Just how vulnerable is the electrical grid?

Smarter is not always better--at least when it comes to utilities.

More than a decade after initial reports said critical infrastructure in the U.S. is vulnerable to cyberattack, the situation has only worsened as utilities move their control systems closer to the Internet and install smart-grid technology, according to security experts.

Questions about the security of infrastructure in the United States arose this week following a Wall Street Journal report that said the nation's electricity grid has been compromised by foreign hackers. And several experts said in interviews this week that some energy systems have, in fact, gotten less secure as they have modernized. The Supervisory Control and Data Acquisition (SCADA) control systems used by the energy industry used to be segregated from public networks. But they have increasingly become more dependent on Internet protocol-based systems, the experts said. At the same time, their security precautions are inefficient, they said.

"The end result is that, as part of our modernization, we've made ourselves more vulnerable," said James Lewis, a senior fellow at the nonprofit Center for Strategic and International Studies (CSIS).

"Plant control networks (and their programmable logic controllers) should be disconnected from the Internet," said Peter "Mudge" Zatko, technical director of the national intelligence research unit at BBN Technologies. "These are the things lifting and lowering the plutonium rods into the water to make steam...It's on the Internet. This is terrifying."

Myriad operational problems
For many utility workers, it's easier to log onto the Internet from home when they get called at night. But if those home computers are infected with spyware, they can be used by attackers to get into the control systems, which are supposed to be separated from the Internet.

And there are other problems that are more deeply embedded in the day-to-day operations of a utility's business. Network control software that utilities buy from outside vendors often includes the ability to run Web servers and enable remote access and wireless access. Then there are configuration problems, such as routers and other systems that use default passwords, or worse, don't use passwords at all, according to Zatko and others who have tested the systems.

"Energy management systems really can't be connected to the Internet. It's going to be painful for some companies, but they're going to have to change this."

--Frank Heidt
CEO, Leviathan Security

"It's out of ease-of-use and the fact that there weren't strong restrictions (the electric utilities were deregulated to a large extent) that the networks are a mess in a lot of places," Zatko said. Often, "the systems themselves aren't robust because they were designed to be on networks that weren't talking to the public Internet."

Many warnings have been sounded over the years. In 1999, Zatko compiled a list of about 30 utilities whose plant control networks could be accessed remotely, and he says many of them still have the same problems today. In 2004, Gartner did a report concluding that the use of IP networks for critical infrastructure could serve as bait for cyberattackers.

"It's painfully easy to exploit" the control systems, said Frank Heidt, chief executive of professional security services company Leviathan Security. "Energy management systems really can't be connected to the Internet. It's going to be painful for some companies, but they're going to have to change this."

Last year, a security expert at the RSA conference detailed how easy it is to break into power plants by downloading malware to employee computers through a socially engineered e-mail that directs them to a malicious server. Meanwhile, Core Security found a hole in the Suitelink software that is used to automate operations at power stations, oil refineries, and production lines.

Lewis of the CSIS acknowledged that using the Internet opens utilities up to cyberattack risks, but said there are "sound economic reasons" for them doing so.

"Most of the critical infrastructure on the Internet is there for legitimate business purposes," agreed John Bumgarner, a research director at the nonprofit U.S. Cyber Consequences Unit.

Security company Industrial Defender has done more than 100 threat assessments over the past seven years, primarily in utility infrastructure, and identified 34,000 vulnerabilities, said company CEO Brian Ahern.

For the most part, utilities--among the most conservative businesses in spending on technology--don't do basic security monitoring of their power generation and distribution equipment, he said.

"You can't protect when you don't know what's happening. I think that less than five percent of utilities have a good sense of critical threats," he said.

Utilities "are sacrificing security for convenience and cost savings," said Richard Forno, a principal at KRvW, an information security consulting firm in Washington, D.C. "We've allowed the situation to get worse, and it will be harder to get away from these networks touching the public Net now that we are 10 years, 15 years into the process."

Smart grids: Efficient but insecure
IP networks aren't the only problem. The use of smart-grid technology, which consists of networked meters designed for adjusting electricity flows and monitoring everything from power plants to individual appliances in homes, are also putting critical systems at risk, experts said.

Critical infrastructure insiders in the U.S. and Canada surveyed last year said the energy sector was the industry most vulnerable to cyberattack. The survey cited many contributing factors: an increase in the number of access points through the use of sensors, smart meters, and third-party contractors with remote access capability; use of more IP-based networks; integration between corporate and operational networks; reliance on standard or commodity IT platforms such as Microsoft Windows; and lack of attention to security by network automation and control system vendors. The biggest bottleneck to improving critical infrastructure security is cost, followed by apathy, they said.

"We've got to take a step back from the hurry-up approach with the smart grid. There needs to be a balanced approach between investing in (smart grid) deployments and building security deeply into it."

