Information Security News mailing list archives

Weak links in U.S. grid


From: InfoSec News <isn () c4i org>
Date: Tue, 28 Oct 2003 04:18:40 -0600 (CST)

http://www.ohio.com/mld/beaconjournal/7100991.htm

By Ed Meyer
Beacon Journal staff writer
Oct. 25, 2003

Electrical engineers in the high-mountain desert region of
southeastern Idaho have spent the last six months testing the
vulnerability of the computer system that controls the nation's vast
electrical grid.

The concern among some at this 890-square-mile facility, the size of
Rhode Island, is that the system has serious flaws that leave it open
to cyber terrorists.

Utilities use the system, known within the industry as SCADA, to
monitor hundreds of miles of high-voltage wires and to operate other
unmanned equipment by remote control.

SCADA is standard in the industry. Many countries, including those
that harbor terrorists, use it.

The same system malfunctioned at Akron-based FirstEnergy Corp.'s
control center during the Aug. 14 blackout that cascaded through eight
states and two Canadian provinces.

Company officials say they are close to determining the cause of the
malfunction, but they declined to provide details. One official with
the Akron utility said that in his experience, the system, Supervisory
Control and Data Acquisition, has never succumbed to cyber attack.

Although the role the SCADA malfunction played in the
blackout remains unclear, any recommendations by the U.S.-Canadian
task force investigating the events of that day must address the
security issues, experts say.

As far back as May 1998, the North American Electric Reliability
Council, the organization that monitors the nation's electric
utilities, identified security concerns with SCADA and established a
program for reporting intrusions.

NERC files show that the threat of a cyber attack on SCADA ``goes to
the very heart of our... national security and economic well-being.''


Potential damage

Joseph Weiss, an engineer with KEMA Consulting in Cupertino, Calif.,
and a leading expert in control system security, said in a recent
interview that it is difficult to quantify the potential damage of
such an attack, but the complications could be far more extensive than
those involved Aug. 14 during the largest blackout in U.S. history.

A SCADA attack could cause major transmission equipment to be down and
out ``anywhere from two hours to two months,'' Weiss said.

Damage could be incalculable, he said.

Major, heavy equipment could cost tens of millions to replace, and
Weiss said ``that may not include having to rebuild a roadway or a
bridge to handle 20 tons, because we've got this stuff out in the
middle of nowhere. And it was put there 20 years ago where we may not
have a railroad spur anymore.''

Richard A. Clarke, former special adviser to President Bush for
Cyberspace Security, warned the U.S. Senate of the dangers more than a
year ago. In testimony on Feb. 13, 2002, he said information on
computerized water systems, many of which also use SCADA, was found in
terrorist camps in Afghanistan.

Following up on his remarks in a speech the next day, Clarke said
terrorist attacks are not the only worry.

``There is a threat spectrum,'' he said, ``that ranges from the
14-year-old hacker joy-riding on the Internet, through the criminal
engaged in fraud and extortion... through companies engaged in
corporate espionage, to nation states engaged in espionage.''

Weiss said from his home in the San Francisco Bay area that SCADA's
original design is a principal problem.

Utilities wanted a control system that continually monitors electrical
equipment and, in the event of emergency power overloads,
automatically shuts off relay switches in milliseconds before serious
damage occurs to the big equipment.

Security was not the highest priority, he said.

A relatively small number of computer vendors devised the system,
using training procedures that are virtually the same in the United
States as in countries suspected of harboring terrorists, he said.

It was designed for ``economic reasons,'' he said, and for the simple
proposition that it will ``keep the lights on and the electricity
running 24 hours a day.''

``That is where the entire industry was, and still is, to a large
extent,'' Weiss said.


`Something bad'

The additional demands of sophisticated security software, he said,
slow the system markedly.

``Unlike your desktop, where you simply get upset when the system
slows down, if the system slows down in a control system, it shuts
down or something bad happens,'' Weiss said.

Lynn Costantini, a NERC official, said the system was deployed ``with
little or no thought given to security... for a lot of different
reasons.''

Foremost, she said, was that cyber attacks by anti-U.S. terrorists
were not in the nation's psyche in the mid-1990s.

Now that those concerns are very real, she said, SCADA vendors have
developed security measures.

But significant security lapses persist, she said.

A continuous link to the system vendor's technical Web site, done
through computer modem for maintenance purposes and other glitches,
leaves SCADA's front door ``wide open,'' Costantini said.

To close the front door, she said, companies must limit remote access
to the Web site, using it only in dire circumstances.

Many system operators, she said, also are not vigilant in updating
their training or in changing passwords.

Gary Seifert, an electrical engineer for the Idaho National
Engineering and Environmental Laboratory, said the desert project,
called National SCADA Test Bed, was in the planning stages long before
Aug. 14.

The U.S. Department of Energy project was conceived about 13 months
ago, with Seifert, who has 25 years of experience in the field, as its
program manager.

Officials with the Energy Department, which has responsibility for the
security of the electrical grid, did not return phone calls for
comment on the project.

Officials at the laboratory's headquarters in the Snake River Plain in
Idaho Falls said the Test Bed is a high-tech model of much of our
nation's critical infrastructure, with its own electrical grid. Part
of the site is secure.

The Test Bed has SCADA systems that are expendable as engineers
challenge its inner workings to gain a better understanding of how
much damage could occur if it is destroyed, Seifert said.

The project had a relatively small budget of about $1 million for the
last fiscal year, but Seifert said it recently received DOE approval
for additional funding.


Threat taken seriously

Although there has been no direct evidence of a terrorist attack on
the various systems in use on Aug. 14, according to congressional
testimony, Seifert said the threat must be ``taken seriously.''

He declined to discuss what has been learned thus far because that
could lead to ``increased susceptibility.''

FirstEnergy, which said two days after the blackout that its SCADA
computer system malfunctioned, has contracted with General Electric
and KEMA to investigate the problem.

Ali Jamshidi, a FirstEnergy vice president and chief information
officer in the company's computer division, said the investigation's
findings are expected soon but will not be publicly released. The
GE/KEMA report will be sent directly to the Energy Department to be
included in the task force investigation, he said.

In the meantime, Jamshidi challenged the assertions that SCADA has
gaping security holes, saying he ``does not recall a single security
breach on our SCADA system.''

Weiss, who depicted himself as ``a fish swimming upstream'' on the
issue, said it is often difficult for officials to see a breach of
SCADA.

Although SCADA is superb for monitoring voltage, frequency and
potential overloads, he said, the system does not have, in most cases,
an effective firewall for detecting cyber attacks on power substations
and the like.

``All that stuff is in your business office area,'' Weiss said. ``If
they try to hack into a plant, they could do it. You just wouldn't
know they did it.''

Several years ago in Australia, for example, Weiss said an operator
who worked for a SCADA company was fired. He then tried and failed to
get a similar job with a water company.

Angered, the worker built a homemade radio transmitter, Weiss said.  
Knowing how SCADA worked, he got into the system and opened a sewage
valve, dumping hundreds of gallons of waste onto the grounds of a
Hyatt Regency hotel.

``You know when they caught him? The 46th time he did it,'' Weiss
said.

In his estimation, SCADA vulnerabilities in this country could lead to
``a cyber version of Pearl Harbor.''


Ed Meyer can be reached at 330-996-3784 or emeyer () thebeaconjournal com
 


-
ISN is currently hosted by Attrition.org
