The security of generators and electric utility systems has been vigorously debated in recent months following the release of a video from the Department of Homeland Security showing a diesel generator being disabled by an electronic attack. The utility hacking issue is back in the news after the CIA told the SANS Institute that attacks have caused power blackouts in other countries.
“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands,” the CIA spokesman said at a SANS workshop on industrial security. “We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”
The SANS event was organized to discuss security issues for power control systems known as SCADA (Supervisory Control and Data Acquisition). Vulnerabilities in web-exposed SCADA systems have been a concern for a number of years, and the level of risk posed by attacks on SCADA has been debated within the security community. The government has been studying the risk posed by SCADA hackers for years at its Idaho National Laboratory and Center for SCADA security at Sandia Labs.
The DHS proof-of-concept attack released in September used an electronic attack to destroy a large diesel generator, apparently by altering the engine’s operating cycle and causing it to malfunction. It was part of an experiment named “Aurora” conducted in March at the Department of Energy’s Idaho lab. A video shows the generator begin to shake and shutter as bolts are sheared off, after which clouds of white and black smoke shoot forth from the engine.
The demonstration was greeted skeptically by some security professionals in a discussion at Bruce Schneier’s blog. SANS noted last week that it “rarely hear(s) about intrusions into the PCS/SCADA community” but has responded with a call for data, offering privacy and anonymity to any parties that can provide details on an incident.