By Paul Oman,
and Jeff Roberts
This two-part series will show how integration and automation engineers can use principles and technologies of information security (InfoSec) to safeguard their systems. Part I describes the increasing risk of electronic intrusion and sabotage, and identifies specific threats and vulnerabilities within electric power control and protection systems. Part II, which will appear in the January/February 2002 issue of Utility Automation, will examine mitigating technologies that reduce the vulnerability to malicious electronic intrusions.
The North American electric power grid fuels the digital society and supports virtually all critical infrastructures within the United States. However, an increasing reliance on computer technology for improved communication and automation of electric power stations has created vulnerabilities within the power grid that are similar to those seen in traditional computer networks. Cyber attacks and electronic sabotage targeted against these vulnerabilities have the capability of changing protection settings and metering data. It’s not hard to imagine how these unauthorized alterations could cause power system fluctuations and outages.
Stability and Instability in the Electric Power System
The North American electric power grid is a complex system subject to natural disasters, sabotage and nuisance attack, in addition to the rapid system dynamics and demand swings inherent in providing electric power across large areas. Under nominal conditions, the power system exhibits steady-state stability: the relatively minor fluctuations in load and generation caused by normal start-up and shut-down of appliances and equipment attached to the grid. Constraints on operating parameters-like voltage levels, current magnitudes and power flows-are used to achieve steady-state equilibrium where generation input is matched to system losses and electrical outputs. However, when triggered by abnormal conditions, such as those caused by natural disasters, sabotage or equipment misoperations, the power system exhibits transient stability: the major fluctuations and oscillations that occur as it absorbs disturbances prior to returning to a relatively balanced steady-state. Load shedding, generation shedding and regional islanding are all means to dampen the oscillations evident during stages of transient stability.
As the power system struggles to maintain balance between electrical generation inputs and electrical load outputs, it may start oscillating and cause a series of cascading blackouts like those that paralyzed the West Coast during summer 1996. The most serious outage, on Aug. 10, 1996, affected 7.5 million customers in 11 U.S. states and two Canadian provinces, and cost an estimated $1.5 billion dollars in damages and lost service revenues. Although that particular outage was triggered by three lost transmission lines due to weather and malfunctioning equipment, similar events could be triggered by electronic intrusions and sabotage.
IEEE Standard 1402-2000, Guide for Electric Power Substation Physical and Electronic Security, defines an electronic intrusion as: “Entry into the substation via telephone lines or other electronic-based media for the manipulation or disturbance of electronic devices. These devices include digital relays, fault recorders, equipment diagnostic packages, automation equipment, computers, PLC and communication interfaces.”
In computer networking circles this is called a cyber intrusion, cyber attack or just plain hacking. But how did the electric power system become vulnerable to hacking?
An Increasingly Vulnerable Electric Power System
Recognizing the advantages of digital microprocessors, electric power utilities have exploited computer technology for improved communication and automation of control centers, substations and remote protection equipment. Included in this list of microprocessor-based equipment are: supervisory control and data acquisition (SCADA) systems with Unix and/or PC-based workstations; substation controllers consisting of programmable logic controllers (PLCs), remote terminal units (RTUs), data processing units (DPUs) and communication processors; and intelligent electronic devices (IEDs) consisting of microprocessor-controlled meters, relays, circuit breakers and circuit reclosers. The use of these computer-based systems for electric power control and protection has created vulnerabilities within the power grid similar to those seen in more traditional computer networks. Physical intruders have been known to randomly or maliciously push buttons and operate circuit breakers, reclosers and switches; one must assume that electronic intruders would, too.
Unfortunately, because of the critical nature of the activities and systems controlled by electronic devices in the substations, misuse of those devices could have disastrous consequences. Any unauthorized setting or data alteration-by physical sabotage or cyber attack-has the potential to cause sudden load or generation shedding, and may trigger oscillations leading to widespread cascading blackouts.
IEEE Standard 1402-2000 concludes that all remote electronic access points to electric power systems control and protection equipment are vulnerable to electronic intrusion and cyber attacks. The National Security Telecommunications Advisory Committee (NSTAC) reached a similar conclusion in its report titled “Electric Power Risk Assessment.” NSTAC cautioned that electronic intrusions could result in widespread power outages at regional and even national levels. The weak links permitting these intrusions are the publicly accessible communications lines between utilities’ enterprise-level information technology (IT) systems, control centers and power substations.
