Information Security News mailing list archives

Lights Out


From: InfoSec News <isn () C4I ORG>
Date: Sat, 27 May 2000 15:51:53 -0500

http://www.securityfocus.com/templates/article.html?id=41

A year in the making, NIPC's Michael Vatis unveils a plan to monitor
cyber attacks on the power grid. Is it enough to prevent a blackout?

By Kevin Poulsen
May 25, 2000 11:36 PM PT

The FBI's National Infrastructure Protection Center (NIPC) will be the
hub of a nationwide alert network designed to react quickly against
cyber attacks targeting the computerized controls of the North
American power grid, in a pilot program announced by NIPC chief
Michael Vatis to a Senate committee Thursday.

Vatis unveiled the "Electrical Power Indications and Warning System"
in his written testimony to the full Senate Judiciary committee as it
conducted a hearing on cybercrime. "Under the pilot program, electric
utility companies and other power entities transmit cyber incident
reports to the NIPC," Vatis testified. "These reports are analyzed and
assessed to determine whether an NIPC warning, alert, or advisory is
warranted to the electric utility community."

The FBI established the program in concert with the North American
Electrical Reliability Council (NERC), a not-for-profit industry group
that umbrellas electric utilities in the U.S. and Canada. "We've been
working with NIPC over the past year, maybe a little longer, to
develop the program," said Eugene F. Gorzelnik, NERC's communications
director. Gorzelnik said the program is being tested by one of the
nine regional councils that make up NERC, but declined to say which
one. "They've been working through some of the bugs, and we've had
several utilities around the country volunteer to participate as
well," Gorzelnik said.

NERC formed in the wake of the catastrophic November 9, 1965 blackout
that knocked out power to 30 million people in the Northeastern United
States and Ontario, Canada for as long as thirteen hours. Runway
landing lights went dark, people were trapped in elevators, traffic
snarled at busy intersections that were suddenly left without signals.
Decades before buzzwords like "critical infrastructure" and
"cyberterrorism" would enter the vernacular, President Lyndon Johnson
viewed the blackout as a national security matter and set the FBI and
the Pentagon to investigate. Utility engineers eventually traced the
genesis of the cascading outage to the failure of a single relay in a
transmission line.

Today, the "Great Northeast Blackout" influences the most popular
cyberterror fears. The inevitable hacker-induced blackout goes with
the hacker-induced 911 outage as a central doctrine for executive,
congressional and industry believers who say that cyberterrorism is a
serious and immediate threat to the Western World. National Security
Council Terrorism Coordinator Richard Clarke put it this way to the
New York Times: "You black out a city, people die. Black out lots of
cities, lots of people die. It's as bad as being attacked by bombs."

Actual incidents of computer-based attacks against the power grid are
hard to find. While the past two decades have seen no shortage of
attacks on critical infrastructures -- including a hacker taking over
an HBO broadcast through a communications satellite, a group
trespassing into the computers controlling a Time Warner cable system,
and intruders of all types routinely gaining influence over huge
swaths of the telephone network -- tales of intrusions into electric
utilities remain apocryphal. An October Wall Street Journal report on
the 1995 Dallas "Phone Masters" case included a casual paragraph-eight
disclosure that the three hackers involved "had access to portions of
the national power grid," but no such charges were filed against the
defendants, who admitted to cracking telephone company computers, and
the prosecutor on the case denies it. "I don't remember any example of
them accessing the power grid," said former Assistant U.S. Attorney
Matt Yarbrough, now with a Dallas law firm.

The electric industry is closed mouthed on the question. "When it
comes to saying something specific about whether anything has happened
on the electric system, I don't answer," said Gorzelnik. Asked to what
degree the power grid is vulnerable to such an assault, Gorzelnik
said, "I just won't answer that question. It's not something that we
want to talk about in the press. It doesn't serve any useful purpose."

But a detailed 1997 report by the White House's National Security
Telecommunications Advisory Committee paints a sobering picture.

Open Modems

The committee's Electric Power Risk Assessment was
conducted at the request of President Clinton, and involved six months
of investigation and interviews with workers at eight utilities and
three industry groups, including NERC. While the report concluded that
physical destruction of electric facilities was a far greater threat
than online attacks, it also described a power grid controlled by
Byzantine systems riddled with basic security holes.

Networks controlling critical portions of the grid were accessible
through corporate LANs, the report said. Digital circuit breakers
could be remotely tripped by anyone with the right phone number. Fixed
passwords for remote vendor access went unchanged for years. Of
particular concern to the committee was the widespread use of
unsecured supervisory control and data acquisition (SCADA) systems.
The SCADA systems consist of central hosts that can monitor and
control smaller Remote Terminal Units (RTUs) sprinkled throughout the
grid, which in turn control power flow at any given point. Many RTUs
in electrical substations were accessible through telephone dial-ups,
some of which were protected only with dial-back systems -- modems
that call a user back at a pre-programmed number before granting
access -- while others lacked even that weak security mechanism and
were accessible to anyone who found the telephone number. "An intruder
could dial into this port and issue commands to the substation
equipment," the report notes.

"Open sources, including... electric industry publications, regional
maps, and the Internet would provide enough information to identify
the most heavily loaded transmission lines and most critical
substations in the power grid," reads the report. "Relatively simple
hacking techniques could then be used to locate dial-in ports to these
points and modify settings to trigger an outage."

Overall, the report found that utility workers "believed that
firewalls and dial-back modems were sufficient to protect their
systems from intruders, and they were surprised to learn about the
experiences of the telecommunications industry with hackers defeating
these measures."

An engineer with a company that manufactures SCADA systems in use at
major electric utilities, speaking on condition that neither he nor
his company be identified, said that in recent years the government
has spurred electric utilities to increased security. But his
company's SCADA products still include dial-up support, and the
security features are identical to the ones criticized as weak in the
1997 report. "You can have the remote unit call back to verify that
the number is correct," he said. "There are security checks in many
areas across the system, via protocols, via passwords... So I'd say
it's safe. At least, it's not completely open."

"Everything you see in computer security is being applied here. There
are utilities that deem it necessary and are applying it. Is every
utility applying it? No. But at least [the government] is pushing to
see that utilities do it," he said.

NERC's Gorzelnik wouldn't comment on whether the power grid is any
more secure now than in 1997. The Electrical Power Indications and
Warning System does nothing to prevent attacks, but rather provides a
channel for electric utilities to report attacks they detect directly
to NIPC. "With the information NIPC receives, they'll be able to see
if there's any kind of trend developing, to see if there's a more
serious problem," said Gorzelnik. "They wouldn't just be looking at
the power sector, but also banking, telecommunications and other
infrastructure sectors" for signs of a coordinated attack, Gorzelnik
said.

The program will go nationwide this fall, and in Thursday's testimony
Vatis promised the Senate that it will be a model for similar programs
to monitor intrusions into other critical infrastructures. "We are
currently working with industry on an Indications and Warning model for
the telecommunications sector."

Tips, feedback, flames? Email news () securityfocus com

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".