There is a US video out that demonstrates the potential damage that hackers could have on the power grid.
Video Link (via Yahoo)
From the AP:
A government video shows the potential destruction caused by hackers seizing control of a crucial part of the U.S. electrical grid: an industrial turbine spinning wildly out of control until it becomes a smoking hulk and power shuts down.
The video, produced for the Homeland Security Department and obtained by The Associated Press on Wednesday, was marked “Official Use Only.” It shows commands quietly triggered by simulated hackers having such a violent reaction that the enormous turbine shudders as pieces fly apart and it belches black-and-white smoke.
The video was produced for top U.S. policy makers by the Idaho National Laboratory, which has studied the little-understood risks to the specialized electronic equipment that operates power, water and chemical plants. Vice President Dick Cheney is among those who have watched the video, said one U.S. official, speaking on condition of anonymity because this official was not authorized to publicly discuss such high-level briefings.
“They’ve taken a theoretical attack and they’ve shown in a very demonstrable way the impact you can have using cyber means and cyber techniques against this type of infrastructure,” said Amit Yoran, former U.S. cybersecurity chief for the Bush administration. Yoran is chief executive for NetWitness Corp., which sells sophisticated network monitoring software.
“It’s so graphic,” Yoran said. “Talking about bits and bytes doesn’t have the same impact as seeing something catch fire.”
The electrical attack never actually happened. The recorded demonstration, called the “Aurora Generator Test,” was conducted in March by government researchers investigating a dangerous vulnerability in computers at U.S. utility companies known as supervisory control and data acquisition systems. The programming flaw was quietly fixed, and equipment-makers urged utilities to take protective measures.
The narrator ends the package with the phrase “these systems were never designed with security in mind.” Well, yes. She got that correct.
Read on.
Here is the SCADA community reaction. The story actually dates back to February/March ‘07 but, only now has come to light in the media.
Here is an example of the SCADA point of view from the SCADA list.
Doesn’t it always turn out that these things are staged like the Dateline NBC story on General Motors pickup truck gas tanks being a fire hazard?
http://www.aim.org/publications/aim_report/1993/03a.html
I’m surprised they missed the opportunity to show Miss Patterson’s 5th grade class being decimated during their field trip to the local power plant. That really would have sent the government scurrying to throw more money at the Idaho National Lab.
And a sane response,
Taking a line on staged I can agree. Remember the PINTO? With the explosive gas tanks. Well I have a brother that was in a Pinto that was rear ended. The Tank was full and the person that hit him was going about 50MPH at the time. Fortunately my brother and his passenger lived.
One Key is HE SAW the car coming in his rear view mirror, made sure that his wheel was straight and let his foot off the break. This allowed the formidable Pinto take off like a marble when it was struck. This without a doubt has to be the main key as to what saved their lives.
Incidentally, they were not in a Pinto that escaped the factory with a fuel cell or airbags or other ’safety’ features that Ford originally had slated for the car.Now I know that there may be at least one person out here that can site a time that they know of a pinto that did burst into flames when struck.
But we are not hear to argue vehicle safety with gas tanks.With all this in mind so what if the video was staged. Is it so totally unrealistic that SCADA Devices can be hacked or compromised? I would say NO, and that we all need to keep our eyes trained at our rear view mirror, or in the least we need to take the proper precautions otherwise we will find ourselves “bursting into flames” at one point in time.
Lets all remember the rules of computer security. (long form)
1) If you need a secure system do not purchase a computer.
2) If you MUST purchase a computer do not open the box.
3) If you must open the box do not plug it in.
4) If you must plug it in do not turn it on.
5) If you must turn it on do not connect it to the network.
6) If you must connect it to the network SECURE (add the safety
features) it.
7) Go back to rule number 1.Bottom line, if the SCADA communicates via RF or is on a network sooner or later even with special or obscure protocols it can be broken. So if methods to protect the devices or the systems these devices manage/control are not in place sooner or later we will have the explosive Pinto or GM truck. Just because a “real” incident has not taken place yet means it never will.
just my thoughts.
–
Leif Ericksen
And to get the other side of the perspective here is a clipping from the Defcon DC-Stuff mailing list.
> On Thu, 27 Sep 2007, Dogten wrote:
>
>> Randal T. Rioux wrote:
>>> Dogten wrote:
>>>
>>>> Does anyone have a good download link? Youtube is down for routine
>>>> maintenance
>>>
>>> http://www.cnn.com/2007/US/09/26/power.at.risk/index.html#cnnSTCVideo
>>>
>> excellent, thanks.
>
> Did anyone else have a problem with this story’s closing?
>
> “The question remains: can the U.S. close these cyber-security holes, before the hackers find them?”
>
>
Clearly the implication is that hackers are [a] evil and [b] not citizens and [c] that no holes have been found by hackers up to this point
Tags: Critical Infrastructure Threats, SCADA Security, Power Grid Security, Hackers