--Brian Ahern
CEO, Industrial Defender

In March, IOActive, which provides application and smart-grid security services, said it had verified "significant" and "inherent" security flaws with multiple smart-grid platforms" and found them susceptible to common security vulnerabilities such as protocol tampering, buffer overflows, persistent and non-persistent rootkits, and code propagation.

"These vulnerabilities could result in attacks to the smart-grid platform causing utilities to lose momentary system control of their advanced metering infrastructure smart meter devices to unauthorized third parties," the company said in a release (PDF). "This would expose utility companies to possible fraud, extortion attempts, lawsuits, or widespread system interruption."

More than 2 million smart meters are in use in the U.S. today, and an estimated 73 utilities have ordered 17 million additional smart meters, according to IOActive. The Obama administration's proposed 2010 budget has earmarked $4.5 billion for smart-grid technologies in the electricity infrastructure.

"The plan now would be to put in largely unsecured networks for smart grid," said Lewis of CSIS. "Hopefully they'll fix it."

The worst case scenario is that a person would access and control a smart meter and control other networked smart meters to disrupt the grid, said Ahern of Industrial Defender.

Standards for securing smart-grid technologies are still being finalized, but Ahern thinks that government-led efforts to modernize the grid should focus more on designing security in right at the beginning.

"We've got to take a step back from the hurry-up approach with the smart grid," he said. "There needs to be a balanced approach between investing in (smart grid) deployments and building security deeply into it."

The vulnerability of the critical infrastructure isn't news, so why the Wall Street Journal report, with its unnamed sources, now?

The story is likely linked to turf battles within the federal government over which agency will oversee the cybersecurity policies, and get the funding for it, several of the security experts suggested. For instance, the Department of Homeland Security has been criticized for not doing enough on cybersecurity, while the director of Homeland Security's National Cybersecurity Center resigned recently, accusing the NSA of trying to wrest control.

The Obama administration in December ordered officials to do a 60-day review on the Department of Homeland Security's cybersecurity efforts, and that report is due to be released next week.

Meanwhile, the administration's proposed 2010 budget includes $355 million to support the base operations of the National Cyber Security Division and the efforts of the Comprehensive National Cybersecurity Initiative.

"We're right at the point where they're naming new cybersecurity czars and there's a grab for funding between the Air Force, Navy, NSA, and others that want the cybersecurity budget," said Zatko. "There are a lot of renewed efforts in this particular field, and it's a field that's in a fair amount of disarray."

While experts discuss cybersecurity threats, physical attacks on infrastructure are taking place. AT&T said on Thursday that vandals are to blame for the massive phone and Internet outage in Silicon Valley on Thursday.

(CNET News' Martin LaMonica contributed to this report.)

[czmyt]

Obviously it is vulnerable and has been hacked; otherwise, the US Government would state categorically that it has not been penetrated. To say that it has not been remotely controlled by unauthorized CHINESE and RUSSIAN government agencies is little consolation. Just because they have not pulled the trigger on their hacks does not mean that they cannot do that on a moment's notice. How about we spend some stimulus money monitoring those systems closely AND looking through the code for previous hacks?

[wolivere]

Why do we feal the need to connect everything to the internet? What is wrong with a private network for this? It worked for the past 40+ years.

The easiest way to keep critical systems safe is not connect them to the outside.

Yes it may be easier to work from home, but for critical utilities, its best to have an on call center?

[darwincat1]

After years of warnings it looks like the only way that companies will stop putting critical industrial control systems on the Internet is if 1) Congress makes it illegal, and/or 2) someone gets hacked BAD, to the extent that people are killed and massive lawsuits result. I hate to turn to Big Brother for a solution (especially a tech solution) but it seems like option 1 is better than waiting for option 2...

[Number_of_Euler]

If I correctly interpeted the article, the electrical companies aren't connecting their networks to the internet. They're in trouble for using the TCP/IP protocol on their internal networks, allowing their technicians to dial into the networks by phone, and not securing the routers inside these more or less isolated networks. Except for the unsecured routers, there is nothing wrong with using highly tested and easy to troubleshoot technologies. Security through obscurity is not the answer.

tl;dr
The electrical grid isn't going to get severly compromised any time soon, DON'T PANIC.

[n3td3v]

The threat is being hyped up for a political agenda.

[scottthesculptor]

yep,
spys are everywhere and are trying to switch off your refrigerator!
most of the "insecure access" is only for monitoring.
From the sound of we should use armed guards and top secret couriers to flip a switch.
No network - even the private ones - are absolutley safe.
But they'll take the millions to make it slightly safer.

But I can see why the non-technical masses with all the virii and trojans on their computers would be concerned . . .
Jeez - the military uses the Internet. Let's turn it off.

[Heebee Jeebies]

What I want to know is who is the idiot (not the words I want to use by the way) that thought "well we need to network these all together so lets use the public, insecure, easily hacked internet instead of a private dedicated network with no outside access" Whoever thought this was a good idea should be fired. The internet is great for many things, things like this isn't one of them. What's next the government using the internet to relay commands to our ships, missiles, satellites, etc. Give me a freaking break.

