Another day, another cybersecurity flaw revealed in the IT systems that run the world’s critical infrastructure -- and this time, the Department of Homeland Security is getting involved.
The latest bad smart grid security news is for RuggedCom, the hardened grid and industrial router company bought by Siemens for $381 million last year. DHS said in a Tuesday alert (PDF) that it is investigating a flaw that could be used to decrypt RuggedCom’s data traffic between an end user and the router.
From there, attackers could theoretically launch denial-of-service attacks, or infiltrate and potentially control networks that run power turbines, high-voltage grid gear and industrial plant across the world, according to security expert Justin Clarke, who revealed the exploit Friday at a Los Angeles conference.
"If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you," is how Clarke put it to the BBC. Getting access to RuggedCom’s network is merely the matter of extracting the software "key" used to encrypt traffic, he said.
This isn’t the first alert from the DHS’ Industrial Control Systems Computer Emergency Response Team (ICS-CERT). Last year, the federal agency tagged what turned out to be a SCADA system employee logging on from Russia as a potential foreign attack on an Illinois water utility. ICS-CERT has reported a total of 90 vulnerabilities so far this year, up from 60 in 2011.
But some of the agency’s warnings could have an impact on the grid and other critical infrastructure. In December, ICS-CERT notified the industry of vulnerabilities in remote terminal units (RTUs) built by Schneider Electric’s Telvent, which one security expert told us may have cost utilities dearly in replaced equipment.
It’s all part of the process of bringing utilities up to the cybersecurity required in the new age of smart grid. Simply put, yesterday’s grid technology was built with the assumption that it would stand apart, in locked industrial sites and control centers, unavailable to outside tampering. But connecting that legacy technology to today’s IT world via the smart grid opens it up to all sorts of hacks.
That’s going to unleash a flood of investment in smart grid cybersecurity over the next few years. GTM Research predicts spending on cybersecurity products and services will grow from $120 million in 2011 to $237.6 million in 2015, making it the second largest segment behind distribution automation in terms of utility enterprise IT spending.
Some recent deals in the cybersecurity space include software startup N-Dimension’s $3.85 million Series A round last month, and grid giant ABB’s investment in Industrial Defender, which offers SCADA protection services for big industrial customers. In the meantime, all the big smart grid players -- IBM, Cisco, HP, Microsoft, Accenture, CapGemini, Logica, Lockheed Martin, SAIC, the big meter makers and SCADA vendors, etc. -- are promising state-of-the-art cybersecurity from their new smart grid offerings.
We’re seeing renewed focus on cybersecurity from government and regulators as well. Last month, the National Security Agency reported a 17-fold rise in attempted cyber-attacks between 2009 and 2011. A Senate energy panel heard experts from GAO, FERC and NERC testify to the nation’s vulnerability to cyber-attack in a July hearing, though a bill that would have stiffened security regulations failed to pass later that month.
In the meantime, there’s an ever-expanding list of major vendors that are seeing their SCADA systems being hacked in front of a live audience. Earlier this year, for example, Digital Bond released exploits of Schneider Electric’s programmable logic controller (PLC) units, which translate SCADA messages to commands at end devices.
The firm claims it can do things like rewrite the PLC’s “ladder logic,” which allows it to take control of such fundamental functions as issuing stop and run commands -- the kind of thing that can throw a power turbine or substation into a breakdown. Previous hacks include those of Siemens’ PLCs by Metasploit creator H.D. Moore, of General Electric’s D20 PLCs, of Telvent’s PLCs by independent SCADA security researcher Rubén Santamarta, and of ABB’s ActiveX scripting interfaces and WebWare Server application by Billy Rios and Terry McCorkle, as part of their “100 bugs in 100 days” project.
Even adding a PC-based interface can open the doors to intrusions. Stuxnet -- the malicious code aimed at upsetting Iran’s nuclear development program via sabotaging centrifuge systems -- was introduced to the system via thumb drives left lying around the office, according to reports.
Stuxnet was aimed at Siemens' SCADA systems, and cybersecurity experts contend that the industrial giant hasn’t fixed the underlying vulnerabilities in that system that the virus targeted. Since then, security firm Symantec has reported that a variant known as Duqu has been developed, apparently by the same shadowy group that created Stuxnet, with the aim of gathering information about SCADA systems for espionage or planning future attacks.
In short, the utility sector is entering the wild, wooly world of cyber-warfare and industrial espionage, like it or not. It’s a commonplace in the security industry that only a massive, destructive cyber-attack will wake the powers-that-be into spending the money on security that’s required. Hopefully, we’ll never know. But with vulnerabilities being publicized every week or so, the industry certainly isn’t getting a free pass on the issue anymore.