June 24th I gave a presentation on ICS cyber security at Cyber Endeavor 2014 at the Naval PostGraduate School and discussed both Aurora and Project Shine. Aurora is a PHYSICAL gap in protection of the electric grid that with the exception of very few utilities, is not being mitigated. Project Shine identifies control systems and control system devices directly connected to the Internet. The DOE representative at Cyber Endeavor stated that many of the control system devices found by Project Shine were just garage door openers and utilities were doing a good job on Aurora.
Among other devices, Project Shine has found MANY wind turbines directly connected to the Internet. Recently, malicious actors have executed cyber attacks on wind turbine controllers in two different wind farms that were directly connected to the Internet. These are very large machines that can do substantial damage to people and property if they are out of control. The NERC cyber security standards effectively excludes these devices from any cyber security requirements as they allow the utilities to treat each turbine as an individual asset rather than include the entire wind farm. This means that each individual turbine is too small to meet the NERC minimum requirements for having to address cyber security.
DHS recently declassified the wrong Project Aurora information (see previous blog), yet some people in the Federal Government cannot understand why private industry is reluctant to share ICS cyber security information with it. Even though the only way to mitigate the Aurora threat against rotating equipment is via specific hardware, all NERC requires is for utilities to periodically tell them what they are doing to study the vulnerabilities associated with Aurora. Since the 2007 time frame, DOD has offered to provide Aurora hardware mitigation devices for free to utilities with critical facilities. Until the December 2011 time frame, DOD could not give them away for free! We now have two utilities implementing the Aurora hardware mitigation in a joint program with DOD and hopefully a third may be interested. What is ironic is none of these utilities have any NERC Critical Cyber Assets but they are working with DOD because they believe it is the right thing to do.
October 2013 Project Shine found a device in a distribution substation in a US state capital that was connected to the Internet. Project Shine was able to find pertinent information about the installed device and the utility implementation from the web. From the equipment vendor’s website, project Shine personnel could have changed the configuration of the as-installed equipment. This equipment was connected directly to the Internet on one side and to SCADA via a serial DNP connection on the other. It would not have been difficult to access the substation device to get access to SCADA to open and close breakers and create an Aurora event. The utility was unaware of the device being connected to the Internet until I called them. As this was a distribution substation and using serial communications, this system fell outside of NERC cyber security requirements. When I talked to a representative of the California Public Utilities Commission (CA PUC) about this in March 2014, I was told that PG&E and the other large California utilities told him Aurora was not a problem. The CA PUC representative also stated that none of the large California utilities would ever connect their ICSs directly to the Internet. The CA PUC representative was wrong – the large California utilities have connected ICSs directly to the Internet.
Recently a US DOD cyber security subject matter expert returned from an international trip. While overseas, he had discussions about ICS cyber security. When the DOD representative mentioned ICS cyber security, one of the international government representatives stated that cyber terrorists had attacked their electric grid. I personally know of many significant international ICS cyber incidents. As electric grids and other critical infrastructure use common equipment from common vendors, one can ask why this information is not shared with industry by DHS and/or DOE, or if DHS and/or DOE are even aware of the incidents.
My database of actual ICS cyber incidents is >350 and growing. I certainly hope people wake up before it is too late.
Joe Weiss