Identity theft, T&D style
To understand how transmission and distribution (T&D) system vulnerabilities arose, it helps to take a look back at the technology of control systems built before Sept. 11, 2001—this generation’s “day of infamy” that precipitated concern about terrorism on U.S. soil.
Then—as now—in a typical utility system for controlling energy delivery, the system’s master computer and remote terminal units (RTUs) communicate using wireless radio technologies that are easily tapped into by a third party. Even direct T-1 lines, frame relay clouds, fiber optics, and other communications channels can be penetrated by someone with nothing more than moderate technical savvy and desire. For example, a miscreant can initiate a “playback attack” by recording sensitive messages between devices and playing them back later. A more sophisticated attacker could formulate and send new messages designed to override control of remote devices, report incorrect status to the master computer, and/or wreak havoc on system stability.
To this day, most electric utilities’ control systems do not authenticate master and remote devices before allowing them to communicate. Such authentication would allow each device in a network to verify another’s identity, instead of blindly sending out information.
Without authentication, an intruder can engage in what is known as “spoofing”—interjecting message packets that pose as having been sent from a valid device on the network. Because authentication is never done, the receiving device has no way to differentiate malicious packets from authentic packets.
In one possible scenario, a hacker could send the master computer false status data that pretends to come from a remote device. If the false status message is formatted correctly, the master computer will act on it as if it had come from a real device, and the resulting control actions can disrupt the system.
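The authentication the article says is missing is, at its simplest, a keyed message tag plus a per-device counter: the master can then tell a spoofed or replayed packet from a genuine one. The following is an added example, not code from the article or from any utility's control system; the frame layout, the device name RTU-07, the demo keys and the status strings are all constructed for illustration, and it assumes each remote device shares a pre-provisioned secret with the master.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length in bytes

# Constructed demo keys: one secret per remote device, provisioned out of band
# (never sent over the radio or dial-up link itself).
DEVICE_KEYS = {
    b"RTU-07": b"constructed-demo-key-for-rtu-07",
}


def build_status_message(device_id: bytes, seq: int, status: bytes, key: bytes) -> bytes:
    """Frame layout (constructed): id_len(1) | id | seq(4, big-endian) | status | tag(32).

    The tag is HMAC-SHA256 over everything that precedes it, so neither the
    claimed identity, the counter nor the payload can be altered without the key.
    """
    body = struct.pack("!B", len(device_id)) + device_id + struct.pack("!I", seq) + status
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Master:
    """Receiving side: authenticates each frame and rejects spoofed or replayed ones."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per device

    def receive(self, frame: bytes):
        """Return (accepted, reason, device_id, status)."""
        if len(frame) < 1 + 4 + TAG_LEN:
            return False, "malformed", None, None
        id_len = frame[0]
        if len(frame) < 1 + id_len + 4 + TAG_LEN:
            return False, "malformed", None, None
        device_id = frame[1:1 + id_len]
        seq = struct.unpack("!I", frame[1 + id_len:1 + id_len + 4])[0]
        status = frame[1 + id_len + 4:-TAG_LEN]
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]

        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device", device_id, None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Wrong key or altered bytes: the packet is now distinguishable from a genuine one.
            return False, "bad tag", device_id, None
        if seq <= self.last_seq.get(device_id, 0):
            # A recorded frame played back later carries a counter the master has already seen.
            return False, "replay", device_id, None
        self.last_seq[device_id] = seq
        return True, "ok", device_id, status


def demo():
    """Walk through the article's scenarios and return the master's verdict on each."""
    master = Master(DEVICE_KEYS)
    key = DEVICE_KEYS[b"RTU-07"]
    genuine = build_status_message(b"RTU-07", 1, b"BREAKER_CLOSED", key)
    tampered = genuine[:-TAG_LEN - 1] + b"X" + genuine[-TAG_LEN:]  # last status byte changed
    return [
        master.receive(genuine)[1],                                                    # genuine report
        master.receive(genuine)[1],                                                    # same frame played back
        master.receive(build_status_message(b"RTU-07", 2, b"BREAKER_OPEN", b"guess"))[1],  # forged without the key
        master.receive(tampered)[1],                                                   # genuine frame modified in transit
        master.receive(build_status_message(b"RTU-99", 1, b"OK", key))[1],             # device the master never enrolled
        master.receive(build_status_message(b"RTU-07", 2, b"BREAKER_CLOSED", key))[1], # next genuine report
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two practical caveats: the per-device counter has to survive a master restart (otherwise every stored frame becomes replayable), and a production deployment would use the standardized form of this idea, such as DNP3 Secure Authentication or IEC 62351, rather than a homegrown frame format.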
Another T&D cyber vulnerability is the dial-up connection used by maintenance personnel to remotely diagnose and fix problems with field equipment. Utilities commonly use the technique to avoid the cost and time of sending a technician in a truck to some distant site.
In some remote diagnostic systems, the equipment’s default password either has not been changed or has been set to a nonchanging phrase that many employees and contractors know. One problem with legacy technology environments is that they make it impractical to change the password frequently. Because dial-up diagnostic systems use analog modems, an attacker armed with “war dialer” software and a basic knowledge of control system devices could find it easy to infiltrate a control system through a dial-up connection. And, given that landlines are often not monitored for activity, an attacker could stage a “back door” attack whose source would be very hard or impossible to identify.
Control systems’ final security concern isn’t obvious, but it is very real. In the process of upgrading and expanding their control systems, many utilities and other large infrastructure companies have linked them to supporting IT systems and applications that specialize in billing, accounting, and e-mail. Though this enhanced connectivity and modernization has been a boon for the companies’ productivity, it has exposed their control systems—especially their legacy systems—to the cyber vulnerabilities inherent in IT systems that rely on the Internet. Adding new devices and systems to the interconnected network only creates more possible points of attack.