[ISN] Hackers Target U.S. Power Grid

InfoSec News isn at c4i.org
Fri Mar 11 05:05:15 EST 2005 

Forwarded from: William Knowles <wk at c4i.org>

http://www.washingtonpost.com/wp-dyn/articles/A25738-2005Mar10.html

By Justin Blum
Washington Post Staff Writer
March 11, 2005

Hundreds of times a day, hackers try to slip past cyber-security into 
the computer network of Constellation Energy Group Inc., a Baltimore 
power company with customers around the country.

"We have no discernable way of knowing who is trying to hit our 
system," said John R. Collins, chief risk officer for Constellation, 
which operates Baltimore Gas and Electric. "We just know it's being 
hit."

Hackers have caused no serious damage to systems that feed the 
nation's power grid, but their untiring efforts have heightened 
concerns that electric companies have failed to adequately fortify 
defenses against a potential catastrophic strike. The fear: In a 
worst-case scenario, terrorists or others could engineer an attack 
that sets off a widespread blackout and damages power plants, 
prolonging an outage.

Patrick H. Wood III, the chairman of the Federal Energy Regulatory 
Commission, warned top electric company officials in a private meeting 
in January that they need to focus more heavily on cyber-security. 
Wood also has raised the issue at several public appearances. 
Officials will not say whether new intelligence points to a potential 
terrorist strike, but Wood stepped up his campaign after officials at 
the Energy Department's Idaho National Laboratory showed him how a 
skilled hacker could cause serious problems.

Wood declined to comment on specifics of what he saw. But an official 
at the lab, Ken Watts, said the simulation showed how someone could 
hack into a utility's Internet-based business management system, then 
into a system that controls utility operations. Once inside, lab 
workers simulated cutting off the supply of oil to a turbine 
generating electricity and destroying the equipment. 

Describing his reaction to the demonstration, Wood said: "I wished I'd 
had a diaper on."

Many electric industry representatives have said they are concerned 
about cyber-security and have been taking steps to make sure their 
systems are protected. But Wood and others in the industry said the 
companies' computer security is uneven. 

"A sophisticated hacker, which is probably a group of hackers . . . 
could probably get into each of the three U.S. North American power 
[networks] and could probably bring sections of it down if they knew 
how to do it," said Richard A. Clarke, a former counterterrorism chief 
in the Clinton and Bush administrations.

Clarke said government simulations show that electric companies have 
not done enough to prevent hacking. "Every time they test, they get 
in," Clarke said. "It's nice that the power companies think that 
they've done things, and some of them have. But as long as there's a 
way to get into the grid, the grid is as weak as its weakest company."

Some industry analysts play down the threat of a massive cyber-attack, 
saying it's more likely that terrorists would target the physical 
infrastructure such as power plants and transmission lines. James 
Andrew Lewis, director of technology policy at the Center for 
Strategic and International Studies in the District, said a 
coordinated attack on the grid would be technically difficult and 
would not provide as much "bang for the buck" as high-profile physical 
attacks. Lewis said the bigger vulnerability may be posed not by 
outside hackers but by insiders who are familiar with their company's 
computer networks.

But in recent years, terrorists have expressed interest in a range of 
computer targets. Al Qaeda documents from 2002 suggest cyber-attacks 
on various targets, including the electrical grid and financial 
institutions, according to a translation by the IntelCenter, an 
Alexandria firm that studies terrorist groups.

A government advisory panel has concluded that a foreign intelligence 
service or a well-supported terrorist group "could conduct a 
structured attack on the electric power grid electronically, with a 
high degree of anonymity, and without having to set foot in the target 
nation," according to a report last year by the Government 
Accountability Office, the investigative arm of Congress.

Cyber-security specialists and government officials said that 
cyber-attacks are a concern across many industries but that the threat 
to the country's power supply is among their top fears.

