Tuesday, October 22, 2013

Grid and Bear It

So we read about how vulnerable our power grid system is to potential attacks, either by outsiders taking control or hackers infesting the control systems with customized viruses and computer worms. The Department of Homeland Security is concerned, but for the most part, the software protection systems seem to have vulnerabilities that would allow a knowledgeable attacker with malice in mind to shutter major electrical delivery systems across the land. Just picture a great big blackout hitting your neck of the woods. Lights go off, elevators stop, electrically-driven trains/subways roll to a halt, traffic signals blank out, file servers and computer systems that don’t have back-up power sources shut off, data is lost, financial transactions go down in flames, emergency generators in hospitals and sensitive government venues kick on… but for how long… and the United States of America simply stops.
The problem is that how to shut down the grid is widely known by software engineers who work in the system, even those who are not security experts. We took down Iran’s centrifuge system, crippling their nuclear development activities for months, with our little Stuxnet malware worm. Well, vulnerability fans, here’s a little tale in the October 17th Bits section of the New York Times that should rock your world… dealing directly with how Americans get electricity… in a bad way:
“Adam Crain and Chris Sistrunk do not specialize in security. The engineers say they hardly qualify as security researchers. But seven months ago, Mr. Crain wrote software to look for defects in an open-source software program [that is used in running our power grid]. The program targeted a very specific communications protocol called DNP3, which is predominantly used by electric and water companies, and plays a crucial role in so-called S.C.A.D.A. (supervisory control and data acquisition) systems. Utility companies use S.C.A.D.A. systems to monitor far-flung power stations from a control center, in part because it allows them to remotely diagnose problems rather than wait for a technician to physically drive out to a station and fix it.
“Mr. Crain ran his security test on his open-source DNP3 program and didn’t find anything wrong. Frustrated, he tested a third-party vendor’s program to make sure his software was working. The first program he targeted belonged to Triangle MicroWorks, a Raleigh, North Carolina based company that sells source code to large vendors of S.C.A.D.A. systems. It broke instantly.
“Mr. Crain called Mr. Sistrunk, an electrical engineer, to see if he could help Mr. Crain test his program on other systems… ‘When Adam told me he broke Triangle, I worried everything else was broken,’ said Mr. Sistrunk… Over the course of one week last April, the two tested Mr. Crain’s software across 16 vendors’ systems. They did not find a single system they couldn’t break.” Uh oh! With too many unmanned, remote facilities on the grid, the ability to crack into the system through these isolated structures makes a bad situation a whole lot worse.
“In the case of one vendor, Mr. Crain found that he could actually infiltrate a power station’s control center from afar. An attacker could use that capability to insert malware to take over the system, and like Stuxnet, the computer worm that took out 20 percent of Iran’s centrifuges, inflict actual physical harm… ‘This is low-hanging fruit,’ said Mr. Crain. ‘It doesn’t require some kind of hacker mastermind to understand the protocol and do this.’
“What makes the vulnerabilities particularly troubling, experts say, is that traditional firewalls are ill-equipped to stop them. ‘When the master crashes it can no longer monitor or control any and all of the substations,’ said Dale Peterson, a former N.S.A. employee who founded Digital Bond, a security firm that focuses on infrastructure. ‘There is no way to stop this with a firewall and other perimeter security device today. You have to let DNP3 responses through.’
“Even more troubling, Mr. Peterson said, is that most DNP3 communications aren’t regulated. The original version of DNP3 worked on serial communications — a way of transmitting data usually found in things like coaxial cables — and is still widely deployed in large systems, particularly substations around the country. But current cybersecurity regulations, governed by the North American Electric Reliability Corporation’s (N.E.R.C.) Critical Infrastructure Protection Committee (C.I.P.C.) are focused on Internet Protocols, or I.P. protocols, and specifically exclude serial communications and the equipment that uses them from meeting any security requirements.” NY Times. We are a long, long, long way from solving this issue. If you can read about how to do this in the New York Times…
But we have to cut our federal budget, and we know that education – needed to train Americans for better-paying jobs, infrastructure – needed to keep America running (like our power grid) efficiently, and research – needed to create new-growth economic centers, are and have been on the chopping block as ultra-conservative budget slicers want everything to be reduced except military expenditures. I only wish they believed enough in America to invest in it… but they don’t. If you think this is a country worthy of such investment, let your representatives in Congress know how you feel… NOW! And if you don’t live in the United States, take a good look at how your country is dealing with these same issues.
I’m Peter Dekom, and I really hope we wake up and invest to restore both greatness and the opportunities that have defined this nation since it was founded.