PRI's Environmental News Magazine

Cyber Security Breach

Air Date: Week of February 1, 2008


The generator room at the Idaho National Laboratory was remotely accessed by a hacker, and a $1 million diesel-electric generator was destroyed. (Courtesy of U.S. Department of Homeland Security)

As power companies increasingly use the internet to manage their power grids, they’re also becoming increasingly vulnerable to hacker attacks that could shut down power and destroy facilities, all with the click of a mouse. Host Bruce Gellerman speaks with Alan Paller, director of research at the SANS Institute, which specializes in security systems education.

Transcript

GELLERMAN: It’s Living on Earth, I’m Bruce Gellerman. The CIA’s top Cyber Security analyst recently made a very unusual and alarming public statement. According to the agency’s Tom Donahue, computer hackers tried to infiltrate and disrupt the electric power grids in several foreign regions. And in some places, they succeeded. Who hacked the grids? Where? How? We don’t know. The tight-lipped CIA isn’t talking.

But Alan Paller is - he’s the director of research at the SANS Institute, which is a cyber security education organization. It was Paller who chaired the mid-January meeting where the CIA’s Tom Donahue made his startling announcement.

PALLER: I was shocked, because he had spoken for us at an earlier conference about a year and a half ago and swore us all to secrecy. We couldn’t tell anyone the kinds of things he was saying, and when he walked into this meeting he said ‘I’m going to say something we’ve never disclosed before and you can quote me.’

GELLERMAN: Why would he make this kind of dramatic statement - especially from the CIA?

PALLER: This all is guesswork. Tom didn’t say ‘hey, I’m doing it for this particular reason.’ He did say he vetted it with all of the senior people, which means that there was a systematic analysis of whether or not it should be disclosed. And the only answer that I could give you is that the problem had become great enough that they wanted the utilities to actually act on it rather than just talk about it.


Alan Paller, Head Researcher at the SANS Institute. (Courtesy of SANS Institute)

GELLERMAN: Well, why make it public?

PALLER: Because the heads of utilities get lied to by their technical people. The technical people say ‘oh, nobody can get in! We’re not connected to the Internet.’ But we had three people at that same meeting who, for a living, did penetration testing of utilities, and every one of them said they never failed to get in, even when the organization claimed they weren’t connected to the Internet. They just don’t know all the connections they have.

GELLERMAN: So how do hackers do it? How would they take down a power supply?

PALLER: Lots of steps, but one of them is to get into the computers and that turns out to be much easier than anybody thinks. In fact, the Government Accountability Office had two reports on how much easier the utilities have made it for hackers to get in by starting to use Windows operating systems and connecting their systems to the internet. So, they can get in through the business side and then they jump over to the control systems side. And then once they’re in the control system side, they have to learn a lot about the control systems. But it turns out that over the last year and a half in the very sophisticated hacker conferences, people have been giving speeches about how to hack these sophisticated control systems. They’ve bought them on eBay, they’ve found the manuals for them, they’ve figured out how to hack them, so not only am I confident that it happened but I’m confident it’s going to happen substantially more in the future.



GELLERMAN: There was a test at the Idaho National Lab in which hackers were able to blow up a generator, a real generator, from a power plant.

PALLER: It was actually the second test like that. The first test was one in which they caused a chemical spill in a chemical plant from a remote hack. This was the second one where they demonstrated that a generator could actually be destroyed. And this is new for most people, the idea that physical damage can be done by cyber attack, but that’s what those two tests demonstrated beyond any doubt.

GELLERMAN: So, a terrorist could sit in a cyber café anywhere in the world, type in a couple of codes, and take down a power plant?

PALLER: It’s as hard to do this as to learn to fly an airplane into the 82nd floor of a tall building in New York. So my point is, no, anyone can’t do it but if you have enough money, enough time and enough will, you can learn to do it. And it’s not any harder to do this than it is to fly a jetliner.

GELLERMAN: Well, just around the time that the CIA was announcing this hack, a governmental agency announced, well it was coming out with eight mandatory measures to plug cyberholes.

PALLER: They did, indeed. That organization is called FERC, Federal Energy Regulatory Commission. And all they were doing was approving a set of measures that the industry association, the association of utilities, wrote. And it turns out that those measures are not very effective because they don’t measure actual security of the systems, they measure whether or not people have written reports about security.

GELLERMAN: So, are we any better off now than we were before these eight mandatory measures came out?

PALLER: The people who helped develop them claim that it’s a step in the right direction. And my answer to that is: it’s a step in the right direction but we’re way past the point at which we need to take baby steps. We need to take big steps to protect these utilities and we’re not doing it. It turns out that almost no utility has the security expertise to protect its control systems. The only ones who do have that knowledge are the ones who manufacture those control systems. So we need to shift the responsibility to those manufacturers, and we’re going to have to pay them a little bit to do it. But we need them to take responsibility for securing the systems.

GELLERMAN: Well Mr. Paller, thank you very much. I appreciate your time.

PALLER: And thank you.

GELLERMAN: Alan Paller is the Director of Research at the SANS Institute, a cyber security education organization that works with government agencies and corporate clients.

 

Links

The SANS Institute

The Government Accountability Office's report on Cyber Security Risks

The Federal Regulatory Energy Commission approved new reliability standards for cyber security earlier this month

 
