Information Security News mailing list archives

Electrical Grid Vulnerable to Hackers


From: InfoSec News <isn () c4i org>
Date: Fri, 12 Sep 2003 02:16:07 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.washingtonpost.com/wp-dyn/articles/A60600-2003Sep11.html

By Jim Krane
AP Technology Writer
September 11, 2003

NEW YORK -- Since last month's Northeast Blackout, utilities have
accelerated plans to automate the electric grid, replacing aging
monitoring systems with digital switches and other high-tech gear.

But those very improvements are making the electricity supply
vulnerable to a different kind of peril: computer viruses and hackers
who could black out substations, cities or entire states.

Researchers working for the U.S., Canadian and British governments
have already sniffed out "back doors" in the digital relays and
control room technology that increasingly direct electricity flow in
North America.

With a few focused keystrokes, they say, they could shut the computer
gear down - or change settings in ways that might trigger cascading
blackouts.

"I know enough about where the holes are," said Eric Byres, a 
cybersecurity researcher for critical infrastructure at the British 
Columbia Institute of Technology in Vancouver. "My team and I could 
shut down the grid. Not the whole North American grid, but a state, 
sure."

Security experts have warned about the grid's growing vulnerabilities 
before, especially after U.S. National Security Agency hackers showed 
they could break into grid control networks in 1998.

Byres and other researchers say the holes exploited then have gone 
unpatched. With an expected spate of post-blackout upgrades, the 
computer-heavy grid will be even more vulnerable to terrorists and 
hackers, they say.

Computer viruses are another new worry.

The "Blaster" worm that flummoxed an estimated half-million computers 
around the world last month might have exacerbated utilities' problems 
during the August blackout, bringing down - or perhaps blocking 
communications - on computers used to monitor the grid, said Joe 
Weiss, a utility control system expert.

"It didn't cause what happened but it could've exacerbated what 
happened," said Weiss, with Kema Consulting in Cupertino, Calif. The
blackout followed the Aug. 11 Blaster outbreak by just three days.

The Ohio utility that is the chief focus of the blackout 
investigation, FirstEnergy Corp., is investigating whether the Blaster 
worm might have caused computer trouble that was described on 
telephone transcripts as hampering its response to multiple power line 
failures.

"We haven't detected a worm or a virus but we're not ruling anything 
out," said FirstEnergy spokesman Ralph DiNicola. The bi-national task 
force investigating the country's biggest blackout is also looking 
into the issue, said U.S. Energy Department spokesman Joe Davis.

In January, the "Slammer" Internet worm took down monitoring computers 
at FirstEnergy's idled Davis-Besse nuclear plant. A subsequent report 
by the North American Electric Reliability Council said the infection 
blocked commands that operated other power utilities, although it 
caused no outages.

In the past, the grid's old electromechanical switches and analog 
technology made it more or less impervious to computer maladies, Weiss 
said.

But now, switches and monitoring gear can be upgraded and programmed 
remotely with software — and that requires a vulnerable connection to 
a computer network. If that network runs on Microsoft Corp. operating 
systems - which virus-writers favor - or connects to the Internet, the 
vulnerabilities are sharpened, say experts who test such gear for the 
U.S. Department of Energy's Office of Energy Assurance and the 
Department of Homeland Security.

In one test, Byres found that a tiny piece of corrupted data could 
crash a crucial computerized control device that is installed in most 
grid substations.

Byres said he contacted the well-known manufacturer - whom he declined 
to name for security reasons - and urged that the weakness be fixed 
before hackers found it.

"I've been trying to get these guys to patch and they won't patch it," 
he said. "I've been on their case for over six months."

Other researchers have figured out how to hack into the device, known 
as a remote terminal unit, and command it to trip and reset a breaker.

That would incapacitate a substation, the electricity distribution 
points for towns and neighborhoods where high-voltage electricity is 
transformed for local use.

One feared hacking scenario involves changing the settings on 
substations' programmable circuit breakers. A hacker could lower 
settings from, say, 500 amperes to 200 on some breakers, while raising
others to 900, said Gary Seifert, a researcher with the Energy 
Department's Idaho National Engineering and Environmental Laboratory.

Normal power usage could trip the 200 amp breakers and take those 
lines out of service, diverting power and overloading neighboring 
lines.

With their breakers set at 900 amps - too high to trip - the overloads 
would cause transformers and other critical equipment to melt down, 
requiring major repairs that would prolong a blackout, Byres said.

"We have a plethora of intelligent electrical devices going into 
substations and power stations all over the United States," Seifert 
said. "What's to keep somebody from accessing those devices and 
changing the settings?"

Some of the most technically advanced relays, made by companies like 
Schweitzer Engineering, General Electric and Siemens, can be 
programmed over a telephone modem connection after typing a simple 
eight-digit password, Seifert said.

"Hackers have very little trouble cracking an eight-digit password," 
he said, and finding substation phone lines that connect to these 
relays can be done with so-called "war dialers," simple PC programs 
that dial consecutive phone numbers looking for modems.

Seifert said he and other researchers are asking manufacturers to take 
countermeasures, including programming their control devices to accept 
calls only from certain phone numbers, or simply disconnecting idle 
modems.

Like anyone dependent on networked computers for crucial operations, 
grid operators will be vulnerable to hackers, said Seifert.

"We're still going to have back doors no matter how hard we try," he 
said. "You can't keep them out but you hope to slow them down." 



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*


