We’ve been reporting for years how linking the internet to grid communications and control technology could open the country’s utilities to cyber attack. On Friday came reports of what may be the first such hack to cause physical damage to the country’s electric, water or gas infrastructure -- a burned-out water pump at a small utility in Illinois.
That’s not such a big deal in terms of damage caused. But if the report is true, it indicates that nefarious actors may have strung together several key stages of security vulnerabilities to infiltrate, then take control of, a piece of automated utility infrastructure -- and that could be a very big deal indeed.
Here’s the story. Earlier this month, workers at a small utility in central Illinois found a problem with the SCADA industrial controls that manage their water system, including a damaged water pump. An investigation by an IT services company found that the SCADA system had been hacked into by a computer in Russia, according to Joe Weiss, managing partner of cybersecurity firm Applied Control Solutions in Cupertino, Calif.
Weiss, who cited a report he said came from the Illinois Statewide Terrorism and Intelligence Center (ISTIC), said that unknown hackers had taken over control of the SCADA system and turned the pump on and off until it burned out. The hackers had apparently stolen entry credentials from a company that makes software to access the SCADA system -- and Weiss said the same hackers could be planning future attacks using the same means and methods.
The U.S. Department of Homeland Security has told multiple news agencies reporting on this matter that it has no evidence that indicates there is a risk to utilities or public safety. Still, DHS and the FBI are investigating the matter.
Breaking Down the Risks
We need to wait for more facts to emerge on this murky matter. But there’s no getting around the fact that security is a major challenge for utilities that are seeking to secure legacy control systems that are being hooked up to the internet for the first time. Let’s break down the alleged SCADA hack in Illinois, and see how it could have happened, taking as examples some of the cybersecurity problems that have been identified for utilities over the past few years.
First, where could potential attackers have found the credentials they needed to access a utility SCADA system? One significant possibility is that the hackers took advantage of poor human management of security by fooling employees into turning over critical passwords or other credential information that they could exploit. That kind of “social engineering” is still a key concern for utility security, and requires employee training as much as software expertise to prevent.
Human failures can also open newly networked utility systems to remote attacks. Tom Parker, vice president at computer security firm FusionX, showed at a Black Hat conference in August how he could use simple code and Google searches to theoretically take control of a water treatment facility’s remote terminal units (RTUs), particularly when the RTUs are protected by the password “1234” -- the easiest password to guess besides the word “password” itself.
Even if SCADA system operators aren’t using idiotic passwords and are taking proper measures to protect their security credentials, there are harder-to-prevent ways to pull access and security data out of them. One scary possibility is that the hackers had accessed the utility’s SCADA system for months beforehand, and are currently worming their way into others, using more sophisticated cyber-intrusion tools.
Worming Into SCADA Systems?
Take Duqu and Stuxnet -- two words that are probably meaningless to most people, but which strike fear into SCADA system operators around the world. First came Stuxnet, a virus that is believed to have been targeting Iran’s nuclear materials program by infecting Windows computers and thence infiltrating SCADA systems built by Siemens, all with the goal of causing malfunctions in uranium enrichment centrifuge equipment.
It was just about a year ago that cybersecurity experts first discovered Stuxnet, but it’s believed that the virus may have been introduced years beforehand -- meaning that SCADA systems around the world may be carrying a version of it right now. While the hope is that the virus was targeting only Iranian centrifuges, the idea that similar viruses could use the same techniques to do more damage remains high on the list of concerns for smart grid cybersecurity experts.
More recently, those concerns have refocused on a computer virus known as Duqu. Whether or not it’s related to Stuxnet remains a point of contention, but it appears to operate in a similar way, by exploiting a vulnerability in Windows to lodge itself inside servers and collect data passing through them, which could allow for espionage or gathering security data for further exploitation.
The Duqu virus has been shifting around the world, from India to Europe, Africa and Indonesia (and reportedly back to Iran), as security experts seek to track it down and eliminate it. While no exploitation has been found in the utility industry as of yet, its ability to infect Windows machines should give it access to almost any industry out there.
Using Controls to Wreak Havoc
Unfortunately, once hackers have gotten access to a SCADA system, there are plenty of actions they can take to damage the system they’ve hijacked. Back in 2007, reports emerged of a DHS experiment that showed how the control system of gas-fired generator at the Department of Energy’s Idaho National Lab could be hacked in a way that destroyed the generator, using a mock-up of a typical power plant’s control system.
The U.S. utility industry has had four years since that demonstration to try to fix any similar vulnerabilities in their power plant controls systems, but it’s unclear if they’ve made much progress. The North American Electricity Reliability Council (NERC), an industry group in charge of setting critical infrastructure protection (CIP) guidelines for U.S. and Canadian utilities, has just this year begun auditing utilities on the compliance they’ve been self-reporting over the past few years.
NERC recently held a grid security exercise for utilities seeking to comply with its “critical infrastructure protection” program, which might provide some examples of the security precautions that are being tackled.
While outside attacks are the subject of much of our recent worries, it was an inside job that gave the world a sense of just how much havoc a SCADA system takeover could wreak. In 2000, a disgruntled former employee of a Queensland, Australia water treatment plant decided to remotely access the system and release millions of gallons of sewage into nearby streams and parks. Though he served two years in jail for the act, that didn’t stop it from happening.
To guard against these kinds of attacks, experts recommend multiple layers of security to detect and prevent such unusual and knowingly self-destructive commands. Preventing intrusion is the first line of defense, but stopping an attack in progress will be equally important. After all, the IT industry’s experience with hackers has shown that it’s almost impossible to anticipate all the clever ways hackers are working on their next exploits.
There’s little doubt that U.S. national security officials are worried about the potential threats that could come from connecting SCADA systems to the internet. Will utilities decide to cope with the threat by unplugging those systems, thus essentially turning back the clock on the smart grid? Or will they be able to manage the new security challenges that come along with the benefits of networking and integrating the grid? Looks like we’ll be talking a lot more about these subjects, thanks to a broken-down water pump in Illinois.