April 8th, 2009

The U.S. electrical grid: How big of a cyber target is it?

Posted by Larry Dignan @ 7:22 am

Categories: General, Government, Hardware Infrastructure, Security

Tags: Asset, SCADA, Grid, Intrusion, Asset Management, Enterprise Software, Security, Operational Planning, Business Operations, Software

Updated: Spies have reportedly been probing the U.S. electrical grid for months and planting software that could be activated at a future date, according to a Wall Street Journal. The report highlights the latest vulnerabilities facing U.S. power infrastructure.

The Journal notes that the spies are from China, Russia and other countries. While the news isn’t that surprising—given how vulnerable U.S. infrastructure is—it is notable because electrical grids were initially thought to be somewhat hacker proof until recently. Why? Grids run on an old mish-mash of software, which is often proprietary.

However, recent events indicate that so called SCADA systems—(Supervisory Control And Data Acquisition), which collect data from sensors and machines and send them to a centrally managed repository—are also at risk. To wit, last June Core Security detailed how SCADA systems were vulnerable. And even silly electronic road sign pranks show how SCADA systems are vulnerable.

How bad is it? According to the Journal report, a SCADA attack may be a disaster waiting to happen. The ability to hack into electric grids isn’t new–you can find reports here, here and here—and the usual techniques such as social engineering, exploits and other hijinks work well. In addition, the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology had a big hearing on electric grid threats a year ago and the General Accountability Office has also highlighted the issues in a report on network controls.

In a report, the GAO found the Tennessee Valley Authority (TVA), a federal corporation and the nation’s largest public power company, “had not consistently implemented significant elements of its information security program.” Meanwhile, the TVA’s corporate network “lacked key software patches and had inadequate security settings, and numerous network infrastructure protocols and devices had limited or ineffective security configurations,” according to the GAO.

Simply put, the fact the grid is wide open for malicious hackers isn’t news. What’s different is the Journal is naming names (at least countries).

The Journal notes that:

• The Chinese have attempted to map the U.S. electrical grid;
• The espionage is pervasive and not targeted to any one company or region;
• The companies in charge of the infrastructure—remember most of the U.S. networks are in private hands—never knew of the intrusions;
• Intelligence agencies discovered the intrusions;
• Water, sewer and other systems are at risk;
• And the intelligence gleaned through these intrusions will be critical in the event of war.

The good news is that the Obama administration is about to complete a cybersecurity review and Congress had approved $17 billion in funds to protect government networks under the Bush administration.

Also see: TechRepublic resources on SCADA security

GAO report on Tennessee Valley Authority’s security weaknesses

House hearing on electric grid vulnerabilities

However, throwing money at the problem may not help all that much.

The North American Electric Reliability Corporation told its members that utilities need to step up security procedures. In the letter, Michael Assante, chief security officer of the group, wrote:

NERC is requesting that entities take a fresh, comprehensive look at their risk-based methodology and their resulting list of CAs (critical assets) with a broader perspective on the potential consequences to the entire interconnected system of not only the loss of assets that they own or control, but also the potential misuse of those assets by intelligent threat actors.

Assante outlines the grid’s conundrum:

Most of us who have spent any amount of time in the industry understand that the bulk power system is designed and operated in such a way to withstand the most severe single contingency, and in some cases multiple contingencies, without incurring significant loss of customer load or risking system instability. This engineering construct works extremely well in the operation and planning of the system to deal with expected and random unexpected events. It also works, although to a lesser extent, in a physical security world. In this traditional paradigm, fewer assets may be considered “critical” to the reliability of the bulk electric system.

But as we consider cyber security, a host of new considerations arise. Rather than considering the unexpected failure of a digital protection and control device within a substation, for example, system planners and operators will need to consider the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations. I have intentionally used the word “manipulate” here, as it is very important to consider the misuse, not just loss or denial, of a cyber asset and the resulting consequences, to accurately identify CAs under this new “cyber security” paradigm. A number of system disturbances, including those referenced in NERC’s March 30 advisory on protection system single points of failure, have resulted from similar, non-cyber-related events in the past five years, clearly showing that this type of failure can significantly “affect the reliability (and) operability of the bulk electric system,” sometimes over wide geographic areas.

Taking this one step further, we, as an industry, must also consider the effect that the loss of that substation, or an attack resulting in the concurrent loss of multiple facilities, or its malicious operation, could have on the generation connected to it.

The good news so far: It doesn’t appear that these intrusions have led to any attacks. But as grids become smarter via technology, they’re likely to be easier to hack. It’s only a matter of when, not if, the grid—and other key infrastructure—gets hacked.

Update: I’d like to point out the following Talkback.

I am a retired engineer, formerly employed by 2 electric utilities - one of them a very large utility within the U. S; Department of Energy. In that job I was the project manager for a large SCADA/Energy Control System. So I (think) I know a little about SCADA systems and how they operate.

EVERY SCADA system that I have ever seen use its own dedicated communication network to carry data between the Master Station (the “base”), and the substation Remote Terminal Units (RTU’s) and with the powerplants. The Master Station is manned 24 hours per day, seven days per week, 52 weeks per year. In other words, ALL THE TIME. So if something happens, the knowledgeable, experienced operator can take immediate steps to counteract the event. One example: many years ago, a light airplane flew into a high voltage transmission line in Northern Arizona. The electric system “alarmed”, and a dispatcher in a Phoenix control center shut down that line and rerouted power so as to minimize outages to customers until the cause of the alarm had been identified and corrective measures taken.

Another Western US utility’s management decided to “economize” by combining the SCADA functions with the company’s corporate functions in a single computer. And, of course, there was a “firewall” between the SCADA and corporate functions. And when the firewall failed, it took down the company’s entire power grid. Needless to say, nobody in electric utility management today sees this as a way to economize.

Oh yes, did I mention that SCADA systems almost always use redundant computers, so that in the event that one fails, an automatic “failover” to the backup computer occurs?

Remember the late 1990’s, and the widespread fear that the rollover to year 2000 would cause widespread failures in the electric power grid, because microprocessors and computers had not been designed to recognize dates beyond 1999? And that once the grid crashed, taking out all electric power in North America, it would be impossible to restart, because electric power was needed just to start up a generator, etc. As the person who designed the data communications protocol for use between our Master Station and the several (hydro and steam) powerplants we had under control, I knew that the prognosticators of doom were wrong. And, remember what happened on New Year’s Day, 2000: NOTHING. The electric system continued to function, just as before. The doom-sayers were WRONG.

So, considering that utilities use dedicated, private (usually microwave) communications for their SCADA systems, and that the data communications use various coding and security methods, I, for one, will not lose any sleep worrying that the Chinese or Russians are going to tap into our country’s SCADA systems and crash the power grid.