U.S. Power Grid Vulnerable to Cyberattacks

The industrial control systems that run U.S. utilities and factories were not designed to be secure. With a can of Pringles and free software, a hacker could wreak havoc.

It’s a frightening scenario—a hacker getting into the U.S. electrical grid to cut off millions of people—and it’s far from inconceivable. In fact, it’s easy for a terrorist, a vindictive employee or even a bored teenager to tap into and disrupt the control systems that operate industrial facilities.

And this vulnerability is widespread—from natural gas pipelines to nuclear plants and water systems. The country’s utilities and factories all run on similar industrial control systems, none of which were designed with security as a consideration. What’s more, their very architecture makes them hard to protect. And connecting them to networks and the Internet has made them all the more vulnerable.

Take one large southwestern utility with about four million customers, for example. Its control system’s weaknesses were almost immediately apparent, says Paul Blomgren, manager of sales engineering at California-based cyber-security firm Rainbow Mykotronx.

“Our people drove to a remote substation,” recounts Blomgren. “Without leaving their vehicle, they noticed a wireless network antenna. They plugged in their wireless LAN cards, fired up their notebook computers, and connected to the system within five minutes because it wasn’t using passwords.”

“Within 10 minutes, they had mapped every piece of equipment in the facility,” says Blomgren. “Within 15 minutes, they mapped every piece of equipment in the operational control network. Within 20 minutes, they were talking to the business network and had pulled off several business reports. They never even left the vehicle.”

And you don’t even have to be a professional to pull off this kind of security breach, says Eric Byres, research manager at the Internet Engineering Laboratory of the British Columbia Institute of Technology in Burnaby. He says any hacker can do it with software you can download from the Internet for free and a can of Pringles.

Wireless systems are very susceptible, says Byres, especially because many IT professionals are unaware of wireless transmitters’ security features and thus don’t even activate them.

As a result, any person driving by could access the wireless traffic with a laptop PC, a $60 wireless network card and a directional antenna, which can be fashioned from a can of Pringles. And if you don’t know how to make this antenna, all you have to do is go online to Google and type in “Pringles antenna” and about 400 web sites will come up, many featuring instructions, pictures and even videos.

Next, with readily available free software such as AirSnort and NetStumbler, hackers can decipher wireless codes within 15 minutes. Then once they snag the wireless encryption key, they can eavesdrop on the network, using a freebie protocol analyzer such as Ethereal or Sniffit. “They will listen until a maintenance engineer signs onto a PLC,” says Byres. A PLC is a programmable logic controller, which manages a facility’s sensors and actuators.

“Here’s where human engineering comes in,” says Byres. “No one likes to have 20 different passwords, so the password for this PLC is probably the password for the other PLCs and the Windows server as well. Now they have the password to your secure systems and networks.”

Industrial control systems lag behind business networks and the Internet in developing ways to track intruders. A single standard, IEEE 802.11b, is used by all wireless transmitters, and it easily succumbs to security breaches, says Byres.

To fix this problem, the Institute of Electrical and Electronics Engineers is currently reworking its standard. And vendors have created software that circumvents 802.11b’s weaknesses. In addition, developers are trying to implement conventional network security measures on industrial control systems.

It hasn’t been easy, however. PLCs, digital control systems, and supervisory control and data acquisition (SCADA) systems were designed under two assumptions, says Joseph Weiss, executive consultant for Virginia-based KEMA Consulting. One, that they would work in isolation, not linked to networks, and two, that they would only be accessed by authorized people.

Such assumptions sound quaint after 9/11, but they started to be impractical even before that day. Downsizing was the culprit. Utilities and corporations yanked employees and put automated control systems at substations, pipeline switches and plants instead. As a result, many utilities today oversee numerous facilities and thousands of operations over SCADA networks connected to a central control room.

And to make matters worse, companies rejected costly private telecommunications links and instead chose the Internet to carry SCADA traffic. In fact, almost all remote terminal units, which manage a facility’s automated field devices, and control systems are now Web- or network-enabled, says Weiss.

Vendors conduct remote diagnostics or upload software updates over phone lines. That means hackers can get in, too, locating modems by dialing phone numbers sequentially until one picks up. If they are able to access a device on the network, they can lay out the system and listen in for passwords. This backdoor imperils even those with solid network security.

To prevent this kind of intrusion, some facilities utilize a dial-back modem, but hackers have already found a way to defeat that, too, says Blomgren.

Indeed, to protect industrial control systems, operations people have to go beyond securing modems and implementing better password policies. They have to reconsider IT policy, says Byres. “Standard IT policy is to lock down a console after someone makes three bad password attempts,” he says. “But what if someone made the mistakes because he’s panicking that a recovery boiler is going through the roof?”
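One way to resolve the tension Byres describes is to treat the local control-room console differently from remote sessions: remote logins keep the conventional hard lockout, while the local console is never locked out but is slowed by a capped, doubling delay and raises an alarm. The policy below is an added illustration of that design, not code from the article or any vendor; the class, its thresholds and the "local"/"remote" labels are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class OperatorConsolePolicy:
    """Hypothetical failed-login policy for an ICS operator console.

    Remote (network or dial-in) sessions: hard lockout after
    max_remote_failures, as in standard IT policy.
    Local console: never locked out; each failure doubles a short delay
    (capped) and repeated failures raise an alarm for the control room.
    """
    max_remote_failures: int = 3
    base_delay_s: float = 1.0
    max_delay_s: float = 30.0
    alert_after: int = 3
    failures: dict = field(default_factory=dict)   # (user, source) -> count
    alerts: list = field(default_factory=list)

    def record_failure(self, user: str, source: str) -> dict:
        key = (user, source)
        n = self.failures[key] = self.failures.get(key, 0) + 1
        if source == "remote":
            if n >= self.max_remote_failures:
                return {"action": "lockout", "delay_s": None, "failures": n}
            return {"action": "retry", "delay_s": 0.0, "failures": n}
        # Local console: progressive delay instead of a lockout, so a
        # panicking operator is slowed for seconds, not shut out.
        delay = min(self.base_delay_s * 2 ** (n - 1), self.max_delay_s)
        if n >= self.alert_after:
            self.alerts.append(f"{n} failed local logins for {user}")
        return {"action": "retry", "delay_s": delay, "failures": n}

    def record_success(self, user: str, source: str) -> None:
        self.failures.pop((user, source), None)


def total_delay_s(policy: OperatorConsolePolicy, n_failures: int) -> float:
    """Cumulative wait imposed on n consecutive local failures.

    Compares the cost to a flustered operator (a few tries) against the
    cost to an automated password guesser (hundreds of tries).
    """
    p = OperatorConsolePolicy(policy.base_delay_s, policy.max_delay_s)
    p.base_delay_s, p.max_delay_s = policy.base_delay_s, policy.max_delay_s
    return sum(p.record_failure("op", "local")["delay_s"] for _ in range(n_failures))
```

Three mistyped passwords at the local console cost the operator seven seconds in total, while a hundred automated guesses are stretched over roughly 48 minutes and trigger an alarm after the third.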

To this end, the industry has started to work on procedures that are applicable to control systems. Also, several industry standards organizations, such as the IEEE and the International Electrotechnical Commission, have set up committees to tackle control system protection issues.

Another measure involves implementing a better encryption standard, which would require that a dedicated encryption device be placed between the SCADA remote terminal unit and the modem that connects it to the Internet. That way, even if a hacker does access the line, all he or she would hear would be scrambled information.

But encryption is not fail-safe, protecting wireless traffic from ill-intentioned outsiders but not from disgruntled insiders, or even drive-by hackers. And the Federal Bureau of Investigation has found that 70% of hacks are perpetrated by insiders.

Indeed, stronger IT policies and encryption are only initial steps. The industry must devote time and resources to security and consider such drastic measures as new technologies, new control systems or even a completely different IT architecture.

Even more fundamentally, it must throw out its long-held belief of “security through obscurity,” which assumes that since nobody knows how its control system operates, it’s safe, says Blomgren.

In fact, the complete opposite is the case because the same SCADA systems that monitor the U.S. power grid also run the grids in Iraq, Saudi Arabia, Indonesia and Iran. Not surprisingly, SCADA documents were found in al Qaeda safe houses in Afghanistan.

And for now, even a Pringles can-wielding teenager with a wireless card and laptop can pose a danger to the U.S. power grid—and all utility and industrial infrastructure.

Source: SCADA vs. the Hackers
Alan S. Brown
Mechanical Engineering, Dec. 2002
http://www.memagazine.org/
