By Walt Boyes and Joe Weiss
We have information from multiple regions outside the United States of cyber intrusions into utilities, followed by extortion demands, said CIA executive Tom Donahue, in a written statement released at the SANS Security Conference held in January in New Orleans. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.
While the CIA may not be much more forthcoming for fairly obvious reasons, there are lots of clear signs that our infrastructure is being menaced by more than rust and corrosion. In process plants, in water, wastewater, power, nuclear power, pipelines and in transportation, the trend over the past 20 years has been interconnectioninterconnection of devices, of subsystems, of control systems; interconnection to government systems, to business partners, and of control systems to business and enterprise networks. This has led to a serious problem regarding protection of cyber-connected assets in all those industry verticals.
One of the very largest problems is that the control systems in plants and the SCADA systems that tie decentralized facilities like power, oil and gas pipelines, and water distribution and wastewater collection systems together were designed to be open, robust and easily operated and maintainedbut not necessarily to be secure.
For example, at the ACS Cyber Security Conference in August 2008, Nate Kube of Wurldtech and Bryan Singer of Kenexis demonstrated that a TÜV-certified, safety-instrumented system could be hacked very easily. The unidentified system failed in an unsafe condition in less than 26 seconds after the attack commenced. Operating cyber-securely was not a design criterion.
Schweitzer Engineering Laboratories (SEL) had a utility on its website that allowed its Internet-enabled relays to be programmed via a Telnet client by any authorized user. Recently, several security researchers found and acted on it, and SEL has now taken the utility down to protect the users.
These cyber incidents have happened in many process industry verticals, whether theyve been admitted to or not. Its clear that it isnt just terrorists, too.
Although the CIAs Donahue says terrorists and gangsters have struck outside the U.S., in North America, cyber accidents have occurred more often than deliberate attacks. Mike Peters, of but not speaking for the Federal Energy Regulatory Commission (FERC), says, Its been 10 years since the various domestic and foreign terrorists started playing in cyberspace. Theyve gotten better and better at it. The middle managers, who are much more current with cyber, have not yet succeeded to leadership roles where they can order something done. Theyre collecting information, and theyre planning. Its just a matter of time.
It may be a matter of time, but history shows that it is much more likely to be an internal screw-up that produces the problem.
In 1999, an operator for the Olympic Pipeline Co. in Bellingham, Wash., was working on his pipeline SCADA system. Unbeknownst to him, the scan rate of the SCADA system slowed to the point where critical process data failed to reach the SCADA HMI until after the pipeline ruptured, causing three deaths and numerous injuries. This is a classic cyber accident.
On March 7, 2008, the Southern Co.s Hatch Unit 2 nuclear power station near Baxley, Ga., was operating at approximately 100% power. An engineer was testing a software change on the plants Chemistry Data Acquisition System (CDAS) server. The engineer did not realize that the vendor software automatically synchronizes data tags between connected computers running the software. When the local tag values were updated by his code, the changes were synchronized with the software running on the condensate demineralizer control PC. The updated values were sent to the PLC operating the demineralizers. Because the values being written were zeros, the PLC switched to manual control with 0% flow demand, and closed all seven condensate demineralizer outlet valves, resulting in an automatic scram of the plant.
On Aug. 19, 2006, operators at TVAs Browns Ferry Unit 3 nuclear power plant, in northern Alabama, manually scrammed the unit following a loss of both reactor recirculation pumps. The initial investigation found that the recirculation pump VFD controllers were nonresponsive, and that the condensate demineralizer controller had also failed. The condensate demineralizer primary controller is a dual-redundant PLC system connected to the plant-integrated, Ethernet-based computer system network. The VFD controllers are also connected to this same plant-integrated control system network. TVA determined that the root cause of the event was the malfunction of the VFD controller because of excessive traffic on the plant-integrated control system network. TVA could not conclusively establish whether the failure of the PLC caused the VFD controllers to become nonresponsive, or the excessive network traffic, originating from a different source, caused both to fail. However, information received from the PLC vendor indicated that the PLC failure was a likely symptom of the excessive network traffic.
Lest you think this is all about the power and oil and gas industries, there is the case of Vitek Boden. Boden worked for Hunter Watertech, a firm that installed a SCADA system for the Maroochy Shire Council in Queensland, Australia. Later, Boden applied for a job with the council, but the council decided not to hire him. Consequently, Boden decided to get even with the council and his former employer. He packed his car with stolen radio equipment attached to a possibly stolen computer, and drove around the area on at least 46 occasions from Feb. 28 to April 23, 2000, issuing radio commands to the sewage equipment he probably helped install, causing raw sewage to spill into local parks, rivers and even the grounds of a Hyatt Regency hotel. Boden was caught and sentenced to two years in jail and ordered to reimburse the council for cleanup.