Headline: Power Grid Vulnerable to Hackers

Source: Los Angeles Times, 13 August 2001

URL: http://www.latimes.com/business/la-000065693aug13.story?coll=la%2Dheadlines%2Dbusiness

Computer hackers have stopped access to Yahoo and EBay, blocked orders to Amazon.com, inflicted a plague of data-consuming viruses on corporate America and defaced thousands of Web sites with graffiti, including many sites operated by the U.S. Department of Defense.

And their next target may be the nation's energy utilities.

For two weeks last spring, hackers wormed their way inside a computer system that plays a key role in moving electrical power where it is needed around the state. The computers belong to the California Independent Service Operator, an agency that oversees much of the state's electricity transmission grid--including the massive complex of power plants and transmission lines. Cal-ISO patched the flaw that allowed hackers to roam through portions of its network before power supplies were affected. But the episode sent shock waves throughout the energy industry.

So far, no utility has blamed computer hackers for a power disruption. But two trends may soon change that, experts say.

Deregulation of the energy industry has led to the formation of dozens of online energy trading networks where buyers and sellers manage real-time sales of electricity over the Internet. Experts believe that such trading networks are less secure than computer networks maintained by utility companies and if hacked into could disrupt power transfers.

They also warn that increasing links between computers that control the grid and those used for administration, Internet e-mail or Web surfing make hacker-induced blackouts likely.

Riptech Inc., a security company in Alexandria, Va., has tested security for dozens of energy-industry clients. In every case, the firm penetrated Internet-connected corporate networks--and often hopped from those networks into supposedly sealed grid-control systems, according to Riptech's president, Amit Yoran.

Other security companies report similar experiences, suggesting there has been scant progress since 1997, when Defense Department engineers successfully hacked into control systems for the nation's electrical grid in a security trial. Once inside a power-control network, hackers could find diagrams of switches and power supplies that could enable widespread sabotage.

"You can black out whole cities," said Anjan Bose, a power-grid expert and dean of the College of Engineering and Architecture at Washington State University. Other specialists said that hackers could cause physical damage to generating plants or other energy-industry facilities.

"I'm not sure that any [network] manager is totally confident. Those hackers are sharp. If there's a way to get in, they usually try to figure it," said Carl Lindau, director of computer information systems for South Mississippi Electrical Power Assn., a small co-op in Hattiesburg, Miss. "We all worry about it." Lindau said he monitors his network constantly and plans to upgrade security software.

Security Shortfalls Left Door Open

Even major energy-industry companies have committed missteps that amount to leaving out a virtual welcome mat. The computer network that operates the Alaska oil pipeline was found by its own security experts to be "in great jeopardy."

According to 1997 court documents, "a decent hacker--[could] get into that system and actually burst or cause the pipeline to--to stop its flow," said Alan Gibson, a consultant for the Alyeska Pipeline Service Co., which runs the oil pipeline.

In a recent interview, Gibson said Alyeska allowed contractors direct access to its internal computer networks, opening security holes that could have led to environmental disaster.

Alyeska declined to comment on past conditions. But Erv Barnes, the company's chief information officer, said improvements and rigorous testing have made the pipeline nearly impervious to hacking.

In a separate case last year, an audit found that the electrical transmission network at ISO New England, a group similar to California's, permitted computer access passwords to be blank, with no expiration date, leaving it open to anyone who got into the system. And the system's lockout settings were disabled, opening the door to virtually anyone who sat down at the computer, which was in an unsecured area.

An ISO New England representative said the problems have been corrected.

Utilities historically have maintained security of their power supply by isolating and strictly controlling access to computers used to monitor and manage power flow. But increasingly, administrative and supervisory computers are linked for efficiency. Security officials normally use computer firewalls to protect their grid-control systems, but hackers have been able to defeat almost any firewall.

And supervisory computer systems used by utilities often are equipped with dial-up modems so that engineers can monitor the grid remotely. But modem access opens serious security holes, experts say.

At South Mississippi Electrical, the supervisory computer systems have modem access and other features that experts view as an open invitation to hackers. The utility's grid-management machines have Internet connections and lack intrusion-detection software or computers to serve as a buffer between their internal network and the Internet.

But Lindau said some risk is the price of doing business.

"If you want to be able to do things today electronically, you have to be connected" to the Internet. "It's a matter of putting in the controls and educating your users," he said.

Some utilities--including those that might be considered bigger targets--use greater caution. Pacific Gas & Electric Co. maintains a completely separate supervisory network with no links to the Internet or to the company's administrative computer systems, and no dial-up access.

But South Mississippi Electrical is closer to the norm. Veridian Inc., another security firm based in Alexandria, Va., has tested the network security of many large electric utilities and has penetrated all of them.

"A determined hacker [who] really wants to get into most information systems in America today will do so," said Michael Farmer, Veridian's chief operating officer.

Another efficiency measure that also has reduced security at utilities is the move to standardized software.

A decade ago, "the phones, the power grid, 911 and fire dispatch were all separate systems," said Bruce Schneier, chief technical officer at the San Jose-based monitoring firm Counterpane Internet Security. Such systems were unique and arcane. "Sure, they were hackable, but they were proprietary systems. You had to be smart to do it."

Today, power companies are migrating to easier-to-use software, such as Microsoft's Windows NT operating system. That allows hackers to more easily penetrate and operate inside them.

Once inside the control system, "you have access to open the switches for the transmission lines" throughout a state or region, Washington State University's Bose said. "You can open the switches for the big generators. Even random switching without someone knowing the consequences could be devastating."

Likelihood of Hacking Leads to Usual Suspects

Experts are divided on which individuals or groups might be targeting the grid. But they agree that the recent emergence of hundreds of new energy firms and online power traders could create new incentives for hacking because of industrial espionage.

"The whole deregulation environment has made the electric power system look a lot like the Internet--lots of small players that may have adversarial relationships," said Howard Lipson, an expert with the CERT Coordination Center, a computer emergency response team at Carnegie Mellon University.

The federal government has long considered electric utilities a prime target for foreign enemies' information-warfare efforts. But the apparent lack of success suggests an imbalance between motivation and expertise among likely perpetrators.

"Most sophisticated foreign governments are unlikely to want to run the risk of shutting down someone's electrical grid," for fear of retaliation, Veridian's Farmer said. "Terrorist groups that might want to do that have a lot less [hacking] sophistication."

That's one reason many experts see the primary threat to the power system as the same forces that have haunted cyberspace for years: disgruntled employees, corporate spies and teens testing their limits.

-- Andre Weltman (aweltman@state.pa.us), August 13, 2001