[Infowarrior] - US video shows simulated hacker attack

Thu Sep 27 00:29:53 UTC 2007

http://news.yahoo.com/s/ap/20070926/ap_on_re_us/hacking_the_grid_1

US video shows simulated hacker attack

By TED BRIDIS and EILEEN SULLIVAN
Associated Press Writers

A government video shows the potential destruction caused by hackers
seizing control of a crucial part of the U.S. electrical grid: an
industrial turbine spinning wildly out of control until it becomes a
smoking hulk and power shuts down.

The video, produced for the Homeland Security Department and obtained by
The Associated Press on Wednesday, was marked "Official Use Only." It
shows commands quietly triggered by simulated hackers having such a
violent reaction that the enormous turbine shudders as pieces fly apart
and it belches black-and-white smoke.

The video was produced for top U.S. policy makers by the Idaho National
Laboratory, which has studied the little-understood risks to the
specialized electronic equipment that operates power, water and chemical
plants. Vice President Dick Cheney is among those who have watched the
video, said one U.S. official, speaking on condition of anonymity
because this official was not authorized to publicly discuss such
high-level briefings.

"They've taken a theoretical attack and they've shown in a very
demonstrable way the impact you can have using cyber means and cyber
techniques against this type of infrastructure," said Amit Yoran, former
U.S. cybersecurity chief for the Bush administration. Yoran is chief
executive for NetWitness Corp., which sells sophisticated network
monitoring software.

"It's so graphic," Yoran said. "Talking about bits and bytes doesn't
have the same impact as seeing something catch fire."

The electrical attack never actually happened. The recorded
demonstration, called the "Aurora Generator Test," was conducted in
March by government researchers investigating a dangerous vulnerability
in computers at U.S. utility companies known as supervisory control and
data acquisition systems. The programming flaw was quietly fixed, and
equipment-makers urged utilities to take protective measures.

There was no evidence any U.S. utility company suffered damage from
hackers or terrorists using this technique, U.S. officials said. But
these officials cautioned that affected systems are not routinely
monitored as closely as many modern corporate computer networks, so
there would be little forensic evidence to study after such a break-in.

Industry experts cautioned that intruders would need specialized
knowledge to carry out such attacks, including the ability to turn off
warning systems.

"The video is not a realistic representation of how the power system
would operate," said Stan Johnson, a manager at the North American
Electric Reliability Corp., the Princeton, N.J.-based organization
charged with overseeing the power grid.

A top Homeland Security Department official, Robert Jamison, said
companies are working to limit such attacks.

"Is this something we should be concerned about? Yes," said Jamison, who
oversees the department's cybersecurity division. "But we've taken a lot
of risk off the table."

President Bush's top telecommunications advisers concluded years ago
that an organization such as a foreign intelligence service or a
well-funded terror group "could conduct a structured attack on the
electric power grid electronically, with a high degree of anonymity, and
without having to set foot in the target nation." Ominously, the Idaho
National Laboratory - which produced the new video - has described the
risk as "the invisible threat."

Experts said the affected systems were not developed with security in
mind.

"What keeps your lights on are some very, very old technology," said Joe
Weiss, a security expert who has testified before Congress about such
threats. "If you can get access to these systems, you can conceptually
cause them to do whatever it is you want them to do."

The Homeland Security Department has been working with industries,
especially electrical and nuclear companies, to enhance security
measures. The electric industry is still working on their internal
assessments and plans, but the nuclear sector has implemented its
security measures at all its plants, the government said.

In July the Federal Energy Regulatory Commission proposed a set of
standards to help protect the country's bulk electric power supply
system from cyber attacks. These standards would require certain users,
owners and operators of power grids to establish plans and controls.