Hackers have gained access to U.S. utilities' electronic control 
systems and in a few cases have "caused an impact," said Joseph M. 
Weiss, a Cupertino, Calif.-based computer security specialist with 
Kema Inc., a consulting firm focused on the energy industry. He said 
computer viruses and worms also have caused problems.

Weiss, a leading expert in control system security, said officials of 
the affected companies have described the instances at private 
conferences that he hosts and in confidential conversations but have 
not reported the intrusions publicly or to federal authorities. He 
said he agreed not to publicly disclose additional details and that 
the companies are fearful that releasing the information would hurt 
them financially and encourage more hacking.

Weiss said that "many utilities have not addressed control system 
cyber-security as comprehensively as physical security or 
cyber-security of business networks." 

The vulnerability of the nation's electrical grid to computer attack 
has grown as power companies have transferred control of their 
electrical generation and distribution equipment from private, 
internal networks to supervisory control and data acquisition, or 
SCADA, systems that can be accessed through the Internet or by phone 
lines, according to consultants and government reports. That 
technology has led to greater efficiency because it allows workers to 
operate equipment remotely. 

Other systems that feed information into SCADA or that operate utility 
equipment are vulnerable and have been largely overlooked by 
utilities, security consultants said.

Some utilities have made hacking into their SCADA systems relatively 
easy by continuing to use factory-set passwords that can be found in 
standard documentation available on the Internet, computer security 
consultants said.

The North American Electric Reliability Council, an industry-backed 
organization that sets voluntary standards for power companies, is 
drafting wide-ranging guidelines to replace more narrow, temporary 
precautions already on the books for guarding against a cyber-attack. 
But computer security specialists question whether those standards go 
far enough.

Officials at several power companies said they had invested heavily in 
new equipment and software to protect their computers. Many would 
speak only in general terms, saying divulging specifics could assist 
hackers.

"We're very concerned about it," said Margaret E. "Lyn" McDermid, 
senior vice president and chief information officer for Dominion 
Resources Inc., a Richmond-based company that operates Dominion 
Virginia Power and supplies electricity and natural gas in other 
states. "We spend a significant amount of time and effort in making 
sure we are doing what we ought to do."

Executives at Constellation Energy view the constant hacking attempts 
-- which have been unsuccessful -- as a threat and monitor their 
systems closely. They said they assume many of the hackers are the 
same type seen in other businesses: people who view penetrating 
corporate systems as fun or a challenge.

"We feel we are in pretty good shape when it comes to this," Collins 
said. "That doesn't mean we're bulletproof."

The biggest threat to the grid, analysts said, may come from power 
companies using older equipment that is more susceptible to attack. 
Those companies many not want to invest large amounts of money in new 
computer equipment when the machines they are using are adequately 
performing all their other functions.

Security consulting firms said that they have hacked into power 
company networks to highlight for their clients the weaknesses in 
their systems.

"We are able to penetrate real, running, live systems," said Lori 
Dustin, vice president of marketing for Verano Inc., a Mansfield, 
Mass., company that sells products to companies to secure SCADA 
systems. In some cases, Dustin said, power companies lack basic 
equipment that would even alert them to hacking attempts.

O. Sami Saydjari, chief executive of the Wisconsin Rapids, Wis.-based 
consulting firm Cyber Defense Agency LLC, said hackers could cause the 
type of blackout that knocked out electricity to about 50 million 
people in the Northeast, Midwest and Canada in 2003, an event 
attributed in part to trees interfering with power lines in Ohio. He 
said that if hackers destroyed generating equipment in the process, 
the amount of time to restore electricity could be prolonged.

"I am absolutely confident that by design, someone could do at least 
as [much damage], if not worse" than what was experienced in 2003, 
said Saydjari, who was one of 54 prominent scientists and others who 
warned the Bush administration of the risk of computer attacks 
following Sept. 11, 2001. "It's just a matter of time before we have a 
serious event."



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

More information about the ISN mailing list