Last week's disclosure of a sophisticated malware program targeting control system software from Siemens AG has renewed long-standing concerns about whether the US power grid can withstand targeted cyberattacks. The malware program, called Stuxnet, is designed to exploit a Windows zero-day flaw to find and steal industrial data from Supervisory Control And Data Acquisition (SCADA) systems running Siemens' Simatic WinCC or PCS 7 software.
Stuxnet is the first publicly known malicious software program written specifically to exploit vulnerabilities in a SCADA system. "It could be a proof-of-concept to show control systems can be attacked" in a deliberate fashion, said Eric Knapp, director of critical infrastructure markets at NitroSecurity, a security vendor.
SCADA systems are used to control critical equipment at power companies, manufacturing facilities, water treatment plants and nuclear power operations. Typically, the systems run on segmented networks that are not directly connected to the Internet, making external access difficult. But analysts have long warned that SCADA systems, especially older ones, have several exploitable vulnerabilities.
One example was demonstrated by researchers at the Idaho National Laboratory three years ago. In a dramatic experiment, codenamed Aurora, researchers there demonstrated how a hacker could simply use a dial-up modem to exploit a SCADA vulnerability that could physically destroy a massive power turbine.
The potential for such attacks has risen sharply in recent years as many SCADA systems, including those at some very large public power companies, are increasingly integrated with networks that have direct links to the Internet. In a high-profile story last year, the Wall Street Journal reported that cyberspies in Russia, China and other countries had already taken advantage of such vulnerabilities to deeply penetrate the US electrical grid.
The emergence of threats like Stuxnet drives home the need for more federal oversight of cybersecurity matters in the utilities sector, said Joseph Weiss, managing partner at Applied Control Solutions.
So far there have been at least 170 known cyber-related outages in the US, including three that caused widespread regional outages, Weiss said. It's hard to know with certainty whether any of the 170 outages stemmed from a targeted cyberattack because of the relative lack of forensics-gathering capabilities in the utility business, he added.
"There has been almost minimal progress on securing control systems," said Weiss, author of the book Protecting Industrial Control Systems from Electronic Threats, published earlier this year. Progress is slowed largely by a lack of understanding of the specific challenges of securing industrial control systems against cyber-threats, he said.
Currently, all bulk power system owners and operators are required to comply with reliability and security standards mandated by the North American Electric Reliability Corp (NERC), an independent regulatory organisation. NERC's mandated controls are based on a risk management framework created by the federal government's National Institute of Standards and Technology (NIST).
That framework, Weiss said, is designed more for commercial IT systems than for industrial control systems. As a result, many of the prescribed controls are inadequate and do not cover all SCADA systems, he said.
NERC's requirements, for instance, apply only to cyberassets that use routable protocols or are dial-up accessible. The rules do not address the large number of vulnerable SCADA systems that use non-routable protocols, Weiss said. Importantly, NERC's rules do not apply to power distributors or to operators of emerging smart-grids, he added.
"Hacking a control system does not take rocket science," Weiss said. "Protecting one does."