In this seventh article in a series focusing on the need for improved information assurance and cyber situational awareness in the electric power industry, we continue a survey of government and industry consensus about the need for increased security of SCADA systems in the power industry.
2003 US Infrastructure Still Vulnerable to Cyber Attack
The DHS Daily Open Source Infrastructure Report for May 16, 2003 included the following item:
The United States remains ill-prepared to defend against a strike on the nation's critical computer systems because of slow-moving federal research efforts, members of Congress said Wednesday [May 14, 2003]. "The nation quite simply has been under-investing woefully in cyber security R&D," said Rep. Sherwood Boehlert (R-NY), chair of the House Science Committee…. Terrorism experts fear attacks on computer systems that operate electricity grids, phone systems or other critical infrastructure as part of a terrorist strike.[1]
2004 Cyberterror Impact, Defense Under Scrutiny
The DHS Daily Open Source Infrastructure Report for Aug. 4, 2004 included the following item summarizing work by Jon Swartz of USA TODAY:
A coordinated cyberattack against the U.S. could topple parts of the Internet, silence communications and commerce, and paralyze federal agencies and businesses, government officials and security experts warn. Such an attack could disrupt millions of dollars in financial transactions, hang up air traffic control systems, deny access to emergency 911 services, shut down water supplies and interrupt power supplies to millions of homes, security experts say. But from whom the attacks would come is unclear. Intelligence shows al Qaeda is more fixated on physical threats than electronic ones, government officials and cybersecurity experts say.… More than two dozen countries, including China and Russia, have developed "asymmetrical warfare" strategies targeting holes in U.S. computer systems. Because of U.S. military firepower, those countries see electronic warfare as their best way to pierce U.S. defenses, military experts say.[2]
2005 Security Expert: More Sophisticated Cyber Attacks Likely
A DHS Open Source Infrastructure Report for Nov. 29, 2005 summarized an article by Grant Gross published in Network World:
The cyber attacks of recent years have been relatively unsophisticated and inexpensive compared to the potential of organized attacks, a cybersecurity expert said Tuesday, Nov. 29. Organized attacks by teams of hackers that have members with expertise in business functions and processes – as well as the rudimentary access and coding expertise that many current attackers have – could have a huge impact on a nation's economy, said Scott Borg, director of the U.S. Cyber Consequences Unit…. "We will probably see terrorist groups, criminal organizations putting together combinations of talent," Borg said….
While past cyber attacks have done relatively small amounts of damage, coordinated attacks on important targets such as the U.S. electrical grid, the banking and finance industry, or the telecommunications and Internet industries could potentially cause many billions of dollars in damage, he said. Most viruses and worms knock out company networks for two or three days at most, but costs would multiply quickly for any coordinated attack on a critical U.S. industry that knocked out service for more than three days, said Borg, an economist.[3]
2008 Experts Hack Power Grid in No Time
Security expert Ira Winkler[4] and his penetration team performed penetration tests on the systems of an unnamed electric power company and broke into their systems, including getting access to their SCADA networks, within the first minutes of testing. The power company aborted the tests within a few hours because the team was too successful. The red team used a combination of social engineering and simple rootkits to gain control of the networks.[5]
2008 Hackers Demanding Cash Disrupted Power
Ted Bridis wrote that, according to Tom Donahue, a senior CIA analyst, "Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power…."[6] The official declined to reveal which countries were involved, but said, "In at least one case, the disruption caused a power outage affecting multiple cities…. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
2009 Electricity Grid in U.S. Penetrated by Russian, Chinese Spies
In April 2009, Siobhan Gorman of the Wall Street Journal wrote that "Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war."
Intelligence investigators discovered root kits and other malware that could potentially grant remote control of the affected plants. For the time being, said experts, there was no evidence that China or Russia were intent on launching a cyberoffensive, but the potential exists for exploitation of these resources in a time of war.
