I'm sorry, did someone say we have nothing to worry about when it comes to SCADA and control systems security? I must have missed the memo:
CIA: Hackers to Blame for Power Outages
WASHINGTON (AP) — Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference.
All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in "several regions outside the United States."
"In at least one case, the disruption caused a power outage affecting multiple cities," Donahue said in a statement. "We do not know who executed these attacks or why, but all involved intrusions through the Internet."
A CIA spokesman Friday declined to provide additional details.
"The information that could be shared in a public setting was shared," said spokesman George Little. "These comments were simply designed to highlight to the audience the challenges posed by potential cyber intrusions."
Donahue spoke earlier this week at the Process Control Security Summit in New Orleans, a gathering of engineers and security managers for energy and water utilities.
The Bush administration is increasingly worried about the little-understood risks from hackers to the specialized electronic equipment that operates power, water and chemical plants.
In a test last year, the Homeland Security Department produced a video showing commands quietly triggered by simulated hackers having such a violent reaction that an enormous generator shudders as it flies apart and belches black-and-white smoke.
The recorded demonstration, called the "Aurora Generator Test," was conducted in March by government researchers investigating a dangerous vulnerability in computers at U.S. utility companies known as supervisory control and data acquisition systems. The programming flaw was fixed, and equipment makers urged utilities to take protective measures.
Now, this article says these attacks were outside the U.S. (since it came from the CIA, you can imagine why.) Also, it does NOT directly say that SCADA systems were attacked. However, these statements were made at a SCADA "Process Control" Security conference, so I'm going to take the liberty of bridging that assumption. Either way, it highlights the problem at hand (see the 787 Dreamliner story and the Polish Tram derailment...)
Do you really think it's that much of a reach to suggest it's not happening on our shores?
If anyone gives me any more crap about being concerned regarding the possibility/potential for disruption...look at the boldfaced section. The compromise was conducted over the Internet. Don't forget, this sort of thing is supposed to be impossible given some comments from my "awareness campaign":
No, Jake. I'm not a water utilities expert, just a concerned observer & citizen.
Hat tip to Stiennon for the source.
/Hoff
Oh gosh, where do I begin Chris?
What do the first letters of SCADA stand for? Supervisory Control.
A real SCADA system doesn't issue direct controls. It issues Supervisory Controls. There should be no time critical control loops in SCADA. In other words, we have vulnerabilities. But they won't destroy anything right away. We engineers know better than to trust complex software.
Most good design practice is based upon graceful degradation. In other words, we don't send a command to open a valve. We send commands to change the pressure differential setpoint. A local controller takes care of the rest. There are sanity checks in the local controller.
You could send commands to the field that would screw things up. But most people would notice and we'd take action. Keep in mind that while our operation is very careful and deliberate, the distribution system was built for some wild extremes including pipe breaks, extreme weather, communication outages, and vandalism. A successful attack would require intimate knowledge of where the real vulnerabilities are.
Are you an expert at water utilities too?
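
The design described in the comment above (supervisory setpoint changes that a local controller validates before acting on them) can be sketched as follows. This is an added example, not code from the post, the commenter, or any utility's system; the class name, pressure limits, step size and timeout are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class LocalController:
    """Hypothetical field controller that accepts only sane supervisory setpoints."""
    lo: float = 5.0             # assumed engineering minimum (psi)
    hi: float = 40.0            # assumed engineering maximum (psi)
    max_step: float = 2.0       # assumed largest change accepted per command (psi)
    comm_timeout: float = 30.0  # assumed seconds of silence before flagging comm loss
    setpoint: float = 20.0      # setpoint currently driving the local control loop
    last_cmd_time: float = 0.0
    rejected: list = field(default_factory=list)  # audit trail for operators

    def _reject(self, now, requested, reason):
        # Keep the previous setpoint and record why the command was refused.
        self.rejected.append((now, requested, reason))

    def command(self, requested, now):
        """Validate a supervisory setpoint; return the setpoint actually in force."""
        self.last_cmd_time = now
        if not isinstance(requested, (int, float)) or requested != requested:
            self._reject(now, requested, "not a number")       # catches NaN too
        elif not self.lo <= requested <= self.hi:
            self._reject(now, requested, "outside engineering limits")
        elif abs(requested - self.setpoint) > self.max_step:
            self._reject(now, requested, "step too large")
        else:
            self.setpoint = float(requested)
        return self.setpoint

    def comm_lost(self, now):
        """Graceful degradation: the loop holds the last accepted setpoint;
        this only reports that the supervisory link has gone quiet."""
        return now - self.last_cmd_time > self.comm_timeout

def demo():
    """Run a constructed command sequence of (time_s, requested_psi) pairs."""
    ctl = LocalController()
    cmds = [(1, 21.5), (2, 95.0), (3, 30.0), (4, 23.0), (5, float("nan"))]
    applied = [ctl.command(value, t) for t, value in cmds]
    reasons = [r[2] for r in ctl.rejected]
    return applied, reasons, ctl.comm_lost(60)

if __name__ == "__main__":
    print(demo())
```

The rejection list is what makes "most people would notice" concrete: refused commands are evidence for operators and for detection, not silently dropped input.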