Engineers Discover Power Grid Vulnerability that could Shut Down the Entire Country

Two engineers have discovered a major vulnerability in the systems that control our power grid, one that could literally allow hackers to take down the entire U.S. power grid.

According to the New York Times, the two engineers, Adam Crain and Chris Sistrunk, developed software to look for vulnerabilities in an open-source software program. The program looked for defects in a very specific communications protocol called DNP3, which is predominantly used by electric and water companies, and plays a crucial role in so-called S.C.A.D.A. (supervisory control and data acquisition) systems.

SCADA systems basically control everything from our communication infrastructure, to our drinking water and our electric power grid and nuclear reactors. For many years SCADA systems were thought to be more secure; according to these engineers, that may not be the case.

During the course of testing, the engineers found they could penetrate and shut down almost every major Industrial Control System they tested. The two quickly compiled a 20-page report detailing the vulnerabilities they found for the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.

Despite finding and reporting the problems to the Department of Homeland Security, the engineers claim very little is being done to fix the problem.

Government preparing for Massive GridEx 2013 Preparedness Drill

Early next month, the U.S. Government, along with more than 150 companies and organizations, will take part in GridEx 2013, one of the largest infrastructure preparedness drills ever. The drill will simulate a Grid Down Scenario, one that will examine what would happen if the country’s electric grid was taken down by both physical and cyber-attacks.

While GridEx 2013 organizers are pretty tight-lipped over exactly what’s being tested, experts say it could be years before any real improvements are actually made. In fact, our country has known about most of these threats for decades, but very little has been done to protect the country.

Earlier this year we talked to Damon Petraglia, a Cyber-Terrorism expert and member of US Secret Service Electronic Crimes Task Force, who told us the country is “under attack 24 hours a day, seven days a week, 365 days a year.” He went on to say, “Our military systems are probed in excess of hundreds of thousands of times per hour. Our private industry can claim similar statistics.”

Our country’s infrastructure is extremely susceptible to cyber-attacks, not to mention how easily things can go bad during relatively common problems caused by storms and outdated failing equipment. As we’ve seen during disasters like Hurricane Sandy, even small-scale disasters can wreak havoc on this country’s power grid, and cause mass amounts of chaos on the streets.

The need to be prepared for this type of disaster has never been more apparent. Our entire culture clings to these systems like a lifeline; should those systems go down, this country will be in for some major trouble.

17 Comments

    • It would be just as disastrous in the southwest for this to happen in the summer. When it’s between 105-115, people will die without power.

  1. It will be cold when things don’t mysteriously fire back up like they are supposed to. Then it’s a national emergency.

  2. I do not know where you get your info ….but the super computer that runs the water and power grid is not linked to the internet so you would have to be an employee of the co. to hack in on a terminal that is linked to the system…..and I don’t see that happening ……

    • church; where did you get this information of a super computer? And if it is true they would have to have another internet for it to run everything from water and power. This is the first time anyone has said that there is an internet just for all of water and power to link together.

      All the articles I have ever read it is on the same internet. Please post a link to anywhere there is an article on this please.

    • That’s actually not 100% correct. These SCADA SYSTEMS are setup to be accessed remotely and have been hit a number of times. Check out the Russian hack of the water treatment plant in Illinois, I think they mentioned it here somewhere on the site.

      Also to say it can’t be done ignores the Stuxnet and the Flame attacks that hit the nuclear plants in Iran. Also these engineers figured out how to do it and the link above to the NY TIMES article confirms it.

  3. I sell Wonderware SCADA software. At least 75% of the water systems in my state run on our software. There’s no supercomputer that runs SCADA across the country. It is run on standalone PCs and some have a thin client architecture, but not many. Most can be accessed remotely via VPN. Some are secure, some are not. Some are connected to the internet, some are not. Keep in mind that water plants are mostly run by local utilities and their employees are often not the best and the brightest because of the meager wages they get paid. Many are using old operating systems and old SCADA versions with security vulnerabilities too because they are too cheap to pay for upgrades and support. Also keep in mind that these systems don’t have to be connected to the internet to be hacked. USB flash drives will work just fine to do this. Ask the Iranians about Stuxnet. That’s how their Siemens SCADA software and S7 PLCs got hacked. Unfortunately, our water is vulnerable.

  4. For clarification, yes, some SCADA systems have this vulnerability, but most SCADA systems are not (and should never be) connected to the public Internet. In most control systems designs, the control system nodes connect to a private network that is air-gap isolated from other networks. Adherence to strong Infrastructure Assurance practices can mitigate most of the risk. That said, vigilance, understanding and awareness are necessary to prevent attacks through uncommon vectors, as we saw with Stuxnet (which used offline USB thumb-drives in operator terminals/workstations as both the attack vector and the C&C).

  5. What’s worse is that a lot of our power infrastructure is vulnerable to simple physical attacks like small arms fire or even simple infiltration for direct sabotage in some cases.

  6. I remember a few years ago (at least it seems like just a few to me) when a couple of trees in Ohio shorted out a power line in a local wind storm. Within two hours New York went BLACK. That was before computers were as sophisticated (read that interconnected and desperately depended upon) as they are today. These engineers have merely documented one set of details proving what intelligent technologists have known for many years. I’ve worked with computer systems for decades doing the infrastructure management that the “programmers” did not even want to understand. SCADA may be ironclad from an “internet” standpoint, but the internet is not the whole story regarding connectivity among computerized functions. Just consider that more and more power companies are now using the same physical line to transmit thousands of volts of power and microvolt communications signals at the same time. From a systemic standpoint the true vulnerability is the grid itself.

  7. I hope that the govt. handles this little project better than they have in the past. Maybe Mexico won’t wind up with all of our power.

  8. If the grid goes down, what happens at the banks? Do our bank records get erased? It’s always about money somehow. I think this is just another shell game. Create a diversion so everyone is focusing on that while we are being deceived, Big Time! as to what is really happening. Better be praying for understanding.

  9. Anyone see any connection here? NatGeo is going to air a show about a grid down scenario, GridEx2013, and the DHS spending $80 million for private security?

    Remember back last year that a town in Ga. made the MSM because the EBT cards didn’t receive their deposit and people went nuts when they tried to use them (payment was made the VERY next day but you never heard of it happening anywhere else)? The partial Government shut down this year and the EBT card debacle in a La. Wal-Mart? The numbers are adding up to me! If I were a betting man I would say that the Government is “testing the waters” and/or planning for something? Of course, this is just my opinion but the math adds up right.