Figure 1 shows a typical substation configuration with remote access for SCADA operations, monitoring and maintenance. Remote access vulnerabilities are evident in several places as indicated by lightning-bolt pointers. What is not obvious is the different nature of the risk involved with each access point. An electronic intruder who gains access to a communications processor with control over a multitude of IEDs, is much more threatening than the intruder who hacks into a single IED. Likewise, the hacker who gains control over a SCADA system can do far more damage-and more widespread damage-than the person who intrudes into a substation controller.
Consequences of an electronic intrusion into a SCADA system, controller or IED could be as severe as physical sabotage. Once a cyber intruder gains access, he or she could:
- Shut down the SCADA system, either immediately or in a delayed manner.
- Steal or alter metering and management data gathered by the SCADA system.
- Shut down a substation, or any portion of a subsystem controlled by the compromised IED, either immediately or in a delayed manner.
- Change protection device settings to degrade reliability of the IED and, subsequently, the electric service provided by the substation.
- Gather control and protection information that could be used in a subsequent attack.
- Change or perturb the data in such a manner as to trigger an inappropriate action by an IED.
- Plant malicious code that could later trigger a delayed or coordinated attack.
- Use the SCADA system as a backdoor into the corporate IT system to obtain customer credit and personal identity information used in electronic theft.
An Increasing Risk of Attack
Studies by government and professional groups have identified several socio-economic factors that increase the probability of an attack (both physical and cyber) being launched against a utility or substation. Contributing factors to this rising threat are changing social, political and technological conditions:
- Increased incidents of international and domestic terrorism targeted against the United States.
- An increase in the number of countries with government-sponsored information warfare initiatives.
- Pressures within the electric power industry to downsize, streamline, automate and cut costs to maintain profit margins.
- Instability in the electric power utility job market, caused by deregulation and mergers, creating disgruntled employees and ex-employees.
- Instability in the electric power service, caused by deregulation and increased competition, creating disgruntled customers.
- Public access to transmission system data (FERC 888 and 889).
- Rapid growth of a computer-literate population and widespread dissemination of hacker-tool libraries.
- Increased electronic theft, recreational hacking and “hacktivism” (i.e., the destruction of electronic assets for a political or socioeconomic cause).
- The increased network interconnections between previously isolated control systems. For example, the use of public protocols to interconnect protective equipment, SCADA systems and enterprise IT systems.
- Increased dial-in and network access to remote substations through public communication services (e.g., public phones, Internet).
- The shift from proprietary mainframe-based computer control systems to distributed systems using open protocols and standards (e.g. TCP/IP and UCA over Ethernet LANs/WANs).
In addition to the above factors, an increasing awareness-both nationally and internationally-of the North American power grid’s vulnerability may threaten the grid before security measures can be implemented. For example, in a recent nationally televised PBS Frontline special, titled Hackers, one interviewee claimed that the power grid “could be brought down in the click of a button.” Whether this is true or not is less important than the fact that hackers, saboteurs and terrorists may believe it is true, and thus turn their attention toward attacks on the power grid. When viewed as a whole, all of the above factors dramatically increase the risk of electronic intrusions into the North American electric power grid.
Threats to Electric Power System Dependability
It is unknown if electronic intrusions have actually caused outages or damage to the electric power grid. FERC requires utilities to report outages affecting 50,000 customers for a period of three hours or more. Lesser outages have no reporting requirement, and outage information is often incomplete. Also, the NSTAC report showed that only 25 percent of electric power utilities use cyber intrusion detection systems, so it’s not clear whether cyber attacks on the electric power grid have not occurred or have simply not been reported. There are, however, several documented cases where individuals and radical groups have targeted electric utilities:
- In Texas, a disgruntled electric utility ex-employee posted a note in an online hacker journal that his knowledge of the system could be used to shut down the regional power grid.
- In several instances worldwide, hackers attacked electric utilities’ IT systems looking for credit information.
- At an undisclosed U.S. location, a radical environmental group was caught hacking into an electric utility’s IT system.
- In the United Kingdom, during summer 1999, a security guard at a nuclear power plant was discovered hacking into the plant’s control system for reasons yet undisclosed.
- In California, hackers apparently targeted the ISO’s electricity management system used to determine supply, demand and bulk-movement operations. The attacks appear to have originated in China.
- In another unspecified U.S. location, hackers subverted an electric power company’s enterprise IT system to play games, consuming 95 percent of the server’s resources and denying access to legitimate users.
