Report: Massive Vulnerability Detected In National Power Grids: “There Is No Way to Stop This”

If you think that our multi-billion dollar electrical power grids are secure and capable of withstanding a coordinated attack, think again.

According to one group of engineers, the grid is so vulnerable that it wouldn’t even require a skilled hacker to compromise. In fact, when Adam Crain and Chris Sistrunk decided to test some new software they were developing they identified a vulnerability so serious that it could literally blind operational controllers to such an extent that they would be locked out of monitoring systems and unable to maintain grid integrity.

The consequences, according to the engineers who note they are in no way security specialists, could be a total downing of the national power grid with nodes across the nation being taken over all at once. Moreover, the same systems used to maintain the U.S. power grid are also being used in other industries, like water treatment facilities.

You’d think that such a vulnerability would be a top priority for the Department of Homeland Security, considering they are spending millions of dollars and promoting their coming GridEx exercise in November.

But you’d be wrong. The kicker is that when Crain and Sistrunk advised the DHS Industrial Control Systems Cyber Emergency Response Team, they got what essentially amounts to no response. It took Homeland Security a full four months before they even acknowledged the problem.

The two engineers who discovered the vulnerability say little is being done.

Adam Crain and Chris Sistrunk do not specialize in security. The engineers say they hardly qualify as security researchers. But seven months ago, Mr. Crain wrote software to look for defects in an open-source software program.

The program targeted a very specific communications protocol called DNP3, which is predominantly used by electric and water companies, and plays a crucial role in so-called S.C.A.D.A. (supervisory control and data acquisition) systems. Utility companies use S.C.A.D.A. systems to monitor far-flung power stations from a control center, in part because it allows them to remotely diagnose problems rather than wait for a technician to physically drive out to a station and fix it.
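The failure mode the article goes on to describe is a DNP3 master that crashes when it receives a message it was not written to expect, which takes every substation under it out of view. The parser-side mitigation is strict validation at the link layer: check the start bytes, the length field, and every CRC before trusting a single byte of payload, and reject bad frames with an error rather than letting them reach deeper code. The following is an added illustration written for this page; it is not code from the article, from the researchers, or from any vendor. It implements the public DNP3 link-frame layout (start bytes 0x05 0x64, a length byte covering the control, address and user-data bytes, CRC-16/DNP over the header and over each 16-byte data block, CRC sent low byte first). The function names and the sample frames are constructed for the example.

```python
"""Defensive DNP3 link-layer frame parser (added illustration, not the article's
or the researchers' code). All frames below are constructed for the example."""
from dataclasses import dataclass
from typing import Tuple

START = b"\x05\x64"
HEADER_LEN = 10          # 2 start + 1 length + 1 control + 2 dest + 2 src + 2 CRC
MAX_USER_DATA = 250      # the length byte covers 5 header bytes + at most 250 user bytes


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0x3D65 (0xA6BC reversed), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


class FrameError(ValueError):
    """Raised for any malformed frame; callers log and drop instead of crashing."""


@dataclass
class LinkFrame:
    control: int
    destination: int
    source: int
    user_data: bytes


def parse_frame(buf: bytes) -> Tuple[LinkFrame, int]:
    """Validate one link frame at the start of buf; return it and the bytes consumed."""
    if len(buf) < HEADER_LEN:
        raise FrameError("truncated header")
    if buf[0:2] != START:
        raise FrameError("bad start bytes")
    length = buf[2]
    # Never trust the peer's length field before bounding it.
    if length < 5 or length - 5 > MAX_USER_DATA:
        raise FrameError(f"invalid length field {length}")
    if crc16_dnp(buf[0:8]) != int.from_bytes(buf[8:10], "little"):
        raise FrameError("header CRC mismatch")
    control = buf[3]
    destination = int.from_bytes(buf[4:6], "little")
    source = int.from_bytes(buf[6:8], "little")

    remaining = length - 5
    pos = HEADER_LEN
    user_data = bytearray()
    # User data is split into blocks of up to 16 bytes, each followed by its own CRC.
    while remaining > 0:
        chunk = min(16, remaining)
        if len(buf) < pos + chunk + 2:
            raise FrameError("truncated data block")
        block = buf[pos:pos + chunk]
        if crc16_dnp(block) != int.from_bytes(buf[pos + chunk:pos + chunk + 2], "little"):
            raise FrameError("data block CRC mismatch")
        user_data += block
        pos += chunk + 2
        remaining -= chunk
    return LinkFrame(control, destination, source, bytes(user_data)), pos


def check_frame(buf: bytes) -> str:
    """Return 'ok' or the rejection reason; a log-friendly wrapper that never raises."""
    try:
        parse_frame(buf)
        return "ok"
    except FrameError as err:
        return str(err)


def build_frame(control: int, destination: int, source: int, user_data: bytes) -> bytes:
    """Encode a well-formed frame (used here only to construct test input)."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds one link frame")
    header = (START + bytes([5 + len(user_data), control])
              + destination.to_bytes(2, "little") + source.to_bytes(2, "little"))
    out = bytearray(header + crc16_dnp(header).to_bytes(2, "little"))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + crc16_dnp(block).to_bytes(2, "little")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: unconfirmed user data (control 0xC4) from outstation 1024 to master 1.
    good = build_frame(0xC4, 1, 1024, bytes(range(20)))
    print(check_frame(good))                       # ok
    print(check_frame(good[:20]))                  # truncated data block
    damaged = bytearray(good); damaged[12] ^= 0xFF
    print(check_frame(bytes(damaged)))             # data block CRC mismatch
```

The point of returning the consumed length is that real DNP3 runs over a byte stream where frames arrive back to back; a caller loops over `parse_frame`, drops any frame that raises `FrameError`, resynchronises on the next start bytes, and keeps serving the other substations. That bounded, fail-closed handling is what a perimeter firewall cannot provide, since the malformed frame arrives on the same port and from the same address as legitimate traffic.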

Mr. Crain ran his security test on his open-source DNP3 program and didn’t find anything wrong. Frustrated, he tested a third-party vendor’s program to make sure his software was working. The first program he targeted belonged to Triangle MicroWorks, a Raleigh, North Carolina based company that sells source code to large vendors of S.C.A.D.A. systems.

It broke instantly.

“When Adam told me he broke Triangle, I worried everything else was broken,” said Mr. Sistrunk.

Over the course of one week last April, the two tested Mr. Crain’s software across 16 vendors’ systems. They did not find a single system they couldn’t break.

By the end of the week, the two had compiled a 20-page report replete with vulnerabilities in 16 different system vendors for the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, I.C.S.-C.E.R.T., which notifies vendors of vulnerabilities and issues public advisories.

And then, they waited. It would take I.C.S.-C.E.R.T. another four months to issue a public advisory for Triangle MicroWorks’ system.

…D.H.S. did not return a request for comment.

Mr. Crain found that he could actually infiltrate a power station’s control center from afar. An attacker could use that capability to insert malware to take over the system, and like Stuxnet, the computer worm that took out 20 percent of Iran’s centrifuges, inflict actual physical harm.

“This is low-hanging fruit,” said Mr. Crain. “It doesn’t require some kind of hacker mastermind to understand the protocol and do this.”

What makes the vulnerabilities particularly troubling, experts say, is that traditional firewalls are ill-equipped to stop them. “When the master crashes it can no longer monitor or control any and all of the substations,” said Dale Peterson, a former N.S.A. employee who founded Digital Bond, a security firm that focuses on infrastructure.

“There is no way to stop this with a firewall and other perimeter security device today.”

The New York Times

When outgoing DHS head Janet Napolitano suggested that a cyber attack on the nation’s power grid is imminent, she meant it.
