Tuesday, October 03, 2006

Infrastructure vulnerable to hacker attacks


ajc.com: In June 1982, in a remote patch of Russian wilderness, a huge explosion ripped apart a trans-Siberian pipeline.
It wasn't a bomb that destroyed the natural gas pipeline and sent shock waves through the economy of what was then the Soviet Union. Instead, it was a software virus created by the CIA, according to a book by Thomas Reed, a former U.S. Air Force secretary and National Security Council member.
The virus took over the computers controlling valves and pumps, increasing the pressure until the pipeline was ripped apart by a blast equal to 3,000 tons of TNT.
The secret attack was one of the first known hacker strikes on a Supervisory Control and Data Acquisition, or SCADA, network. Computer security experts say it won't be the last.
Across America and around the world, SCADA networks control nuclear power stations, water and gas lines, chemical plants and other critical infrastructure. Many of them could be just as vulnerable today to attacks from computer hackers — or terrorists — as the Soviet system was nearly 25 years ago.
Or even more vulnerable. That's because in today's Internet age, machines and computers are increasingly connected haphazardly to the Web, whether their owners realize it or not. In addition, there has been rapid growth in easy-to-access wireless networks and the use of off-the-shelf software from Microsoft Corp. and others.
Hence the fear that five years after the Sept. 11 attacks, SCADA networks could become "the new airplanes," said Alan Paller, director of research for the SANS Institute, a computer security research and training group.
Air of complacency
We all depend on SCADA networks, whether we know it or not.
SCADA computers monitor and control the flow of electricity across the nation's power grids. They turn pump switches on and off to make oil and gas and water pipelines flow. They make sure robots and mixing machines and other factory equipment do what they are supposed to do.
Although the networks are so critical, SCADA security is often an afterthought for corporate cyber-security departments. That's because — so far — SCADA networks haven't attracted computer hackers like financially oriented e-mail and online billing systems and corporate Web sites.
"It's kind of like, 'out of sight, out of mind,' " said Brian Davison, manager of operations engineering for Austin Energy, a municipal electric company in Texas.
Austin Energy is considered on the forefront of SCADA security. At many utilities, though, "management has been away from the table," he said. "They say they haven't seen anything major yet, so it can't be too bad. But if somebody wanted to do harm to our industry, they could do it."
Government regulators are just beginning to pay more attention to SCADA security.
Only recently, for instance, did the North American Electric Reliability Council start working on mandatory rules requiring the electricity industry to audit and monitor its SCADA networks and take steps that would be basic for any PC user, like installing software patches in a timely fashion.
Even so, power companies won't have to meet the new rules for several years. Many in the industry already acknowledge the new rules are so vague and open to interpretation that they'll be ineffective.
The power industry is considered further along in SCADA security than other critical industries. Government regulators are at least developing mandatory SCADA-specific regulations there.
"I don't think that the sky is necessarily falling ... and that the entire United States could be shut down tomorrow," said Eric Byres, a longtime SCADA researcher who's now director of industry security at consulting firm Wurldtech Research.
"But I think we've got ourselves in a real fix," he said. "We're walking on a tightrope."
In January 2003, the power industry got a wake-up call.
An event in Ohio "illustrated how accessible and vulnerable SCADA systems are at nuclear power plants," the SANS Institute's Paller told a House subcommittee last fall.
He testified that a computer worm circulating on the Internet had infected Microsoft database software used by a contractor at the Davis-Besse nuclear plant near Toledo, Ohio.
Bypassed firewall
Even though the plant's operator, FirstEnergy Corp., had protected the plant with a software firewall, the worm used the contractor's network to bypass it.
"Because of Davis-Besse's widespread use of vulnerable Microsoft software, the worm jumped to the plant network and crashed the Safety Parameter Display System, keeping it offline for eight hours," Paller testified.
Another incident, though not hacker-related, shows the potential impact of SCADA computer problems.
In August 2003, computer glitches in Ohio caused inaccurate readings along FirstEnergy's power lines. Cascading effects among Northeastern utilities dealing with the summer heat prompted the shutdown of more than 500 generating units in the United States and Canada.
