[ISN] Infrastructure vulnerable to hacker attacks

From: InfoSec News (alerts@private)
Date: Mon Oct 02 2006 - 23:02:17 PDT


http://www.ajc.com/business/content/business/stories/2006/10/02/1001sbizscada.html

By BOB KEEFE
The Atlanta Journal-Constitution
Published on: 10/01/06

In June 1982, in a remote patch of Russian wilderness, a huge explosion 
ripped apart a trans-Siberian pipeline.

It wasn't a bomb that destroyed the natural gas pipeline and sent shock 
waves through the economy of what was then the Soviet Union. Instead, it 
was a software virus created by the CIA, according to a book by Thomas 
Reed, a former U.S. Air Force secretary and National Security Council 
member.

The virus took over the computers controlling valves and pumps, 
increasing the pressure until the pipeline was ripped apart by a blast 
equal to 3,000 tons of TNT.

The secret attack was one of the first known hacker strikes on a 
Supervisory Control and Data Acquisition, or SCADA, network. Computer 
security experts say it won't be the last.

Across America and around the world, SCADA networks control nuclear 
power stations, water and gas lines, chemical plants and other critical 
infrastructure. Many of them could be just as vulnerable today to 
attacks from computer hackers — or terrorists — as the Soviet system was 
nearly 25 years ago.

Or even more vulnerable. That's because in today's Internet age, 
machines and computers are increasingly connected haphazardly to the 
Web, whether their owners realize it or not. In addition, there has been 
rapid growth in easy-to-access wireless networks and the use of 
off-the-shelf software from Microsoft Corp. and others.

Hence the fear that five years after the Sept. 11 attacks, SCADA 
networks could become "the new airplanes," said Alan Paller, director of 
research for the SANS Institute, a computer security research and 
training group.

Air of complacency

We all depend on SCADA networks, whether we know it or not.

SCADA computers monitor and control the flow of electricity across the 
nation's power grids. They turn pump switches on and off to make oil and 
gas and water pipelines flow. They make sure robots and mixing machines 
and other factory equipment do what they are supposed to do.

Although the networks are so critical, SCADA security is often an 
afterthought for corporate cyber-security departments. That's because — 
so far — SCADA networks haven't attracted computer hackers like 
financially oriented e-mail and online billing systems and corporate Web 
sites.

"It's kind of like, 'out of sight, out of mind,' " said Brian Davison, 
manager of operations engineering for Austin Energy, a municipal 
electric company in Texas.

Austin Energy is considered on the forefront of SCADA security. At many 
utilities, though, "management has been away from the table," he said. 
"They say they haven't seen anything major yet, so it can't be too bad. 
But if somebody wanted to do harm to our industry, they could do it."

Government regulators are just beginning to pay more attention to SCADA 
security.

Only recently, for instance, did the North American Electric Reliability 
Council start working on mandatory rules requiring the electricity 
industry to audit and monitor its SCADA networks and take steps that 
would be basic for any PC user, like installing software patches in a 
timely fashion.

Even so, power companies won't have to meet the new rules for several 
years. Many in the industry already acknowledge the new rules are so 
vague and open to interpretation that they'll be ineffective.

The power industry is considered further along in SCADA security than 
other critical industries. Government regulators are at least developing 
mandatory SCADA-specific regulations there.

"I don't think that the sky is necessarily falling ... and that the 
entire United States could be shut down tomorrow," said Eric Byres, a 
longtime SCADA researcher who's now director of industry security at 
consulting firm Wurldtech Research.

"But I think we've got ourselves in a real fix," he said. "We're walking 
on a tightrope."

In January 2003, the power industry got a wake-up call.

An event in Ohio "illustrated how accessible and vulnerable SCADA 
systems are at nuclear power plants," the SANS Institute's Paller told a 
House subcommittee last fall.

He testified that a computer worm circulating on the Internet had 
infected Microsoft database software used by a contractor at the 
Davis-Besse nuclear plant near Toledo, Ohio.

Bypassed firewall

Even though the plant's operator, FirstEnergy Corp., had protected the 
plant with a software firewall, the worm used the contractor's network 
to bypass it.

"Because of Davis-Besse's widespread use of vulnerable Microsoft 
software, the worm jumped to the plant network and crashed the Safety 
Parameter Display System, keeping it offline for eight hours," Paller 
testified.

Another incident, though not hacker-related, shows the potential impact 
of SCADA computer problems.

In August 2003, computer glitches in Ohio caused inaccurate readings 
along FirstEnergy's power lines. Cascading effects among Northeastern 
utilities dealing with the summer heat prompted the shutdown of more 
than 500 generating units in the United States and Canada.

