This article focuses on United States’ power grid vulnerability to cyber attack. None of the industrial control systems used to monitor and operate the nation's utilities and factories were designed with security in mind. Moreover, their very nature makes them difficult to secure. Linking them to networks and the public Internet only makes them harder to protect. The Internet made it easy. Instead of installing expensive private telecommunications links, companies let the Internet carry SCADA messages. Encryption may prevent a remote attack on data, but also may leave utilities vulnerable to attacks over corporate networks that are often linked to facilities. Someone on the inside may be able to unscramble encrypted data. Similarly, drive-by hackers will still be able to take advantage of security flaws in a wireless system to sneak into a plant network behind any encryption device. Stronger IT policies and encryption are good first steps. But the US power grid—and the entire nation’s utility and industrial infrastructure—remain vulnerable to cyberattack from terrorists and angry employees.
As far as we know, no one has ever deliberately hacked into the U.S. electrical grid and pulled the plug on millions or even thousands of people. Just as on Sept. 10, 2001, no one had ever deliberately crashed a jet airliner into a skyscraper.
Is the power grid vulnerable to cyberattack? What about natural gas pipelines, nuclear plants, and water systems? Or refineries and other industrial facilities that run on similar Internet-enabled digital control systems? Could a terrorist or disgruntled employee cause lethal accidents and millions of dollars of damage? What about a bored 14-year-old?
"Are we vulnerable?" asked Joseph Weiss, executive consultant for KEMA Consulting, which is based in Fairfax, Va. "Of course, we are. We designed ourselves that way."
None of the industrial control systems used to monitor and operate the nation's utilities and factories were designed with security in mind. Moreover, their very nature makes them difficult to secure. Linking them to networks and the public Internet only makes them harder to protect.
Paul Blomgren, manager of sales engineering at cybersecurity firm Rainbow Mykotronx in Torrance, Calif., measures control system vulnerabilities. Last year, his company assessed a large southwestern utility that serves about four million customers.
"Our people drove to a remote substation," he recalled. "Without leaving their vehicle, they noticed a wireless network antenna. They plugged in their wireless LAN cards, fired up their notebook computers, and connected to the system within five minutes because it wasn't using passwords.
"Within 10 minutes, they had mapped every piece of equipment in the facility," Blomgren said. "Within 15 minutes, they mapped every piece of equipment in the operational control network. Within 20 minutes, they were talking to the business network and had pulled off several business reports. They never even left the vehicle."
Blomgren, of course, is a professional with a professional's tools. But Eric Byres, research manager at the Internet Engineering Laboratory of the British Columbia Institute of Technology in Burnaby, maintains that any hacker could achieve similar results-with free software off the Internet and a can of Pringles.
Wireless systems are especially vulnerable to attack, Byres said. He cited as an example a petrochemical plant that he just finished assessing. "They had an overflow pond that wound around the plant site and wanted to put sensors on it, but they were worried that if they ran fiber, someone might dig it up," he said. "So they put in a wireless system."
Because the wireless system was part of the plant network, information technology engineers assumed the firewall would protect it from unauthorized access. That was not the case. Because they thought they were secure, they never even turned on the wireless transmitters' security features . Byres said that many information technology, or IT, professionals don't even know these options exist.
Anyone driving by could pick up the wireless traffic. All they need is a lap top PC, a $60 wireless network card, and a directional antenna, which can be made from a Pringles can. Don't know how to make the antenna? A Google Internet search of "Pringles antenna" returns nearly 400 Web sites, many with do-it-yourself instructions, pictures, and even videos.
Wireless security features are easily defeated. All wireless transmitters communicate using a single standard, IEEE 802.11 b, and it has serious security flaws, according to Byres. Widely available free software, such as AirSnort (11,900 hits on Google) and NetStumbler (7,270 hits), give hackers free tools to crack wireless codes within 15 minutes.
Once they steal the wireless encryption key, they can use a freebie protocol analyzer like Ethereal (21,000 Google hits) or Sniffit (2,490 hits) to spy on the network. "They will listen until a maintenance engineer signs onto a PLC," said Byres, referring to the programmable logic controllers that control the facility's sensors and actuators.
"Here's where human engineering comes in," Byres said. "No one likes to have 20 different passwords, so the password for this PLC is probably the password for the other PLCs and the Windows server as well. Now they have the password to your secure systems and networks."
A facility may not even realize it is under attack, Byres warned. In Queensland, Australia, a disgruntled job seeker remotely discharged raw sewage into local parks and rivers 46 times during March and April 2001 before he was caught. During most of the spree, everyone assumed the discharges were caused by valve or control system failures, so no one even bothered looking for a hacker.
