by Alan S. Brown
As far as we know, no one has ever deliberately
hacked into the U.S. electrical grid and pulled the plug on millions or
even thousands of people. Just as on Sept. 10, 2001, no one had ever deliberately
crashed a jet airliner into a skyscraper.
Is the power grid vulnerable to cyberattack? What about natural gas pipelines,
nuclear plants, and water systems? Or refineries and other industrial
facilities that run on similar Internet-enabled digital control systems?
Could a terrorist or disgruntled employee cause lethal accidents and millions
of dollars of damage? What about a bored 14-year-old?
"Are we vulnerable?" asked Joseph Weiss, executive consultant
for KEMA Consulting, which is based in Fairfax, Va. "Of course,
we are. We designed ourselves that way."
None of the industrial control systems used to monitor and operate the
nation's utilities and factories were designed with security in
mind. Moreover, their very nature makes them difficult to secure. Linking
them to networks and the public Internet only makes them harder to protect.
Wireless Intrusion
Paul Blomgren, manager of sales engineering at cybersecurity
firm Rainbow Mykotronx in Torrance, Calif., measures control
system vulnerabilities. Last year, his company assessed a large southwestern
utility that serves about four million customers.
"Our people drove to a remote substation," he recalled. "Without
leaving their vehicle, they noticed a wireless network antenna. They plugged
in their wireless LAN cards, fired up their notebook computers, and connected
to the system within five minutes because it wasn't using passwords.
"Within 10 minutes, they had mapped every piece of equipment in the
facility," Blomgren said. "Within 15 minutes, they mapped every
piece of equipment in the operational control network. Within 20 minutes,
they were talking to the business network and had pulled off several business
reports. They never even left the vehicle."
Blomgren, of course, is a professional with a professional's tools. But
Eric Byres, research manager at the Internet Engineering Laboratory of
the British Columbia Institute of Technology in Burnaby, maintains that
any hacker could achieve similar results with free software off the
Internet and a can of Pringles.
Wireless systems are especially vulnerable to attack, Byres said. He cited
as an example a petrochemical plant that he just finished assessing. "They
had an overflow pond that wound around the plant site and wanted to put
sensors on it, but they were worried that if they ran fiber, someone might
dig it up," he said. "So they put in a wireless system."
Because the wireless system was part of the plant network, information
technology engineers assumed the firewall would protect it from unauthorized
access. That was not the case. Because they thought they were secure,
they never even turned on the wireless transmitters' security features.
Byres said that many information technology, or IT, professionals don't
even know these options exist.
Eavesdropping
choices: original or spicy Cajun. A quick Web search can turn up hundreds
of sites eager to tell how to turn a snack can into a directional antenna
able to listen in on wireless systems.
Anyone driving by could pick up the wireless traffic. All they need is
a laptop PC, a $60 wireless network card, and a directional antenna, which
can be made from a Pringles can. Don't know how to make the antenna? A
Google Internet search of "Pringles antenna" returns nearly
400 Web sites, many with do-it-yourself instructions, pictures, and even
videos.
Wireless security features are easily defeated. All wireless transmitters
communicate using a single standard, IEEE 802.11b, and it has serious
security flaws, according to Byres. Widely available free software, such
as AirSnort (11,900 hits on Google) and NetStumbler (7,270 hits), give
hackers free tools to crack wireless codes within 15 minutes.
Once they steal the wireless encryption key, they can use a freebie protocol
analyzer like Ethereal (21,000 Google hits) or Sniffit (2,490 hits) to
spy on the network. "They will listen until a maintenance engineer
signs onto a PLC," said Byres, referring to the programmable logic
controllers that control the facility's sensors and actuators.
"Here's where human engineering comes in," Byres said. "No
one likes to have 20 different passwords, so the password for this PLC
is probably the password for the other PLCs and the Windows server as
well. Now they have the password to your secure systems and networks."
A facility may not even realize it is under attack, Byres warned. In Queensland,
Australia, a disgruntled job seeker remotely discharged raw sewage into
local parks and rivers 46 times during March and April 2001 before he
was caught. During most of the spree, everyone assumed the discharges
were caused by valve or control system failures, so no one even bothered
looking for a hacker.
Unlike business networks and the Internet, the industrial control system
world has not developed the tools needed to monitor system intrusions.
It has become a much higher priority since 9/11.
Patching Wireless Leaks
Byres said that potential fixes exist for wireless security leaks. Vendors
have developed software to get around 802.11b's security flaws,
and the Institute of Electrical and Electronics Engineers is currently
revising its standard.
Developers, such as Vernier Networks and Bluesocket, are attempting to
bring conventional network security measures to industrial control systems.
"They work well in an IT environment, but it's been a struggle
to adapt them to control systems," Byres said. "They assume
a device is competent to answer a password and identify itself, but most
PLCs can't answer passwords."
The problem is that programmable logic controllers, digital control systems,
and supervisory control and data acquisition, or SCADA, systems were never
designed with security in mind.
"When companies designed control systems worldwide, there were
always two unwritten assumptions," said Weiss, who served as the
technical lead for control system cybersecurity at the Electric Power
Research Institute in Palo Alto, Calif., before joining KEMA. "Everyone
assumed the system would be isolated, not connected to anything else.
We also assumed that the only people who would use the control system
were people who were supposed to use it. That was a good assumption for
another day."
The sun had already begun to set on that day well in advance of 9/11.
The cause was downsizing. Utilities responding to deregulation and corporations
seeking higher productivity replaced employees with automated control
systems at substations, pipeline switches, and plants.
Today, many utilities monitor scores of facilities and thousands of different
operations over SCADA networks linked to a central control room.
Making It Too Easy
The Internet made it easy. Instead of installing expensive private telecommunications
links, companies let the Internet carry SCADA messages. Weiss said it
is almost impossible today to buy remote terminal units (RTUs, which coordinate
a facility's automated field devices), or control systems that
are not Web- or network-enabled. Even some field devices, such as pumps,
valves, and breakers, have their own plug-in connections.
With manpower scarce, vendors often run remote diagnostics or upload software
updates over phone lines. Weiss recalled a vulnerability audit of a supposedly
secure nuclear power plant that turned up several unregistered modems.
Hackers find modems by dialing phone numbers sequentially until one responds.
If they break through to a device on the network, they can map the system
and eavesdrop for passwords. Even a facility with good network security
is compromised by this backdoor.
To resist this type of attack, some facilities use a dial-back modem,
which responds to a password by dialing a confidential phone number for
confirmation. Yet hackers have found a way around this, too, Blomgren
said. Once they find a modem, they keep redialing and entering words until
they find the password.
Once they have it, they redial, enter the password, and program their
modem to issue a hangup tone without really hanging up. The modem dials
back with no effect. It is on the hacker's line all the time.
The obvious solution is to add security to SCADA and other control systems.
Weiss thought the same thing when he first started grappling with the
problem during the period that he worked at EPRI.
"Our initial thought was that security technology exists, but we
don't have it in our control systems right now because utilities
haven't been willing to pay for it," he said. "If
we could get the IT security people to talk with control people, how big
a deal could it be? We thought it would be a six-month program at most."
Two Operating Systems
Weiss found that industrial control systems consist of two operating systems.
The first uses Windows or Unix for the operator console. It provides role-based
security, determined by an employee's position. A plant manager and a
unit operator, for example, would have access to different information.
Despite occasional hacks and viruses, this system is relatively secure.
The second operating system is the actual control processor, which receives
and sorts data, responds to commands, and the like. The controllers on
this system were originally designed to operate in isolation and usually
have rudimentary password control.
Control systems differ from conventional networks in some important ways.
A typical PC or network will run a calculation until it is finished. A
real-time control system prioritizes its operations, Weiss said. Each
task, from data reception to processing and device actuation, is time-sensitive.
But it will also stop what it is doing if something with a higher priority
appears.
Because field devices used by utility and business control systems are
designed to do specific tasks, they use inexpensive microprocessors.
Some electrical industry devices in use contain the Intel 8088 processor,
introduced in 1978.
Only the 486, dating from 1989, and later processors can run encrypted
authentication schemes without unacceptable delays, Weiss said.
Jeff Dagle, a staff electrical engineer at the Department of Energy's
Pacific Northwest National Laboratory in Richland, Wash., exploits the
weaknesses of a SCADA network testbed he built to study the vulnerability
of the electrical grid.
"We bought off-the-shelf protocol analyzer software that technicians
use to troubleshoot control system communications," Dagle said. "We
intercepted control messages from the communications site, took control
of a network, and injected our own false commands."
In a demonstration at a recent security conference, he hacked into his
testbed system and tripped an electrical breaker. The breaker then signaled
the SCADA software that it had opened. But the SCADA controller did not
respond because it had not instructed the breaker to open. It was a classic
denial-of-service attack. "We were demonstrating a weakness at the
protocol level itself," said Dagle.
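The unsolicited breaker trip Dagle describes is exactly the kind of event a monitor on the control network can catch: a status report arrives without a matching command from the master. The Go program below is an added illustration of that correlation check, not code from Dagle's testbed or from PNNL; its message format, point names and sample traffic are constructed stand-ins for a real SCADA protocol.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of what a passive monitor on the SCADA channel sees:
// commands flowing from the master to the field and status reports coming
// back. The format is hypothetical, not any real protocol:
//   "CMD <point> <OPEN|CLOSE>"     a command the master issued
//   "STATUS <point> <OPEN|CLOSED>"  a status report from the field device
var sampleTraffic = []string{
	"CMD BRK-101 OPEN",
	"STATUS BRK-101 OPEN",   // matches the command above
	"STATUS BRK-102 OPEN",   // unsolicited: the master never commanded it
	"CMD BRK-103 CLOSE",
	"STATUS BRK-103 CLOSED", // matches
	"STATUS BRK-101 CLOSED", // unsolicited: the master never closed it
}

// Alert records a state change that no outstanding command explains.
type Alert struct {
	Point string
	State string
}

// expectedState maps a command verb to the status the field should report.
func expectedState(cmd string) string {
	if cmd == "OPEN" {
		return "OPEN"
	}
	return "CLOSED"
}

// DetectUnsolicited replays the channel in order and flags every status
// change that was not preceded by a matching, still-outstanding command.
func DetectUnsolicited(lines []string) []Alert {
	pending := map[string]string{}   // point -> state the master asked for
	lastState := map[string]string{} // point -> last reported state
	var alerts []Alert
	for _, raw := range lines {
		f := strings.Fields(raw)
		if len(f) != 3 {
			continue // malformed line, ignore
		}
		kind, point, arg := f[0], f[1], f[2]
		switch kind {
		case "CMD":
			pending[point] = expectedState(arg)
		case "STATUS":
			if lastState[point] == arg {
				continue // repeated report, no change to correlate
			}
			if want, ok := pending[point]; ok && want == arg {
				delete(pending, point) // change explained by a command
			} else {
				alerts = append(alerts, Alert{Point: point, State: arg})
			}
			lastState[point] = arg
		}
	}
	return alerts
}

func main() {
	for _, a := range DetectUnsolicited(sampleTraffic) {
		fmt.Printf("ALERT: %s reported %s with no matching command\n", a.Point, a.State)
	}
}
```

The monitor is passive: it never talks to the field, so it adds nothing to the control path, and it only needs a tap on the channel and a clock. In a real deployment the pending command would also carry a deadline, so that a status change arriving long after the command would be treated as unexplained rather than matched.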
Yet, Dagle and other control system experts see immediate steps that can
make systems more secure.
"Some utilities take security very seriously," Dagle said. "They
have better awareness, better password policies, secure modems, rigorous
network security, and well-trained people with the authority to make decisions.
They have practiced response and recovery procedures in drills and planning
exercises, so if there is an event, they know what procedures kick in."
Rethinking IT
Yet standard IT policies by themselves are not enough, according to Byres.
They must take into account the unique nature of the operating environment.
"There is a reason better passwords are not installed in most plants,"
he said. "IT policy is simply not appropriate for the world operations
people live in.
"Standard IT policy is to lock down a console after someone makes
three bad password attempts," he added. "That's great on your
desktop. But what if someone made the mistakes because he's panicking
that a recovery boiler is going through the roof?
"In IT, data integrity and asset protection are number one. In the
industrial world, plant safety is primary. Our whole starting point is
different and that impacts everything from audits to passwords. We need
to take what IT has given us and modify it to work for us."
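As an added example, not from Byres or the article, here is a small Go model of the policy split he describes: the same three-failure threshold locks a back-office desktop, but on an operator console it only escalates, so an operator who finally types the right password still gets in while the run of failures is raised for review. The role names, the threshold and the sample password are assumptions.

```go
package main

import "fmt"

// Role selects the policy: a back-office desktop gets the conventional IT
// lockout, an operator console never locks but escalates to a supervisor.
type Role int

const (
	Desktop Role = iota
	OperatorConsole
)

// lockoutThreshold is the three-bad-attempts rule from standard IT policy.
const lockoutThreshold = 3

// Account is a constructed stand-in; a real system stores a password hash.
type Account struct {
	Role     Role
	Password string
	failures int
	locked   bool
}

// Outcome says whether the attempt succeeded and what, if anything, should
// be raised to security or the shift supervisor.
type Outcome struct {
	Allowed bool
	Alert   string
}

// Attempt applies the role-specific policy to one login attempt.
func (a *Account) Attempt(pw string) Outcome {
	if a.locked {
		return Outcome{false, "account locked; help desk reset required"}
	}
	if pw != a.Password {
		a.failures++
		if a.failures >= lockoutThreshold {
			if a.Role == Desktop {
				a.locked = true
				return Outcome{false, "locked after repeated failures"}
			}
			return Outcome{false, fmt.Sprintf("operator console: %d failures, notify shift supervisor", a.failures)}
		}
		return Outcome{false, ""}
	}
	// Correct password. The console admits the operator even after a run of
	// bad attempts, but the session is flagged so someone reviews it.
	alert := ""
	if a.Role == OperatorConsole && a.failures >= lockoutThreshold {
		alert = "login succeeded after repeated failures; review session"
	}
	a.failures = 0
	return Outcome{true, alert}
}

// PanickedOperator replays the scenario in the text on each kind of account:
// four mistyped passwords followed by the right one.
func PanickedOperator(role Role) Outcome {
	acct := &Account{Role: role, Password: "correct-horse"}
	var last Outcome
	for _, pw := range []string{"corect", "corrct", "corret", "corect-horse", "correct-horse"} {
		last = acct.Attempt(pw)
	}
	return last
}

func main() {
	fmt.Printf("desktop: %+v\n", PanickedOperator(Desktop))
	fmt.Printf("console: %+v\n", PanickedOperator(OperatorConsole))
}
```

The point of the split is that availability of the console is itself a safety control: denying the operator during an upset can cost more than an intruder's extra guesses, so the console trades lockout for alerting and an audit trail, while the desktop keeps the lockout because nothing physical depends on it.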
The industry has begun to develop procedures that users can apply to control
systems now. In addition, several industry standards organizations, including
the Institute of Electrical and Electronics Engineers, Instrumentation
Society of America, and International Electrotechnical Commission, have
established committees to address control system security concerns.
The other near-term initiative involves better use of encryption. William
F. Rush, Jr., an assistant physicist at the Gas Technology Institute in
Des Plaines, Ill., has been working on SCADA encryption techniques since
1985. The original goal was to keep energy traders from gaining inside
information or influencing a company's operations.
After years of slowly working its way through committee, Rush's project
jumped to the fast track on 9/11. He expects to publish the new standard
by February. It will set encryption standards for current SCADA communications
systems.
The standard's focus is deliberate. Utilities have an enormous installed
SCADA base with a lifespan of 10 to 15 years. "If the standard only
protected new equipment, it would take 15 years to fully deploy it,"
Rush said. "We want to be able to put this in now."
The emphasis on communications closes SCADA's most visible security flaw,
its vulnerability to an attack from a remote location over the Internet.
The standard calls for placing a dedicated encryption device between the
SCADA remote terminal unit and the modem that links it to the Internet.
It would not only scramble the data, but do it in a way that authenticates
the sender as a trusted source. "We assume an assailant can get on
the line, but all they would hear is encrypted information," Rush
said.
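The device Rush describes sits between the RTU and the modem and has to do two things at once: scramble each frame and prove who sent it. The Go program below is an added illustration of that bump-in-the-wire idea using AES in GCM mode, which provides both confidentiality and sender authentication in one operation; it is not the GTI standard's construction or Rainbow Mykotronx's product, and the shared key, the frame contents and the sequence-number framing are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed 128-bit key shared by the two link devices. A real deployment
// provisions a distinct key per link; this fixed value only makes the
// example reproducible.
var linkKey = []byte("0123456789abcdef")

// Sender is the device on the RTU side; Receiver the one on the master side.
type Sender struct {
	aead cipher.AEAD
	seq  uint64
}

type Receiver struct {
	aead    cipher.AEAD
	lastSeq uint64
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewSender(key []byte) (*Sender, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Sender{aead: a}, nil
}

func NewReceiver(key []byte) (*Receiver, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{aead: a}, nil
}

// Wrap produces: 8-byte sequence number || GCM ciphertext || 16-byte tag.
// The nonce is derived from the sequence number, so it never repeats under
// one key as long as the counter is never reused; the sequence number is
// also bound in as additional data, so it cannot be altered on the wire.
func (s *Sender) Wrap(frame []byte) []byte {
	s.seq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, s.seq)
	nonce := make([]byte, s.aead.NonceSize()) // 12 bytes for GCM
	copy(nonce[len(nonce)-8:], hdr)
	return append(hdr, s.aead.Seal(nil, nonce, frame, hdr)...)
}

// Unwrap rejects replays (old sequence numbers) and anything whose tag does
// not verify, which covers altered frames and frames from an unknown key.
func (r *Receiver) Unwrap(pkt []byte) ([]byte, error) {
	if len(pkt) < 8 {
		return nil, errors.New("short packet")
	}
	hdr := pkt[:8]
	seq := binary.BigEndian.Uint64(hdr)
	if seq <= r.lastSeq {
		return nil, errors.New("replayed or out-of-order frame")
	}
	nonce := make([]byte, r.aead.NonceSize())
	copy(nonce[len(nonce)-8:], hdr)
	frame, err := r.aead.Open(nil, nonce, pkt[8:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: frame altered or wrong key")
	}
	r.lastSeq = seq // advance only after the frame is proven genuine
	return frame, nil
}

func main() {
	s, _ := NewSender(linkKey)
	r, _ := NewReceiver(linkKey)
	pkt := s.Wrap([]byte("TRIP BRK-101")) // constructed RTU frame
	frame, err := r.Unwrap(pkt)
	fmt.Printf("genuine frame: %q err=%v\n", frame, err)
	_, err = r.Unwrap(pkt)
	fmt.Println("replayed frame:", err)
	pkt[len(pkt)-1] ^= 0x01 // flip one bit on the wire
	_, err = r.Unwrap(pkt)
	fmt.Println("altered frame:", err)
}
```

Two practical points follow from the design. The counter that drives the nonce must survive a device reboot (stored in non-volatile memory or re-keyed on restart), because reusing a nonce under the same key breaks GCM. And the protection is only as good as the key: anyone inside the organization who holds the link key can read and forge frames, which is the limit the "Going Forward" section below describes.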
Rainbow Mykotronx is one of a handful of companies that will introduce
a SCADA encryption device when the standard is approved. It is based on
the Advanced Encryption System, an algorithm designed for speed as well
as security. Blomgren estimates that the unit will add $50 to the cost
of a field device.
"Before doing this, we asked utilities what would protect them the
most," Blomgren said. "Electrical, gas, and water utilities
all felt the best thing we can do was encrypt data on both ends to keep
eavesdroppers out."
Going Forward
Encryption may prevent a remote attack on data, but also may leave utilities
vulnerable to attacks over corporate networks that are often linked to
facilities. Someone on the inside may be able to unscramble encrypted
data.
Similarly, drive-by hackers will still be able to take advantage of security
flaws in a wireless system to sneak into a plant network behind any encryption
device.
Nor will encryption foil hacking by disgruntled employees. Byres said
the Federal Bureau of Investigation and his own data show that 70 percent
of hacks come from insiders. Without a way to detect unauthorized access
to a plant control system, most companies will be hard-pressed to identify
a security incident before it results in major damage.
According to Weiss, over the long term, industry must develop new technologies
or new control systems designed to be both secure and efficient. "Security
is a very resource-intensive thing to do," he said. "Industry
wants open, interoperable systems that can prioritize functions. They
want to be able to configure them in the field. How do you do all those
things and still be secure?"
Byres goes one step further. True security will involve rethinking some
of the basic premises of IT architecture. "Security in conventional
IT systems revolves around protecting critical core servers," he
said, referring to the computers that manage network and Internet operations.
"If your workstation gets hacked into, that's annoying.
But if a main server is attacked, that's a big deal.
"Now think about the typical plant floor," he said. "The
PLCs that control operations are the critical things. The supervisory
system is less important. Trying to apply an IT architecture that protects
the core is not the right solution. We need a different architecture."
It will take time, but 9/11 has placed these issues on the front burner.
For 20 years, the industry has relied on what Blomgren calls "security
through obscurity." The industry assumed nobody knew how its control
system worked, even though SCADA and other control systems use the same
hardware, software, documentation, and training worldwide.
The same SCADA systems that are used to manage the U.S. power grid also
control the grids in Iraq, Saudi Arabia, Indonesia, and Iran. So it should
come as no surprise that SCADA documents turned up in al Qaeda safe houses
in Afghanistan.
Stronger IT policies and encryption are good first steps. But the U.S.
power grid, and all the nation's utility and industrial infrastructure, remain
vulnerable to cyberattack from terrorists and angry employees. And bored
14-year-olds with a laptop, wireless card, and a can of Pringles.
Alan Brown, a frequent contributor to Mechanical
Engineering, is a technical writer based in Dayton, N.J.
© 2002 by The American Society of Mechanical Engineers