By Joseph Weiss, PE, CISM, KEMA Consulting
Investments in control system automation and networking are paying off as utilities are able to make better-informed decisions, restore outages faster and accomplish more with smaller staffs. These bottom-line benefits, however, have come at a price.
Utilities today face a greater risk of cyber attacks on their control systems than ever before. The world political situation plays a hand in this, but the cyber threat is more serious also because utilities have become more vulnerable, primarily because automation and networking technologies offer easy paths for unwanted entry.
This susceptibility has been fostered by a lingering myth that utilities are invulnerable to cyber attacks. While outdated, this notion has a firm basis in history. Utility operating systems have traditionally been safe from hacking due to their isolation. Prior to deregulation, utilities were vertical monopolies that did not require external communications between control systems. Additionally, the control systems lacked remote communication, external data acquisition, web access and other features that commonly invite intrusion.
But the new reality is that the online and wireless communications paths provided by these technologies in the name of efficiency and interoperability are open doors to skilled hackers. Any device or system that can be accessed through the Internet, an intranet, modem or wireless network is vulnerable to unauthorized intrusion.
The intruder may be a terrorist, but recent history suggests it will more likely be a disgruntled employee or a competitor. In any case, the results can be devastating. A perpetrator with remote access to a key control system can gather valuable customer and operational information from a utility that could benefit its competitor. Or, in the worst-case scenario, an intruder can open and close breakers, potentially shutting down power service to large numbers of customers.
With few safeguards in place, most utilities won’t even know they have been hit by a cyber attack. A sobering example is a water/wastewater utility in Queensland, Australia, which suffered more than 40 online attacks by an angry former employee of the utility’s SCADA system vendor. Using the SCADA system, the perpetrator remotely opened wastewater discharge valves repeatedly before the utility realized the problem was not a hardware failure. He was ultimately caught, but not before millions of liters of sewage had been spilled.
Electric and gas utilities are equally–if not more–vulnerable due to the extent of automation that has taken place over the past decade in control centers, substations and power plants. Nearly every power utility has automated some part of its operating infrastructure. Some of the more vulnerable control systems include:
- Remote terminal units (RTUs);
- Intelligent electronic devices (IEDs);
- Plant distributed control systems (DCSs);
- Programmable logic controllers (PLCs);
- Generator tap changers; and,
- Environmental monitoring systems.
Control system cyber security is a new concept in the power industry, but, due to the current threat
For many utilities, the wake-up call came in the form of Urgent Standard 1200 released in early 2003 by the North American Electric Reliability Council (NERC). It mandates specific actions utilities must take regarding cyber security for operating systems. This NERC order has left utilities scrambling for information on the cyber threat, their vulnerability, and potential solutions specific to control centers and control systems.
Based on feedback received by these standards organizations and questions raised at demonstration workshops, it is clear that numerous myths about cyber attacks and their prevention still circulate throughout the industry. Dispelling these myths and understanding the reality of the situation is the best first step a utility can take toward protecting itself from a cyber incursion.
Myth: Obscurity equals security.
Reality: In the early days of automation, control systems utilized arcane protocols for data transfer within and between substations, control centers and power plants. This reliance on proprietary technology offered some degree of intrusion protection then, but this is no longer true. Many utility communications networks–especially those running over the Internet or using commercial off-the-shelf operating systems such as Windows–have standardized on common protocols.
Jeff Dagle from DOE’s Pacific Northwest National Laboratory has demonstrated this point at several conferences. He used a protocol analyzer to intercept the data stream from a SCADA system to an IED. He then used the protocol analyzer to interrogate the data and take control of the IED without the SCADA system being aware.
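The demonstration above works because the field protocol carries no authentication: whatever device sits on the link can issue commands the SCADA master never sees. A compensating control a utility can put in place without touching the protocol is to watch the link and alert on any control command whose source is not the one master authorized for that outstation. The following is an added example, not code from the article or from the laboratory demonstration; the capture line format, IP addresses, function names and authorization table are all constructed for illustration.

```python
# Added example (not from the article). Audits a constructed capture of
# master-to-outstation messages and flags control commands that do not
# come from the authorized master for the target device.
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed policy: which master host may control which outstation (IED/RTU).
AUTHORIZED_MASTER = {
    "10.0.5.21": "10.0.1.10",   # substation A IED -> control-center SCADA front end
    "10.0.5.22": "10.0.1.10",   # substation A RTU -> same front end
}

# Constructed: function names that change state in the field; reads are benign.
CONTROL_FUNCTIONS = {"select", "operate", "direct_operate", "write"}


@dataclass(frozen=True)
class Message:
    ts: str
    src: str
    dst: str
    function: str


def parse_line(line: str) -> Message:
    """Parse one constructed capture line: '<ts> <src> -> <dst> <function>'."""
    ts, src, arrow, dst, function = line.split()
    if arrow != "->":
        raise ValueError(f"malformed capture line: {line!r}")
    return Message(ts, src, dst, function)


def classify(msg: Message) -> Optional[str]:
    """Return an alert string if the message violates policy, else None."""
    if msg.function not in CONTROL_FUNCTIONS:
        return None                      # polling/reads are expected from anyone on the segment
    expected = AUTHORIZED_MASTER.get(msg.dst)
    if expected is None:
        return (f"{msg.ts} control '{msg.function}' to unknown outstation "
                f"{msg.dst} from {msg.src}")
    if msg.src != expected:
        return (f"{msg.ts} control '{msg.function}' to {msg.dst} from "
                f"unauthorized source {msg.src} (expected {expected})")
    return None


def audit(lines: Iterable[str]) -> List[str]:
    """Run classify() over every non-empty capture line and collect alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = classify(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed capture: the SCADA master polls and operates, then a third host on
# the same segment issues its own operate command, the pattern described above.
SAMPLE_CAPTURE = """
2003-06-01T10:00:00 10.0.1.10 -> 10.0.5.21 read
2003-06-01T10:00:02 10.0.1.10 -> 10.0.5.21 operate
2003-06-01T10:00:07 10.0.5.99 -> 10.0.5.21 read
2003-06-01T10:00:09 10.0.5.99 -> 10.0.5.21 direct_operate
2003-06-01T10:00:12 10.0.1.10 -> 10.0.5.40 write
"""

if __name__ == "__main__":
    for a in audit(SAMPLE_CAPTURE.splitlines()):
        print("ALERT:", a)
```

Run stand-alone, the script prints two alerts: the `direct_operate` from the unexpected host 10.0.5.99, and a `write` to an outstation that is not in the authorization table at all. The second check matters as much as the first: a device nobody has inventoried is one nobody is monitoring.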
Myth: Control systems are immune to viruses, worms and hacking tools.
Reality: As with the myth above, this was true in automation’s early days when vendors typically used proprietary system architecture. But today, in the interest of interoperability and openness, many automated products run on standard Microsoft or Unix platforms. This is especially true of the man-machine interfaces in control rooms where incoming data is analyzed and utilized. Knock out the interface, and the rest of the data acquisition and control infrastructure is neutralized.
No demonstration could have proved this lesson better than the so-called “Slammer” worm. In January 2003, this worm targeted Microsoft SQL Servers and SQL Server Desktop Engines worldwide. Although it didn’t carry a malicious payload, Slammer shut down networks by replicating in seconds and overwhelming transmission capacities. At least six North American electric utilities, including a nuclear power plant, lost one or more control systems during the Slammer incident. The more recent “Blaster” worm appears to have done the same thing.
Myth: There simply haven’t been many cyber attacks on control systems.
Reality: In the past three years, more than 40 incidents have been documented in which utility control systems have been impacted by intentional or unintentional means. So why haven’t you heard about them? The existing computer response organizations such as CERT, SANS and CSI lack the specific control system knowledge and contacts to investigate control system attacks and build an information archive about them. Without this resource, most utilities (and other industrial companies) do not know how to identify an attack or where to report one if it does occur.
As is true of many industries, the electric power industry has established an information sharing and analysis center (ISAC) to increase awareness of cyber security and preventative measures. However, no ISAC exists specifically for automated control systems, which cross the boundaries of water, wastewater, gas and electric utilities. This may soon change. KEMA is spearheading an effort with DOE and Carnegie Mellon’s Software Engineering Institute to establish an ISAC for control system security. Such a movement, however, needs industry support to succeed.
Myth: Everything you read about cyber attacks is true.
Reality: Don’t rely on the general media to accurately report the occurrence and impacts of cyber attacks on utilities. A recent example of inaccurate reporting by a national newspaper was an incident in 2002 in which a hacker hit the California Independent System Operator (ISO). The newspaper report indicated that the hacker compromised the ISO’s SCADA. Although a server was shut down by the attack, the SCADA was not impacted. The other common myth is the story of the 12-year-old who hacked into Salt River Project’s water SCADA and was able to open the Roosevelt dam’s lift gates. This was erroneous but has become part of accepted lore.
Myth: Only an employee can launch an “inside” attack.
Reality: While it’s true that disgruntled current and former personnel pose a serious threat, utilities must expand their traditional notion of who is an insider. In the control system world, inside threats can be anyone who now works or has ever worked for the utility or the automation vendor either as an employee or subcontractor.
Surprisingly, employees of other utilities that operate the same automated equipment are also an inside threat. Why? Control systems at most utilities still run with the vendor’s original default passwords. These passwords are known throughout the industry.
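A utility can check its own exposure to this problem with a credential audit over its device inventory: flag every device whose configured login still matches a vendor default, and flag any password shared across several devices, since one shared password means one disgruntled person can reach all of them. The following is an added example, not code from the article; the vendor names, product names, default credentials and inventory are constructed placeholders, not real product credentials.

```python
# Added example (not from the article). Audits a constructed device inventory
# for (a) logins still at a vendor default and (b) passwords shared across
# devices. The inventory carries SHA-256 digests rather than cleartext so the
# audit file itself does not become a password list.
import hashlib
from collections import defaultdict
from typing import Dict, List


def digest(password: str) -> str:
    """Hex SHA-256 of a password; defaults are hashed the same way for comparison."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed placeholder defaults keyed by (vendor, product); not real products.
KNOWN_DEFAULTS = {
    ("ExampleVendor", "RTU-100"): {("admin", digest("admin")), ("operator", digest("operator"))},
    ("ExampleVendor", "IED-7"):   {("root", digest("changeme"))},
}


def audit_inventory(inventory: List[Dict[str, str]]) -> List[str]:
    """Return human-readable findings for default and shared credentials."""
    findings = []
    shared = defaultdict(list)          # (user, digest) -> device names using it
    for dev in inventory:
        cred = (dev["user"], dev["pw_digest"])
        defaults = KNOWN_DEFAULTS.get((dev["vendor"], dev["product"]), set())
        if cred in defaults:
            findings.append(f"{dev['name']}: user '{dev['user']}' still at "
                            f"{dev['vendor']} {dev['product']} default")
        shared[cred].append(dev["name"])
    for (user, _), names in shared.items():
        if len(names) > 1:
            findings.append(f"user '{user}' shares one password across "
                            f"{', '.join(sorted(names))}")
    return findings


# Constructed inventory: two RTUs on the vendor default, one IED rekeyed but
# sharing its password with a second IED, one device properly unique.
SAMPLE_INVENTORY = [
    {"name": "subA-rtu1", "vendor": "ExampleVendor", "product": "RTU-100",
     "user": "admin", "pw_digest": digest("admin")},
    {"name": "subB-rtu1", "vendor": "ExampleVendor", "product": "RTU-100",
     "user": "admin", "pw_digest": digest("admin")},
    {"name": "subA-ied1", "vendor": "ExampleVendor", "product": "IED-7",
     "user": "root", "pw_digest": digest("site-wide-2003")},
    {"name": "subB-ied1", "vendor": "ExampleVendor", "product": "IED-7",
     "user": "root", "pw_digest": digest("site-wide-2003")},
    {"name": "subC-ied1", "vendor": "ExampleVendor", "product": "IED-7",
     "user": "root", "pw_digest": digest("unique-for-subC")},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print("FINDING:", f)
```

On the constructed inventory the audit reports the two RTUs at the default `admin` login, then two shared-password findings: the default itself (shared by both RTUs) and the site-wide password reused on two IEDs. The device that was given its own password produces nothing.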
Myth: The IT folks will take care of cyber security.
Reality: IT people know how to secure a utility’s business systems, but they often do not understand what control systems do or how they work. Without this knowledge, an IT person cannot devise a workable solution. Cyber security solutions for control systems must be developed with the participation of the same people who implemented and/or use the control systems. This means automation consultants, vendors and utility personnel must take part in creating safeguards.
Myth: Off-the-shelf security products can be used for control systems.
Reality: Common firewalls and encryption devices were developed by IT people for IT applications. The development of firewalls specifically for control systems will take time for two reasons. First, the industry hasn’t demanded that automation vendors offer these products. And, second, the solution is not easy because security often counteracts the speed and efficiency automated devices are built to provide.
For example, several major suppliers of control systems recently experimented with installing commercial encryption products on plant distributed control systems and SCADA systems. The encryption successfully blocked access, but it also slowed the systems down to the point they could not perform their functions. The lesson is that cyber security products should be tailored for control systems.
Myth: Any cyber security specialist can perform an effective penetration test on control systems.
Reality: Penetration-testing technicians will find and report what they are familiar with. Unfortunately, most are trained in IT systems and do not understand the critical nature of control systems. Such penetration testers may not even realize that not all control system workstations are equally important to the process. They may also be focused on traditional IT vulnerabilities and not on vulnerabilities unique to control systems. Penetration testing should be conducted by, or with, individuals who have operated control systems.
Taking Steps to Protection
By dispelling these long-standing myths, utilities can take a positive step toward protecting their vulnerable control systems from attack. This should enable utilities to begin implementing proactive measures that can considerably reduce their risk. Three other relatively simple steps that all utilities can and should take in the short term include the following:
- Respond to the NERC standards. Although many of these new regulations do not specifically address control systems concerns, they cover many basic cyber security procedures that every utility should put into practice.
- Create a market for security solutions developed specifically for control systems. Vendors of automated systems are in the best position to develop these products, but they won’t unless there is a demand from their customers.
- Train personnel to become experts at control system security. Ideally, operations people should be involved. Whether this involves training from consultants on-site or traveling to industry-sponsored symposiums, utilities should ensure that key personnel understand how to minimize the risk of a cyber attack, identify one if it occurs, and respond immediately to remediate the damage.
Joseph Weiss is an executive consultant at KEMA Consulting, a vendor-independent and impartial international management consulting, technical services and systems integration firm established in 1927 and based in Fairfax, Va. He is located in California and may be reached at email@example.com or (408) 253-7934.