Unlike business networks and the Internet, the industrial control system world has not developed the tools needed to monitor system intrusions. It has become a much higher priority since 9/11.
Patching Wireless Leaks
Byres said that potential fixes exist for wireless security leaks. Vendors have developed software to get around 802.11b's security flaws, and the Institute of Electrical and Electronics Engineers is currently revising its standard.
Developers, such as Vernier Networks and Bluesocket, are attempting to bring conventional network security measures to industrial control systems. "They work well in an IT environment, but it's been a struggle to adapt them to control systems," Byres said. "They assume a device is competent to answer a password and identify itself, but most PLCs can't answer passwords."
The problem is that programmable logic controllers, digital control systems, and supervisory control and data acquisition, or SCADA, systems were never designed with security in mind.
"When companies designed control systems worldwide, there were always two unwritten assumptions," said Weiss, who served as the technical lead for control system cybersecurity at the Electric Power Research Institute in Palo Alto, Calif., before joining KEMA. "Everyone assumed the system would be isolated, not connected to anything else. We also assumed that the only people who would use the control system were people who were supposed to use it. That was a good assumption for another day."
The sun had already begun to set on that day well in advance of 9/11. The cause was downsizing. Utilities responding to deregulation and corporations seeking higher productivity replaced employees with automated control systems at substations, pipeline switches, and plants.
Today, many utilities monitor scores of facilities and thousands of different operations over SCADA networks linked to a central control room.
Making It Too Easy
The Internet made it easy. Instead of installing expensive private telecommunications links, companies let the Internet carry SCADA messages. Weiss said it is almost impossible today to buy remote terminal units (RTUs, which coordinate a facility's automated field devices), or control systems that are not Web- or network-enabled. Even some field devices, such as pumps, valves, and breakers, have their own plug-in connections.
With manpower scarce, vendors often run remote diagnostics or upload software updates over phone lines. Weiss recalled a vulnerability audit of a supposedly secure nuclear power plant that turned up several unregistered modems.
Hackers find modems by dialing phone numbers sequentially until one responds. If they break through to a device on the network, they can map the system and eavesdrop for passwords. Even a facility with good network security is compromised by this backdoor.
To resist this type of attack, some facilities use a dial- back modem, which responds to a password by dialing a confidential phone number for confirmation. Yet hackers have found a way around this, too, Blomgren said. Once they find a modem, they keep redialing and entering words until they find the password.
Once they have it, they redial, enter the password, and program their modem to issue a hangup tone without really hanging up. The modem dials back with no effect. It is on the hacker's line all the time.
The obvious solution is to add security to SCADA and other control systems. Weiss thought the same thing when he first started grappling with the problem during the period that he worked at EPRI.
"Our initial thought was that security technology exists, but we don't have it in our control systems right now because utilities haven't been willing to pay for it,” he said. “If we could get the IT security people to talk with control people, how big a deal could it be? We thought it would be a six-month program at most.”
Two Operating Systems
Weiss found that industrial control systems consist of two operating systems.
The first uses Windows or Unix for the operator console. It provides role-based security, determined by an employee’s position. A plant manager and a unit operator, for example, would have access to different information. Despite occasional hacks and viruses, this system is relatively secure.
The second operating system is the actual control processor, which receives and sorts data, responds to commands, and the like. The controllers on this system were originally designed to operate in isolation and usually have rudimentary password control.
Control systems differ from conventional networks in some important ways.
A typical PC or network will run a calculation until it is finished. A real-time control system prioritizes its operations, Weiss said. Each task, from data reception to processing and device actuation, is time-sensitive. But it will also stop what it is doing if something with a higher priority appears.
Because field devices used by utility and business control systems are designed to do specific tasks, they use inexpensive, low-cost microprocessors. Some electrical industry devices in use contain the Intel 8088 processor, introduced in 1978.
Only the 486, dating from 1989, and later processors can run encrypted authentication schemes without unacceptable delays, Weiss said.
Jeff Dagle, a staff electrical engineer at the Department of Energy’s Pacific Northwest National Laboratory in Richland, Wash., exploits the weaknesses of a SCADA network testbed he built to study the vulnerability of the electrical grid.
“We bought off-the-shelf protocol analyzer software that technicians use to troubleshoot control system communications,” Dagle said. “We intercepted control messages from the communications site, took control of a network, and injected our own false commands.”
In a demonstration at a recent security conference, he hacked into his testbed system and tripped an electrical breaker. The breaker then signaled the SCADA software that it had opened. But the SCADA controller did not respond because it had not instructed the breaker to open. It was a classic denial-of-service attack. “We were demonstrating a weakness at the protocol level itself,” said Dagle.
Yet, Dagle and other control system experts see immediate steps that can make systems more secure.
