In this sixth article in a series focusing on the need for improved information assurance and cyber situational awareness in the electric power industry, we continue a survey of government and industry consensus about the need for increased security of SCADA systems in the power industry.
2002 Cyberterrorism: The Real Risks
In their analysis of cyberterrorism published in August 2002, John Borland and Lisa Bowman make valuable points about SCADA security that counter the sometimes heated rhetoric about catastrophic consequences of cyberattacks[1]
• Cyberattacks on critical infrastructures would likely disrupt data flows and operations but would not easily threaten human life.
• Government-sponsored penetration tests of critical infrastructure control systems have sometimes taken extensive research, not the quick attacks pictured in the popular press.
• Successful attacks on the power grid might not result in total catastrophe: "Even in a successful attack on a metropolitan power grid, many critical systems – such as hospitals and prison operations – would continue running because they have independent generators. In addition, utilities and infrastructure operators have elaborate backup measures to protect the public even if a system is breached."[2]
Nonetheless, the authors admit, "Cascading failures could cause widespread social disruption: "SCADA systems could be attacked by overloading a system that, upon failure, causes other operations to malfunction as well, said John Dubiel, a Gartner consultant who worked on the electrical power attack in last month's [i.e., July 2002] war games. Such domino effects have been seen in incidents resulting from natural events."
2003 Don't Underestimate Cyberterrorists, Experts Warn
A February 2003 report in PC World summarized growing concern among information assurance experts about deliberate attacks on critical infrastructure launched by politically-motivated hackers.[2] A summary posted in the Daily Open Source Infrastructure Report[3] of the Department of Homeland Security (DHS) for Feb. 11, 2003 was as follows:
The Internet is becoming a new battleground for warfare, according to experts concerned about the potential of a cyberattack to cripple the public infrastructure. The recent Slammer worm, which blocked Internet traffic and crippled some corporate networks for most of a weekend, is just a watered-down version of a cybercrisis that could disrupt everything from banks to water supplies, critics say. In the Mideast conflict, pro-Palestinian hackers have successfully taken down Web sites of the Israeli Parliament, the Israeli Defense Force, the Foreign Ministry, the Bank of Israel, the Tel Aviv Stock Exchange, and others, according to a report by Dartmouth College's Institute for Security Technology Studies.
Dartmouth's study charts how political cyberattacks often precede physical attacks. Cyberattacks after U.S.-led military action are "extremely likely" and could possibly be catastrophic, according to the report. Information systems — like electrical infrastructures, water resources, and oil and gas — should be considered likely targets, it warns. While cyberattacks can take a variety of forms and may originate from terrorist groups or targeted nation states, they are more likely to be launched by sympathizers or thrill-seekers, according to the institute's report.
2003 Cyber War! PBS FRONTLINE Report
The Public Broadcasting System FRONTLINE television program for April 24, 2003[4] featured a number of security luminaries. One of the particularly interesting passages was a comment from Michael Skroch[5], Manager, Interactive Systems Simulation & Analysis, Sandia National Laboratories of the US Department of Energy and a former manager of the Information Operations Red Team & Assessments at Sandia National Laboratories of the Department of Energy:
When we go after an electrical power system, electrical power provider for the critical infrastructures, we always penetrate that system. During an attack on a SCADA system, an operator will see what the adversary wants them to see…. So an operator may see a false indication of the condition of their infrastructure. They may be fooled into taking actions that are unwarranted, so that they themselves damage the infrastructure, not the attacker.
What the attacker did was implement an attack script that befuddled the display of the controller, so that when they move one control on a generator, it affects a second. This will confuse the operator and perhaps cause an effect on the infrastructure that's damaging.
At the solar facility, when we attacked the IT infrastructure, what we did was, we hacked into the system using a common technique. Once we were into the system, we were able to access any of the command and control functions that the operator would be able to use. In this case, we simply executed a script that moved four of the mirrors and danced them around on the solar facility.
The Red Team could have gained access to the system, written a more specific script to have a specific effect on the mirrors, such as moving them to the wrong location or causing damage to the solar facility.
Noted information warfare expert John Arquilla[6], professor and director of the Information Operations Center in the Graduate School of Operational and Information Sciences of the Naval Postgraduate School, contributed this perspective to a segment discussing whether terrorists would be likely to use cyber attacks (as opposed to physical violence) against their targets:
If I were establishing a terror organization today, I would be more interested in doing costly disruption by cyberspace-based means. If I did physical destruction, I would know that I would have to deal with a bunch of angry Americans who would track me to the ends of the Earth. On the other hand, if I could engage in acts that would cause hundreds of billions of dollars worth of costly economic damage, and I could do it relatively secretly, why wouldn't I pursue that aim? And why wouldn't that make me a great hero to the constituency I was serving, my people, those who believe as I would? So if I were a terrorist, I would be thinking these days about mass disruption rather than mass destruction.
Steven Iatrou[7], Senior Lecturer, Department of Information Science, Graduate School of Operational and Information Sciences, Naval Postgraduate School added, "SCADA is everything. It's the heart and soul of the systems. If you can get into that, then you have control or you disrupt their control. Or if you can even get them to think you're in there, then you can lower their confidence in their ability to manage their systems."
* * *
More comments on SCADA and power-industry security from industry experts next time.
* * *
EndnotesDHS does not archive its reports longer than 10 days.LinkedInCVCV
[1] This paper uses the form cyberattack(s) but leaves all original uses of cyber attack(s) as found in any quoted materials.
[2] Costello-Dougherty 2003
[3] The
[4] Kirk, Cyber War! Streaming video 2003; Kirk, Cyber War! Script 2003
[5]
[6]
[7]
BibliographyDon't Underestimate Cyberterrorists, Experts Warn: Greater network dependence boosts risk of damage by cybervandals who code with vengeance." PC World. Feb 7, 2003. (accessed Sept. 12, 2010).Cyber War! Script." Public Broadcasting System FRONTLINE Program. April 24, 2003. (accessed Sept. 12, 2010).Cyber War! Streaming video." Public Broadcasting System FRONTLINE Program. April 24, 2003. (accessed Sept. 12, 2010).
• Costello-Dougherty, Malaika. "
• Kirk, Michael. "
• —. "