The blackout cut power to an estimated 50 million people, shut down 
transportation and communication networks, and caused an estimated $6 
billion in economic damage.

"The longer we wait, it's inevitable [that] somebody decides to turn off 
a major U.S. city," said Rob Ciampa, vice president of marketing and 
business strategy for Atlanta-based computer security company Trusted 
Network Technologies Inc.

Utility industry officials sometimes accuse consultants like Ciampa of 
scare tactics. Companies like his, after all, make a living selling 
software fixes.

But the danger is real.

According to government officials, the U.S. military in 2001 found 
evidence in Afghanistan that al-Qaida terrorists were researching SCADA 
systems and cyber-terrorism.

Paller and other computer security experts say the risk is relatively 
small that terrorists will attack a SCADA network, because the effects 
would not be as destructive as those from a car bomb or airplane 
hijacking.

"Can they hack any system? The answer is yes," said Pete Allor, a former 
U.S. Army security officer who now is director of intelligence at 
Atlanta-based Internet Security Systems Inc. "The problem is making 
spectacular results."

The bigger threat, Allor and others said, is from hackers trying to 
extort money from a company or from disgruntled employees trying to 
cause trouble.

Incident in Australia

That was the case in Australia in April 2000. Vitek Boden, a former 
contractor, took control of the SCADA system controlling the sewage and 
water treatment system at Queensland's Maroochy Shire. Using a wireless 
connection and a stolen computer, Boden released millions of gallons of 
raw sewage and sludge into creeks, parks and a nearby hotel. He later 
went to jail for two years.

Not surprisingly, U.S. companies are hesitant to talk about the security 
of their SCADA networks for fear they may give clues to hackers. But 
security consultants say problems with them are widespread.

Allor's company, for instance, regularly does audits of SCADA systems at 
major installations such as power plants, oil refineries and water 
treatment systems.

Almost invariably, Allor said, the companies claim their SCADA systems 
are secure and not connected to the Internet. And almost invariably, he 
said, ISS consultants find a wireless connection that company officials 
didn't know about or other open doors for hackers.

Realizing the growing threat, the federal government two years ago 
directed its Idaho National Laboratory to focus on SCADA security. The 
lab created the nation's first "test bed" for SCADA networks and began 
offering voluntary audits for companies.

Officials at the Idaho lab declined to reveal details about the audits, 
citing security concerns. But Rita Wells, who manages the program, 
called the companies' approaches to SCADA security "a mixed bag."

"We've gone into some entities and we've seen things so tight that we 
were awestruck," she said. "But we've also gone into other places where 
they were wide open."

As the former head of information security for Columbus, Ohio-based 
American Electric Power, Mike Assante has firsthand experience with 
SCADA security.

While he was at AEP, Assante said he never experienced an attack on his 
company's SCADA network. But that doesn't mean hackers weren't 
interested.

Almost daily, Assante said, the company noticed mysterious outside scans 
and probes of its computers. Often, he said, they could be traced to 
computers in Russia and China, two international hacker hotbeds.

"It was so [frequent] that I never really slept very well," said 
Assante, who now helps direct SCADA strategy at the Idaho National 
Laboratory.

The electricity industry's computers are considered among the most 
vulnerable of any SCADA networks. In part, that's because many electric 
grids operate on equipment that is decades old, pieced together from 
municipality to municipality and state to state.

Generally, the power grids were designed with reliability in mind. 
Cyber-security was an afterthought at best.

"With the technology in use today, totally avoiding touches with the 
outside world or with the wireless world is very difficult," said Billy 
Ball, senior vice president for transmission planning and operations for 
Southern Co., the giant Atlanta-based electricity company. At Southern, 
between 50 and 70 employees now work solely on SCADA security and 
implementing the forthcoming federal regulations.

135 incidents in 4 1/2 years

In a survey of utility industry officials last year by Trusted Network 
Technologies, about 20 percent of respondents said their SCADA systems 
had already been subjected to outside threats. About 30 percent said 
they expected a utility SCADA network would be attacked soon.

A more comprehensive study, managed by the British Columbia Institute of 
Technology, shows that major companies in the United States and four 
other nations have recorded about 135 SCADA security incidents over the 
past 4 1/2 years.

Byres of Wurldtech Research said the numbers could soon rise.

"We're seeing an interest in the black hat [hacker] community that we 
never, ever saw before," he said. "All of the sudden we have people with 
malicious intent learning and understanding what a SCADA system is."


