence points to a potential terrorist strike, but Wood stepped up his campaign after officials at the Energy Department's Idaho National Laboratory showed him how a skilled hacker could cause serious problems. Wood declined to comment on specifics of what he saw. But an official at the lab, Ken Watts, said the simulation showed how someone could hack into a utility's Internet-based business management system, then into a system that controls utility operations. Once inside, lab workers simulated cutting off the supply of oil to a turbine generating electricity and destroying the equipment. Describing his reaction to the demonstration, Wood said: "I wished I'd had a diaper on." Many electric industry representatives have said they are concerned about cyber-security and have been taking steps to make sure their systems are protected. But Wood and others in the industry said the companies' computer security is uneven. "A sophisticated hacker, which is probably a group of hackers . . . could probably get into each of the three U.S. North American power [networks] and could probably bring sections of it down if they knew how to do it," said Richard A. Clarke, a former counterterrorism chief in the Clinton and Bush administrations. Clarke said government simulations show that electric companies have not done enough to prevent hacking. "Every time they test, they get in," Clarke said. "It's nice that the power companies think that they've done things, and some of them have. But as long as there's a way to get into the grid, the grid is as weak as its weakest company." Some industry analysts play down the threat of a massive cyber-attack, saying it's more likely that terrorists would target the physical infrastructure such as power plants and transmission lines. James Andrew Lewis, director of technology policy at the Center for Strategic and International Studies in the District, said a coordinated attack on the grid would be technically difficult and would not provide as much "bang for the buck" as high-profile physical attacks. Lewis said the bigger vulnerability may be posed not by outside hackers but by insiders who are familiar with their company's computer networks. But in recent years, terrorists have expressed interest in a range of computer targets. Al Qaeda documents from 2002 suggest cyber-attacks on various targets, including the electrical grid and financial institutions, according to a translation by the IntelCenter, an Alexandria firm that studies terrorist groups. A government advisory panel has concluded that a foreign intelligence service or a well-supported terrorist group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation," according to a report last year by the Government Accountability Office, the investigative arm of Congress. Cyber-security specialists and government officials said that cyber-attacks are a concern across many industries but that the threat to the country's power supply is among their top fears. Hackers have gained access to U.S. utilities' electronic control systems and in a few cases have "caused an impact," said Joseph M. Weiss, a Cupertino, Calif.-based computer security specialist with Kema Inc., a consulting firm focused on the energy industry. He said computer viruses and worms also have caused problems. Weiss, a leading expert in control system security, said officials of the affected companies have described the instances at private conferences that he hosts and in confidential conversations but have not reported the intrusions publicly or to federal authorities. He said he agreed not to publicly disclose additional details and that the companies are fearful that releasing the information would hurt them financially and encourage more hacking. Weiss said that "many utilities have not addressed control system cyber-security as comprehensively as physical security or cyber-security of business networks." The vulnerability of the nation's electrical grid to computer attack has grown as power companies have transferred control of their electrical generation and distribution equipment from private, internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports. That technology has led to greater efficiency because it allows workers to operate equipment remotely. Other systems that feed information into SCADA or that operate utility equipment are vulnerable and have been largely overlooked by utilities, security consultants said. Some utilities have made hacking into their SCADA systems relatively easy by continuing to use factory-set passwords that can be found in standard documentation available on the Internet, computer security consultants said. The North American Electric Reliability Council, an industry-backed organization that sets voluntary standards for power companies, is drafting wide-ranging guidelines to replace more narrow, temporary precautions already on the books for guarding against a cyber-attack. But computer security specialists question whether those standards go far enough. Officials at several power companies said they had invested heavily in new equipment and software to protect their computers. Many would speak only in general terms, saying divulging specifics could assist hackers. "We're very concerned about it," said Margaret E. "Lyn" McDermid, senior vice president and chief information officer for Dominion Resources Inc., a Richmond-based company that operates Dominion Virginia Power and supplies electricity and natural gas in other states. "We spend a significant amount of time and effort in making sure we are doing what we ought to do." Executives at Constellation Energy view the constant hacking attempts -- which have been unsuccessful -- as a threat and monitor their systems closely. They said they assume many of the hackers are the same type seen in other businesses: people who view penetrating corporate systems as fun or a challenge. "We feel we are in pretty good shape when it comes to this," Collins said. "That doesn't mean we're bulletproof." The biggest threat to the grid, analysts said, may come from power companies using older equipment that is more susceptible to attack. Those companies many not want to invest large amounts of money in new computer equipment when the machines they are using are adequately performing all their other functions. Security consulting firms said that they have hacked into power company networks to highlight for their clients the weaknesses in their systems. "We are able to penetrate real, running, live systems," said Lori Dustin, vice president of marketing for Verano Inc., a Mansfield, Mass., company that sells products to companies to secure SCADA systems. In some cases, Dustin said, power companies lack basic equipment that would even alert them to hacking attempts. O. Sami Saydjari, chief executive of the Wisconsin Rapids, Wis.-based consulting firm Cyber Defense Agency LLC, said hackers could cause the type of blackout that knocked out electricity to about 50 million people in the Northeast, Midwest and Canada in 2003, an event attributed in part to trees interfering with power lines in Ohio. He said that if hackers destroyed generating equipment in the process, the amount of time to restore electricity could be prolonged. "I am absolutely confident that by design, someone could do at least as [much damage], if not worse" than what was experienced in 2003, said Saydjari, who was one of 54 prominent scientists and others who warned the Bush administration of the risk of computer attacks following Sept. 11, 2001. "It's just a matter of time before we have a serious event." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* _________________________________________ Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Fri Mar 11 2005 - 02:39:04 PST