“Some utilities take security very seriously,” Dagle said. “They have better awareness, better password policies, secure modems, rigorous network security, and well- trained people with the authority to make decisions. They have practiced response and recovery procedures in drills and planning exercises, so if there is an event, they know what procedures kick in.”
Yet standard IT policies by themselves are not enough, according to Byres. They must take into account the unique nature of the operating environment. “There is a reason better passwords are not installed in most plants,” he said. “IT policy is simply not appropriate for the world operations people live in.
“Standard IT policy is to lock down a console after someone makes three bad password attempts,” he added. “That’s great on your desktop. But what if someone made the mistakes because he’s panicking that a recovery boiler is going through the roof?
“In IT, data integrity and asset protection are number one. In the industrial world, plant safety is primary. Our whole starting point is different and that impacts everything from audits to passwords. We need to take what IT has given us and modify it to work for us.”
The industry has begun to develop procedures that users can apply to control systems now. In addition, several industry standards organizations, including the Institute of Electrical and Electronics Engineers, Instrumentation Society of America, and International Electrotechnical Commission, have established committees to address control system security concerns.
The other near-term initiative involves better use of encryption. William F. Rush, Jr., an assistant physicist at the Gas Technology Institute in Des Plaines, 111., has been working on SCADA encryption techniques since 1985. The original goal was to keep energy traders from gaining inside information or influencing a company’s operations.
After years of slowly working its way through committee, Rush’s project jumped to the fast track on 9/11. He expects to publish the new standard by February. It will set encryption standards for current SCADA communications systems.
The standard’s focus is deliberate. Utilities have an enormous installed SCADA base with a lifespan of 10 to 15 years. “If the standard only protected new equipment, it would take 15 years to fully deploy it,” Rush said. “We want to be able to put this in now.”
The emphasis on communications closes SCADA’s most visible security flaw, its vulnerability to an attack from a remote location over the Internet. The standard calls for placing a dedicated encryption device between the SCADA remote terminal unit and the modem that links it to the Internet. It would not only scramble the data, but do it in a way that authenticates the sender as a trusted source. “We assume an assailant can get on the line, but all they would hear is encrypted information,” Rush said.
Rainbow Mykotronx is one of a handful of companies that will introduce a SCADA encryption device when the standard is approved. It is based on the Advanced Encryption System, an algorithm designed for speed as well as security. Blomgren estimates that the unit will add $50 to the cost of a field device.
“Before doing this, we asked utilities what would protect them the most,” Blomgren said. “Electrical, gas, and water utilities all felt the best thing we can do was encrypt data on both ends to keep eavesdroppers out.”
Encryption may prevent a remote attack on data, but also may leave utilities vulnerable to attacks over corporate networks that are often linked to facilities. Someone on the inside may be able to unscramble encrypted data.
Similarly, drive-by hackers will still be able to take advantage of security flaws in a wireless system to sneak into a plant network behind any encryption device.
Nor will encryption foil hacking by disgruntled employees. Byres said the Federal Bureau of Investigation and his own data show that 70 percent of hacks come from insiders. Without a way to detect unauthorized access to a plant control system, most companies will be hard-pressed to identify a security incident before it results in major damage.
According to Weiss, over the long term, industry must develop new technologies or new control systems designed to be both secure and efficient. “Security is a very resource-intensive thing to do,” he said. “Industry wants open, interoperable systems that can prioritize functions. They want to be able to configure them in the field. How do you do all those things and still be secure?” Byres goes one step further. True security will involve rethinking some of the basic premises of IT architecture. “Security in conventional IT systems revolves around protecting critical core servers,” he said, referring to the computers that manage network and Internet operations. “If your workstation gets hacked into, that’s annoying. But if a main server is attacked, that’s a big deal.
“Now think about the typical plant floor,” he said. “The PLCs that control operations are the critical things. The supervisory system is less important. Trying to apply an IT architecture that protects the core is not the right solution. We need a different architecture.”
It will take time, but 9/11 has placed these issues on the front burner. For 20 years, the industry has relied on what Blomgren calls “security through obscurity.” The industry assumed nobody knew how its control system worked, even though SCADA and other control systems use the same hardware, software, documentation, and training worldwide.
The same SCADA systems that, are used to manage the U.S. power grid also control the grids in Iraq, Saudi Arabia, Indonesia, and Iran. So it should come as no surprise that SCADA documents turned up in al Qaeda safe houses in Afghanistan.
Stronger IT policies and encryption are good first steps. But the U.S. power grid—and all the nation’s utility and industrial infrastructure—remain vulnerable to cyberattack from terrorists and angry employees. And bored 14-year-olds with a laptop, wireless card, and a can of Pringles.