ArabianBusiness.com - Middle East Business News
Saturday, 21 November 2009 15:31 UAE time


Cyber watch

by ArabianBusiness.com staff writer on Tuesday, 16 December 2008

Utilities are looking to install software to protect key infrastructure from threats to network security.

Cracking a power company network and gaining access that could shut down the grid is simple.

So says Ira Winkler, a penetration-testing consultant, who along with his team of experts took a day to set up the tools they needed and then launched their attack, which paired social engineering with corrupting browsers on a power company's desktop computers.



By the end of a full day of the attack, they had taken over several machines, giving the team the ability to hack into the control network that was overseeing power production and distribution.

Winkler says he and his team were hired by the US-based utility, which he would not name, to test the security of its network and the power grid it oversees. The company called off the test after the team took over the machines.

"We had to shut down within hours," Winkler says, "because it was working too well already. We more than proved that they were royally screwed."

The problem is pervasive across the power industry, he says, because of how power company networks evolved. Initially their supervisory control and data acquisition (SCADA) networks were built as closed systems, but over time intranets and internet access have been added to the SCADA networks.

Individual desktops have internet access and access to business servers as well as the SCADA network, making the control systems subject to internet threats. "These networks aren't enclosed anymore. They've been open for more than a decade," Winkler explains.

Deep penetration

The penetration team started by tapping into distribution lists for SCADA user groups, where they harvested the e-mail addresses of people who worked for the target power company. They sent the workers an e-mail about a plan to cut their benefits and included a link to a web site where they could find out more. When employees clicked on the link, they were directed to a web server set up by Winkler and his team.

The employees' machines displayed an error message, but the server downloaded malware that enabled the team to take command of the machines. "Then we had full system control," Winkler says. "It was effective within minutes."

Winkler says SCADA systems are inherently insecure because they are software running on standard operating systems on standard server hardware, making them subject to all the vulnerabilities of those systems.

Fran Howarth, principal analyst at information technology analysts Quocirca, concurs. "It is a no-brainer that terrorists are going to go after utilities. You can knock out an entire economy for a serious amount of time and you can cause enormous economic damage in the process. Our research shows that utilities in the US, the UK and Germany have been waking up to this threat and are active in writing their own specific software, but elsewhere very little appears to be happening," she says.

In the UK, RWE, Europe's second-largest power generator, has stepped up security for the systems that control operations at its UK power stations in response to UK government guidelines for members of the critical national infrastructure. RWE bought a new network security system from Industrial Defender that sits on top of the SCADA.

Growing threat

Previously, power generators ran stand-alone SCADA systems, but privatisation meant that, to be competitive, the firm's energy trading systems had to link into the real-time systems used to control the generating turbines. This opened the SCADA network to threats such as viruses and hackers.

Power companies' reluctance to risk interrupting service with software upgrades that could improve security perpetuates the inherent weaknesses in utility network systems in the Middle East, says Winkler.

"I tend to think that the systems in the Middle East are inherently vulnerable based on what I've seen of SCADA systems elsewhere in the world. The problem is that there is no financial incentive to do anything and utilities also don't want to acknowledge that issues need to be addressed and are hesitant to admit that problems exist."

"If something does happen then they claim that it's the work of some evil cyber-genius...you have knights and dragons and when bad things happen people tend to think it's because the dragon is extremely powerful when in fact the dragon can be clueless," he adds.

Risk assessment

Winkler believes the threat that hackers pose to utilities in the Middle East is particularly acute. "All military and intelligence agencies in the region are looking at this; I would be very disappointed if they weren't. Looking at Dubai specifically and the UAE, Iran has a chip on its shoulder and it has a very good cyber capability. I would imagine that Iranian intelligence has a few guys trying to subvert targets of interest and that would include utilities, the power systems of radar sites and so on. Al Qaeda is also very active in using computers, so there is the potential for serious damage," he says.

Jeff Bardin, director of risk management at security consultants EMC, believes the threat to utilities is more likely to come from a hostile state than from a terrorist group. "The utilities in the GCC are unlikely to be threatened by groups such as Al Qaeda as they use the internet as a tool for communication, fund-raising, stealing credit cards and recruiting; the internet is the main avenue for getting its message across. An attack on utilities would have to include quite a botnet, similar to the one Russia used earlier this year to attack the government networks in Estonia and Georgia. I don't think any terrorist group has that capability at present," says Bardin.




READERS' COMMENTS

Disclaimer: The views expressed here by our readers are not necessarily shared by ArabianBusiness.com or its employees.
Cyber Watch
Posted by Sameh Hassan, Dubai, UAE on Tuesday 16 December 2008 at 23:18 UAE time


I totally agree with what the writers mentioned in the article. Dr Rocky Termanini has pointed out a very important point regarding the infrastructure of the UAE. Lately the UAE witnessed a true example of massive hacking into the UAE banking systems. Thousands of fraud cases of credit cards have been reported. None of the banks declares how it happened and how much the losses were. They kept silent because they are afraid to get the blame for their lack of information security systems or skilled cyber security agents. I believe the and Teleco/ISP companies who run the local cyber space in UAE should play a role and deploy an early warning system against these harmful cyber attacks, and for the police to have cyber crime centers to report such cases.
