Article 43


Thursday, April 09, 2009

Bad Moon Rising Part 36 - Infrastructure Cyber-Threat


Electricity Grid in U.S. Penetrated By Spies

By Sioban Gorman
Wall Street Journal
April 7, 2009

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from CHINA, Russia and OTHER COUNTRIES, these officials said, and were believed to be ON A MISSION to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned THEY COULD try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

The espionage appeared pervasive across the U.S. and doesn’t target a particular company or region, said a former Department of Homeland Security official. “There are intrusions, and they are growing,” the former official said, referring to electrical systems. “There were a lot last year.”

Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials WORRY ABOUT cyber attackers TAKING CONTROL of electrical facilities, a nuclear power plant or financial networks via the Internet.

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, “If we go to war with them, they will try to turn them on.”

Officials said water, sewage and other infrastructure systems also were at risk.

“Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts,” Director of National Intelligence Dennis Blair recently told lawmakers. “A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure.”

Officials cautioned that the motivation of the cyberspies wasn’t well understood, and they don’t see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt.

But protecting the electrical grid and other infrastructure is a key part of the Obama administration’s cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage.

Overseas examples show the potential havoc. In 2000, a disgruntled employee rigged a computerized control system at a water-treatment plant in Australia, releasing more than 200,000 gallons of sewage into parks, rivers and the grounds of a Hyatt hotel.

Last year, a senior Central Intelligence Agency official, Tom Donahue, told a meeting of utility company representatives in New Orleans that a cyberattack had taken out power equipment in multiple regions outside the U.S. The outage was followed with extortion demands, he said.

The U.S. electrical grid comprises three separate electric networks, covering the East, the West and Texas. Each includes many thousands of miles of transmission lines, power plants and substations. The flow of power is controlled by local utilities or regional transmission organizations. The growing reliance of utilities on Internet-based communication has increased the vulnerability of control systems to spies and hackers, according to government reports.

The sophistication of the U.S. intrusions—which extend beyond electric to other key infrastructure systems—suggests that China and Russia are mainly responsible, according to intelligence officials and cybersecurity specialists. While terrorist groups could develop the ability to penetrate U.S. infrastructure, they don’t appear to have yet mounted attacks, these officials say.

It is nearly IMPOSSIBLE TO KNOW whether or not an attack is government-sponsored because of the difficulty in tracking true identities in cyberspace. U.S. officials said investigators have followed electronic trails of stolen data to China and Russia.

Russian and Chinese officials have denied any wrongdoing. “These are pure speculations,” said Yevgeniy Khorishko, a spokesman at the Russian Embassy. “Russia has nothing to do with the cyberattacks on the U.S. infrastructure, or on any infrastructure in any other country in the world.”

A spokesman for the Chinese Embassy in Washington, Wang Baodong, said the Chinese government “resolutely oppose[s] any crime, including hacking, that destroys the Internet or computer network” and has laws barring the practice. China was ready to cooperate with other countries to counter such attacks, he said, and added that “some people overseas with Cold War mentality are indulged in fabricating the sheer lies of the so-called cyberspies in China.”

Utilities are RELUCTANT TO SPEAK about the dangers. “Much of what we’ve done, we can’t talk about,” said Ray Dotter, a spokesman at PJM Interconnection LLC, which coordinates the movement of wholesale electricity in 13 states and the District of Columbia. He said the organization has beefed up its security, in conformance with federal standards.

In January 2008, the Federal Energy Regulatory Commission approved new protection measures that required improvements in the security of computer servers and better plans for handling attacks.

Last week, Senate Democrats introduced a proposal that would require all critical infrastructure companies to meet new cybersecurity standards and grant the president emergency powers over control of the grid systems and other infrastructure.

Specialists at the U.S. Cyber Consequences Unit, a nonprofit research institute, said attack programs search for openings in a network, much as a thief tests locks on doors. Once inside, these programs and their human controllers can acquire the same access and powers as a systems administrator.

The White House review of cybersecurity programs is studying ways to shield the electrical grid from such attacks, said James Lewis, who directed a study for the Center for Strategic and International Studies and has met with White House reviewers.

The reliability of the grid is ultimately the responsibility of the North American Electric Reliability Corp., an independent standards-setting organization overseen by the Federal Energy Regulatory Commission.

The NERC set standards last year requiring companies to designate “critical cyber assets.” Companies, for example, must check the backgrounds of employees and install firewalls to separate administrative networks from those that control electricity flow. The group will begin auditing compliance in July.

Rebecca Smith contributed to this article.



WSJ’s Meatless Spies Story

By Kelly Jackson Higgins
Dark Reading
April 8, 2009

Wednesday’s Wall Street Journal article reporting that the U.S. power grid had been infiltrated by Chinese and Russian “cyberspies” likely caused a few people to choke on their Cheerios. But it left the security community—already jaded with stories of SCADA and power-grid vulnerabilities, and with assumptions that the grid had been hacked a long time ago—hungry for more.

Marcus Sachs, director of SANS Internet Storm Center, says his first thought was, “Where is the beef?” Sachs, a SCADA security expert, told me he didn’t think the revelations by the article’s unnamed senior intelligence official sources were anything new—at least to the security industry. But the report could help raise awareness among businesses running critical infrastructures, such as small power companies, to remember that “cyberspace is a dangerous place.”

“For the rest of us, we already know that’s what’s been going on,” Sachs says.

Still, we security folk want more. We want the down-and-dirty malware particulars. What exactly were those “software tools” described by senior officials in the WSJ article? Spyware? Bots? Malicious code that takes over the admin rights of the power grid systems and triggers blackouts?

It wasn’t clear given how the article’s sources described the hacks, with the intruders “believed to be on a mission to navigate the U.S. electrical system and its controls,” but had not been out to damage it, although those sources said the hackers could try to do so “during a crisis or war.” They reportedly left behind the so-called software tools, which they could ultimately use to destroy elements of the power grid infrastructure, the article said.

Power grid insecurity is a well-documented topic in the security world, most recently with IOActive’s discovery of several vulnerabilities in the next-generation Smart Grid network of intelligent power switches that could let an attacker break in and cut off power. And on Tuesday, a blog post by Dark Reading blogger and security expert Gadi Evron shed light on how poorly SCADA vendors handle vulnerabilities.

Senior officials’ acknowledgment of the intrusions may not have given us enough meat to chew on, but it did raise the topic at breakfast tables around the country, where everyone expects their refrigerator to always be running when they grab the milk and the light to come on when they flip the switch. For the rest of us in security? Hey, at least we now have another topic besides Conficker to chat about at the office coffee maker.



Air Traffic Control System Repeatedly Hacked
A security audit finds a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected folders.

By Thomas Claburn
May 7, 2009

In the past four years, hackers have hobbled air traffic control systems in Alaska, seized control of Federal Aviation Administration network servers, and pilfered personal information from 48,000 current and former FAA employees, according to a newly released government report.

The report, “Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems,” was published Wednesday by the Department of Transportation Office of the Inspector General.

It comes on the heels of a report last month in the Wall Street Journal that the Air Force’s air traffic control system had been breached by hackers and amid congressional hearings featuring military and civilian officials testifying about the sorry state of U.S. cybersecurity.

The Transportation Department report states that auditors from KPMG and the Office of the Inspector General tested 70 Web applications, 35 used by the FAA to disseminate information over the Internet and 35 used internally to support air traffic control systems. The security audit found a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected folders.

Beyond the issue of poorly configured, buggy Web applications, the report also found that the air traffic control systems are woefully unprotected by intrusion-detection systems. Only 11% of air traffic control facilities have IDS sensors, the report states, and none of those IDS sensors monitors air traffic control operational systems; instead, they monitor mission-support systems, such as e-mail servers.

In 2008, more than 800 cyberincident alerts were issued to the Air Traffic Organization, which oversees air traffic control operations. At the end of that year, 17% of those incidents (150), some designated critical, had not been addressed.

“Without fully deploying IDS monitoring capability at [air traffic control] facilities and timely remediation against cyberincidents, FAA cannot take effective action to stop or prevent these cyberattacks, thus increasing the risk of further attacks on ATC systems,” the report said.

The report states that most of the attacks have disrupted FAA air traffic control support operations rather than the operational network that keeps planes separated from one another. However, it also states that unless swift action is taken, dangerous operational problems are only a matter of time.

It’s also a matter of money, which could be easier to obtain under a cloud of imminent danger: The FAA has been pushing its NEXT GENERATION AIR TRANSPORTATION SYSTEM, a project to update the nation’s air transit infrastructure that’s expected to cost at least $20 billion.

With any luck, that amount of funding will also buy a few scarecrows. There were almost 10 times as many wildlife strikes against airplanes in 2007 (7,666) as air traffic control cyberincidents in 2008. Such collisions—recall the bird strike that sent US Airways Flight 1549 into the Hudson River in January—cost an estimated $628 million in monetary losses annually, to say nothing of the potential loss of life. Hackers just don’t have that kind of impact, unless they wander onto a runway.



Utilities Race to Protect Electric Grid Before Disaster Strikes

By Steven Rosenbush and Rachael King
Wall Street Journal Blogs
February 20, 2013

Kenneth DeFontes, president and CEO of Baltimore Gas & Electric Co., warned lawmakers that cyber threats to the electric grid are fast evolving and demand constant vigilance and close collaboration among industry and government officials before a disaster strikes.

At a Congressional hearing on cybersecurity Thursday, DeFontes said he was working closely with a team of government officials and other utilities, part of the National Infrastructure Advisory Council, to figure out how to prepare for a possible outage due to a cyber attack. He said the teams were assessing various strategies, from sharing information and communicating with the public to protecting assets.

Utilities have two networks: a production network and a corporate network. The production systems are supposed to be kept off line - an industry practice known as creating an air gap - so they aren’t vulnerable to viruses distributed via the Internet. But experts and industry officials like DeFontes say the risk of cyber attack is nonetheless a great concern. They say these air gaps can be hopped if the two systems use common computer peripherals, such as printers or USB sticks, or if the production networks use public networks to send alerts. And while utilities follow industry standards regarding security, even industry officials admit these standards are not sufficient safeguards against the most significant threats.

Cyber threats are constantly evolving in real time. “They require quick action and flexibility that can come only from constant vigilance and close collaboration with the government and emergency response protocols that are planned and practiced before a disaster strikes,” DeFontes said during the hearing. He appeared on behalf of BG&E’s parent company Exelon Corp., and two electric industry trade groups. Exelon is one of the largest electric and natural gas utility companies in the U.S., and also the largest owner and operator of nuclear plants in the nation. In September, 70 electric company CEOs got a classified briefing at the North American Aerospace Defense Command in Colorado Springs. In January a group met to discuss how they would respond to a damaging cyber attack.

“Will we see a successful attack on the grid in the U.S? You can’t say what the probability is. All you can ask is whether it is physically possible. And the answer is yes. It could physically happen,” says Richard A. Clarke, counter-terrorism czar in the Clinton and Bush administrations.

In theory, power companies are supposed to keep their corporate networks separate from their industrial control systems, including one type of control system called Supervisory Control and Data Acquisition networks. That should prevent viruses attacking corporate networks via the Internet from attacking the SCADA systems.

“It turns out,” Clarke said, “that it is very easy to get into the SCADA networks.”

That’s because SCADA networks - which are used to control a range of industrial systems - are built to last for years, if not decades. They are designed to keep the grid operating near 100% of the time - not for security, which is sometimes viewed as an obstacle to performance. And when these networks were built, today’s security issues weren’t understood. They certainly weren’t designed to withstand the relentless form of cyber attack known as Advanced Persistent Threat, which can overwhelm a cyber defense system by the sheer volume and duration of assaults.

“The reason it is called advanced persistent threat is because they just keep going until some way or another, they get in,” Clarke says. “Firewalls are pretty vulnerable. In order to really defend a network, you can never make a mistake. And everybody makes a mistake from time to time. And once they are in, they are hard to get out.”

The isolation of SCADA networks isn’t as complete as one might suppose.

“Even though I have separate networks, there are potential connections, and there need to be,” says William Stewart, a former Army signal officer and now senior vice president at consultant Booz Allen Hamilton Inc., where he heads Booz’s Cyber Technologies Center of Excellence.

Malicious software that gets into production systems can destroy physical equipment, such as pumps and turbines, by targeting a known vulnerability in some rotating equipment, called Aurora. Utilities have known about the vulnerability since 2007, but only in the last year or two have utilities started to make some progress on this issue, experts say.

Experts described some of the potential bridges between the production networks and the corporate networks:

Maintenance. Elements of the control infrastructure sometimes need to be updated, which can create a scenario in which workers bring in code and connect potentially compromised computers.

Lax internal security behind the firewall. Some networks have strong firewalls that protect their perimeter - but insufficient internal boundaries. In those cases, hackers who manage to penetrate a firewall can move around inside of an organization with relative impunity.

Shared network gear and peripherals. It is possible for production and corporate networks to share network routers. They also might share peripherals like faxes, scanners and printers, which can be connected to the Internet, creating a potential entry point for hackers.

Movement of laptops and other devices. People can move laptops, thumb drives and other devices and storage media from the corporate network to the control network. This may be forbidden by policy, but it may happen in practice. It is possible to build in protections so that computers assigned to a corporate network can’t work on a production network, but such defenses aren’t always put in place.

Vulnerable supply chains. The hardware and software that companies use to build the control networks may not be safe, especially given the fact that economic pressures drive utilities to find the lowest cost provider.

SCADA connections to the Internet. Some SCADA networks are connected directly to the Internet. It’s possible to find them using a specialized search engine called Shodan. Researchers have found thousands of industrial control systems that can be accessed from the Internet, according to a report from the Department of Homeland Security. DHS has set out to notify utilities when their systems are discovered online.

Alerts. If control systems send out status alerts to workers using devices that are connected to the Internet, those alerts can be used by hackers to gain access to a SCADA system.

Insufficient industry standards. Cybersecurity standards established by the North American Electric Reliability Corporation - the body that oversees the U.S. electric grid - cover only the basics, not viruses like Stuxnet or the Aurora vulnerability.
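The air-gap-hopping paths described earlier (shared peripherals, USB sticks, alerts sent over public networks) and the list of corporate-to-control bridges above are all things an asset inventory can be checked for. As an added illustration, not code from the article or from any utility it names, the Python script below runs a segmentation audit over a constructed inventory: zone CIDRs, devices tagged with every zone they have been attached to, firewall permit rules, and the transport used for control-system alerts. Every host name, address, rule and the alert-transport value are made up for the example; the check categories map onto the bridges listed above (internal boundary, shared peripheral, device movement, Internet exposure, alert path).

```python
"""Segmentation audit over a constructed utility asset inventory (example only)."""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_network

CONTROL = "control"      # SCADA / production zone
CORPORATE = "corporate"  # business IT zone
INTERNET = "internet"    # pseudo-zone: device has an interface on a public-facing network

FIXED_SHARED = {"printer", "scanner", "fax", "router", "switch"}  # shared gear and peripherals
PORTABLE = {"laptop", "usb", "tablet"}                           # devices that move between zones


@dataclass
class Device:
    name: str
    ip: str
    kind: str
    zones: set = field(default_factory=set)  # every zone this device has been observed attached to


@dataclass
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: str    # "any" or a port number as text
    action: str  # "permit" or "deny"


def audit_segmentation(zones, devices, rules, alert_transport):
    """Return a list of (category, detail) findings; zones maps zone name -> CIDR."""
    ctrl = ip_network(zones[CONTROL])
    corp = ip_network(zones[CORPORATE])
    anywhere = ip_network("0.0.0.0/0")
    findings = []

    # Firewall review: only flows *into* the control zone are examined here;
    # one-way outbound flows (e.g. syslog from control to corporate) are out of scope.
    for r in rules:
        if r.action != "permit":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        if dst.overlaps(ctrl) and src == anywhere:
            findings.append(("internet-exposure", f"rule permits any source into {r.dst} port {r.port}"))
        elif dst.overlaps(ctrl) and src.overlaps(corp):
            findings.append(("internal-boundary", f"rule permits {r.src} -> {r.dst} port {r.port}"))

    # Device review: fixed gear seen in both zones is a shared peripheral; portable
    # gear seen in both is device movement; a control device on a public network is exposure.
    for d in devices:
        in_both = {CONTROL, CORPORATE} <= d.zones
        if d.kind in FIXED_SHARED and in_both:
            findings.append(("shared-peripheral", f"{d.name} ({d.kind}) attached to both zones"))
        elif d.kind in PORTABLE and in_both:
            findings.append(("device-movement", f"{d.name} ({d.kind}) seen in both zones"))
        if CONTROL in d.zones and INTERNET in d.zones:
            findings.append(("internet-exposure", f"{d.name} ({d.kind}) also faces the Internet at {d.ip}"))

    # Alert path: status alerts that leave over a public network are a bridge in themselves.
    if alert_transport != "private":
        findings.append(("alert-path", f"control alerts leave via {alert_transport} network"))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(category for category, _ in findings))


def sample_inventory():
    """Constructed inventory for the example; none of these hosts or addresses are real."""
    zones = {CONTROL: "10.20.0.0/16", CORPORATE: "10.10.0.0/16"}
    devices = [
        Device("hmi-01", "10.20.1.5", "hmi", {CONTROL}),
        Device("rtu-gw", "203.0.113.7", "router", {CONTROL, INTERNET}),      # directly Internet-reachable
        Device("mfp-3", "10.10.5.9", "printer", {CORPORATE, CONTROL}),       # shared multifunction printer
        Device("eng-laptop-7", "10.10.8.21", "laptop", {CORPORATE, CONTROL}),  # carried between zones
        Device("fileserver", "10.10.2.2", "server", {CORPORATE}),
    ]
    rules = [
        Rule("10.10.0.0/16", "10.20.0.0/16", "any", "permit"),  # corporate allowed into control
        Rule("0.0.0.0/0", "10.20.1.0/24", "502", "permit"),     # anyone allowed into a control subnet
        Rule("10.20.0.0/16", "10.10.0.0/16", "514", "permit"),  # outbound syslog, not flagged
    ]
    return zones, devices, rules, "public"


def run_sample():
    return audit_segmentation(*sample_inventory())


if __name__ == "__main__":
    for category, detail in run_sample():
        print(f"[{category}] {detail}")
    print(summarize(run_sample()))
```

On the constructed inventory the audit reports six findings, one per bridge category except Internet exposure, which is hit twice (once by the permissive firewall rule and once by the dual-homed gateway). The value of a check like this is not the specific rules but that it is repeatable: re-run after every maintenance window, since the article's "maintenance" bridge is exactly the moment new connections and portable devices appear.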

BG&E parent company Exelon says that security is of the “utmost importance” but declined to specify measures it has taken to secure its network. In addition to electric industry standards, the company adheres to cybersecurity standards of the Nuclear Regulatory Commission. “We regularly work with relevant organizations and outside agencies to ensure that any security matters related to Exelon or the utility industry are addressed in our operations. This includes a robust array of security measures that are designed to protect our computer-based systems and other assets from cyber threats,” said a spokesperson.

“But given widespread cyber vulnerabilities throughout the grid, there is no question they (control networks) are penetrated,” Mr. Stewart says. The real question is whether dormant viruses deposited by hackers will be used to disrupt the operation of the grid. It depends on the circumstances. They generally find (malware from) Advanced Persistent Threat is not active. It is there for the future.



Posted by Elvis on 04/09/09 •
Section Bad Moon Rising