
Grid security experts share explicit grid vulnerabilities

Hope is for industry action before bad actors attack

Rockville, MD (April 8, 2015) – Utility executives may believe their digital SCADA systems are air-gapped from the internet, "but that is rarely true," Laila Khudairi, an enterprise cyber risk underwriter with Tokio Marine Kiln, told Smart Grid Today – the leading independent, daily, professional news journal of the smart grid industry – recently in an exclusive interview. Smart Grid Today publisher Modern Markets Intelligence, Inc. is sharing the story here, free of charge.

The firm is a syndicate within Lloyd's of London and uses technical experts to analyze these systems. It often finds that remote terminal units (RTUs) have a wireless connection so that employees, or potentially anyone, can connect to them remotely, she said.

"Sometimes these devices are left completely open. You could literally type in the IP address of a PLC, find it and hack into it or the SCADA environment that way," Khudairi added.

Researchers found nearly 2.2 million SCADA devices worldwide open to the internet, according to findings released late last year for Operation SHINE, a project run by open-source group Infracritical, a group founded in 2001 to improve security for critical infrastructure.

THE 2015 FIX
Critical insights on US grid cybersecurity, Part One

SHINE is an acronym for Shodan Intelligence Extraction, where Shodan is a search engine that crawls for the IP address and much more data about devices connected to the internet – about 500 million of them each month.

The scope of the study extended beyond utilities and researchers did not try to identify specific IP addresses, but spot-checking did reveal exposed devices linked to wind farms and utility substations, Infracritical co-founder Jake Brodsky told Smart Grid Today recently in an exclusive interview.

"A lot of utilities use plain old internet service provider (ISP) systems for their SCADA systems to communicate with a remote substation," Brodsky said. "They use systems that were sold as private networks in 2004 and 2005, but it turns out they are visible from the internet.

"They assume it's private, but it's not. A far larger problem is that most utility and integration-firm staff were not considering the security aspects of using a SCADA protocol across the internet," he added.

"If they did consider it, it was presumed that this sort of communication was obscure enough that nobody would want to mess with it. In hindsight, that couldn't have been more wrong," Brodsky said.

Added risks come from online systems that let consumers track energy use and savings, software bugs, SCADA-system programming errors, substation maintenance mishaps, payment kiosks in shopping malls and utility employees checking email and surfing the internet at work – especially when platforms for these transactions are not separated from utility control systems, security experts told the daily journal. And several recent reports detailed the growing risk.

Existing vulnerabilities since 2003 caused at least 58 million people in the US to go without power for an extended length of time and, in addition to exposing people and businesses to power outages, the vulnerabilities are envisioned as contributing to the most dire of national security scenarios.

"Until we fix these vulnerabilities, there are distinct cybersecurity problems related to deny, destroy, disrupt attacks, which we're not prepared as a nation to handle," Bryan Sartin, director of the "research, investigations, solutions, knowledge" team at Verizon Enterprise Solutions and one of the authors of Verizon's annual "Data Breach Investigations Report," told Smart Grid Today.

"Places like North Korea and Iran are capable of causing damage to critical infrastructures," Joe Weiss, managing partner at Applied Control Systems and author of the book "Protecting industrial control systems from electronic threats," told Smart Grid Today. "In December, North Korea hacked into a South Korean nuclear plant."

The risks go beyond taking down the grid, Mike Swearingen, former manager of regulatory compliance at Tri-County Electric Co-Op in Hooker, Oklahoma, told Smart Grid Today recently in an exclusive interview. He gained experience with defense satellites when he served in the US Air Force, he noted.

QUOTABLE: Take a place like Iran, with a nuke program with ICBMs. We still run on mutually assured destruction – that if you attack us, you are going to get wiped out. But a hostile country could first cripple the US power grid and then launch nuclear weapons. By weakening the grid, you've now limited the response. – Mike Swearingen, former manager of regulatory compliance at Tri-County Electric Co-Op in Oklahoma

Yes, the military and industry have backup generators. But, Swearingen asked rhetorically: "How long does it take to get the generators up? How often do we do preventive maintenance on those generators? There's going to be an advantage to the other side.

"We won't have the full response we planned on in our strategy. That's what worries me," he added.

Endless SCADA hits found

To better define the risks, Operation SHINE researchers began combing the internet for exposed SCADA devices in April 2012. They were still finding devices when the project ended in January 2014.

"We had expected sooner or later to see things level off," Brodsky told the leading independent, daily, professional news journal of the smart grid industry. "But the library of hits kept accumulating."

Gaining access may not even take sophisticated expertise: more basic search engines like Google and Yahoo could also find these SCADA devices, he added.

Addressing all the risks will require a multi-faceted approach from many sectors, including culture changes within utilities, market responses especially related to insurance and more layers of protection – driven not by regulation but by results.


The final part of this series will lay out actions the experts suggest smart grid stakeholders take this year to at least start fixing the problem.

Smart Grid Today first addressed cybersecurity in-depth in a series of articles that became a report titled "The Ins & Outs of CYBER-inSECURITY," which focused on the transmission side of the grid in 2012. A subsequent report titled "The 2013 Fix," focused on cybersecurity on the distribution side of the grid.

The current series looks at issues that affect generation and T&D. Security experts told Smart Grid Today that if one part of the grid is not secure – meaning a geographic area or a sector such as generation or T&D – the rest of the grid remains vulnerable.

This story was originally published in Smart Grid Today (April 7, 2015) and has been slightly edited for this format. To read more articles like this one, sign up for a Free Trial to Smart Grid Today.


Smart Grid Today's mission is to deliver daily, unbiased, comprehensive and original reporting on emerging trends, applications and policies driving the modern utility industry – in a signature format our founders have developed over decades in the trade news business, featuring highly concise and easy-to-understand news copy based on trusted reporting, exclusive interviews, informed analysis and strategic insights that our subscribers rely on to succeed every business day. Smart Grid Today is published by Modern Markets Intelligence, Inc.


Brett Brune
VP of Editorial
Modern Markets Intelligence, Inc.

Season Crawford
VP of Marketing
Modern Markets Intelligence, Inc.

