[ISN] US Video Shows Hacker Hit on Power Grid

From: InfoSec News (alerts@private)
Date: Wed Sep 26 2007 - 23:04:27 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2007/09/26/AR2007092602170.html

By Ted Bridis and Eileen Sullivan
The Associated Press
September 27, 2007

WASHINGTON -- A government video shows the potential destruction caused 
by hackers seizing control of a crucial part of the U.S. electrical 
grid: an industrial turbine spinning wildly out of control until it 
becomes a smoking hulk and power shuts down.

The video, produced for the Homeland Security Department and obtained by 
The Associated Press on Wednesday, was marked "Official Use Only." It 
shows commands quietly triggered by simulated hackers having such a 
violent reaction that the enormous turbine shudders as pieces fly apart 
and it belches black-and-white smoke.

The video was produced for top U.S. policy makers by the Idaho National 
Laboratory, which has studied the little-understood risks to the 
specialized electronic equipment that operates power, water and chemical 
plants. Vice President Dick Cheney is among those who have watched the 
video, said one U.S. official, speaking on condition of anonymity 
because this official was not authorized to publicly discuss such 
high-level briefings.

"They've taken a theoretical attack and they've shown in a very 
demonstrable way the impact you can have using cyber means and cyber 
techniques against this type of infrastructure," said Amit Yoran, former 
U.S. cybersecurity chief for the Bush administration. Yoran is chief 
executive for NetWitness Corp., which sells sophisticated network 
monitoring software.

"It's so graphic," Yoran said. "Talking about bits and bytes doesn't 
have the same impact as seeing something catch fire."

The electrical attack never actually happened. The recorded 
demonstration, called the "Aurora Generator Test," was conducted in 
March by government researchers investigating a dangerous vulnerability 
in computers at U.S. utility companies known as supervisory control and 
data acquisition systems. The programming flaw was quietly fixed, and 
equipment-makers urged utilities to take protective measures.

There was no evidence any U.S. utility company suffered damage from 
hackers or terrorists using this technique, U.S. officials said. But 
these officials cautioned that affected systems are not routinely 
monitored as closely as many modern corporate computer networks, so 
there would be little forensic evidence to study after such a break-in.

Industry experts cautioned that intruders would need specialized 
knowledge to carry out such attacks, including the ability to turn off 
warning systems.

"The video is not a realistic representation of how the power system 
would operate," said Stan Johnson, a manager at the North American 
Electric Reliability Corp., the Princeton, N.J.-based organization 
charged with overseeing the power grid.

A top Homeland Security Department official, Robert Jamison, said 
companies are working to limit such attacks.

"Is this something we should be concerned about? Yes," said Jamison, who 
oversees the department's cybersecurity division. "But we've taken a lot 
of risk off the table."

President Bush's top telecommunications advisers concluded years ago 
that an organization such as a foreign intelligence service or a 
well-funded terror group "could conduct a structured attack on the 
electric power grid electronically, with a high degree of anonymity, and 
without having to set foot in the target nation." Ominously, the Idaho 
National Laboratory, which produced the new video, has described the 
risk as "the invisible threat."

Experts said the affected systems were not developed with security in 
mind.

"What keeps your lights on are some very, very old technology," said Joe 
Weiss, a security expert who has testified before Congress about such 
threats. "If you can get access to these systems, you can conceptually 
cause them to do whatever it is you want them to do."

The Homeland Security Department has been working with industries, 
especially electrical and nuclear companies, to enhance security 
measures. The electric industry is still working on its internal 
assessments and plans, but the nuclear sector has implemented its 
security measures at all its plants, the government said.

In July the Federal Energy Regulatory Commission proposed a set of 
standards to help protect the country's bulk electric power supply 
system from cyber attacks. These standards would require certain users, 
owners and operators of power grids to establish plans and controls.

© 2007 The Associated Press





