What local governments can do to lessen the vulnerability of public utilities and other systems managed by Supervisory Control and Data Acquisition (SCADA).
Vehicles speed toward a railroad crossing as a train approaches. But the warning lights stay off and the gates remain open. Traffic signals blink out at numerous busy intersections, snarling traffic for miles. Pressure in a residential gas line spikes but sensors fail to warn the utility. A nuclear power plant overheats but the safety systems indicate things are normal.
Such systems — termed Supervisory Control and Data Acquisition (SCADA) — run unnoticed when functioning properly, but a malfunction can mean catastrophe. And now, added to the normal vulnerabilities in any mechanical or electrical system, are some new threats. These systems are now targets of cyberattacks from individual hackers, groups with some social or political agenda — even nations intent on creating havoc.
The threat is not science fiction. In an experiment caught on video and released on the Internet, an electrical power generator is hacked and damaged remotely. According to CNN, the experiment, dubbed “Aurora,” was conducted in 2007 by the U.S. Department of Energy. “DHS acknowledged the experiment involved controlled hacking into a replica of a power plant's control system,” said a CNN article. “Sources familiar with the test said researchers changed the operating cycle of the generator, sending it out of control.”
For more than 10 years hackers have managed to disrupt, damage or stop the operation of critical infrastructure. A report from the Black Hat information security conference outlines some of the better-known incidents. In 2000, hackers gained control of Russia’s Gazprom natural gas pipeline network, and in 2003, a worm attack shut down an Ohio nuclear power plant safety system. And computers seized in Al-Qaeda training camps had data on SCADA systems for dams and other infrastructure.
According to one industry paper, less well-known but more insidious attacks have been occurring for at least five years. Perhaps the most sophisticated attack of all was a Stuxnet worm attack on Iran’s uranium enrichment program, blamed by some on the U.S. and Israel.
In September, the Department of Homeland Security released a bulletin warning of threatened attacks on infrastructure by so-called “hacktivists.”
So what can utilities and local governments do to reduce vulnerability? One common-sense approach is to avoid exposing these systems to the Internet. A tutorial by DPS Telecom says: “For security reasons, SCADA data should be kept on closed LAN/WANs without exposing sensitive data to the open Internet.”
But removing SCADA networks from the Internet might prove expensive. “Using the Internet,” reads another industry report on the subject, “makes it simple to use standard Web browsers for data presentation, thus eliminating the need for proprietary host software. It also eliminates the cost and complexity of long-distance communications.”
As systems become more complex, intelligent and networked, some security problems may be solved while others are created. Larry Karisny, a frequent contributor to Digital Communities on the subject of the smart grid, answered some questions about this arcane but essential subject.
Digital Communities: How does one differentiate between all the different types of industrial control systems?
Karisny: The capabilities between these systems are beginning to blur in functionality as the technical limits that drove the designs of these various systems are no longer as much of an issue. From legacy telephony connections to small embedded controls attached to an industrial computer via a network, we are entering a whole new world in critical infrastructure system design. When you start interconnecting these system design functions you start detecting existing security problems or need to find new ways to secure these needed power-grid upgrades.
Historically weren’t SCADA systems closed and very hard to penetrate? For example, to disrupt the electrical supply in the past, someone would have to attack the physical components?
One of the biggest fears of power grid attacks is physical. When reviewing the components of the power grid, there were potential single-operator catastrophic physical vulnerabilities found in facilities. With a single lock on a door and no way of viewing the operator, video cameras are now put in power grid locations — understanding that even physical components and human intervention can add to security vulnerabilities. Some of the most catastrophic power generation failures were caused by a combination of equipment failure and operator error and/or human error. Adding intelligence to SCADA systems can actually offer instantaneous information that could detect and detour catastrophic energy production errors. Keeping the power grid dumb is really not an option in securing today’s power grid.
Some say, “For security reasons, SCADA data should be kept on closed LAN/WANs without exposing sensitive data to the open Internet.” Is that principle being violated? If so, why?
I recently participated in a webinar Duqu, the Precursor to the Next Stuxnet hosted by Security Week with Kevin Haley, director, of Symantec Security Technology and Response. Interestingly some SCADA system breaches in Europe were stand-alone closed systems. With investigations still in process, even these seemingly closed systems were breached without access from outside networks.
As for open Internet connecting to sensitive data, the answer is not just “Don't put Internet access in” — but also keep it out. I was in an SRI International research extension and showed the research facility director 10 SSID’s capable of campus wireless Internet access, including an unsecured connection from the coffee shop down the street. Add this to your closed LAN/WAN port access with some SCADA OS [operating system] software offering backdoor vulnerabilities, and what you consider a closed system may not be closed at all.
Some regions are rolling out smart-grid projects which provide feedback to households so customers can adjust energy use, get better rates at off-peak hours, and even generate their own power and feed it into the grid to “run the meter backward.” Won't all these additional network access points increase the vulnerability of the grid to hackers?
The main business case for adding intelligence to the power grid (smart grid) was based on collecting electrical demand-side usage information. By knowing peak and off-peak electrical usage (combined with rewarding or penalizing end-user habits) peak power production capital overbuilds and production operational costs could be greatly reduced. Some estimates showed that power production could be reduced by as much as 30 percent, sometimes completely eliminating the need of building a new power plant to the grid.
In addition, if new alternative energy resources were to be added to the power grid there needs to be measured intelligence capabilities to credit the addition of these new energy sources. Without adding intelligence to the electrical demand-side network edge, these demand-side benefits in our current power grids could not be achieved.
As millions of smart grid edge devices (smart meters) were deployed, security concerns became an issue. These security concerns are nothing new to power companies. Legacy electromechanical meters have been run backward for years and are one of the main reasons (preventing electrical theft) China and India are upgrading to smart meters. We need to add network edge intelligence to our power grids while securing the collection of information from the device chip set to the local power-grid data collector. Connecting millions of these smart meters with end-to-end security needs to be done and can be. Smart grid networks should be designed to limit potential network demand-side breaches while isolating internal SCADA systems and networks from demand-side systems and networks.
What can local governments do to lower the vulnerability of critical city and county utilities and other SCADA-managed systems?
Power companies are not the only entities needing to upgrade security for their SCADA systems. SCADA is used in many critical infrastructure systems including manufacturing, production, power generation, fabrication, refining, water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, public safety, civil defense, large communication systems, buildings, transportation systems, airports, ships and even space stations. As these systems begin to connect to other control systems they all need one thing in common: a private local wireless and secure IP network.
With tight city and county budgets, building a private IP network for most cities and counties is out of the question. Collaboration with multiple government agencies and private-sector communication entities needs to occur if they are to accomplish the building of this secure network supporting critical infrastructure systems and applications. Building a network for the smart grid offers a big opportunity here. The power company could be the seed anchor tenant because it already owns massive communication fiber-optic and wireless infrastructures and has deep pockets in capital investment for supporting these needed local network upgrades.
Cities and counties have the relationships with the power companies and sometimes even publicly owned assets to support these network build-outs. The smart grid should be viewed as the first step in building the networks we need in securing local SCADA critical infrastructure. Collaboration by the public and private sectors can make this happen. In addition, edge security solutions available today could allow the economical and secure sharing of these needed local wireless IP networks for multiple users and applications. These steps would address the vulnerabilities while reducing the costs of these critically needed security requirements of city and county critical infrastructure.