Attacks on power systems: Hackers, malware

In this fourth article in a series focusing on the need for improved information assurance and cyber situational awareness in the electric power industry, we look at incidents involving the electric power industry and criminal hackers and malware.

Criminal Hackers and Malware vs Power Systems

Criminal hackers take advantage of both technical vulnerabilities[1] and human failings[2] to penetrate insecure systems.

1998 12-Year-Old Hacker Penetrates Arizona’s Roosevelt Dam: FALSE

There are many references in published articles to a story summarized as follows in a review of cyberterrorism by John Borland and Lisa Bowman published in 2002 by ZDNet UK:[3]

In 1998, a 12-year-old hacker broke into the computer system that controlled the floodgates of the Theodore Roosevelt Dam in Arizona, according to a June [2002] Washington Post report. If the gates had been opened, the article added, walls of water could have flooded the cities of Tempe and Mesa, whose populations total nearly one million.

The authors continue: There was just one problem with the account: it wasn't true.

A hacker did break into the computers of an Arizona water facility, the Salt River Project in the Phoenix area. But he was 27, not 12, and the incident occurred in 1994, not 1998. And while clearly trespassing in critical areas, the hacker never could have had control of any dams – leading investigators to conclude that no lives or property were ever threatened.

"It's like the children's game of 'telephone,'" said Gail Thackery, assistant attorney general for Arizona and the prosecutor on the Salt River hacking case. "You get the reality at one end and, at the other end, something completely different."

2000 Hacker Shocks Electric Company

On Dec. 29, 2008 at 21:09, someone hacked into the Ozarks Electric Cooperative Corporation's telephone-based outage-reporting system and altered the voice greeting to say that "All of Ozarks Electric's employees have gone home. Call someone who cares."

Law enforcement officials were working with Ozarks Electric and AT&T investigators to uncover the criminal hacker. A newspaper report stated that "Ozarks Electric is beefing up its computer security as a result of the incident. Johnson said new measures would likely include a two-tiered password system that's already in the works by automated answering system vendor DataVoice International Inc. of Dallas."[4]

2003 Slammer Worm Crashes Ohio Nuclear Plant Network

In January 2003, wrote Kevin Poulson in SecurityFocus, "The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall…."[5]

The FirstEnergy Corporation[6] operates the Davis-Besse Nuclear Power Station in Oak Harbor, Ohio near Toledo.[7] According to several published reports cited in Poulson's article, the sequence of events was as follows (summarizing and placing in point-form list):

• Slammer worm[8] infected computers at one of Davis-Besse's contractors.

• Code travelled through T1 bridge between infected network and Davis Besse's corporate network. Poulson added, "The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread."

• Some of the system administrators at FirstEnergy were aware of the T1 backdoor network.

• At 09:00 on Saturday 25 Jan. 2003, business users noticed their network bogging down.

• Worm spread from the business network to the SCADA systems controlling the nuclear power plant and infected "at least one unpatched Windows server. According to the reports, plant computer engineers hadn't installed the patch for the MS-SQL vulnerability that Slammer exploited. In fact, they didn't know there was a patch, which Microsoft released six months before Slammer struck."

• By 16:00, plant workers reported network congestion.

• At 16:50, the Safety Parameter Display System (SPDS) – the plant's HMI – crashed. This system "monitors the most crucial safety indicators at a plant, like coolant systems, core temperature sensors, and external radiation sensors."

• At 17:13, the Plant Process Computer (PPC) crashed. "The unavailability of the SPDS and the PPC was burdensome on the operators," according to a report to the Nuclear Regulatory Commission quoted by Poulson.

• SPDS recovery took 4:50 (h:m) and PPC recovery took 6:09.

The North American Electric Reliability Council (NERC) issued a three page analysis of the incident in June 2003.[9] The key paragraphs are as follows:

The essence of the SQL worm incident:

The SQL worm incident was so impacting due to inadequate security patch installs on SQL servers; the patch was released six months earlier in July 2002. The resulting consequence was high traffic volumes on LANs, WANs, Internet, and inter-dependent frame relay. The traffic consumed bandwidth and resulted in loss of data packets in some applications that were sensitive to time-out.

The Electricity Sector cases had two distinct causes:

• Case-1: A server on the control center LAN running SQL was not patched. The worm did not reach the server via the organization's connection to the Internet. It did apparently migrate through the corporate networks until it finally reached the critical SCADA network via a remote computer through a VPN connection. The worm propagated, blocking SCADA traffic.

