Joseph Weiss, KEMA
In January 2003, the so-called Slammer worm invaded Microsoft SQL servers worldwide and crashed tens of thousands of business computer networks. Slammer also affected control systems used in utility and manufacturing applications, but the only cases that were publicized were the business network impacts.
As unintended targets of Slammer, Blaster and other worms, the energy industry was caught off guard by these incidents because utilities traditionally have not been vulnerable to attacks in cyber space. For decades, the proprietary software and closed architecture used to develop computerized operating systems for utilities were inherently safe from unwanted incursion. Cyber security simply has not been an issue utilities have had to consider.
In recent years, however, developers of the automated monitoring, control and communications systems now routinely used by power utilities have largely abandoned proprietary products in favor of off-the-shelf components. While commercial platforms offer advantages such as lower cost and interoperability, these systems also provide an open door for viruses and hackers to invade critical infrastructure.
Worming their way in
In terms of viruses and worms, the primary threat for utilities is not the control systems themselves but the infrastructure attached to them. These typically include man-machine interfaces, operator consoles and telecommunications components. The majority of interfaces and display consoles now utilize Microsoft or UNIX platforms, both favorite targets of virus and worm creators. And recently, the communications routers built by Cisco Systems have come under attack.
Fortunately, this focus on the support systems means that virus and worm incursions have failed to do any physical damage to critical control systems or other key utility assets, but the negative impacts have still been costly to the utilities involved. When a communication line or display console is impacted, the usual result is the operator loses the ability to monitor and control the SCADA or plant system.
As a result of the Slammer attack, for example, a nuclear power plant had several key plant computer systems compromised, and Blaster forced several generating companies to shut down combustion turbines because the operator displays were compromised. Without the ability to view conditions in the substation or generator, the utility often has no choice but to shut the impacted system down. In extreme cases like this, the utility loses money either by cutting power to customers or having to buy supplemental power on the open market.
When word of a major worm attack gets out, a few utilities deal with the situation by immediately shutting down their most vulnerable systems. Unfortunately, even this can’t prevent an incursion. The nuclear plant mentioned above was not invaded by Slammer during the primary attack. That occurred later when a subcontractor unknowingly brought an infected laptop computer into the facility and plugged it into the network. No firewall can protect the network from an inside attack.
Safeguarding against attacks
The fact that most utilities have not needed to defend their control systems against cyber attacks until very recently makes their current vulnerability and the potential consequences that much more serious. An additional sobering thought is that in today’s competitive energy market and volatile world situation, utilities may not remain unintended targets for long. Fortunately, the industry is becoming aware of the threat, and there are several steps utilities can take immediately to protect themselves.
First, utilities must educate operations personnel on the dangers of cyber attacks. Appropriate personnel should attend training on control system cyber security, either in-house or at industry workshops. These individuals must be taught to identify which systems are vulnerable and to develop detailed plans for recovering systems that have been hit. If possible, they should also participate in the appropriate industry standards organizations, such as IEEE, ISA or IEC, or at least be knowledgeable about these efforts.
Next, each utility should create written policies and procedures regarding access, either remote or internal, to its critical control systems. Only designated employees should have access, and they must be instructed to change passwords periodically. Strict guidelines should be established governing use of utility computers to connect with outside Web sites. Introducing portable computers to the internal networks, especially by vendors and contractors, must be strictly regulated.
In addition, utilities should work closely with automation system vendors to find and install patches that close the holes through which worms and viruses enter. Microsoft, UNIX and other commercial software developers periodically release software patches. However, utilities should always ensure that these patches have been tested for their specific systems.
Firewalls and intrusion detection systems are another solution that utilities should consider. Although none of these hardware or software devices has been specifically developed for use on SCADA or plant control systems, automation vendors should be able to utilize them in implementing security solutions.
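As an added illustration (not part of Weiss's article) of the kind of detection check the firewall and intrusion-detection recommendation implies for the contractor-laptop scenario described earlier: Slammer spread by firing single UDP packets at port 1434 on random addresses, so an infected host inside the perimeter stands out in firewall logs as one source reaching many distinct 1434 destinations in seconds. The log format, addresses and thresholds below are constructed for the example.

```python
"""Flag hosts showing Slammer-like UDP/1434 fan-out in firewall logs.
Slammer spread with one UDP packet to port 1434 (SQL Server resolution service)
sent to random addresses, so an infected host shows as one source reaching many
distinct 1434 destinations within seconds. Log format is a constructed assumption."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec

def find_scanners(lines, window_s=10, min_targets=5):
    """Return {src: distinct_dst_count} for sources that hit at least
    min_targets distinct hosts on UDP/1434 inside any window_s-second span."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] == 1434:
            events[rec["src"]].append((rec["ts"], rec["dst"]))
    hits = {}
    for src, ev in events.items():
        ev.sort()
        for i, (t0, _) in enumerate(ev):
            targets = {d for t, d in ev[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

# Constructed sample: 10.20.1.55 plays the contractor laptop from the article;
# 10.20.1.9 makes one legitimate lookup and must not be flagged.
SAMPLE_LOG = """\
2003-01-25 05:31:00 ALLOW UDP 10.20.1.55:1041 -> 10.20.9.12:1434
2003-01-25 05:31:00 ALLOW UDP 10.20.1.55:1041 -> 172.16.4.7:1434
2003-01-25 05:31:01 ALLOW UDP 10.20.1.55:1041 -> 10.20.9.200:1434
2003-01-25 05:31:01 ALLOW UDP 10.20.1.55:1041 -> 192.168.7.3:1434
2003-01-25 05:31:02 DENY UDP 10.20.1.55:1041 -> 10.20.9.77:1434
2003-01-25 05:31:03 ALLOW UDP 10.20.1.9:3455 -> 10.20.9.12:1434
2003-01-25 05:31:03 ALLOW TCP 10.20.1.9:3456 -> 10.20.9.12:1433
"""
```

Denied packets are counted as well as allowed ones, since a blocked scan attempt is still evidence that a host on the inside is infected; `find_scanners(SAMPLE_LOG.splitlines())` flags only 10.20.1.55.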
Finally, utilities should report and share their own worm and virus experiences. Industry Information Sharing and Analysis Centers (ISACs) were established to share such information. However, to date, most of the control system impacts have not been reported to the ISACs or any other reporting agency such as CERT, SANS, or CSI.
Weiss is an executive consultant at KEMA. He is also a member of ISA's process control systems security committee (SP99) and CIGRE's task force on cyber security. Weiss is located in California and may be reached at [email protected] or 408-253-7934.