Robert

[wpentland]

The grid is alarmingly vulnerable to even unsophisticated, low-grade attacks. Here is the conclusion reached by a 2008 Defense Task Force Report on the U.S. military's energy security:

?Unfortunately, the current architecture of the grid is vulnerable to even simple attacks. In addition to physical attacks, cyber attacks could take down parts of the grid for extended periods. Grid control systems are continuously probed electronically, and there have been numerous attempted attacks on the Supervisory Control and Data Acquisition (SCADA) systems that operate the grid. None have yet resulted in major problems in the U.S., but the potential exists for major outages. Recently discovered types of cyber attacks illustrate this vulnerability and would impose unique DoD consequences. A long term major power outage would have significant consequences for both DoD and the nation. To begin with, there is the threat to critical DoD missions. A number of installations in the U.S. and OCONUS host missions that are critical in strategic and tactical terms and must function 24/7. The resilience of these missions is wholly dependent on continued power to the buildings and equipment involved.?

The whole report and related declassified military analysis of the grid's security can be found at: http://cleantechlawandbusiness.com/cleanbeta/index.php/3201/us-navy-drops-privatization-plans-for-power-utilities-due-to-grid-security-concerns/

[Jane in KC]

I wonder if we have mapped the grids of antagonistic nations.

[tgrenier]

How about Ethernet over power lines??

[tketcher]

Anybody logging in from home, should be using VPN to connect to the Network, that would eliminate most threats right off the bat. If they are allowing something as insecure as the Internet to access these controls, they have made the Hackers jobs simplicity itself.

[leedix8420]

As scary as this may sound its just the tip of the ice berg... Recent congressional hearings have shown evidence that terrorists are more involved than previously believed in cybercrime. In short, evidence suggests terrorists are actively training new recruits on how to hack into computer systems, perform phishing operations and to move money using stolen credit cards and bank accounts.

In his jailhouse manifesto, Imam Samudra (linked to the Bali terrorist bombing), urged his Muslim radical comrades to declare holy war not on the battlefield, but rather in cyberspace. Imam describes how America's computer infrastructure and networks are vulnerable to hacking, credit card and money laundering. How far the rabbit hole really goes is anyone's guess but the future of terrorism and cyberwarfare is growing exponentially... The ties are apparent... The course of action by governments, corporations and individuals is absolutely necessary... For more information: http://fraudpractice.blogspot.com/2009/04/hacking-why-not.html

[disco-legend-zeke]

even a private network would be killed by a simple cable cut.

no high voltage, etc. no specialized tools, etc.

please read FCC # 09-31

[sam99999999]

Sure hope that Peter "Mudge" Zatko (quoted in the article) isn't designing any reactors. Plutonium rods don't get "lowered into the water to make steam".

[BtmnHatesRbn]

Everytime I see a power plant or something power related on History or Discovery, it's always running Windows, from the looks of it, anything from 3.0 to XP, depending on which plant the show is visiting.

That's not very smart. The Pentagon's top .mil computers are all Mac OS X, Solaris, or whatever the hell SGI used to use. There's a semi-public report that somebody can hunt down on their own showing that since *.mil changed the workstations to OSX, not on single hack or break-in has occurred at that top level. The bottom levels run on Windows, and, as CNET reported just a few months ago, China broke into those.

Also, for anybody thinking I'm lying about the .mil computers being OSX, there's a History Modern Marvels that shows it, with all of the screens changed to normal user account, with the Tiger default wallpaper and the default dock at the bottom.

[seanparker04]

Totally all technology today is prone to cyber attack.

<a href="http://ezinearticles.com/?The-Easiest-and-Cheapest-Way-to-Do-a-Reverse-Cell-Phone-Lookup&id=2045677">Reverse Cell Phone LookUp</a>

[bdennis410]

Ignoring security in favor of profitability,proitability through conservation being the primary motive for smart grid, is not to be ignored.
At the same time, we have a tremendous opportunity to upgrade the physical security of power distribution, AND transportation, AND communications which at the same increasing efficiency enough to pay for the upgrades.
Which upgrades?
We have hundreds of thousands of miles of power-generation-plant-to-sub-station above ground power lines. We also need securiy for communications wiring-fiber optic and hardwire-plus we need mass transit lines for freight and passengers. Those utility rights of way are hundreds of feet wide, run for hundreds, even thousands of miles in relatively straight lines, and are wide enough for five or more 20-25 foot tunnels, with 10 foot separation for all those uses, and more. Those big overhead 100-150 foot towers would move underground and be insulated to mitigate the power loss that now occurs for every mile of above ground transmission, paying for itself by saving plant capacity and extending reach.
Besides all the benefits, we get J-O-B-S.