Just Hop on the Bus, Gus: 13 Ways to Hack a Power Plant

Have you done anything today to put your power plant at risk of attack? Are you sure? Even if you think that plant security isn’t your job, it is.

Forty years ago, musical genius Paul Simon outlined “50 Ways to Leave Your Lover.” In New Orleans in early April at the ELECTRIC POWER Conference, Mike Firstenberg of Waterfall Security Solutions laid out 13 ways to lose your industrial control network. Waterfall, based in Philadelphia, specializes in protecting industrial control systems (ICSs), including those in the electricity business.

13 Attack Types

Here are Firstenberg’s 13 ways that computer hackers, for malicious purposes or just for kinky kicks, can get around the firewalls your company thought would protect you and take over critical ICSs. That includes the many elderly, very vulnerable SCADA (supervisory control and data acquisition) systems, which these days are almost always interconnected with the enterprise’s overall information technology (IT) network.

#1. Phishing. This is the easiest and most common way to bust into an allegedly protected network. It starts with a fake email, whether plain spam or a message that appears to come from someone you know, telling you to click on the cool URL showing a picture of a kitten and kids that you won’t want to miss. You click. It’s a fake, and the page it takes you to plants malware on your machine without asking (what some refer to as a “drive-by download”). You’ve been spear-phished, and the phisherman now has a foothold inside your network.
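What a mail gateway or a suspicious reader actually checks in such a message is the link itself: the visible text says one site, the real target is another, the target is a one-letter misspelling of the company’s own domain, or it is a bare IP address. The following is an added example, not code from Firstenberg’s talk or from Waterfall; it assumes a single trusted domain (example-utility.com) and a constructed sample message, and uses a crude two-label rule for the registrable domain where a real gateway would use the public suffix list.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the demo: the plant's own domain. Any other link host is outside the enterprise.
TRUSTED_DOMAINS = {"example-utility.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'example.com' from 'mail.example.com'; enough for a demo."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; lookalike domains are usually one or two edits from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_links(html_body):
    """Return [(href, [reasons])] for links a phishing filter would hold for review."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # 1. The visible text is itself a URL, but points at a different site than the real target.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
        # 2. The target is a near-miss spelling of a domain we trust.
        if host and registrable(host) not in TRUSTED_DOMAINS:
            for trusted in TRUSTED_DOMAINS:
                if edit_distance(registrable(host), trusted) <= 2:
                    reasons.append(f"{host} resembles trusted domain {trusted}")
        # 3. A bare IP address instead of a hostname.
        if is_ip(host):
            reasons.append(f"link target is a raw IP address ({host})")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message for the demo, not a real phishing mail.
SAMPLE_MAIL = """
<p>Hi, you have to see this kitten!</p>
<a href="http://example-utiliy.com/kittens">http://example-utility.com/kittens</a><br>
<a href="http://198.51.100.9/login">Reset your portal password</a><br>
<a href="https://example-utility.com/policy">Acceptable-use policy</a>
"""

if __name__ == "__main__":
    for href, reasons in flag_links(SAMPLE_MAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run as-is, the first link is held for two reasons (mismatched text and a lookalike domain), the second for its raw IP address, and the genuine policy link passes.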

#2. Social engineering. Steal that password. Do you know where your passwords are? They may be written on a label stuck to the underside of a keyboard, taped inside a desk drawer, or on a post-it note on your office bulletin board, all common and dangerous practices. Your ICS may have come from the vendor with a default password, which your techs have never changed. The most common default password: 1234567890.

#3. Compromise the domain controller. The domain controller is the machine that vouches for every account on the network, so an attacker who can create a fake account there can ride it through the front door and into the guts of the control system. Log on as a customer or vendor, create an identity and a password, and it’s “open sesame.”

#4. Attack exposed servers. The quick path around the firewall is to go through a server the firewall already allows the outside world to reach, for example with a “structured query language” (SQL) injection. According to Wikipedia, this is when malicious SQL statements are inserted into an entry field (a login form, a search box) so that the server executes them (for example, to dump the database contents to the attacker).
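To make the SQL injection concrete, here is an added example (not from the talk or from Waterfall) against a constructed asset registry in an in-memory SQLite database. The vulnerable lookup splices the user’s input into the query text; the same input against the parameterized version is treated as data and finds nothing.

```python
import sqlite3


# Constructed sample tables: an asset registry and the credentials a careless app keeps beside it.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE assets(tag TEXT, description TEXT);
        INSERT INTO assets VALUES ('PLC-01', 'feedwater pump controller'),
                                  ('RTU-07', 'substation RTU');
        CREATE TABLE credentials(username TEXT, password TEXT);
        INSERT INTO credentials VALUES ('operator', 'op-pass'), ('vendor', 'v3nd0r');
    """)
    return conn


def find_asset_vulnerable(conn, tag):
    """The bug: user input is spliced into the SQL text, so it can rewrite the statement."""
    sql = f"SELECT tag, description FROM assets WHERE tag = '{tag}'"
    return conn.execute(sql).fetchall()


def find_asset_safe(conn, tag):
    """The fix: a bound parameter is always data, never SQL, whatever it contains."""
    return conn.execute("SELECT tag, description FROM assets WHERE tag = ?", (tag,)).fetchall()


# Payload 1: make the WHERE clause always true and list every row.
LIST_ALL = "' OR '1'='1"
# Payload 2: append a UNION that pulls a different table (the "dump the database" case)
# and comment out the original closing quote with "--".
DUMP_CREDS = "x' UNION SELECT username, password FROM credentials --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, list-all:", find_asset_vulnerable(db, LIST_ALL))
    print("vulnerable, dump    :", find_asset_vulnerable(db, DUMP_CREDS))
    print("safe, list-all      :", find_asset_safe(db, LIST_ALL))
    print("safe, dump          :", find_asset_safe(db, DUMP_CREDS))
    print("safe, real tag      :", find_asset_safe(db, "PLC-01"))
```

The second payload is the one the Wikipedia definition describes: the attacker never needs a login, only an input field that reaches a query built by string concatenation.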

#5. Attack the ICS clients. This approach is to compromise the client machines, the operator and engineering workstations that are trusted to talk to the ICS servers, and then use their connections to reach the servers at the heart of the interconnected ICS.

#6. Session hijacking. This is a common trick that uses WiFi access points to monitor user traffic as it travels to the mother ship. It is also known as “cookie hijacking,” because what the attacker steals is the session cookie that marks a user as logged in; whoever presents that cookie is logged in too. It is particularly common when users are connected to open-access WiFi networks. So don’t log on at Starbucks or McDonald’s and let the hackers eat your cookies.
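The server side of this problem is visible in the response headers: a session cookie issued over plain HTTP, or without the Secure flag, is one an eavesdropper on the same WiFi can read and replay. The following added example (not from the talk or from Waterfall) audits constructed Set-Cookie headers from an assumed HMI web portal and reports what would make its session stealable.

```python
# Constructed response headers from an assumed HMI web portal; not captured from a real system.
INSECURE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "HMISESSIONID=8f3a9c1d; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "HMISESSIONID=8f3a9c1d; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

# Name fragments that usually mean "this cookie IS the login".
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lowercase: val_or_True})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value, attrs


def audit_session_cookies(headers, served_over_https):
    """Return [(cookie_name, [problems])] for session cookies an eavesdropper could read or replay."""
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue  # preference cookies such as "theme" are not worth stealing
        problems = []
        if not served_over_https:
            problems.append("issued over plain HTTP: anyone on the same WiFi can read it")
        if "secure" not in attrs:
            problems.append("missing Secure: the browser will also send it over plain HTTP")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: page scripts can read it")
        if problems:
            findings.append((name, problems))
    return findings


if __name__ == "__main__":
    for name, problems in audit_session_cookies(INSECURE_RESPONSE, served_over_https=False):
        print(name)
        for problem in problems:
            print("   -", problem)
    print("hardened:", audit_session_cookies(HARDENED_RESPONSE, served_over_https=True))
```

The hardened response passes only because both conditions hold at once: the page is served over HTTPS and the cookie carries Secure, so it is never transmitted in the clear for the coffee-shop sniffer to pick up.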

#7. Piggybacking on the system’s virtual private network (VPN). This is another common tactic of hackers and is extraordinarily easy to accomplish, and again free WiFi access points are part of the problem: a VPN that admits a laptop on a coffee-shop network also admits whatever has already compromised that laptop. In the days after Firstenberg’s presentation, it became public that there is a serious bug in the OpenSSL cryptographic library, widely used in VPN systems, that lets an attacker read memory from the server. The analysts gave it the name “Heartbleed.”

#8. Exploit firewall vulnerabilities. Firewalls aren’t really hardware in the cyber world, even when they come in a box. They are software, and software has bugs, well known to hackers (and easily obtainable over the Internet). One well-known way in is through the vendor remote-support connections the firewall is configured to let through; the bugs in those vendor systems ride inside traffic the enterprise firewall has no way to inspect.

#9. Errors and omissions in the firewall rules themselves. The smallest configuration mistake, a “temporary” rule never removed or a range left wider than intended, is soon found by those probing ICS systems, and it gets posted on the Internet. Hackers know far more about the vulnerabilities of your systems than you do.

#10. Forged Internet Protocol addresses. If an attacker can fake a source address that the firewall’s rules treat as trusted, it’s easy access. This is also known as “IP spoofing” and is a common, often successful, hacker tactic.
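Attacks #8, #9 and #10 all come down to what the rule set lets through, and that can be checked without waiting for the hackers to do it. The following is an added example, not code from the talk or from Waterfall, and the addressing and rule sets are constructed for the demo: the control network is assumed to be 10.20.0.0/16, the vendor’s support host 203.0.113.7, and the firewall is assumed to match rules first-match from the top, as most packet filters do. It flags any/any/any allows, control protocols reachable from any source, and, by simulating a packet on the Internet-facing interface that claims an internal source address, rule sets with no anti-spoofing deny.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    iface: str    # interface the packet arrives on: "wan" (Internet side), "corp" (enterprise LAN), or "any"
    src: str      # source CIDR or "any"
    dst: str      # destination CIDR or "any"
    port: str     # TCP destination port or "any"
    action: str   # "allow" or "deny"


# Assumed addressing for the demo: the control network, and the RFC 1918 ranges
# that no packet arriving from the Internet may legitimately claim as its source.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICS_PORTS = {"502": "Modbus/TCP", "20000": "DNP3", "44818": "EtherNet/IP", "102": "S7comm"}

# Constructed rule sets, not from any real plant. Matching is first-match, top to bottom.
SAMPLE_RULES = [
    Rule("vendor-support", "wan", "any", "10.20.1.0/24", "502", "allow"),   # vendor access left wide open (#8)
    Rule("hmi-from-corp", "corp", "10.1.0.0/16", "10.20.1.10/32", "443", "allow"),
    Rule("temp-debug", "corp", "any", "any", "any", "allow"),               # "temporary", never removed (#9)
    Rule("default-deny", "any", "any", "any", "any", "deny"),
]
HARDENED_RULES = [
    Rule("antispoof-10", "wan", "10.0.0.0/8", "any", "any", "deny"),        # #10: drop forged internal sources
    Rule("antispoof-172", "wan", "172.16.0.0/12", "any", "any", "deny"),
    Rule("antispoof-192", "wan", "192.168.0.0/16", "any", "any", "deny"),
    Rule("vendor-support", "wan", "203.0.113.7/32", "10.20.1.0/24", "502", "allow"),  # one vendor host only
    Rule("hmi-from-corp", "corp", "10.1.0.0/16", "10.20.1.10/32", "443", "allow"),
    Rule("default-deny", "any", "any", "any", "any", "deny"),
]


def _covers(spec, addr):
    return spec == "any" or addr in ipaddress.ip_network(spec)


def first_match(rules, iface, src_ip, dst_ip, port):
    """Return the first rule that matches the packet, as the firewall would, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.iface in ("any", iface) and _covers(r.src, src)
                and _covers(r.dst, dst) and r.port in ("any", str(port))):
            return r
    return None


def audit(rules):
    """Return findings for rules that would let attacks #8, #9 or #10 through."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append(f"{r.name}: allows any/any/any on {r.iface}")
        if r.port in ICS_PORTS and r.src == "any":
            findings.append(f"{r.name}: {ICS_PORTS[r.port]} reachable from any source on {r.iface}")
    # Anti-spoofing: an Internet-side packet claiming an internal source must hit a deny.
    target = "10.20.1.5"   # an assumed PLC inside CONTROL_NET
    for net in INTERNAL_NETS:
        probe = str(next(net.hosts()))
        hit = first_match(rules, "wan", probe, target, 502)
        if hit is not None and hit.action == "allow":
            findings.append(f"{hit.name}: accepts spoofed source {probe} on wan")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
    print("hardened rule set findings:", audit(HARDENED_RULES))
```

Note that the spoofing check is a simulation against the rule table, not a packet sent on the wire: the same first-match evaluation the firewall performs is run against packets the attacker would forge, which is exactly how the attacker will test it too.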

#11. Bypassing the network security. Online translation services will fetch a web page and hand it back in a foreign language, which means the service, not the user, contacts the site, and the site security measures that block the user’s own connection never see it. There are also anonymizers, proxy sites, and tunneling software readily available to bypass firewalls the same way.

#12. Physical access to the firewall. If you can touch it, you own it. So controlling physical access to the ICS can be crucial for protection. Who is that person sitting at the terminal keying away to a fare-thee-well?

#13. Sneaker net. If an attacker can skip the firewall entirely by carrying a physical device into the plant (Stuxnet, which gained control of Iran’s control system to corrupt operation of its nuclear enrichment centrifuges, apparently was introduced on a USB device), the attacker controls the system. That’s game over.

Getting Real About Cyber Protection

“This is a continually evolving environment,” said Firstenberg. “Ten years ago we never expected we would be doing this. And what we have now learned is that what you don’t know will hurt you.”

Firewalls, said Firstenberg, “are often the first step any site makes when starting down the road to cybersecurity.” But it’s only a first step, and all of the 13 ways he mentioned will defeat firewalls.

It’s not news that the bulk electric system is vulnerable to cyber attacks. The North American Electric Reliability Corp. (NERC), under the direction of the Federal Energy Regulatory Commission, has been working for years on what has become an ever-changing landscape of rules and regulations to protect “critical infrastructure,” known to those who speak the jargon as “CIP” for “critical infrastructure protection” standards. NERC is now on the fifth iteration of its CIP standards, aimed at protecting the bulk power system, with version 3 in force and version 5 now leapfrogging the stillborn version 4. (For more detail, see the set of special reports on NERC CIP 5 in this issue.)

How to make sense out of the labyrinthine course of the NERC cybersecurity program and its multiple versions? Mike Radigan of ABB and Kim Legelis of Industrial Defender, a company specializing in protecting control systems in energy industries, including electricity, oil, and natural gas (and recently acquired by defense behemoth Lockheed Martin), presented a paper on the cybersecurity landscape for industrial control systems and CIP 5.

They noted that the Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT) recently reported 200 attacks in a six-month period, a “drastic” increase, with most targeting the energy sector. Attempts ranged from “brute force” to “sophisticated.” While most cybersecurity programs are focused on protecting enterprise IT systems, industrial control systems present different characteristics.

Enterprise IT, they noted, seeks to protect information, while ICSs are keyed to physical processes. Enterprise IT is looking to prevent financial loss, while ICS threats are not only financial but also threaten public health and safety and the environment. Enterprise IT’s focus is on central servers, while an ICS is by its nature widely distributed. Enterprise IT protection aims for 95% to 99% system availability; ICS is looking for 99% to 99.999%.

“Cyber incidents are real, and cybersecurity for industrial control systems must be taken seriously,” said Radigan. “But it is a challenge that can be met.”

The latest CIP standards are much more risk-based, compared to the checklist approach of previous NERC standards. The early NERC CIP standards relied on compliance rather than real security. “Version 5 represents a change in thinking by NERC to security,” said Radigan. “It’s not compliance,” but it is giving those covered a means to manage more effectively in order to protect security. In this regard, he said, and other speakers also noted, keeping up with cybersecurity protection has gone far beyond the conventional utility approach of maintaining spreadsheets by hand for tracking critical infrastructure protection. The paper outlined four important aspects of keeping up with cybersecurity:

  • Automation: “Manual efforts take too long and are error prone.”
  • Timeline requirements: “Make sure things get done on time—or earlier!”
  • Data analysis: “Data from across devices and systems related and supporting various requirements” are vulnerable.
  • Documentation and reporting: “Excel is not your friend.”

The bottom line, Radigan and Legelis said, is, “Prepare your organization for the coming NERC CIP v. 5 requirements and for reasonable protection against cyber threats.” ■

Kennedy Maize is a POWER contributing editor.