Not long ago, if a terrorist wanted to cause a blackout in a major city, it would have taken a bit of doing, even in the most plausible movie scenario. The plot is familiar: men in ski masks send an explosives-packed truck barreling into a power plant or substation.
Today, utility information technology (IT) managers face a similar threat-exploitation of their vulnerabilities by a wide array of malicious actors. However, the primary vehicle that stands ready to cause mayhem as the new millennium approaches features a keyboard, a CPU and a modem instead of a steering wheel. Deadly arrays of sophisticated information attack tools stand ready to help hackers disrupt utility information network operations.
A real-life incident of cyber-terrorism already has happened in the United States, with a willing hand from the federal government. Two years ago, using software obtained from hacker sites on the Internet, a group of National Security Agency (NSA) officials gained access to key control systems and could have shut down the U.S. electric power grid within days. While the attacks were not actually carried out, referees supervising the exercise agreed the assault would have worked.
Now, as utilities finalize preparations for the rollover to the year 2000 (Y2K), the specter of cyber-terrorism becomes even more threatening. Computer villains seeking to compound the confusion are expected to time their attacks to coincide with Y2K. This first installment in a series investigates the weak spots in the industry`s IT armor, as well new efforts to defend against hacker attacks.
Prankster from within
On the evening before the 9/9/99 Y2K drill, a prank caller tried to disrupt electric distribution at Seattle City Light, which was participating in the readiness exercise. An employee of Puget Sound Energy falsely claimed to be a company dispatcher. The prankster instructed a substation operator at the South Tolt dam to open three breakers, effectively disconnecting 115 kV lines, which were not energized at the time of the test.
“It was simply a case of an employee placing a phone call to a buddy in the field and impersonating the power dispatcher,” says Dorothy Bracken, spokeswoman for Puget Sound Energy. “We called the Western Systems Coordinating Council (WSCC) security group to let them know of the matter.”
Bill Comish, WSCC`s director of dispatcher training and Y2K coordinator, received the message about the incident at 11:30 p.m. Because the culprit was still unidentified, Comish decided to transmit a general warning on the WSCC Message System, providing the information he knew about the incident without identifying any of the parties involved. Eventually, Puget traced the call to the responsible employee.
“For us, this was a wake-up call,” Comish said. “We are encouraging WSCC members to implement telephone security procedures, particularly during the Y2K roll-over. We have suggested passwords, authentication codes, or call-back procedures if the situation is not urgent.”
WSCC and other reliability councils have devoted considerable attention to mission-critical items related to Y2K and the National Electric Reliability Council`s (NERC) directives. Comish is not too worried about Y2K from a grid reliability perspective. However, many IT managers are concerned about the consequences of hackers penetrating the system.
Sniffed and smurfed
The security director of a mid-sized utility agreed to discuss the issue with EL&P on condition of anonymity. “This is an important issue that needs to be communicated, but at the same time, I`m concerned about making ourselves a target for hackers,” said the director, whom we`ll call John Doe. “If you indicate any confidence whatsoever in this area, you make yourself an open target for a hacker who might want to bring you down.”
Doe said there`s nothing unusual about his utility`s activities in this area. “We just look at what`s going on according to a regular, scheduled basis.” Nevertheless, the utility has seen plenty of action on the cyber battlefield. “They are trying the doors to see if they can get in,” he said. This September, the utility experienced more than 150,000 port scans from 5,000 different sources, apparently originating from such locations as the Czech Republic, South Korea, Finland, New Zealand and California.
Doe`s utility was most likely being “smurfed,” a denial-of-service type of attack in which a hacker tries to fool the network into causing its computers to respond en masse, thereby clogging the network.
Most IT protection systems can detect automatic rapid scans, or “demon dialers” that dial one number after another. Doe said, “We still see those, but we also see where they will dial one number an hour. We`ve set our firewall monitoring system so we still pick those up. Several times a month, we get denial-of-service attacks where someone actually attempts to overwhelm our system using specially configured packets of electronic information.”
