Information Security News mailing list archives

Power Grid Vulnerable to Hackers


From: InfoSec News <isn () c4i org>
Date: Tue, 14 Aug 2001 04:58:32 -0500 (CDT)

Forwarded by: Jonathan Rickman <jonathan () xcorps net>


The Code Red hype must be finally dying out. This article from the LA
Times made me wish we could go back to the first few days of Code Red.
At least then, the hype was based on something closer to reality...

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net



http://www.latimes.com/business/la-000065693aug13.story?coll=la%2Dheadlines%2Dbusiness

Power Grid Vulnerable to Hackers
By CHARLES PILLER
TIMES STAFF WRITER

August 13 2001

Computer hackers have stopped access to Yahoo and EBay, blocked orders
to Amazon.com, inflicted a plague of data-consuming viruses on
corporate America and defaced thousands of Web sites with graffiti,
including many sites operated by the U.S. Department of Defense.

And their next target may be the nation's energy utilities.

For two weeks last spring, hackers wormed their way inside a computer
system that plays a key role in moving electrical power where it is
needed around the state. The computers belong to the California
Independent Service Operator, an agency that oversees much of the
state's electricity transmission grid--including the massive complex
of power plants and transmission lines. Cal-ISO patched the flaw that
allowed hackers to roam through portions of its network before power
supplies were affected. But the episode sent shock waves throughout
the energy industry.

So far, no utility has blamed computer hackers for a power disruption.
But two trends may soon change that, experts say.

Deregulation of the energy industry has led to the formation of dozens
of online energy trading networks where buyers and sellers manage
real-time sales of electricity over the Internet. Experts believe that
such trading networks are less secure than computer networks
maintained by utility companies and if hacked into could disrupt power
transfers.

They also warn that increasing links between computers that control
the grid and those used for administration, Internet e-mail or Web
surfing make hacker-induced blackouts likely.

Riptech Inc., a security company in Alexandria, Va., has tested
security for dozens of energy-industry clients. In every case, the
firm penetrated Internet-connected corporate networks--and often
hopped from those networks into supposedly sealed grid-control
systems, according to Riptech's president, Amit Yoran.

Other security companies report similar experiences, suggesting there
has been scant progress since 1997, when Defense Department engineers
successfully hacked into control systems for the nation's electrical
grid in a security trial. Once inside a power-control network, hackers
could find diagrams of switches and power supplies that could enable
widespread sabotage.

"You can black out whole cities," said Anjan Bose, a power-grid expert
and dean of the College of Engineering and Architecture at Washington
State University. Other specialists said that hackers could cause
physical damage to generating plants or other energy-industry
facilities.

"I'm not sure that any [network] manager is totally confident. Those
hackers are sharp. If there's a way to get in, they usually try to
figure it," said Carl Lindau, director of computer information systems
for South Mississippi Electrical Power Assn., a small co-op in
Hattiesburg, Miss. "We all worry about it." Lindau said he monitors
his network constantly and plans to upgrade security software.

Security Shortfalls Left Door Open

Even major energy-industry companies have committed missteps that
amount to leaving out a virtual welcome mat. The computer network that
operates the Alaska oil pipeline was found by its own security experts
to be "in great jeopardy."

According to 1997 court documents, "a decent hacker--[could] get into
that system and actually burst or cause the pipeline to--to stop its
flow," said Alan Gibson, a consultant for the Alyeska Pipeline Service
Co., which runs the oil pipeline.

In a recent interview, Gibson said Alyeska allowed contractors direct
access to its internal computer networks, opening security holes that
could have led to environmental disaster.

Alyeska declined to comment on past conditions. But Erv Barnes, the
company's chief information officer, said improvements and rigorous
testing have made the pipeline nearly impervious to hacking.

In a separate case last year, an audit found that the electrical
transmission network at ISO New England, a group similar to
California's, permitted computer access passwords to be blank, with no
expiration date, leaving it open to anyone who got into the system.
And the system's lockout settings were disabled, opening the door to
virtually anyone who sat down at the computer, which was in an
unsecured area.

An ISO New England representative said the problems have been
corrected.

Utilities historically have maintained security of their power supply
by isolating and strictly controlling access to computers used to
monitor and manage power flow. But increasingly, administrative and
supervisory computers are linked for efficiency. Security officials
normally use computer firewalls to protect their grid-control systems,
but hackers have been able to defeat almost any firewall.

And supervisory computer systems used by utilities often are equipped
with dial-up modems so that engineers can monitor the grid remotely.
But modem access opens serious security holes, experts say.

At South Mississippi Electrical, the supervisory computer systems have
modem access and other features that experts view as an open
invitation to hackers. The utility's grid-management machines have
Internet connections and lack intrusion-detection software or
computers to serve as a buffer between their internal network and the
Internet.

But Lindau said some risk is the price of doing business.

"If you want to be able to do things today electronically, you have to
be connected" to the Internet. "It's a matter of putting in the
controls and educating your users," he said.

Some utilities--including those that might be considered bigger
targets--use greater caution. Pacific Gas & Electric Co. maintains a
completely separate supervisory network with no links to the Internet
or to the company's administrative computer systems, and no dial-up
access.

But South Mississippi Electrical is closer to the norm. Veridian Inc.,
another security firm based in Alexandria, Va., has tested the network
security of many large electric utilities and has penetrated all of
them.

"A determined hacker [who] really wants to get into most information
systems in America today will do so," said Michael Farmer, Veridian's
chief operating officer.

Another efficiency measure that also has reduced security at utilities
is the move to standardized software.

A decade ago, "the phones, the power grid, 911 and fire dispatch were
all separate systems," said Bruce Schneier, chief technical officer at
the San Jose-based monitoring firm Counterpane Internet Security. Such
systems were unique and arcane. "Sure, they were hackable, but they
were proprietary systems. You had to be smart to do it."

Today, power companies are migrating to easier-to-use software, such
as Microsoft's Windows NT operating system. That allows hackers to
more easily penetrate and operate inside them.

Once inside the control system, "you have access to open the switches
for the transmission lines" throughout a state or region, Washington
State University's Bose said. "You can open the switches for the big
generators. Even random switching without someone knowing the
consequences could be devastating."

Likelihood of Hacking Leads to Usual Suspects

Experts are divided on which individuals or groups might be targeting
the grid. But they agree that the recent emergence of hundreds of new
energy firms and online power traders could create new incentives for
hacking because of industrial espionage.

"The whole deregulation environment has made the electric power system
look a lot like the Internet--lots of small players that may have
adversarial relationships," said Howard Lipson, an expert with the
CERT Coordination Center, a computer emergency response team at
Carnegie Mellon University.

The federal government has long considered electric utilities a prime
target for foreign enemies' information-warfare efforts. But the
apparent lack of success suggests an imbalance between motivation and
expertise among likely perpetrators.

"Most sophisticated foreign governments are unlikely to want to run
the risk of shutting down someone's electrical grid," for fear of
retaliation, Veridian's Farmer said. "Terrorist groups that might want
to do that have a lot less [hacking] sophistication."

That's one reason many experts see the primary threat to the power
system as the same forces that have haunted cyberspace for years:
disgruntled employees, corporate spies and teens testing their limits.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

