Hacking the Grid
Security experts warn it wouldn’t be hard for a cyberpunk or terrorist to
turn off the lights in a large portion of the U.S.
Red Herring Magazine
May 18, 2005
http://www.redherring.com/PrintArticle.aspx?a=12117&sector=Industries
First of three parts
The U.S. power grid, with its billions of dollars worth of electrical
lines, switching stations, and electrical generators, is like a big shiny
toy for computer hackers.
Imagine the attraction to a teenage computer nerd of flipping the light
switch to the Northeast corridor when he doesn’t have a date for the prom.
This attractive nuisance has Washington spooked and is developing into an
opportunity for startup security companies.
Power companies rely on a complex relay of information between delivery
stations to regulate electrical flow. They send commands back to these
stations to control the voltage and amperage allowed to flow to consumers.
It is a network, just like the Internet. And just like the Internet, it is
subject to attack.
“Just thinking about it makes me feel almost sick,” said Justin Bingham, a
security expert and CTO of software startup Intrusic. “This is stuff I
can’t live without. It isn’t some internal database someplace.”
Grid operators monitor and control the flow of electricity via computer
networks called Supervisory Control and Data Acquisition (SCADA) systems.
These systems once operated in a vacuum using language that only experts
understood. The power companies and the government thought they were safe.
But several new developments have made SCADA systems vulnerable. When power
companies hook their business computers to the Internet, and then plug the
business computers into the SCADA computers, critical systems can be exposed
to viruses and worms.
Standard software doesn’t help, either. Power companies used to buy their
control systems from a series of disparate vendors. A hacker could expect
to run into at least five different types of computer networks and would
have to know many different communications protocols.
Industry consolidation has led to standardization on one or two well-known
systems with well-researched security holes. Hacking one system takes less
expertise than hacking seven.
It’s a lot easier to learn the hacking skills you need, too. The Internet
allows people from around the world to easily research the technical ins
and outs of a SCADA system. A cyber-punk may not understand the networking
diagrams of complicated systems, but he or she can easily communicate with
people who do.
Almost anyone who wants to know about SCADA systems can quickly learn that
the default username and password for one of the major vendor’s computers
is “Otter, Otter.” It doesn’t take a computer scientist to log in as an
authorized user and start playing around with the power supply to the
Northeast corridor.
This vulnerability has attracted startups looking to cash in on skittish
policymakers with terrorism on their minds. The U.S. Department of Homeland
Security has funded advanced research into low-cost security solutions.
In mid-November 2003, the department started accepting submissions for its
Homeland Security Advanced Research Projects Agency’s (HSARPA) Small
Business Innovation Research Grants (SBIR).
Sixty-seven companies competed for just under $100,000 each to prove their
security concept and take a shot at a second round of funding. The
department funded 13 companies with one of five types of solutions:
encryption, authentication, intrusion detection, open-source security
components, and grid monitoring. Four of the Phase I winners went on to
secure another $300,000 for Phase II trials.
The Challenge
A key aspect of these solutions is compatibility with existing control
systems, so a program must be able to run on very limited resources without
affecting operability. Successful businesses have to show the department
that their solutions are not only effective, but also efficient.
The thousands of SCADA systems deployed in the United States—including
those used to control power systems, trains, water systems, and other
utilities—all have multiple access points that need to be secured.
“We know that people look at security as … not the primary function of a
SCADA system,” said Peter Miller, the department’s SCADA specialist. “We
have tried to focus on businesses that pose cost-effective solutions.”
In legacy systems, some of which date back 20 years, the memory and
processing capabilities of the control system computers are minimal. Most
of the existing infrastructure runs on Intel 8080 chips that were first
introduced in 1974. The chip clocked in at 2 Megahertz, or about 1,850
times slower than today’s 3.7-gigahertz chips.
The communications systems aren’t much better. It’s not unusual to see a
300-bits-per-second modem attached to a SCADA system. A typical cable modem
gets 1.5 Megabits per second, or about 5,000 times faster than the SCADA
modems.
It’s not like these systems need to be as fast as a home computer. They
were only designed to communicate small amounts of data and on/off
switching functions. But you can’t run antivirus on this network or do
basic encryption. It would be like using a Mini Cooper to haul a big-rig
full of bricks up a hill.
New energy systems are starting to incorporate security measures. But to
replace all the existing systems with new computers would cost billions of
dollars.
Hacking the Grid, Part 2
Startups are seeking a way to keep hackers from monkeying with the U.S.
power grid.
Knowing when a utility control system is compromised by a hacker can be
difficult. Typical intrusion-detection systems alert operators to abnormal
usage and give system administrators the option to either isolate the
abnormality or shut down the system.
Control systems intrusion can look similar to normal control functions, and
erring on the side of safety is not necessarily the best solution.
“It’s probably OK if an antivirus program turns off your computer,” said
Tom Kropp of the Electrical Power Research Institute. “That kind of failure
is not acceptable for control systems. You don’t cut off power to San
Francisco or Sacramento just because the software noticed an abnormality.”
Digital Bond, a Sunrise, Florida-based startup, is working to identify what
intrusion on a control system would look like. Founder Dale Peterson says
that the traditional managed security service providers, such as Symantec,
don’t have much knowledge of SCADA-type communication and control protocols.
Mr. Peterson founded his company in 1998, and now directs its five
employees toward developing an open-source business model that translates
SCADA vendor systems for security companies.
Intrusic did not get government grants for its anti-hacking technology. The
company, based in Waltham, Massachusetts, boot-strapped its way through
three years of development before taking its first financing in 2004. The
company recently closed a second round of financing worth $8 million.
Most intrusion-prevention software watches for patterns of events on the
network. It’s like a patrolman who ignores everything short of a 10-person
gang trying to break into a warehouse.
Intrusic’s software looks for subtler activity. Running its software on the
network is like hiring the NSA to eavesdrop on everything happening inside
and around the company instead of paying a security guard to eat donuts.
The company is run by brothers Jonathan and Justin Bingham. Jonathan runs
the business side and Justin is in charge of the technology. “It’s too
risky for most startups to go after this market,” said Justin Bingham.
“It’s a very valuable market and we’re in desperate need of technology to
secure it. If we were to have some sort of disaster in our critical
infrastructure, people would say, ‘What the hell? Why weren’t there better
technologies to protect these things?’”
Encryption
Because SCADA systems both receive orders and send information critical to
the control of the grid, it is important that the information received is
actually coming from the system. It would be easy for a hacker to pose as a
regional transmission unit and send signals to the control center that
would set off alarms or lead to an automatic power shutdown.
“You don’t want a guy from Karachi or Riyadh controlling the power grid for
Northern California,” said Rick Morgenstern, the CEO of Digital Authentication.
Mr. Morgenstern’s company is looking to use physics equations to create
unpredictable encryption keys and location-based communication authentication.
Founded by Mr. Morgenstern and Roger Dube in 2000, the company hopes to
sell a device that confirms the identity of a SCADA control unit by
identifying its precise location.
The founders are quick to clarify that Digital Authentication’s technology
does not use global positioning, which might be forged, but rather takes a
360° snapshot of measurable sub-atomic forces.
The company claims that because its technology uses “dynamic entropy” to
generate random numbers for its encryption program, the chances of cracking
the code approximate one in a googolplex.
Digital Authentication has won similar Small Business Innovation Research
contracts from the Army Communications-Electronics Command group and the
U.S. Naval Air Warfare Center, as well as a purchase order from the U.S.
Joint Forces Command.
Its solution requires the installation of a monitor, and could impose high
overhead on power companies that would have to install the device at remote
transmission stations.
Asier Technology of Plano, Texas, is working on a strictly software
encryption solution for SCADA computers. The networks that connect regional
switches and circuit breakers with central control stations stretch for
miles and are completely unsecured.
Encryption software could make it harder for hackers to intercept and
decode control system commands.
Encrypting the time-crucial deterministic functions of a SCADA system
requires a different kind of encryption than IT security vendors have
supplied.
The priority in the encryption world has been to develop programs that
protect confidentiality, integrity, and availability—in that order. You
don’t want anyone to see your data, you want the data to be right, and you
want to be able to access the data on demand.
SCADA systems have a different set of priorities. Joe Weiss, a security
expert at KEMA consulting, explains: “If you’re sending credit card
information online, you don’t care how many times you have to send it, but
you’re absolutely rabid about no one else seeing it. In the controls world,
the most important thing is availability. The last thing I care about is
confidentiality.”
To secure legacy SCADA systems, and preserve their time-crucial
deterministic functions, encryption software must be able to operate on
outdated control system computers with little memory and low processor
requirements.
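The two points above (a control center must know that a frame really came from a given remote unit, and on a SCADA link integrity and availability matter far more than confidentiality) can be met without encrypting anything: a short message authentication tag plus a sequence counter. The example below is added here to illustrate that design and is not code from the article or from any vendor it names; the frame layout, the unit identifiers and the pre-shared keys are constructed for the example.

```python
import hmac
import hashlib
import struct

# Frame layout (constructed for this example, not any real SCADA protocol):
#   rtu_id (1 byte) | seq (4 bytes) | cmd (1 byte) | value (2 bytes) | tag (8 bytes)
# Nothing is encrypted and only 8 bytes of tag are added per frame, which
# matters on a 300-bit-per-second link: the goal is source authenticity and
# integrity of the reading, not hiding it from an eavesdropper.
HEADER = struct.Struct(">BIBH")
TAG_LEN = 8

# Hypothetical pre-shared keys, one per remote unit (constructed sample values).
RTU_KEYS = {
    1: b"constructed-key-for-rtu-01",
    2: b"constructed-key-for-rtu-02",
}


def make_tag(key: bytes, header: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the header: one hash pass, cheap on a small CPU."""
    return hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(rtu_id: int, seq: int, cmd: int, value: int) -> bytes:
    """Remote unit side: pack the fields and append the tag."""
    header = HEADER.pack(rtu_id, seq, cmd, value)
    return header + make_tag(RTU_KEYS[rtu_id], header)


def verify_frame(frame: bytes, last_seq: dict) -> tuple:
    """Control center side. Returns (accepted, reason).

    last_seq maps rtu_id -> highest sequence number accepted so far; in a
    real deployment it must survive restarts or old frames become replayable.
    """
    if len(frame) != HEADER.size + TAG_LEN:
        return False, "bad length"
    header, tag = frame[:HEADER.size], frame[HEADER.size:]
    rtu_id, seq, cmd, value = HEADER.unpack(header)
    key = RTU_KEYS.get(rtu_id)
    if key is None:
        return False, "unknown unit"
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(make_tag(key, header), tag):
        return False, "bad tag"   # forged or tampered frame
    if seq <= last_seq.get(rtu_id, -1):
        return False, "replay"    # a genuine old frame sent again
    last_seq[rtu_id] = seq
    return True, "ok"
```

A rejected frame is logged and dropped rather than triggering a shutdown, which is the behaviour Mr. Kropp argues for above: a bad tag is an alert, not a reason to cut power.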
Asier believes that its technology can do that. The company has received
two Small Business grants, one of which resulted in a Phase II award and a
$1-million contract with the missile defense program.
The Risk Goes On
Until power producers adopt a solution, SCADA system vulnerability
continues to threaten national security. Although most people acknowledge
that terrorists have much easier ways to do damage, some officials are
nervous.
Government security experts have written that terrorists might “swarm” the
United States with both physical and digital attacks that would cripple
emergency response. Stuart McClure, a security expert at McAfee, said,
“Hopefully, the DHS grants will be the snowflake that snowballs into an
avalanche.”
But even an avalanche of investment might not get SCADA security off the
ground. Without government regulation, there’s little incentive for power
companies to spend money on security.
“Businesses are concerned about security up to the point where it puts them
out of business,” said Justin Bingham of Intrusic. “If we don’t spend more
time on this problem, we’re going to wish that we had.”
Even inexpensive safety fixes can be a hard investment for electricity
providers to justify, especially without a regulatory mandate. “Somebody
has to pay for security, whether you call them the ratepayer, the taxpayer,
or the shareholder, somebody pays,” said Mr. Kropp.
And that cost may seem lower when the lights are out.
Hacking the Grid, Part 3
Hacking into public utility systems isn’t a new problem, nor is it limited
to power systems. There have been documented cases going back more than a
decade that involve sewer, water, air traffic, and power systems.
In 2000, Vitek Boden quit his job at Hunter Watertech, an Australian
company that supplies control system equipment to utilities, and decided to
become a terrorist.
Using a computer, a radio transmitter, and his car, Boden opened release
valves at the local sewage-treatment plant, dumping a foul cocktail of
waste-sludge into local parks and rivers.
It was a great hack. Boden could get in and out undetected. Security? On
these old control systems: not likely.
The sewage system operators were baffled. They thought they had a leak, but
when they went out to examine the various pipes and valves, they found
nothing. The putrid smell infuriated locals. But the best part was that
Boden’s old employer might have had to hire him back to fix the problem—and
Boden would not come cheap.
Boden attacked the Maroochy Shire’s wastewater Supervisory Control and Data
Acquisition (SCADA) system from his car. He got caught because he parked in
the wrong place and the police recognized the computer and radio equipment
as having recently been stolen.
At the time of his arrest, he had successfully pirated control 45 times and
dumped 264,000 gallons of sewage into nearby parks and rivers, according to
the Government Accounting Office.
Some Other Highlights:
1994: The Salt River Project, an electricity and water provider in Phoenix,
is hacked.
1997: A Massachusetts teen hacks the public switching network and shuts
down the air-traffic control room of a local airport.
1997: The U.S. Department of Defense asks National Security Agency hackers
to test the safety of the power supply going to military bases.
2001: In April, hackers take advantage of a known weakness in the Solaris
server systems that the California Independent Service Operator (Cal-ISO)
uses to control 75 percent of California’s power. The hackers install a
“root kit” to control the system, but in 17 days, do little to exploit
their illegal entry.
2002: One of the al Qaeda laptops captured in Afghanistan shows that
operatives had spent time on web sites that explained how to operate
digital control switches, such as those used to control the power grid, the
Washington Post reports. The newspaper claims that government
interrogations of captured al Qaeda members showed that the organization
intended to take control of critical U.S. infrastructures as part of a
terrorist attack.
2003: Computers at the Davis-Besse nuclear power plant in Ohio crash for
five hours thanks to the then-ubiquitous “Slammer” worm. Luckily for Ohio
denizens, there are no abnormal conditions to control while half of the
nuclear power plant�s network is down. Although the worm does not spread to
the control systems, it causes sufficient confusion.
================================
George Antunes, Political Science Dept
University of Houston; Houston, TX 77204
Voice: 713-743-3923 Fax: 713-743-3927
antunes at uh dot edu