Monday, November 29, 2010


Will HECO’s SMART GRID of tomorrow be vulnerable to cyber attacks?

By Henry Curtis

Initially HECO wanted to race into building a costly SMART GRID, but has since backed off. The rumor is that they laid off or relocated much of their smart grid staff after buying a costly piece of software that failed to work properly. Life of the Land intervened in the SMART GRID regulatory proceeding before the Hawaii Public Utilities Commission. HECO and Hawaii State Government signed an Energy Agreement (Oct 2008) which heralds a transformation of energy generation from fossil fuels to renewables, but which first requires streamlining regulatory processes, gutting some oversight, and building billions of dollars' worth of grid infrastructure. Then, if it is to be believed, very large central station power plants (such as Neighbor Island wind farms) will power the grid. One reason HECO needed to delay the development of a SMART GRID is the vulnerability of a new system to cyber exploitation. The alternative future relies on distributed solar and wind systems located at or near where the demand is. The question is: what road or path leads to a SMART FUTURE?

HECO controls the generation and transmission infrastructure using a Supervisory Control And Data Acquisition (SCADA) system.

Stuxnet is a worm specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes.

Russian digital security company Kaspersky Labs released a statement that described Stuxnet as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world."

Stuxnet is a Windows-specific computer worm first discovered in June 2010. It is the first discovered worm that spies on and reprograms industrial systems, the first to include a programmable logic controller (PLC) rootkit, and the first to target critical industrial infrastructure. Stuxnet includes the capability to reprogram the PLCs and hide its changes.

Infected computers by country: China 6,000,000; Iran 62,867; Indonesia 13,336; India 6,552; United States 2,913

It is initially spread using infected USB flash drives and then uses other exploits to infect other computers in the network. Once inside the system it uses the default passwords to command the software.

It only attacks systems with variable-frequency drives from two specific vendors: Vacon, based in Finland, and Fararo Paya, based in Iran. It monitors the frequency and only attacks systems that run between 807 Hz and 1210 Hz, which is very high and only used in particular industrial applications. Stuxnet then modifies the output frequency for a short interval of time to 1410 Hz, then to 2 Hz, and then to 1064 Hz, and thus affects the operation of the connected motors.
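For operators of such drives, the frequency pattern described above can be turned into a monitoring check. The sketch below is an added example, not part of the original post: it assumes an independent sensor reading alongside the value the control system reports, and the ramp limit, mismatch tolerance, sample trace and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

BAND_HZ = (807.0, 1210.0)  # operating band quoted in the article
MAX_STEP_HZ = 50.0         # assumed ramp limit between samples; tune per process
MAX_MISMATCH_HZ = 5.0      # assumed tolerance: reported value vs. independent sensor


@dataclass
class Alert:
    t: int
    rule: str
    detail: str


def check_drive(samples):
    """samples: iterable of (t_seconds, measured_hz, reported_hz)."""
    alerts = []
    prev = None
    for t, measured, reported in samples:
        # Rule 1: output frequency left the normal operating band.
        if not BAND_HZ[0] <= measured <= BAND_HZ[1]:
            alerts.append(Alert(t, "out_of_band", f"{measured} Hz"))
        # Rule 2: frequency jumped faster than the process should allow.
        if prev is not None and abs(measured - prev) > MAX_STEP_HZ:
            alerts.append(Alert(t, "step_change", f"{prev} -> {measured} Hz"))
        # Rule 3: the operator display disagrees with the independent sensor,
        # which is what hidden changes on the controller would look like.
        if abs(measured - reported) > MAX_MISMATCH_HZ:
            alerts.append(Alert(t, "report_mismatch",
                                f"reported {reported} Hz, sensor {measured} Hz"))
        prev = measured
    return alerts


# Constructed trace: (seconds, sensor Hz, Hz shown to the operator).
SAMPLES = [
    (0, 1064.0, 1064.0),
    (5, 1064.0, 1064.0),
    (10, 1410.0, 1064.0),
    (15, 2.0, 1064.0),
    (20, 1064.0, 1064.0),
]

if __name__ == "__main__":
    for alert in check_drive(SAMPLES):
        print(alert)
```

The third rule only works if the sensor reading reaches the monitor by a path that does not pass through the controller being checked.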

The complexity of the software is very unusual for malware. The attack requires knowledge of industrial processes and an interest in attacking industrial infrastructure. Stuxnet is unusually large at half a megabyte in size, and written in different programming languages which is also irregular for malware. It is digitally signed with two authentic certificates which were stolen from two certification authorities which helped it remain undetected for a relatively long period of time. It also has the capability to upgrade via peer to peer, allowing it to be updated after the initial command and control server was disabled.

These capabilities would have required a team of people to program, as well as check that the malware would not crash the PLCs. Writing the code would have taken many man-months, if not years.

The worm's ability to reprogram external programmable logic controllers (PLCs) may complicate the removal procedure. In addition, it has been speculated that incorrect removal of the worm could cause a significant amount of damage.

The U.S. Department of Homeland Security (DHS) National Cyber Security Division operates the Control System Security Program (CSSP). The program operates a specialized Computer Emergency Response Team (ICS-CERT).

Automation, SCADA and Control System developers often use off-the-shelf equipment, software and protocols, integrating and configuring these in different ways for a variety of applications. This 'common' approach can make it easier for malware to bring down some vulnerable systems.

Alan Bentley of security firm Lumension has said that Stuxnet is "the most refined piece of malware ever discovered ... mischief or financial reward wasn't its purpose, it was aimed right at the heart of a critical infrastructure". Symantec estimates that the group developing Stuxnet would have been well-funded, consisting of five to ten people, and would have taken six months to prepare. The Guardian, the BBC and The New York Times all reported that experts studying Stuxnet considered that the complexity of the code indicates that only a nation state would have the capabilities to produce it.

There are reports that Iran's uranium enrichment facility at Natanz was the target of Stuxnet and that the site sustained damage because of it, causing a sudden 15% reduction in its production capabilities. There was also a previous report by WikiLeaks disclosing a "serious nuclear accident" at the site in 2009. According to statistics published by the Federation of American Scientists (FAS), the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900, beginning around the time the nuclear incident WikiLeaks mentioned would have occurred. On November 23 it was announced that, due to a series of major technical problems in Natanz, Iran had to temporarily cease its uranium production altogether.

The whole Stuxnet code has not yet been decrypted, but among its peculiar capabilities is a fingerprinting technology which allows it to precisely identify the systems it infects. It appears to be looking for a particular system to destroy at a specific time and place. Once it has infected a system it performs a check every 5 seconds to determine if its parameters for launching an attack are met.

The worm appears programmed to cause a catastrophic physical failure; early speculation on methods had included overriding turbine RPM limits, shutting down lubrication or cooling systems, or sabotaging the high-speed spinning process of centrifuge arrays at Iran's Natanz nuclear facility. In November 2010, according to The New York Times, experts at Symantec found that the worm speeds up rotation rates for the accelerators to the point where they break. The complex code of Stuxnet looks for a very particular type of system and controller, namely frequency converters made by the Iranian company Fararo Paya and the Finnish company Vacon.

It is believed that the infection originated from laptops belonging to Russian contractors at the site of the Bushehr power plant and spread from there with the aim of targeting the power plant control systems.

Henry Curtis
