The recent generator hacking demonstration from the Department of Homeland Security continues to generate discussion among Internet security experts. Ira Winkler, a former National Security Agency analyst and author, has done extensive “white hat” penetration testing of computer systems running the U.S. power grid. In a column at Internet Evolution, Winkler said the “Project Aurora” demo – in which DHS staff used an electronic attack to destroy a large diesel generator, apparently by altering the engine’s operating cycle and causing it to malfunction – couldn’t be expanded to threaten the power grid.
But vulnerabilities in power control systems known as SCADA (Supervisory Control and Data Acquisition) offer plenty of other avenues for skilled hackers to damage the grid, according to Winkler, who described a test he conducted 10 years ago on a utility company’s network:
My team was supposed to perform a simple assessment of the security of a Website owned by a power company. The Website had a security vulnerability and provided us a connection to the company’s internal network. From there, we could get to any system in the company, including its SCADA systems. We were told by the security manager to leave out access to the SCADA system in our report, but we were allowed to download the personnel records of the CEO and CIO, so that the results would be hard for them to ignore.
In discussions of the generator attack and SCADA hacking, many people are surprised that these kind of systems can be accessed via the Internet. Aren’t they managed by some secure internal network?
Winkler addresses this in his post at Internet Evolution:
Many people might now be thinking, “But isn’t it impossible to actually connect to or otherwise access a power grid SCADA system?” The answer is very sadly, “Hell no!” Initially, the power grid control systems were on closed networks. However when the Internet started to blossom, power companies decided that it was too costly to maintain separate networks. After all, they would need two computers on every desk, which wouldn’t be able to talk to each other. At the time, they rationalized that this only required adding extra protection to logically separate the power grid from the corporate networks. Don’t count on the hope that they actually followed through with that.
Winkler writes that hackers have also been able to gain access through modems connected to critical systems for maintenance purposes, or wireless access to allow load tracking so power companies can buy and trade power with other companies. “In order to know the available capacity, you have to eventually connect to SCADA systems,” said Winkler. “So there is even an outside connection engineered into the power grid.”