, SecurityFocus 2000-05-26
A year in the making, NIPC's Michael Vatis unveils a plan to monitor cyber attacks on the power grid. Is it enough to prevent a blackout?
Utility operations personnel interviewed believed that firewalls and dial-back modems were sufficient to protect their systems from intruders.
Vatis unveiled the "Electrical Power Indications and Warning System" in his written testimony to the full Senate Judiciary committee as it conducted a hearing on cybercrime. "Under the pilot program, electric utility companies and other power entities transmit cyber incident reports to the NIPC," Vatis testified. "These reports are analyzed and assessed to determine whether an NIPC warning, alert, or advisory is warranted to the electric utility community."
The FBI established the program in concert with the North American Electrical Reliability Council (NERC), a not-for-profit industry group that umbrellas electric utilities in the U.S. and Canada. "We've been working with NIPC over the past year, maybe a little longer, to develop the program," said Eugene F. Gorzelnik, NERC's communications director. Gorzelnik said the program is being tested by one of the nine regional councils that make up NERC, but declined to say which one. "They've been working through some of the bugs, and we've had several utilities around the country volunteer to participate as well," Gorzelnik said.
NERC formed in the wake of the catastrophic November 9, 1965 blackout that knocked-out power to 30 million people in the Northeastern United States and Ontario, Canada for as long as thirteen hours. Runway landing lights went dark, people were trapped in elevators, traffic snarled at busy intersections that were suddenly left without signals. Decades before buzzwords like "critical infrastructure" and "cyberterrorism" would enter the vernacular, President Lyndon Johnson viewed the blackout as a national security matter and set the FBI and the Pentagon to investigate. Utility engineers eventually traced the genesis of the cascading outage to the failure of a single relay in a transmission line.
Today, the "Great Northeast Blackout" influences the most popular cyberterror fears. The inevitable hacker-induced blackout goes with the hacker-induced 911 outage as a central doctrine for executive, congressional and industry believers who say that cyberterrorism is a serious and immediate threat to the Western World. National Security Council Terrorism Coordinator Richard Clarke put it this way to the New York Times: "You black out a city, people die. Black out lots of cities, lots of people die. It's as bad as being attacked by bombs."
Actual incidents of computer-based attacks against the power grid are hard to find. While the past two decades have seen no shortage of attacks on critical infrastructures -- including a hacker taking over an HBO broadcast through a communications satellite, a group trespassing into the computers controlling a Time Warner cable system, and intruders of all types routinely gaining influence over huge swaths of the telephone network -- tales of intrusions into electric utilities remain apocryphal. An October Wall Street Journal report on the 1995 Dallas "Phone Masters" case included a casual paragraph-eight disclosure that the three hackers involved "had access to portions of the national power grid," but no such charges were filed against the defendants, who admitted to cracking telephone company computers, and the prosecutor on the case denies it. "I don't remember any example of them accessing the power grid," said former Assistant U.S. Attorney Matt Yarbrough, now with a Dallas law firm.
The electric industry is closed mouthed on the question. "When it comes to saying something specific about whether anything has happened on the electric system, I don't answer," said Gorzelnik. Asked to what degree the power grid is vulnerable to such an assault, Gorzelnik said, "I just won't answer that question. It's not something that we want to talk about in the press. It doesn't serve any useful purpose."
But a detailed 1997 report by the White House's National Security Telecommunications Advisory Committee paints a sobering picture.
The committee's Electric Power Risk Assessment was conducted at the request of President Clinton, and involved six months of investigation and interviews with workers at eight utilities and three industry groups, including NERC. While the report concluded that physical destruction of electric facilities was a far greater threat than online attacks, it also described a power grid controlled by Byzantine systems riddled with basic security holes.
Networks controlling critical portions of the grid were accessible through corporate LANs, the report said. Digital circuit breakers could be remotely tripped by anyone with the right phone number. Fixed passwords for remote vendor access went unchanged for years. Of particular concern to the committee was the widespread use of unsecured supervisory control and data acquisition (SCADA) systems. The SCADA systems consist of central hosts that can monitor and control smaller Remote Terminal Units (RTUs) sprinkled throughout the grid, which in turn control power flow at any given point. Many RTUs in electrical substations were accessible through telephone dial-ups, some of which were protected only with dial-back systems -- modems that call a user back at a pre-programmed number before granting access -- while others lacked even that weak security mechanism and were accessable to anyone who found the telephone number. "An intruder could dial into this port and issue commands to the substation equipment," the report notes.
"Open sources, including... electric industry publications, regional maps, and the Internet would provide enough information to identify the most heavily loaded transmission lines and most critical substations in the power grid," reads the report. "Relatively simple hacking techniques could then be used to locate dial-in ports to these points and modify settings to trigger an outage."
Overall, the report found that that utility workers "believed that firewalls and dial-back modems were sufficient to protect their systems from intruders, and they were surprised to learn about the experiences of the telecommunications industry with hackers defeating these measures."
An engineer with a company that manufactures SCADA systems in use at major electric utilities, speaking on condition that neither he nor his company be identified, said that in recent years the government has spurred electric utilities to increased security. But his company's SCADA products still include dial-up support, and the security features are identical to the ones criticized as weak in the 1997 report. "You can have the remote unit call back to verify that the number is correct," he said. "There are security checks in many areas across the system, via protocols, via passwords... So I'd say it's safe. At least, it's not completely open."
"Everything you see in computer security is being applied here. There are utilities that deem it necessary and are applying it. Is every utility applying it? No. But at least [the government] is pushing to see that utilities do it," he said.
NERC's Gorzelnik wouldn't comment on whether the power grid is any more secure now than in 1997. The Electrical Power Indications and Warning System does nothing to prevent attacks, but rather provides a channel for electric utilities to report attacks they detect directly to NIPC. "With the information NIPC receives, they'll be able to see if there's any kind of trend developing, to see if there's a more serious problem," said Gorzelnik. "They wouldn't just be looking at the power sector, but also banking, telecommunications and other infrastructure sectors" for signs of a coordinated attack, Gorzelnik said.
The program will go nationwide this fall, and in Thursday's testimony Vatis promised the Senate that it will be a model for similar programs to monitor intrusions into other critical infrastructures. "We are currently working with industry on a Indications and Warning model for the telecommunications sector."