Forwarded From: Simon Gardner <juniper@cix.compulink.co.uk>
Hacking the Power Grid
by Gene Koprowski
Could hackers flip the switch on the US electric-power grid and leave the
country in the dark, as if a national natural disaster had occurred? The
question is not as absurd as it sounds, computer experts say.
As electric utilities from California to Maine prepare for the era of
deregulated competition, many are adopting customer-friendly Web sites.
Some of these sites are integrated with databases inside the utilities
themselves, leaving them potentially vulnerable to penetration by hackers.
But the highly decentralized structure of the power plants -- generators
are not connected to the networks which are hooked to the Internet --
means that the damage hackers can cause is limited, says Bruce Wallenberg,
a professor of electrical engineering at the University of Minnesota, who
has worked extensively with utilities.
"The government recently put together a group which claimed that they
hacked into computers controlling the entire electric power grid of the
US, and then claimed they could have shut it down," said Wallenberg,
referring to recent press accounts. "My contention with that is just
because you can break into a computer, it does not mean that you have
suddenly acquired the ability to shut the process of controlling the
plant."
Power plants are complex technological organizations, Wallenberg
explained. To shut down a generator, one has to open circuit breakers and
instruct generators to lower the "set points," the levels at which they
are transmitting power. This is not something that can be done solely via
a computer network. Often the task is done manually through process
controls, or, if computerized, requires smart-card access.
"To change our computers you would physically have to be there," said Mark
DuBois, the technical team leader for Web development at the Central
Illinois Power Co., an electric utility located in Peoria. "Someone would
notice."
The fact that hackers have gotten into power plants, Wallenberg said,
simply proves what everybody already knew: Networks linked to the Web are
vulnerable.
Still, Wallenberg and others, like Nick Simicich, a senior consultant with
Florida's IBM Consulting, Inc., think that there are dangers for the
electric-power industry now that they are online. Companies like Central
Illinois Light Co. recently launched a Web-based service for its
customers, which will eventually offer services including online bill
payment. This is where the companies are vulnerable, Simicich believes. A
hacker could break into the network and wreak havoc with the billing
system.
The Central Illinois site, which uses an Integraph server with one
gigabyte of memory and 10 gigabytes of disk space, is linked to seven
Sybase databases and located offsite, in Arlington, Va., at a Web-hosting
service.
"We did physically locate it offsite to keep them separate from our
network," said DuBois, the technical team leader for the Web project at
CILCO. "There is still a fair amount of security, but hackers would go
nowhere if they break in there. I can guarantee that."
There's another concern for these energy computing experts. With
deregulation, there is an increasing interest in energy futures trades at
the commodities exchange on Wall Street. Simicich said hackers might use
social engineering techniques to obtain passwords to computers with access
to the networks containing sensitive information from these sources.
Others in the computer-security industry have raised concerns about the
government simulating attacks on these kinds of systems, and whether or
not that was proper. But Susan Hansen, a spokeswoman for the Office of the
Secretary of Defense, defends the practice and says that most information
remained secure. But a government source claims that government hackers
were able to penetrate beyond the Web site in their tests of utility
networks.
Security experts say that energy companies are becoming increasingly
sophisticated with network security, and have software systems in place
allowing them to monitor any suspicious activity. That's important,
because while the networks controlling power grids are currently offline,
the utilities will come to rely more and more on the Internet. As they do,
their vulnerability will increase.
"With deregulation, as the separation of power from transmission grows,
companies are going to be sharing information with each other and with
customers over networks," says Patrick Taylor, a consultant at Internet
Security Systems, an Atlanta-based security software vendor. "You are
opening up the systems. It is no longer just PG&E or another utility
running everything. It is Bill's Power Co., too. So Net security is now on
the radar screen of the electric industry."
[Wired News]
[http://www.wired.com/news/news/technology/story/12746.html]
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Fri Jun 5 09:14:07 1998