Unethical Hacking: Hackers cut cities' power

Saturday, January 19, 2008

Cyber-security experts have long warned of the vulnerability of critical infrastructure like power, transportation and water systems to malicious hackers. Friday, those warnings quietly became a reality: Tom Donahue, a CIA official, revealed at the SANS security trade conference in New Orleans that hackers have penetrated power systems in several regions outside the U.S., and "in at least one case, caused a power outage affecting multiple cities."

"We do not know who executed these attacks or why, but all involved intrusions through the Internet," Donahue said in a statement. "We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge."

Other details were murky: Donahue didn't say when or where the cyber attacks had occurred, or how many people had been affected. He also glossed over what element of the systems had been exploited.

In recent months, security researchers have emphasized long-standing security vulnerabilities in the Supervisory Control and Data Acquisition (SCADA) systems that control U.S. critical infrastructure systems ranging from power plants to dams to public transit (see "America's Hackable Backbone").

At the DefCon hacker conference in August, researcher Ganesh Devarajan of the security firm TippingPoint gave a presentation showing techniques that hackers can use to find points in SCADA systems that are vulnerable to hijacking and sabotage. The next month, the Associated Press obtained a U.S. Department of Homeland Security video, known as the "Aurora Generator Test," demonstrating how a cyber-intrusion could be used to physically destroy a large power generator.

In the past two years, hackers have in fact successfully penetrated and extorted multiple utility companies that use SCADA systems, says Alan Paller, director of the SANS Institute, an organization that hosts a crisis center for hacked companies. "Hundreds of millions of dollars have been extorted, and possibly more. It's difficult to know, because they pay to keep it a secret," Paller says. "This kind of extortion is the biggest untold story of the cybercrime industry."

Paller told Forbes.com in June that he expected those incidents to increase, and warned that a botched extortion attempt could lead to accidental damage. "There's been very active and sophisticated chatter in the hacker community, trading exploits on how to break through capabilities on these systems," he said. "That kind of chatter usually precedes bad things happening."

Cyber-extortion and its collateral damage aren't new, says Bruce Schneier, chief technology officer for security firm BT Counterpane. He says that offshore-hosted Web sites, most often offering pornography and gambling, are frequent victims of hacker extortion. Targeting power companies, however, is a new wrinkle, he says.

But Schneier suggests that security researchers shouldn't assume that SCADA was the weak link in the power system attacks revealed Friday. If, as the CIA suggests, the penetration involved "inside knowledge" of the system, it may have been performed by an employee with administrative access. "How much of this is a computer vulnerability, how much is a human vulnerability?" he asks. "I wouldn't jump to any conclusions."

Regardless of the tactics used to hack the foreign power systems, he warns that the U.S. has no special immunity. "There's nothing magical about a system being in the U.S.," he says. "The same vulnerabilities are everywhere."

The SANS Institute’s Paller, who says Donahue had carefully considered the decision to reveal the power grid attacks, believes the CIA made its revelation with American security in mind. “My sense is that they wouldn't have disclosed this if they thought the problem had been fixed,” he says.
