Posted By Rich Miller On September 27, 2007 @ 10:49 am In Power | Comments Disabled
The Department of Homeland Security has been able to use an electronic attack to destroy a large diesel generator, apparently by altering the engine’s operating cycle and causing it to malfunction, according to a story  and video  from CNN. The proof-of-concept attack was part of an experiment named “Aurora” conducted in March at the Department of Energy’s Idaho lab, the network said. The video shows the generator begin to shake and shutter as bolts are sheared off, after which clouds of white and black smoke shoot forth from the engine.
The notion that such an attack could be launched electronically is bound to be unsettling for data center operators, as most mission-critical facilities have banks of large diesel generators on site to provide back-up power in the event of a grid outage. The DHS said details of its attack methods are being shared with sources in the electric power industry. CNN’s report takes a pretty alarmist tone, interviewing experts who predict that cyber attacks on electric infrastructure could cripple the U.S. power industry for months.
The threat posed by hacking power control systems known as SCADA (Supervisory Control and Data Acquisition) is real, but isn’t anything new to the security community or the power industry. The issue was the focus of a feature article in Electric Light & Power magazine in July 2006. The government has been studying the risk posed by SCADA hackers for years at its Idaho National Laboratory  and Center for SCADA security  at Sandia Labs.
The DHS experiment, which is also being discussed at Slashdot , raises a lot of uncomfortable questions. I’m not an expert on SCADA, but have been aware of the potential exploitability of these systems since they became a hot topic in coverage of the Y2K scare in 1998, when it was assumed that date problems in embedded chips in SCADA would cripple the power grid for months, leading to TEOTWAWKI (The End of The World As We Know It). The longstanding awareness of these vulnerabilities, along with the scarcity of documented real-world attacks, suggests that the vulnerability is harder to exploit than the CNN might have you believe.
A Forbes story  from last month addresses this in more detail:
One answer (for the lack of SCADA attacks) may be the sheer complexity of major infrastructure systems: Though SCADA computers have weak external security, controlling them takes engineering expertise. Most hackers could only gain enough control to create the fear that they’re capable of something worse, says Alan Paller, director of the SANS Institute. … Paller says he’s learned of multiple threats within the last year and a half from hackers claiming to have infiltrated SCADA systems and demanding ransom. “There’s been very active and sophisticated chatter in the hacker community, trading exploits on how to break through capabilities on these systems,” he says. “That kind of chatter usually precedes bad things happening.”
Is the threat for real? Information is power, so here’s a list of resources  on the subject of SCADA security and some best practice recommendations  from the UK government on keeping the bad guys out of your control systems.
Article printed from Data Center Knowledge: http://www.datacenterknowledge.com
URL to article: http://www.datacenterknowledge.com/archives/2007/09/27/can-your-generator-be-hacked/
URLs in this post:
 story: http://www.cnn.com/2007/US/09/26/power.at.risk/index.html
 video: http://www.cnn.com/2007/US/09/26/power.at.risk/index.html#cnnSTCVideo
 feature article in Electric Light & Power : http://www.emersonprocess.com/home/library/articles/elp/elp0608_cybersecurity.pdf
 Idaho National Laboratory: http://www.inl.gov/scada/
 Center for SCADA security: http://sandia.gov/scada/home.htm
 discussed at Slashdot: http://it.slashdot.org/article.pl?sid=07/09/27/1229230
 Forbes story: http://www.forbes.com/2007/08/22/scada-hackers-infrastructure-tech-security-cx_ag_0822hack.html
 list of resources: http://www.inl.gov/scada/resources.shtml
 best practice recommendations: http://www.cpni.gov.uk/Products/guidelines.aspx
 Rich Miller: http://www.datacenterknowledge.com/archives/author/richm/
Copyright © 2012 Data Center Knowledge. All rights reserved.