This last incident is evidence of an increasing threat against electric power systems. Although it was not a malicious attack, the intruder’s “game-playing” activities on an electric power company’s information server consumed enough computing resources that legitimate users could not access their own system. Two disturbing aspects about this incident are (1) the recognition that some people view these attacks as games, and (2) that utility IT systems are clearly vulnerable to network flood attacks. That is, using the same techniques used to cripple U.S. e-commerce sites in February 2000, a few individuals determined to disrupt power services could launch a coordinated denial of service attack (also known as a flood attack) on electric power utilities.
Attacks and Consequences
Electronic attacks key in on system vulnerabilities, and attack characteristics are based on the characteristics of the vulnerability being exploited. Following are six example attack scenarios showing how vulnerabilities can be exploited.
The Insider: Using insider information, a disgruntled employee or ex-employee accesses protective equipment (either physically or electronically) and changes settings so the equipment either (a) fails to operate when it should, causing bus, line or transformer damage, or (b) operates when it shouldn’t, causing service interruption.
The Disgruntled Customer: Using a war-dialer (a program to control a modem for automated attacks), a disgruntled customer scans hundreds of phone numbers above and below a utility’s publicly available phone numbers, looking for answering modems. When a connection is found, multiple returns, question marks, “HELP” and “HELLO” are entered to probe the connection and look for clues as to the kind of connection. Once a login dialog is acquired, the intruder uses social engineering to determine login information, or launches a dictionary-based or brute-force password attack. When the connection is complete, and the intruder is “inside” the IED, controller or SCADA system, data can be altered or destroyed, communications can be blocked or rerouted, and settings can be changed deliberately or randomly.
The Network Hacker: A network hacker uses a port scan or ping-sweep program to identify active system ports and/or network IP addresses belonging to a public utility. When an active connection is found, multiple returns, question marks, “HELP,” “HELLO” and “LOGIN” are entered to probe the connection and look for clues as to the connection type. Once a login dialog is acquired the intruder uses insider information, social engineering or a password attack to gain access to the system. If the intruder is inside the system, then all data, communications and settings are vulnerable.
The Dupe: An employee with access to IT services is duped into installing or running a computer “game” or otherwise seemingly innocuous application by a friend or casual acquaintance. The installed computer application contains a Trojan horse program that opens a backdoor into the computer network. The inventor of the Trojan horse, automatically notified that the backdoor is open, gains access to the system to retrieve and exploit inside information enabling him or her to access SCADA systems and protective equipment. The IT system and all systems connected to it are now in jeopardy.
The Snoop: An unscrupulous competitor, foreign agent or network service provider uses public information and social engineering to obtain network traffic patterns for TCP/IP packets moving between supervisory stations and remote protective equipment or metering equipment. A network analyzer or “sniffer” is physically hung on the network line to show the content of all data packets between the supervisory and remote equipment. The unencrypted data packets contain control and settings information that can be used in subsequent attacks on either the SCADA system or the protective equipment.
The Agent: An employee, inside service provider or vendor representative with privileged information is approached by an unscrupulous competitor or foreign agent and is bribed or duped into sabotaging systems and settings, or creating access mechanisms the agent could use for subsequent activities that jeopardize equipment and services.
As implausible as these scenarios may seem, the telecommunications industry has experienced all of them. The electric power industry needs to learn from that history so it can harden control and protection networks before cyber attacks become commonplace.
Part II of this series, to be published in the next issue of Utility Automation, will describe mitigating technologies and procedures that reduce the grid’s vulnerability to malicious electronic intrusions.
Paul W. Oman is a Senior Research Engineer at Schweitzer Engineering Laboratories Inc. in Pullman, Wash. Dr. Oman has published more than 100 papers and technical reports on computer security, computer science education and software engineering. He has a Ph.D. in Computer Science from Oregon State University, serves as a Senior Member in the IEEE, and is active in the IEEE Computer Society and the Association for Computing Machinery.
Edmund O. Schweitzer, III founded Schweitzer Engineering Laboratories in 1982 to develop and manufacture digital protective relays and related products and services. He is recognized as a pioneer in digital protection, and holds the grade of Fellow of the Institute of Electrical and Electronic Engineers (IEEE). Dr. Schweitzer received his Bachelor and Master degrees in electrical engineering from Purdue University, and received his Ph.D. from Washington State University. His Ph.D. dissertation was on digital protective relaying.
Jeff Roberts is the Manager of Research Engineering at Schweitzer Engineering Laboratories Inc. in Pullman, Wash. Prior to joining SEL he worked for Pacific Gas and Electric as a Relay Protection Engineer for more than three years. Mr. Roberts holds a BSEE from Washington State University and is a Senior Member of the IEEE.