The discussion about security for smart grid infrastructure has seemed to fluctuate between hype and malaise. Most media reports have focused on headline-grabbing events like Chinese hackers breaking into the U.S. power grid, or the potential for a smart meter virus. But within the smart grid industry, the reaction to this media hype has sometimes been a feeling of: ‘this problem is solved, move on.’ But I think the frequency and sophistication of cyber attacks on the power grid are just beginning, and the attention over smart grid security is about to ramp up exponentially in 2010.
Last month saw the emergence of the first worm able to exploit a Microsoft Windows vulnerability to break into power grid control systems (supervisory control and data acquisition systems, called SCADA). The worm, dubbed Stuxnet, was active for several days, targeted Siemens’ Windows-based SCADA systems, attacked the U.S. the hardest, and was able to penetrate the systems via infected USB devices. Researchers think the motive behind the attacks was corporate espionage, and the infected systems exposed their databases, revealing potentially sensitive and usable information.
While Microsoft and Siemens (along with the various computer security vendors) released the necessary tools for energy companies to deal with the vulnerability, there are a couple of important things to note about the event. First, given this was the first time that the Microsoft vulnerability was exposed and used to attack SCADA systems, you can guess that there will be many, many copycats that will follow suit.
The event highlights the differences between IT network security management and SCADA management. The fixes for the vulnerability will likely take a while to get deployed for the power grid (if they are deployed at all on a wide scale), as SCADA managers generally aren’t updating network software as constantly as their IT counterparts are. As the security researchers at McAfee pointed out, the worm was able to target Siemens because Siemens had hardcoded passwords (that is, put the passwords in the source code of the software) to connect the SCADA system to the corresponding database. Siemens said that made the system more reliable. Hardcoding passwords is a big no-no in the Internet security world.
The worm also shows just how un-smart power SCADA systems can be. Jonathan Pollet, founder of Red Tiger Security, told an audience at the Black Hat convention last week that some energy customers had downloaded the Windows patch and the patch actually broke the SCADA systems, CNET reported. (For just how dumb the power grid is, see The Power Grid Is So Dumb That. . . .) Pollet also said during his talk, titled “Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters,” that SCADA systems are in general a lot less secure than IT systems and that SCADA systems are “a ticking time bomb” in terms of security breaches.
Both Pollet and McAfee researchers pointed to the fact that the SCADA worm was particularly sophisticated and that utility and energy companies should expect these types of attacks to continue and become increasingly sophisticated. Up to this point, there have been mostly simulated attacks and researchers warning of potential attacks. As the Smart Grid Security Blog puts it, “Stuxnet is heavy, heavy duty malware.” McAfee:
“Energy and utility companies should be frightened by the sophistication of this attack and fearful of coordinated advanced persistent threats.”
While last year I thought discussions about smart grid security had reached some kind of height in 2009, it looks like 2010 is just the beginning of the actual defense and implementation of software to secure the smart grid. Joseph Weiss, managing partner at Applied Control Solutions, told Computerworld that to date there have been at least 170 known cyber-related power outages in the US.