Security experts say hackers targeting energy industry

Copyright © 2002 Tribune Media Services

By CHARLES PILLER, Los Angeles Times

SAN FRANCISCO - Power and energy companies are fast becoming a primary target of computer hackers who have managed to penetrate energy control networks as well as administrative systems, according to government cyber-terrorism officials and private security experts.

Experts cite a number of potential sources for the post-Sept. 11 increase in hacker attacks, including industrial espionage and malicious mischief, but Ronald Dick, director of the FBI's cybercrime division, said he is concerned that the United States' power grid now may be moving into the cross-hairs of cyber-terrorists.

"The event that I fear most is a physical attack in conjunction with the success of a cyber attack on an infrastructure such as electric power or 911," the emergency telephone system, Dick said.

The raft of recent attacks has been confirmed by private computer security companies.

Riptech Inc., an Alexandria, Virginia, security firm, said that since January, 14 of its 20 energy-industry clients have suffered severe cyber attacks that would have disrupted company networks if they had not been detected immediately. The number of attacks is up 77 percent since last year.

Power and energy companies experienced an average of 1,280 significant attacks each in the last six months - far more than companies in any other industry sector - according to Riptech's semiannual client analysis.

"Unequivocally, these nets are vulnerable to cyber attack, and, unequivocally, one outcome could be disruption of power supplies," said Tim Belcher, Riptech's chief technology officer.

Last year's power crisis in California, the Enron Corp. scandal and the declaration of bankruptcy by Pacific Gas & Electric Co. have revealed an industry that is fragile, high-profile and wracked with confusion and administrative chaos. Experts suspect that the glare of adverse publicity has drawn the attention of not just joyriding hackers, but also corporate saboteurs and terrorists.

More than 70 percent of the attacks came from North America and Europe, suggesting that traditional hackers are now turning to a fresh and vulnerable victim. The second-most popular hacking target among Riptech clients was financial service companies, a longtime hacker favorite. Riptech, which serves Fortune 500 corporations, smaller companies and government agencies, was founded by former top Defense Department officials to provide computer security.

A geographical analysis of Riptech data also shows that a small number of attacks - 1,260 out of a total of more than 180,000 - originated in countries where terrorists groups are known to be concentrated. Hackers in those countries targeted power and energy companies more consistently and aggressively than any other industry. The most active attacks originated from Kuwait, Egypt and Pakistan - countries that have relatively developed computer networks and a growing pool of experienced hackers.

Energy power systems have ironically become a choice target because of efforts to modernize them for greater efficiency. The weak link - a group of remote control devices known as Supervisory Control and Data Acquisition systems - "have been designed with little or no attention to security," according to a recent report by the National Research Council, an arm of the National Academy of Sciences.

The systems, which are used to control the flow of oil and water through pipelines, and monitor power grids, were once impervious to hackers because they were completely isolated from other computer systems.

Today many such systems are connected to the Internet, and therefore vulnerable to hacking. The FBI also blames a rapid increase in hacking attacks in recent years on the proliferation of hacking software posted online. Such tools require little computer expertise, are readily available worldwide and are becoming increasingly simple to use. Some are directly applicable to electrical power systems.

"One of the places (hackers) are certainly attacking are those known vulnerabilities," Dick said. "The rise in the number of incidents reflects of the ease with which these tools are utilized."

Surreptitious hacking tests conducted by special Defense Department information warfare squads known as "red teams" in 1997 found power grid control systems susceptible to attacks; recent, similar vulnerability testing by Riptech for its own clients resulted in network penetrations virtually 100 percent of the time, Belcher said.

"Two years ago, there were people who didn't have a clue - who said, 'Why would somebody want to attack us?' That is not the case today," said Will Evans, vice president of People's Energy, a diversified power company in Chicago.

"The problem is not today, but tomorrow," he said. "Whatever you've got today someone may discover and exploit against that tomorrow. ... You need to finance a very active cyber-security program."

Evans, consistent with the policy of nearly all energy companies, declined to comment on specific attacks against his company.

Even using advanced computer forensic methods, law enforcement officials cannot identify the individual hackers behind the barrage of attacks on power companies.

The Washington Post reported last month that some government officials suspect the al Qaida terrorist network of plotting cyber-terrorist actions against power stations and emergency services in the San Francisco Bay area.

Riptech's Belcher, a former cyber-security consultant for the Defense Department, is skeptical of such claims, saying that the ability to wage effective information warfare is many levels beyond the ability to merely penetrate a network.

"I see no evidence that there are expert cyber-terrorists today," he said.

Although a concentration of attacks comes from countries identified with terrorist groups, he cautioned that many such countries are major energy producers - suggesting that the hacks may be the product of more mundane industrial espionage, rather than terrorism. Similarly, Hong Kong - a key financial center - is a hotbed for cyber attacks on the financial services industry, he said.

But some experts believe that some of the attacks may be a kind of training exercise for terrorists. Al Qaida worked for three years on the Sept. 11 attacks, according to U.S. intelligence agencies, and may be making a similar investment in cyber-terrorism.

"The terrorists out there are well-educated and determined to get the training and knowledge to carry this out, and they are very patient," Dick said.

A number of terrorist organizations have developed rudimentary technical skills. For example, in 1997, the Tamil Tigers, a Sri Lankan rebel army known for terrorist bombings and assassinations, hacked into and shut down the servers of Sri Lanka's embassies in Seoul and Washington.

"Why haven't they done more of it? My main hypothesis is that they didn't need to because their conventional weapons - the gun and the bomb - were adequate," said Bruce Hoffman, a terrorism expert with the Rand Corp.

But the new war on terrorism has hampered terrorists' ability to operate elaborate base camps, and has dramatically tightened security for physical infrastructure - from airports to power plants to government buildings.

Cyber-warfare may represent a safer, more effective alternative.

"You don't need training camps or a robust logistical and intelligence support structure," said Hoffman, "just a modem and a safe house. ... This is the ultimate anonymous attack."

www.nandotimes.com/nation...0092c.html

-- Martin (Martin@aol.com), July 20, 2002