Monday, May 23, 2005

Hacking the American Power Grid

Part 1, Part 2, and Part 3 of an article in Red Herring explain why "Security experts warn it wouldn’t be hard for a cyberpunk or terrorist to turn off the lights in a large portion of the U.S."

The U.S. power grid, with its billions of dollars worth of electrical lines, switching stations, and electrical generators, is like a big shiny toy for computer hackers.

Imagine the attraction to a teenage computer nerd of flipping the light switch to the Northeast corridor when he doesn’t have a date for the prom. This attractive nuisance has Washington spooked and is developing into an opportunity for startup security companies.

Power companies rely on a complex relay of information between delivery stations to regulate electrical flow. They send commands back to these stations to control the voltage and amperage allowed to flow to consumers. It is a network, just like the Internet. And just like the Internet, it is subject to attack.

"Just thinking about it makes me feel almost sick," said Justin Bingham, a security expert and CTO of software startup Intrusic. "This is stuff I can’t live without. It isn’t some internal database someplace."

Grid operators monitor and control the flow of electricity via computer networks called Supervisory Control and Data Acquisition (SCADA) systems. These systems once operated in a vacuum using language that only experts understood. The power companies and the government thought they were safe.

But several new developments have made SCADA systems vulnerable. When power companies hook their business computers to the Internet, and then plug the business computers to the SCADA computers, critical systems can be exposed to viruses and worms.

Standard software doesn’t help, either. Power companies used to buy their control systems from a series of disparate vendors. A hacker could expect to run into at least five different types of computer networks and would have to know many different communications protocols.

Industry consolidation has led to standardization on one or two well-known systems with well-researched security holes. Hacking one system takes less expertise than hacking seven.
