One of my cybersecurity nightmares is that foreign nations will use a network attack to bring down our power grid in a time of crisis. I’m not alone. Richard Clarke and Rob Knake spend a lot of time on the risk in their book on Cyberwar. So naturally the privacy lobby, determined to downplay the threat, would like to reassure everyone that this risk is just some science fiction boogeyman dreamed up by defense contractors to scare Americans.
The reporter most reliably in the tank for the privacy lobby is probably Ryan Singel of Wired, though he’s got plenty of competition. Singel’s review of the Clarke/Knake book predictably trashes as alarmist the notion that the grid is at risk:
Clarke returns over and over to the security of the power grid, focusing on the systems known as SCADA that allow utilities to remotely monitor and control electric generation and transmission equipment. Here, he starts reasonably enough: Good security practices dictate that these systems should be unreachable from the public net, and, unfortunately, that’s not always the case. But from there, he quickly moves back to fantasy. He suggests darkly throughout the book that the nation’s power and chemical plants are all shot through with secret backdoors implanted by the Russian, North Korean and Chinese governments, even though there’s never been a single publicly documented case, outside of a vague and anonymously sourced article in the Wall Street Journal.
… The Chinese and Russians don’t have secret backdoors into the transformer outside your house, and if it blows up, it’s more likely a rodent chewing through the casing than a cyberwarrior sitting in an internet cafe in Shanghai.
But this week brought a bit of news that undercuts Singel’s happy talk. Researchers discovered USB memory sticks carrying a new piece of malware built around a previously unknown Windows exploit. This news poses two problems for the cyberwar deniers, and for Singel in particular.
First, as I point out in Skating on Stilts, Singel’s simple solution, making SCADA systems “unreachable from the public net,” doesn’t really protect such systems from attack:
The government used to have its own illusions about security. Maybe our unclassified networks are compromised, Defense Department officials used to say, but the classified networks are still bombproof. They can’t be compromised by all this malware floating around the Internet. Because they aren’t connected to the Internet. There’s an “air gap” between the two.
But … the air gap illusion, too, has fallen prey to the exponential empowerment of hackers that we’ve seen in recent years.
The “Conficker” computer worm … infiltrated as many as 15 million machines around the world. One of the ways it spreads is by infecting the USB thumb drives that carry data from one machine to the next. Even classified or isolated networks could be captured if a bad thumb drive was used to transfer data to a machine on a secured network.
Second, this particular exploit is remarkably sophisticated and single-minded. It does not depend on Windows’ AutoPlay or AutoRun features, which can be turned off. Instead, the malware uses a new zero-day attack that appears to start running as soon as Windows Explorer displays the memory stick’s contents; the user does not have to open any file. But most troubling is what the malware goes looking for once it starts up. The entire attack seems designed to exploit holes in the Siemens SCADA software used by electric utilities and other industrial operators around the world.
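The practical lesson of that paragraph is that the usual "turn off autorun" advice is necessary but not sufficient. The following is an added example, not code from the post or from any vendor: a PowerShell snippet for an engineering workstation that applies the weak control (AutoRun off for every drive type) next to the control that actually closes the removable-media vector (refusing to load the USB mass-storage driver), then reads both values back so the check can be run across a fleet. The registry paths and values are the standard ones for Windows, and the assumption is a stand-alone host where local registry policy applies; in a domain the same settings would be pushed by Group Policy.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Assumption: stand-alone host, so local registry policy is authoritative.

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Control 1 (weak on its own): disable AutoRun/AutoPlay for every drive type.
# 0xFF sets every drive-type bit. This blocks autorun.inf-style propagation
# (the Conficker route) but does nothing against malware that runs as soon as
# Explorer renders the stick's contents, which is the behaviour described above.
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# Control 2 (closes the vector): keep the USB mass-storage driver from loading.
# Start = 4 is SERVICE_DISABLED. Keyboards and mice are HID devices, not USBSTOR,
# so they keep working; thumb drives simply never appear as a volume.
Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord

# Verification: read both settings back and report pass/fail for each.
$autorun = (Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
$start   = (Get-ItemProperty -Path $usbstor -Name 'Start').Start

[pscustomobject]@{
    AutorunDisabledAllDrives = ($autorun -eq 0xFF)
    UsbMassStorageDisabled   = ($start -eq 4)
}
```

Two caveats a practitioner would want: a stick that is already mounted stays mounted until the driver is unloaded or the host reboots, so apply the setting before the machine is deployed, and disabling USBSTOR forces the data-transfer problem back onto a controlled path (a scanning kiosk or a one-way transfer host), which is the point; an isolated network with an unmanaged thumb-drive workflow is not isolated.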
As far as I can tell, there’s no reason to compromise a SCADA system other than to take it down. The SCADA system doesn’t contain credit card numbers or other financial data, and I doubt that compromising it is a cost-effective way to steal power for free. The researcher who found the malware’s calls into the Siemens SCADA software, Frank Boldewin, says: “As this Siemens SCADA system is used by many industrial enterprises worldwide, we must assume that the attackers’ intention was industrial espionage or even espionage in the government area.” In fact, though, there are no obvious secrets to steal from a SCADA system, other than the secret of how to bring the system down. So the logical goal of the malware is not so much espionage as sabotage.
Let me repeat that for emphasis. This elaborate, previously unseen piece of malware, which surely could have been a big moneymaker if used to build a botnet or to send spam, has instead been put to a purpose with no obvious economic payoff: compromising the control systems that run the power grid. Singel’s claim that “there’s never been a single publicly documented” backdoor into the power grid is looking pretty shaky after this disclosure.
I welcome comments, especially from those who can evaluate the malware code, on whether this is the smoking gun establishing that non-financially motivated malware attacks are being aimed at our power grid. Because the consequences for public policy are profound.
You do not need a memory stick to infect a SCADA desktop computer. That is usually a catalogue Dell or HP device under the control of the toxic Microsoft Operating Systems as well as the Microsoft browser.
SCADA operators will invariably include inside these computers a variety of personal software, such as social media (Facebook, etc.). Operators do that to pass the time of day with something entertaining during the long dull hours sitting in network control centers with little to do, since most of the corrective actions in a network have been automated.
The discussion about cyber attacks on SCADA should include a realistic review of what is actually used in the operating environment and what safeguards have been installed to prevent the non-SCADA software infecting SCADA operations.
Most importantly, the human factor should be considered. Research reveals that human errors of omission or commission account for most snafus. With tens of thousands of probes per hour, one flaw will surely get through and sit in the software root until "kissed" to wake up and cause mischief.
Posted by: Paul A. Strassmann | Jul 18, 2010 at 04:16 PM
Although I have a long history of disagreeing with Stewart Baker on privacy, my take on this particular incident (see http://www.cs.columbia.edu/~smb/blog/2010-07/2010-07-16.html) is more or less identical. (My comments on the Clarke/Knake book, which I can summarize as "the book is useful but flawed", are at http://www.cs.columbia.edu/~smb/blog/2010-07/2010-07-13.html)
Posted by: Steven M. Bellovin | Jul 18, 2010 at 11:11 PM
Thanks, Steve. After reading your review of Clarke/Knake, I await with trepidation your judgment on the technical aspects of chapter 9.
Posted by: stewart baker | Jul 19, 2010 at 06:32 AM
Sounds like maybe we should all invest in wood stoves, just in case...
Posted by: Snarky Daughter | Jul 22, 2010 at 08:06 PM
Not in Virginia, though.
Posted by: stewart baker | Jul 22, 2010 at 09:29 PM
Stewart,
I have less confidence today than I did when the NSTAC and PCCIP reviews were being done that we can shrug off attacks by even 2nd tier nations and state sponsored groups today. When I first brought likely nation state and state sponsored activities to the attention of senior policy makers and managers, they were sure that we were misinterpreting the data and/or that "we should be ok anyway." I have more hope that the effort and investment that we have all made especially since 9/11 will begin to turn the tide in favor of infrastructure owner/operators and those that depend upon them for services.
Having had to drive a successful enterprise recovery effort after a devastating physical attack and overlapping cyberattacks, and having helped others since then, I feel qualified to jump in here. It is my belief that we will soon need every one of the proposed and recent new security/mission assurance hires and then some, along with new operations models. I educated and trained some of these folks, managed others, and I have great hope as a result that they will slowly fix things that really matter.
I expect that some of the current Federal initiatives will produce more than just indiscriminately checked boxes on long checklists/spreadsheets/webforms. I figure that in another 5-10 years we will be materially more secure than when we first began addressing these issues.
Thanks for writing the book and sharing some sections freely.
Aloha
Posted by: Kawika Daguio | Jul 22, 2010 at 11:38 PM