
CIA: Hackers to Blame for Power Outages (’nuff said)

I’m sorry, did someone say we have nothing to worry about when it comes to SCADA and control systems security?  I must have missed the memo:

CIA: Hackers to Blame for Power Outages

WASHINGTON (AP) — Hackers literally turned out the lights in
multiple cities after breaking into electrical utilities and demanding
extortion payments before disrupting the power, a senior CIA analyst
told utility engineers at a trade conference.

All the break-ins
occurred outside the United States, said senior CIA analyst Tom
Donahue. The U.S. government believes some of the hackers had inside
knowledge to cause the outages. Donahue did not specify what countries
were affected, when the outages occurred or how long the outages
lasted. He said they happened in "several regions outside the United
States."

"In at least one case, the disruption caused a power
outage affecting multiple cities," Donahue said in a statement. "We do
not know who executed these attacks or why, but all involved intrusions
through the Internet."

A CIA spokesman Friday declined to provide additional details.

"The
information that could be shared in a public setting was shared," said
spokesman George Little. "These comments were simply designed to
highlight to the audience the challenges posed by potential cyber
intrusions."

Donahue spoke earlier this week at the Process
Control Security Summit in New Orleans, a gathering of engineers and
security managers for energy and water utilities.

The Bush
administration is increasingly worried about the little-understood
risks from hackers to the specialized electronic equipment that
operates power, water and chemical plants.

In a test last year,
the Homeland Security Department produced a video showing commands
quietly triggered by simulated hackers having such a violent reaction
that an enormous generator shudders as it flies apart and belches
black-and-white smoke.

The recorded demonstration, called the
"Aurora Generator Test," was conducted in March by government
researchers investigating a dangerous vulnerability in computers at
U.S. utility companies known as supervisory control and data
acquisition systems. The programming flaw was fixed, and equipment
makers urged utilities to take protective measures.

Now, this article says these attacks were outside the U.S. (since it came from the CIA, you can imagine why.)  Also, it does NOT directly say that SCADA systems were attacked.  However, these statements were made at a SCADA "Process Control" Security conference, so I’m going to take the liberty of bridging that assumption.  Either way, it highlights the problem at hand (see the 787 Dreamliner story and the Polish Tram derailment…)

Do you really think it’s that much of a reach to suggest it’s not happening on our shores?

If anyone gives me any more crap about being concerned regarding the possibility/potential for disruption…look at the boldfaced section.  The compromise was conducted over the Internet.  Don’t forget, this sort of thing is supposed to be impossible given some comments from my "awareness campaign":

Oh gosh, where do I begin Chris? 

What do the first letters of SCADA stand for?  Supervisory Control. 

A real SCADA system doesn’t issue direct controls. It issues
Supervisory Controls. There should be no time critical control loops in
SCADA. In other words, we have vulnerabilities. But they won’t destroy
anything right away. We engineers know better than to trust complex
software.

Most good design practice is based upon graceful degradation. In
other words, we don’t send a command to open a valve. We send commands
to change the pressure differential setpoint. A local controller takes
care of the rest. There are sanity checks in the local controller.

You could send commands to the field that would screw things up. But
most people would notice and we’d take action. Keep in mind, that while
our operation is very careful and deliberate, the distribution system
was built for some wild extremes including pipe breaks, extreme
weather, communication outages, and vandalism. A successful attack would
require intimate knowledge of where the real vulnerabilities are.

Are you an expert at water utilities too? 

No, Jake.  I’m not a water utilities expert, just a concerned observer & citizen. 

Hat tip to Stiennon for the source.

/Hoff

  1. January 19th, 2008 at 00:31 | #1

    That's really an awesome post .. I like the way you have been writing … it's really fabulous.