• Case-2: The control network uses frame relay. The telecommunications frame relay provider utilizes Asynchronous Transfer Mode through the telecommunications network backbone for a variety of services. The ATM bandwidth became overwhelmed by the worm, blocking SCADA traffic.

One of the significant recommendations for improvement was as follows: "Install, maintain, and monitor intrusion detection processes. At a minimum, intrusion detection sensors should be installed inside the critical system networks."

2006 National Nuclear Security Administration Computers Hacked; Info on 1,500 Taken

In September 2005, someone broke into the National Nuclear Security Administration (NNSA) of the U.S. Department of Energy's (DOE) in Albuquerque, N.M. The criminal apparently stole personally-identifiable information about 1,500 contractors and employees that had been compiled during their security clearances; data included name, date of birth, Social Security number, work location, and security level. Officials admitted that the incident was noticed at the time but that no one reported it to higher levels until June 2006.[10]

2010 Stuxnet Worm Attacks SCADA Vulnerabilities

In July 2010, reports surfaced of a zero-day threat to SCADA systems using Siemens AG's Simatic WinCC and PCS 7 software. Analysts found that the Stuxnet worm was designed for industrial espionage; however, the same techniques could have been used for sabotage. Experts expressed concern that the worm was signed using valid digital certificates from Taiwanese companies and that the complex code implied considerable knowledge of the SCADA software.[11]

In the next articles in this series we'll look at government and industry consensus about the need for increased security of SCADA systems in the power industry.

Endnoteshome page[7] Energy Information Administration 2009

[1] Cobb, Cobb and Kabay 2009

[2] Raman, et al. 2009

[3] Borland and Bowman, Cyberterrorism: The real risks 2002

[4] Arkansas Business 2001

[5] Poulson 2003

[6] FirstEnergy Corp.

[8] CERT-CC 2003

[9] North American Electric Reliability Council 2003

[10] Washkuch 2006

[11] Vijayan 2010

BibliographyHacker Shocks Electric Company." Entrepreneur. Jan 8, 2001. (accessed Nov 3, 2009).Cyberterrorism: The real risks." ZDNet UK Online Business Toolkit. Aug 27, 2002.  (accessed Nov 27, 2009).CERT® Advisory CA-2003-04 MS-SQL Server Worm." Computer Security Incident Response Team Coordination Center, Carnegie Mellon University Software Engineering Institute. Jan 27, 2003. (accessed Nov 27, 2009).Davis-Besse Nuclear Generating Station, Ohio." EIA -- US Department of Energy. Sep 10, 2009.  (accessed Nov 27, 2009).SQL Slammer Worm Lessons Learned for Consideration by the Electricity Sector." NERC Library of CIP Documents. Jun 20, 2003.  (accessed Nov 27, 2009)."Slammer worm crashed Ohio nuke plant network." SecurityFocus. Aug 19, 2003.  (accessed Nov 27, 2009).Stuxnet renews power grid security concerns. 07 26, 2010. (accessed 09 01, 2010).Hackers break into Energy Department's nuclear weapons wing." SC Magazine. Jun 13, 2006. (accessed Oct 24, 2009).

• Arkansas Business. "

• Borland, John, and Lisa Bowman. "

• CERT-CC. "

• Cobb, Chey, Stephen Cobb, and M. E. Kabay. Penetrating Computer Systems and Networks. Vol. 1, chap. 15 in Computer Security Handbook, edited by Seymour Bosworth, M. E. Kabay and Eric Whyne, 2035. Hoboken, NJ: Wiley, 2009.

• Energy Information Administration. "

• North American Electric Reliability Council. "

• Poulson, Kevin.

• Raman, Karthik, Susan Baumes, Kevin Beets, and Carl Ness. Social Engineeering and Low-Tech Attacks. Vol. 1, chap. 19 in Computer Security Handbook, edited by Seymour Bosworth, M. E. Kabay and Eric Whyne, 2035. Hoboken, NJ: Wiley, 2009.

• Vijayan, Jaikumar.

• Washkuch, Jr, Frank. "

Learn more about this topic

Cyber situational awareness for the electric power industry

Electric power industry as critical infrastructure

Attacks on power systems: Data leakage, espionage, insider threats, sabotage

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10