Cyber Attacks On Power Generation

Back when Power and Control was new (Dec '04) I put up a post called Internet Security, where I discussed the problems of controlling critical infrastructure with the Internet, wireless, or worse yet wireless Internet. George Tenet, then head of the CIA, said we had a problem. Let me quote a bit to give you the flavor:

What George is saying is that the inherent design of the Internet is not compatible with infrastructure security. Duh.

What we actually need is less stupidity.

What we need to do is to provide more security for our networked systems. The Internet is not the answer to infrastructure control problems. It is inherently insecure. As a controls engineer I have been arguing this point for at least five years. Well before 9/11.

Wiring up a factory to use the Internet Protocol (IP) for in-factory and inter-factory control is a stupid idea. Since IP is well understood, using it to destroy a facility would be rather easy. Nothing new to learn except the control settings of the individual factory or company.

Worse is controlling a factory with wireless Internet. With that kind of setup you don't have any firewall between your operations and the outside world. In fact you don't even need to know IP or wireless protocols to cause trouble. All you need is a jammer to bring a factory to its knees. And the jammer need not be on continuously. An intermittent jammer could wreak havoc with sensitive factory processes.

Well, it has started. According to the CIA:
The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States.

Alan Paller, director of research at the SANS Institute, said that CIA senior analyst Tom Donahue confirmed that online attackers had caused at least one blackout. The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers from North American energy companies and utilities.

Paller said that Donahue presented him with a written statement that read, "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

Let me tell you that as long as I am designing plants, no controls or critical infrastructure will use the Internet protocols or the Internet. Ever. As long as I am designing plants, no controls or critical infrastructure will use wireless. Ever. To do so is inviting trouble. I will use wires. Coax. Shielded twisted pairs. Fiber. Preferably in conduit except for nodes. All with custom protocols. No easy access, except locally. There is nothing wrong with using encoded data over the Internet to report plant operation. There will be no possibility of plant control remotely. Ever.

To do so would be stupid. I wasn't born yesterday.

Yes. It raises the capital costs and the time required to connect everything together. What is one plant outage worth? What is meeting one extortion demand worth? Once you pay the Danegeld, how do you get rid of the Dane?

H/T Instapundit

Cross Posted at Power and Control

posted by Simon on 01.19.08 at 03:06 PM
Comments

Ah yes. SCADA hacking. Very scary. I know just enough about the subject to be terrified.

It would be lovely to have everything in conduit. But remember that one nuclear power plant incident happened because workers were cutting a trench in the concrete and came across (and cut) a wire conduit they were not expecting.

I strongly disagree with your "custom protocols" idea. This is security through obscurity. All it means is that your devs and testers will get lazy and will not have a full range of tools for testing their work. The bad guys will take advantage of that. All of the stupid design failures that were caught a decade ago in IP will be lurking in your new custom protocol.

TCP/IP is well-tested and has been beaten to death. Encrypt everything, use solid authentication, and erect firewalls. But your nodes should not rely on the firewalls to do their validation.

And, of course, this set of issues is not confined to power plants. Anything with process control equipment is potentially vulnerable.

Fritz   ·  January 19, 2008 04:40 PM

Fritz,

I have designed protocols. If they are simple they are not hard to keep secure.

In any case I'd go with something like CAN with a custom layer above that. Which is a pretty common way of doing these things.

No crash buses (Ethernet).

The most important thing is physical security. If you have that the protocol is a minor issue. Lots of nice CAN bus testers out there these days. I even designed a custom one for aerospace in 1998.

M. Simon   ·  January 19, 2008 04:52 PM
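Fritz's point that the nodes themselves must validate what they accept, and M. Simon's "custom layer above CAN", as an added illustration that is not from this post or either commenter: a constructed frame carrying an 8-byte command, a monotonic counter and a truncated HMAC tag, which the receiving controller checks on its own so that a breached firewall or network link does not by itself grant command authority. The key, node id and command bytes are hypothetical.

```python
import hmac
import hashlib
import struct

TAG_LEN = 8  # truncated HMAC-SHA256 tag carried alongside the 8-byte payload
HEADER_FMT = ">HI"  # node_id (2 bytes) | counter (4 bytes), big-endian
FRAME_LEN = 2 + 4 + 8 + TAG_LEN


def build_frame(key: bytes, node_id: int, counter: int, command: bytes) -> bytes:
    """Assemble node_id | counter | command | tag. The counter must only increase,
    which is what lets the receiver reject a captured frame played back later."""
    if len(command) != 8:
        raise ValueError("command payload must be exactly 8 bytes (CAN-sized)")
    header = struct.pack(HEADER_FMT, node_id, counter)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()[:TAG_LEN]
    return header + command + tag


class ControllerNode:
    """A field controller that validates every frame itself, independent of
    whatever perimeter device sits in front of it (constructed example)."""

    def __init__(self, node_id: int, key: bytes):
        self.node_id = node_id
        self.key = key
        self.last_counter = 0      # highest counter accepted so far
        self.accepted = []         # commands that passed every check

    def receive(self, frame: bytes) -> str:
        if len(frame) != FRAME_LEN:
            return "reject:length"
        header, command, tag = frame[:6], frame[6:14], frame[14:]
        node_id, counter = struct.unpack(HEADER_FMT, header)
        if node_id != self.node_id:
            return "reject:wrong_node"
        expected = hmac.new(self.key, header + command, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: the tag check is the authentication step.
        if not hmac.compare_digest(tag, expected):
            return "reject:bad_tag"
        # Replay check only after authentication, so forged frames cannot burn counters.
        if counter <= self.last_counter:
            return "reject:replay"
        self.last_counter = counter
        self.accepted.append(command)
        return "accept"
```

Each rejection reason is returned rather than silently dropped so the node can log it; a burst of bad_tag or replay results is the kind of signal a plant operator would want alarmed.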

I thought it was fairly common for peaking turbines, small hydro plants, etc. to run unmanned and to be turned on remotely when their power is needed. Is this not right?

david foster   ·  January 19, 2008 05:58 PM

david,

I don't know.

What I would do with stuff like that is run dedicated lines to the dispatch office.

M. Simon   ·  January 19, 2008 06:03 PM

Water management has been at the forefront of automation since the rise of irrigation. If I understand correctly, the term "SCADA" originated on a Hydro project in 1973, with a BPA/TRW team.

There are some large hydro plants that run unmanned, and have been for years.

I'm glad to see someone is taking this seriously. I'm afraid they're not taking it seriously enough.

Dishman   ·  January 19, 2008 09:19 PM