Protecting Power Grids from Hackers Is a Huge Challenge

Yesterday, the president’s cybersecurity coördinator, Michael Daniel, appeared in San Francisco at the world’s largest security conference, RSA, to explain how the president’s cybersecurity executive order—intended to help U.S. critical infrastructure to withstand computer attacks—will operate. The order, announced by President Obama earlier this month, will create voluntary security standards for power utilities and other infrastructure companies and allow them to receive classified government information about security threats.

Securing critical infrastructure is a growing concern to the government; last fall, secretary Leon Panetta said the United States could experience a “cyber Pearl Harbor” (see “U.S. Power Grids a Hacking Target”).

However, elsewhere at the conference, experts talked about more basic problems with securing energy grids, water plants, or other critical infrastructure. Many questions remain about what kinds of attacks might be possible, what their effects might be, and how to best defend against them.

A major part of the problem is that the manufacturers of infrastructure equipment such as power grid switches have long placed reliability over security and are still in the process of shifting their priorities.

Companies such as Siemens and ABB, which between them dominate the global market for power grid and industrial equipment, are working hard on making their new designs secure. But the results will be very slow to appear because infrastructure companies replace equipment so infrequently. “What they are working on will be the new devices in the next year,” said Marcelo Branquinho, executive director of TI Safe, a company based in Brazil that specializes in securing industrial control systems and is part of an effort to create an international standard for such defenses. “The [power] industry has 20-year-old devices—we have to think of other kinds of tools.”

Retrofitting dated infrastructure won’t be easy. Standard tools and techniques for protecting conventional computer networks don’t easily transfer because the computers used to control infrastructure are so different. Most systems are a complex mixture of three different, but interlinked, components: a network of conventional office computers; control software that directly controls equipment; and a thicket of specialized hardware such as switches and valves, in the case of a power grid. Although an attacker would most likely infect the office computers first—as did the Stuxnet worm that troubled Iranian nuclear processing equipment, in what is believed to have been a U.S.-Israeli operation—to actually cause significant damage they would need to interact with every other part, too.

Most work on securing infrastructure has focused on patching holes in the outdated and insecure control software, says José Fernandez, an assistant professor at Ecole Polytechnique de Montreal. However, properly securing a system requires considering the office computers and physical equipment, too, as well as how all three systems interact.

“What’s really important is to understand [the attack’s] effects on the real world, on the physics of what we’re trying to control,” Fernandez said at RSA yesterday. He is working on simulations that combine standard industry models of how power grids function with his own models of the control systems and office computers that comprise this setup. This includes a “sandbox” that allows testing of specific attacks and defenses. “We’re trying to measure the effects of attacks in terms of kilowatt-hours lost, or pressure readings [inside equipment], or whether something blows up or not.”

Destruction is certainly possible. The Stuxnet worm effectively damaged Iran’s nuclear processing equipment, while leaked video of a 2007 demonstration at Idaho National Lab shows an industrial turbine being damaged by a staged computerized attack.

Fernandez told MIT Technology Review that features of power grids intended to make them more reliable also make them resilient against attacks, but they can still be brought down. Tactics to achieve that include creating false sensor readings to trigger control systems to react inappropriately.

The unique properties of infrastructure control systems mean that those working on defenses are turning to methods that are either outdated or ignored in conventional computer security. Because the traffic inside industrial control systems is much more controlled and regular than that inside corporate networks linked to the open Internet, it is practical to teach software what “normal” operations look like and to sound the alarm when the pattern changes. In this context, the antivirus approach of using a blacklist of known malicious software makes little sense, but “whitelisting” permitted software and network traffic does.

However, figuring out how best to deploy such options is a challenge. Simulators like Fernandez’s are only just being developed, and power companies are loath to allow experimentation on live infrastructure.

That also makes it hard for policymakers to weigh the possible impacts of a successful attack, as they seek to plan possible responses. Speaking earlier in the day at RSA, Jason Healy, director of the Cyber Statecraft Initiative of the Atlantic Council, a Washington-based think tank, said that researchers there are trying to work out the economic effects of an extended power outage, with a view to sketching out guidelines for when a military response was justified.

It would be possible to adapt to an outage of one or two days with minimal long-term impact on GDP, according to Healy, thanks to backup generators and other measures. “Once you get more than about 10 days, then about 80 percent of economic activity ceases,” he said; “if you’re past that point, then clearly the world is going to say ‘this is like a military attack.’ ”

Despite talk in military circles of the possibility of such attacks, Healy said, governments remain cautious about using them. “Nations have had the capability to make attacks that could have caused loss of life for many years,” but none have occurred. “I think there’s evidence that deterrence is working at the highest level,” he said.