Doe said executives at other utilities are monitoring the same pattern of hacker activity. For some utilities, the activity has become routine-they filter out most of the intrusions, and worry mostly about denial-of-service attacks.
“We are seeing a lot of kids who just want to see who they can crack, and people looking for proprietary information,” Doe said. However, as Y2k approaches, other, more serious concerns are rising.
“In our area, we are concerned about a number of extremist groups and militias,” he said. “Some of these people believe the millennium change is the time to cleanse their chosen land of what they believe are past mistakes. There is no question that these groups are computer literate. Our Highway Patrol has them pretty well infiltrated. However, the real sneaky hackers know that utilities will be taking extra precautions right at the rollover date, so they may hold off. Why not wait until March?”
Villains and heroes
At least one hacker group has a professional interest in such concerns. A collective of eight young hackers known as L0pht (pronounced “loft”) positions itself as a “gray-hat” consumer-advocacy group, acting as a buffer of sorts between “black-hat,”malicious hackers and “white-hat” protective forces.
L0pht members identify themselves only with their on-screen monikers, and refused to communicate with EL&P except via email. The group`s resident electric utility expert, Dr. Mudge, has written a computer program to scan utilities` Web sites for keywords. He believes a hacker could punch out the nation`s lights because utilities have allowed sensitive documents to be stored on public servers. Such key documents often explain how to access a utility`s central computer, according to Mudge.
Mudge revealed, in an October 3 New York Times Magazine feature article, that he obtained two sensitive files from unidentified utility companies. The first, downloaded from a large utility, featured a presentation on company security. The second, from another utility, included phone numbers Mudge claimed ring through to modems connected to central switches controlling power flows.
Such activity has not gone unnoticed by law enforcement officials. America`s highest official, President Bill Clinton, announced two directives in May 1998 aimed at strengthening the nation`s defenses against terrorism. President Decision Directives (PDD) 62 and 63 create a more systematic approach for defending against terrorist threats. PDD-63 focuses specifically on protecting critical infrastructure from both physical and cyber attack.
The Department of Justice and the Federal Bureau of Investigation (FBI) created the National Infrastructure Protection Center (NIPC) at FBI headquarters in Washington, D.C., in February 1998. The NIPC brings together government and private agencies and serves as the national focal point for efforts to defend against attacks on critical infrastructure.
The North American Energy Reliability Council (NERC) and the NIPC established an industry-based Electric Power Working Group to develop tactical warning indicators and information sharing procedures for the electric power industry. Elsewhere, other government officials urge widespread use of encryption by the government and the private sector as a means of defending vital U.S. networks and computers. However, policy debates over privacy concerns have slowed development of such systems.
“It is important that the Congress and the American public understand the very real threat that we are facing in the cyber realm, not just in the future, but now,” said NIPC Director Michael A. Vatis during his Oct. 6 testimony before the U.S. Senate Judiciary Committee Subcommittee on Technology and Terrorism. “While we have yet to see a significant instance of cyber terrorism with widespread disruption of critical infrastructures, all of these facts portend the use of cyber attacks by terrorists to cause pain to targeted governments or civilian populations by disrupting critical systems.”
Vatis emphasized the importance of cooperation between the government and infrastructure companies. “To improve our detection capabilities, we first need to ensure that we are fully collecting, sharing, and analyzing all extant information from all relevant sources… Intrusions can be discerned simply by collecting bits of information from various sources; conversely, if we don`t collate these pieces of information for analysis, we might not detect the intrusions at all.”
Because the pace and scope of the business has changed dramatically, requirements for information security have taken on a new imperative. Grid planners no longer have ample time to prepare for bulk power transfers. Independent System Operators (ISOs) make hundreds of electricity sales and purchases each day, and power is being wheeled across regions as never before.
Effective protection against infrastructure threats requires a systemic approach that accounts for a wide range of vulnerabilities. Those who deal effectively now and in the future with critical-infrastructure problems will be privy to what may be the largest organized effort to collect and share intelligence data. There must be cooperation if those inside and outside government are to succeed in this task.