One of my cybersecurity nightmares is that foreign nations will use a network attack to bring down our power grid in a time of crisis. I’m not alone. Richard Clarke and Rob Knake spend a lot of time on the risk in their book on Cyberwar. So naturally the privacy lobby, determined to downplay the threat, would like to reassure everyone that this risk is just some science fiction boogeyman dreamed up by defense contractors to scare Americans.
The reporter most reliably in the tank for the privacy lobby is probably Ryan Singel of Wired, though he’s got plenty of competition. Singel’s review of the Clarke/Knake book predictably trashes as alarmist the notion that the grid is at risk:
Clarke returns over and over to the security of the power grid, focusing on the systems known as SCADA that allow utilities to remotely monitor and control electric generation and transmission equipment. Here, he starts reasonably enough: Good security practices dictate that these systems should be unreachable from the public net, and, unfortunately, that’s not always the case. But from there, he quickly moves back to fantasy. He suggests darkly throughout the book that the nation’s power and chemical plants are all shot through with secret backdoors implanted by the Russian, North Korean and Chinese governments, even though there’s never been a single publicly documented case, outside of a vague and anonymously sourced article in the Wall Street Journal.
… The Chinese and Russians don’t have secret backdoors into the transformer outside your house, and if it blows up, it’s more likely a rodent chewing through the casing than a cyberwarrior sitting in an internet cafe in Shanghai.
But this week brought a bit of news that undercuts Singel’s happy talk. Researchers discovered that USB memory sticks were being infected with a new exploit. This news poses two problems for the cyberwar deniers, and Singel in particular.
First, as I point out in Skating on Stilts, Singel’s simple solution, making SCADA systems “unreachable from the public net,” doesn’t really protect such systems from attack:
The government used to have its own illusions about security. Maybe our unclassified networks are compromised, Defense Department officials used to say, but the classified networks are still bombproof. They can’t be compromised by all this malware floating around the Internet. Because they aren’t connected to the Internet. There’s an “air gap” between the two.
But … the air gap illusion, too, has fallen prey to the exponential empowerment of hackers that we’ve seen in recent years.
The “Conficker” computer worm … infiltrated as many as 15 million machines around the world. One of the ways it spreads is by infecting the USB thumb drives that carry data from one machine to the next. Even classified or isolated networks could be captured if a bad thumb drive was used to transfer data to a machine on a secured network.
Second, this particular exploit is remarkably sophisticated and single-minded. It does not depend on Windows’ autoplay or autorun features, which can be turned off. Instead, the malware is a new and sophisticated zero-day attack that seems to start running as soon as Windows Explorer opens up the memory stick to see what’s on it. But most troubling is what the malware goes looking for once it starts up. The entire attack seems designed to exploit holes in the Siemens SCADA software that runs electric grids around the world.
As far as I can tell, there’s no reason to compromise a SCADA system other than to take it down. The SCADA system doesn’t contain credit card numbers or other financial data, and I doubt that compromising it is a cost-effective way to steal power for free. The guy who found the SCADA calls, Frank Boldewin, says, “As this Siemens SCADA system is used by many industrial enterprises worldwide, we must assume that the attackers’ intention was industrial espionage or even espionage in the government area.” In fact, though, there are no obvious secrets to steal from a SCADA system – other than the secret of how to bring the system down. So the logical goal of the malware is not so much espionage as sabotage.
Let me repeat that for emphasis. This elaborate, previously unseen piece of malware, which surely could have been a big moneymaker if used to create a botnet or to send spam, has instead been put to use for a purpose that has no obvious economic payoff: compromising the power grid. Singel’s claim that “there’s never been a single publicly documented” backdoor into the power grid is looking pretty shaky with this disclosure.
I welcome comments, especially from those who can evaluate the malware code, on whether this is the smoking gun establishing that non-financially motivated malware attacks are being aimed at our power grid. Because the consequences for public policy are profound.