Chinese and Russian officials flatly denied any state involvement in these penetrations.[7]
2009 The Growing Cyberthreat
John P. Avlon, a senior fellow at the Manhattan Institute[8], wrote: "We know that al-Qaeda is interested in cyberterrorism. Seized al-Qaeda computers show details about Supervisory Control and Data Acquisition (SCADA) systems in America, which control critical infrastructure, including electrical grids, nuclear plants, fiber-optic cables, oil and gas pipelines, dams, railroads and water storage and distribution facilities.
SCADA systems were never meant to be accessed by the public, but many are now controlled via the Internet, leaving them vulnerable to infiltration and attack. The al-Qaeda computers also contained schematics of a U.S. dam, along with engineering software that enabled operatives to simulate its catastrophic failure and flooding of populated areas. One al-Qaeda safe house in Pakistan was devoted to the operational study of Internet attacks, according to terrorism expert Magnus Ranstorp.
Perhaps America's most dangerous online adversary is not the Islamic radical but the "hacktivist," the technological equivalent of the lone gunman. "We're facing people who, to quote the Joker, 'just want to watch it all burn,'" says Tom Rushmore, whose New York-based small business lost $1.7 million between 2001 and 2003 to hacktivists.[9]
2009 Massive Power Failure in Brazil Exposes Control Network Weaknesses
On Tuesday Nov. 10, 2009 at 22:13 local time, the Itaipú hydroelectric plant was offline due to failure of three of its electric power transmission lines. As a result, 18 of the 26 states of Brazil were without electricity until 00:30 Wednesday morning the 11th of November, putting millions of people in São Paulo and Rio de Janeiro in the dark. Paraguay derives 90% of its power from the Itaipú plant. Parts of Argentina were also affected.
Reporter Alexei Barrionuevo interviewed experts in the power industry in Brazil:
…[E]nergy experts in both countries said the widespread blackout showed the potential weaknesses in Brazil's transmission system and the need for better management of the interconnected electrical grids.
"This was a management failure," said Ildo Sauer, a professor of energy at the University of São Paulo. "There is not a lack of generation capacity, there is not a lack of transmission capacity, there has not been a lack of investments" in the sector, he said.
"What is lacking is management, command and control of the operations."[10]
* * *
In the next article, I'll start summarizing particularly valuable industry and government reports on SCADA and power-industry security.
* * *
Endnotes
[1] Information Analysis and Infrastructure Protection 2003
[2] Swartz 2004
[3] Gross 2005
[4] Ira Winkler home page; his biography
[5] Greene 2008
[6] Bridis 2008
[7] Gorman, Electricity Grid in U.S. Penetrated By Spies 2009
[8] The Manhattan Institute has "nine policy centers, which study and promote reform in areas ranging from healthcare, higher education, legal policy, and urban development to race relations, immigration, energy, and counterterrorism."
[9] Avlon 2009
[10] Barrionuevo 2009
Bibliography
• Avlon, John P. "The Growing Cyberthreat." Forbes. Oct 20, 2009. (accessed Nov 3, 2009).
• Barrionuevo, Alexei. "Officials Search for Answers in Extensive Brazil Blackout." The New York Times. Nov 12, 2009. (accessed Nov 29, 2009).
• Bridis, Ted. "CIA: Hackers demanding Cash Disrupted Power: Electrical utilities in multiple overseas cities affected." MSNBC Technology & Science / Security. Jan 18, 2008. (accessed Nov 28, 2009).
• Gorman, Siobhan. "Electricity Grid in U.S. Penetrated By Spies." Wall Street Journal. April 8, 2009. (accessed Nov 3, 2009).
• Greene, Tim. "Experts hack power grid in no time: Basic social engineering and browser exploits expose electric production and distribution network." NetworkWorld. April 9, 2008. (accessed Nov 28, 2009).
• Gross, Grant. "Security expert: More sophisticated cyber attacks likely." Network World. Nov 29, 2005. (accessed Nov 3, 2009).
• Information Analysis and Infrastructure Protection. "U.S. still vulnerable to cyber attack." Daily Open Source Infrastructure Report, May 16, 2003: 11.
• Swartz, Jon. "Cyberterror impact, defense under scrutiny." USA TODAY. Aug 3, 2004. (accessed Nov 3, 2009).