The blackout cut power to an estimated 50 million people, shut down transportation and communication networks, and caused an estimated $6 billion in economic damage.
"The longer we wait, it's inevitable [that] somebody decides to turn off a major U.S. city," said Rob Ciampa, vice president of marketing and business strategy for Atlanta-based computer security company Trusted Network Technologies Inc.
Utility industry officials sometimes accuse consultants like Ciampa of scare tactics. Companies like his, after all, make a living selling software fixes.
But the danger is real.
According to government officials, the U.S. military in 2001 found evidence in Afghanistan that al-Qaida terrorists were researching SCADA systems and cyber-terrorism.
Paller and other computer security experts say the risk is relatively small that terrorists will attack a SCADA network, because the effects would not be as destructive as those from a car bomb or airplane hijacking.
"Can they hack any system? The answer is yes," said Pete Allor, a former U.S. Army security officer who now is director of intelligence at Atlanta-based Internet Security Systems Inc. "The problem is making spectacular results."
The bigger threat, Allor and others said, is from hackers trying to extort money from a company or from disgruntled employees trying to cause trouble.
Incident in Australia
That was the case in Australia in April 2000. Vitek Boden, a former contractor, took control of the SCADA system controlling the sewage and water treatment system at Queensland's Maroochy Shire. Using a wireless connection and a stolen computer, Boden released millions of gallons of raw sewage and sludge into creeks, parks and a nearby hotel. He later went to jail for two years.
Not surprisingly, U.S. companies are hesitant to talk about the security of their SCADA networks for fear they may give clues to hackers. But security consultants say problems with them are widespread.
Allor's company, for instance, regularly does audits of SCADA systems at major installations such as power plants, oil refineries and water treatment systems.
Almost invariably, Allor said, the companies claim their SCADA systems are secure and not connected to the Internet. And almost invariably, he said, ISS consultants find a wireless connection that company officials didn't know about or other open doors for hackers.
Realizing the growing threat, the federal government two years ago directed its Idaho National Laboratory to focus on SCADA security. The lab created the nation's first "test bed" for SCADA networks and began offering voluntary audits for companies.
Officials at the Idaho lab declined to reveal details about the audits, citing security concerns. But Rita Wells, who manages the program, called the companies' approaches to SCADA security "a mixed bag."
"We've gone into some entities and we've seen things so tight that we were awestruck," she said. "But we've also gone into other places where they were wide open."
As the former head of information security for Columbus, Ohio-based American Electric Power, Mike Assante has firsthand experience with SCADA security.
While he was at AEP, Assante said he never experienced an attack on his company's SCADA network. But that doesn't mean hackers weren't interested.
Almost daily, Assante said, the company noticed mysterious outside scans and probes of its computers. Often, he said, they could be traced to computers in Russia and China, two international hacker hotbeds.
"It was so [frequent] that I never really slept very well," said Assante, who now helps direct SCADA strategy at the Idaho National Laboratory.
The electricity industry's computers are considered among the most vulnerable of any SCADA networks. In part, that's because many electric grids operate on equipment that is decades old, pieced together from municipality to municipality and state to state.
Generally, the power grids were designed with reliability in mind. Cyber-security was an afterthought at best.
"With the technology in use today, totally avoiding touches with the outside world or with the wireless world is very difficult," said Billy Ball, senior vice president for transmission planning and operations for Southern Co., the giant Atlanta-based electricity company. At Southern, between 50 and 70 employees now work solely on SCADA security and implementing the forthcoming federal regulations.
135 incidents in 4 1/2 years
In a survey of utility industry officials last year by Trusted Network Technologies, about 20 percent of respondents said their SCADA systems had already been subjected to outside threats. About 30 percent said they expected a utility SCADA network would be attacked soon.
A more comprehensive study, managed by the British Columbia Institute of Technology, shows that major companies in the United States and four other nations have recorded about 135 SCADA security incidents over the past 4 1/2 years.
Byres of Wurldtech Research said the numbers could soon rise.
"We're seeing an interest in the black hat [hacker] community that we never, ever saw before," he said. "All of the sudden we have people with malicious intent learning and understanding what a SCADA system is."
