Can open-source software prevent the next big blackout?

38
– by Chris Gulker
North America’s power grid, creaking under loads it was never designed to handle, may be facing an even grimmer future thanks to security flaws in aging control systems that are increasingly interconnected with Microsoft-based enterprise systems. The situation is so bad, experts say, that bored script kiddies could soon be knocking out power stations as easily as they concoct viruses from toolkits available on the Web.

Brian Ahern, CEO of control system security firm Verano, says that three issues have created a security nightmare for the power grid: underinvestment in electric power distribution systems that include control software; the interconnection of power industry business systems with legacy control systems; and a trend among vendors to build control-system technology on insecure platforms such as Microsoft’s.

Underinvestment means that most utilities rely on aged systems that were never designed for the loads or security issues they face today. Legacy systems, for example, may have been designed to run on private, 10-megabit networks, and as such, lack even basic security features such as firewalls.

But utilities increasingly connect these systems to business networks running Microsoft software, meaning that they may be vulnerable to the effects of the plethora of virii, worms, and other malware that plagues the dominant proprietary software brand.

Ohio’s precursor to recent big blackout

Just such a problem surfaced in January at the Davis-Besse nuclear power plant operated by FirstEnergy, the Ohio utility under close scrutiny for its role in the East Coast’s largest-ever blackout. The Slammer worm penetrated the plant’s internal network and lodged in an unpatched Windows server. The worm’s scanning slowed the internal network to a crawl, eventually crashing the plant’s Safety Parameter Display System, according to reports.

While legacy control systems are often UNIX-based (“Control-Alt-Delete scares power plant operators,” Ahern said) and thus immune to MS worms and virii, their 10-megabit networking technologies can easily be overwhelmed. “Even the load from leading intrusion detection and monitoring systems can create a denial of service and shut these plants down,” Ahern said.

Ahern also said that corporate firewalls tend to focus on protecting data integrity and are not suitable for protecting control systems. Control systems operate in real time, where processes, availability, and reliability are paramount.

Even though DOE and other sources ruled out cyber attack as a cause for this month’s blackouts, Ahern said that control systems are so wide open that no one has the data to credibly make that determination. Legacy control systems are prone to attack by “worms, terrorists, and insiders … if Al Quaeda hadn’t thought about it before, they are now.”

Ahern also notes that the actions of a worm, or of a coordinated attack, can cause events to cascade so quickly that human operators may not be able to react. Verano’s technology, built on the NSA’s Secure Linux, can automatically create an “air gapâ€? by disconnecting the control system from enterprise networks when an intrusion or other event is detected.

“It doesn’t take a very sophisticated hacker to get in and wreak havoc in the electrical system,” said Ahern. “The unfortunate thing is that the industry hasn’t even undertaken the most basic steps,” he added, noting that most have yet to even assess their vulnerabilities, and almost no one is actively monitoring control systems for attempted security breaches.

An improbable scenario?

Stephen Connors, a director at MIT’s Laboratory for Energy and the Environment, says that while Ahern raises some good points about aging infrastructure, energy companies have been looking closely at their systems in the two years since the 9/11 attacks. While he doubts that every security hole has been fixed and believes there are issues with multiple generations of control systems, he characterizes the likelihood of hackers taking down utilities thus: “Is it in the realm of possibility? OK. [Is it] in the realm of probability? That’s another case.”

Michael Skroch manages Sandia National Laboratories’ “Red Teams,â€? who have engaged in vulnerability assessments of control and automation systems used in United States critical infrastructures. Their report “Common Vulnerabilities in Critical Infrastructure Control Systems” cites all of the security issues that Ahern raises.

Skroch (pronounced skraw), while disagreeing with some of Ahern’s assessments, was in almost complete accord on the issue of vulnerability: “We know the capability exists to penetrate such information systems, because we do it. We know the vulnerabilities exist, because we have identified them. The likelihood of a particular attack is dependent on motivation of such a malevolent group. We are not worried about hackers that might cause nuisance outages; we are worried about coordinated sophisticated attacks that would have extreme consequence.”

Skroch went on to say that, while some hackers may not want to intentionally bring down the power grid, hacker activities such as worms, viruses, and penetration attempts could have unintended consequences, given the relatively fragile state of the power grid.

It is apparent from industry reports that grid operators need to share information with each other in order to meet demand, and interconnection of control systems with IT systems can help reduce costs for cash-strapped grid operators. They can’t realistically disconnect their systems from networks, but their older, proprietary “security by obscurityâ€? systems can no longer meet demand or security requirements.

Security needs to balance with system usability

Skroch thinks that as systems move to the Internet, it is vital to “integrate security from a systems perspective” on secure platforms, but he notes that developers also face the challenge of balancing security with usability. Says Skroch: “If you have too much security [i.e., no network connections], then the power plant probably won’t work.”

Ahern sees a great opportunity to “shrink wrap” existing systems with secure, robust open source security software, but he believes that the Department of Homeland Security, DoE, and other agencies have to step up and require operators to protect the grid before there is a catastrophe, a point that was echoed by MIT’s Connors. “What open source gives us is a reliable, available platform that isn’t as prone to failure and lock up as the Microsoft platform,” says Ahern.

The blackout was a “wake-up call,” Ahern said, and he hopes it won’t take an even worse event before the U.S. gets serious about securing infrastructure.

Chris Gulker, a Silicon Valley-based freelance technology writer, has authored more than 130 articles and columns since 1998. He shares an office with 7 computers that mostly work, an Australian Shepherd, and a small gray cat with an attitude.

Category:

  • Open Source