The Department of Homeland Security has been able to use an electronic attack to destroy a large diesel generator, apparently by altering the engine’s operating cycle and causing it to malfunction, according to a story and video from CNN. The proof-of-concept attack was part of an experiment named “Aurora” conducted in March at the Department of Energy’s Idaho lab, the network said. The video shows the generator begin to shake and shudder as bolts are sheared off, after which clouds of white and black smoke shoot forth from the engine.
The notion that such an attack could be launched electronically is bound to be unsettling for data center operators, as most mission-critical facilities have banks of large diesel generators on site to provide back-up power in the event of a grid outage. The DHS said details of its attack methods are being shared with sources in the electric power industry. CNN’s report takes a pretty alarmist tone, interviewing experts who predict that cyber attacks on electric infrastructure could cripple the U.S. power industry for months.
The threat posed by hacking power control systems known as SCADA (Supervisory Control and Data Acquisition) is real, but isn’t anything new to the security community or the power industry. The issue was the focus of a feature article in Electric Light & Power magazine in July 2006. The government has been studying the risk posed by SCADA hackers for years at its Idaho National Laboratory and Center for SCADA security at Sandia Labs.
The DHS experiment, which is also being discussed at Slashdot, raises a lot of uncomfortable questions. I’m not an expert on SCADA, but have been aware of the potential exploitability of these systems since they became a hot topic in coverage of the Y2K scare in 1998, when it was assumed that date problems in embedded chips in SCADA would cripple the power grid for months, leading to TEOTWAWKI (The End of The World As We Know It). The longstanding awareness of these vulnerabilities, along with the scarcity of documented real-world attacks, suggests that the vulnerability is harder to exploit than CNN might have you believe.
A Forbes story from last month addresses this in more detail:
One answer (for the lack of SCADA attacks) may be the sheer complexity of major infrastructure systems: Though SCADA computers have weak external security, controlling them takes engineering expertise. Most hackers could only gain enough control to create the fear that they’re capable of something worse, says Alan Paller, director of the SANS Institute. … Paller says he’s learned of multiple threats within the last year and a half from hackers claiming to have infiltrated SCADA systems and demanding ransom. “There’s been very active and sophisticated chatter in the hacker community, trading exploits on how to break through capabilities on these systems,” he says. “That kind of chatter usually precedes bad things happening.”
Is the threat for real? Information is power, so here’s a list of resources on the subject of SCADA security and some best practice recommendations from the UK government on keeping the bad guys out of your control systems.