The smart grid cybersecurity debate has just shifted from hypothetical to real.
Telvent, the smart grid giant owned by Schneider Electric, has reported that hackers breached its network, left behind malicious software and accessed project files for its OASyS SCADA system. That’s the same system that Telvent uses to control power grid, oil and gas pipeline, and industrial controls around the world, as well as to integrate them with utility enterprise systems and new smart grid platforms.
Telvent is still investigating the incident, but has said that clues indicate a Chinese group with a track record of infiltrating other Western interests is involved, according to a report from Krebs on Security. As a precautionary measure, Telvent has disconnected its customers’ access to its own networks for the indefinite future.
The smart grid industry has been plagued with cybersecurity problems for awhile now, but they’ve almost all been reports from the Department of Homeland Security, or independent security researchers, of potential weaknesses and threats to critical grid systems.
Telvent’s announcement of an actual hack would appear to be much more serious. Telvent told Wired’s Threat Level blog that it was working with its customers, law enforcement and security to “ensure that this breach has been contained.” But, as security experts told Wired, the fact that project files had been accessed could mean that hackers had gained insight into how Telvent’s OASyS system works, which could lead to further attacks.
At the same time, Telvent recently hired Industrial Defender, a company that staffs network operations centers to secure critical industrial control systems, including grid assets, from intrusion. Swiss grid giant ABB is also a customer of, and investor in, Industrial Defender, which represents a labor-intensive and expensive, if very proactive, way to secure the grid from cyber-intrusion.
Another way to fight hackers is to bring more of the smart grid into the realm of standards-based technology, where there’s a depth of expertise and ever-evolving support for securing critical networks. Cisco is, unsurprisingly, a big champion of Internet Protocol (IP) for the smart grid, and particularly the latest security enhancements of IPv6, saying that it’s one surefire way to allow utilities to get up to speed with Wall Street, the Department of Defense and other leaders in cybersecurity.
Still, there are lots and lots of grid assets that run on legacy systems that can’t be replaced overnight -- and with the rise of the smart grid, more and more of them are being connected to utility IT systems that connect, in one way or another, to the internet at large.
That makes securing today’s grid a matter of upgrading the ability of millions of endpoints like smart meters and grid controls, along with the chain of networking and software that binds them to the utility enterprise, to protect themselves from attack, as well as warn the system when that attack is occurring, which can trigger a series of security responses to detect, prevent or minimize it -- a so-called “defense in depth” approach
For context, here’s a report from last month on the latest Department of Homeland Security report of a potential breach of a smart grid vendor’s cybersecurity, along with a list of the challenges the industry faces in securing its new smart infrastructure:
Another day, another cybersecurity flaw revealed in the IT systems that run the world’s critical infrastructure -- and this time, the Department of Homeland Security is getting involved.
The latest bad smart grid security news is for RuggedCom, the hardened grid and industrial router company bought by Siemens for $381 million last year. DHS reported (PDF) that it is investigating a flaw that could be used to decrypt RuggedCom’s data traffic between an end user and the router.
From there, attackers could theoretically launch denial-of-service attacks, or infiltrate and potentially control networks that run power turbines, high-voltage grid gear and industrial plant across the world, according to security expert Justin Clarke, who revealed the exploit Friday at a Los Angeles conference.
"If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you," is how Clarke put it to the BBC. Getting access to RuggedCom’s network is merely the matter of extracting the software "key" used to encrypt traffic, he said.
This isn’t the first alert from the DHS’ Industrial Control Systems Computer Emergency Response Team (ICS-CERT). The federal agency tagged what turned out to be a SCADA system employee logging on from Russia as a potential foreign attack on an Illinois water utility last year. ICS-CERT reported a total of 90 vulnerabilities so far this year, up from 60 in 2011.
But some of the agency’s warnings could have an impact on the grid and other critical infrastructure. In December, ICS-CERT notified the industry of vulnerabilities in remote terminal units (RTUs) built by Schneider Electric’s Telvent, which one security expert told us may have cost utilities dearly in replaced equipment.
It’s all part of the process of bringing utilities up to the cybersecurity required in the new age of smart grid. Simply put, yesterday’s grid technology was built with the assumption that it would stand apart, in locked industrial sites and control centers, unavailable to outside tampering. But connecting that legacy technology to today’s IT world via the smart grid opens it up to all sorts of hacks.
That’s going to unleash a flood of investment in smart grid cybersecurity over the next few years. GTM Research predicts spending on cybersecurity products and services will grow from $120 million in 2011 to $237.6 million in 2015, making it the second largest segment behind distribution automation in terms of utility enterprise IT spending.
Some recent deals in the cybersecurity space include software startup N-Dimension’s $3.85 million Series A round last month, and grid giant ABB’s investment into Industrial Defender, which offers SCADA protection services for big industrial customers. In the meantime, all the big smart grid players -- IBM, Cisco, HP, Microsoft, Accenture, CapGemini, Logica, Lockheed Martin, SAIC, the big meter makers and SCADA vendors, etc. -- are promising state-of-the-art cybersecurity from their new smart grid offerings.
We’re seeing renewed focus on cybersecurity from government and regulators as well. Last month, the National Security Agency reported a 17-fold rise in attempted cyber-attacks between 2009 and 2011. A Senate energy panel heard experts from GAO, FERC and NERC testify to the nation’s vulnerability to cyber-attack in a July hearing, though a bill that would have stiffened security regulations failed to pass later that month.
In the meantime, there’s an ever-expanding list of major vendors that are seeing their SCADA systems being hacked in front of a live audience. Earlier this year, for example, Digital Bond released exploits of Schneider Electric’s programmable logic controller (PLC) units, which translate SCADA messages to commands at end devices.
The firm claims it can do things like rewrite the PLC’s “ladder logic,” which allows it to take control of such fundamental functions as issuing stop and run commands -- the kind of thing that can throw a power turbine or substation into a breakdown. Previous hacks include those of Siemens’ PLCs by Metasploit creator H.D. Moore, of General Electric’s D20 PLCs, of Telvent’s PLCs by independent SCADA security researcher Rubén Santamarta, and of ABB’s ActiveX scripting interfaces and WebWare Server application by Billy Rios and Terry McCorkle, as part of their “100 bugs in 100 days” project.
Even adding a PC-based interface can open the doors to intrusions. Stuxnet -- the malicious code aimed at upsetting Iran’s nuclear development program via sabotaging centrifuge systems -- was introduced to the system via thumb drives left lying around the office, according to reports.
Stuxnet was aimed at Siemens' SCADA systems, and cybersecurity experts contend that the industrial giant hasn’t fixed the underlying vulnerabilities in that system that the virus targeted. Since then, security firm Symantec has reported that a variant known as Duqu has been developed, apparently by the same shadowy group that created Stuxnet, with the aim of gathering information about SCADA systems for espionage or planning future attacks.
In short, the utility sector is entering the wild, wooly world of cyber-warfare and industrial espionage, like it or not. It’s a commonplace in the security industry that only a massive, destructive cyber-attack will wake the powers-that-be into spending the money on security that’s required. Hopefully, we’ll never know. But with vulnerabilities being publicized every week or so, the industry certainly isn’t getting a free pass on the issue anymore.