Staged Hack Causes Generator to Self-Destruct 258
An anonymous reader writes "It has been revealed that in a U.S. Department of Homeland Security exercise codenamed 'Aurora' conducted in March of this year, researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator. 'Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment. And the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have made the fix. Industry experts also said the experiment shows large electric systems are vulnerable in ways not previously demonstrated.'"
Re:this should not be possible (Score:5, Interesting)
(Our company has also been working with Idaho National Labs on this exact issue, can you tell? The government is taking it pretty seriously)
There are a few problems. For example, there's a lot of old control gear out there, and if it talks ethernet, it assumes that anything it receives is legitimate. Also, the equipment involved is produced in small enough quantities that there can't be a great deal of effort expended on security features. It's not like Windows, where millions and millions of copies are sold, and lots of people actively look for holes.
Re:this should not be possible (Score:3, Interesting)
Layne
They are connected to the Internet (Score:4, Interesting)
Re:this should not be possible (Score:3, Interesting)
Even if the USA network was not connected, the control systems themselves use laughable authentication (if any). Most other networks are similar. They have been built by control automation engineers whose knowledge of networking and security is somewhere between laughing stock and none. This is valid for the rest of the world, not just the USA.
I am surprised the control automation allows setting parameters which are outside permitted ranges. This is something control and automation people usually get right. I remember my dad spending months on numerical models of the grid to compile sets of allowed parameters all of which ended being hardcoded in hardware and software. Nothing was left to be adjusted outside these ranges (this was not in the USA though).
One really worrying bit is that this is not USA limited. The same automation software and hardware is used in the UK and quite a few other countries.
Jumping Generators (Score:4, Interesting)
I'd like to know what they did to make a multi-ton generator JUMP like that thing did. After a few jumps there were a couple chunks of black stuff flying around. If you watch the "full" video it's clear they cut it at least once if not more. I'm guessing it took them quite a long while to get the generator to "blow up".
Anyone have thoughts as to how they did it? I'm going to guess they messed with the fuel/air mix or delivery and caused a massive backfire while under/overloading the alternator side. I'd guess for kicks they also forcibly turned off the cooling fans creating an over-temp in the engine. Assuming i'm right and they cut out 95% of the video length that explains it a bit better. The failure seemed two-fold: A failed main-crankshaft seal spewed out white "smoke" (read over-temp coolant) and something up by the valves making black smoke.
This is probably something you could do to a regular car if you were poking around in the engine management computer.
Re:Don't connect it up (Score:4, Interesting)
In addition to the Central Control there are Regional Dispatch Offices which have information about the grid as well. These mainly coordinate repair and upgrade efforts. But, they need to know which circuits are hot because people's lives are on the line.
So, simply isolating the plants would not work. Certainly not in our day and age.
I used to work for a SCADA/HMI software vendor (Score:2, Interesting)
I used to be a developer for a SCADA/HMI software vendor. That stands for Supervisory Control And Data Acquisition [wikipedia.org] / Human Machine Interface.
It is quite common for such software to be used in places where its failure could cause injury or death.
Many of our customers put their SCADA systems on the Internet, so that our support staff could work with their systems, as well as to allow our consultant engineers to remotely upload new releases.
One day my boss told me that a lot of our customers didn't use SSL encryption, either because they couldn't be bothered with it, or because they couldn't figure out how to install the server software or certificate correctly.
Anyone with a packet sniffer running on the path between us and our customers could have easily stolen the passwords.
Our product, BTW, ran on Microsoft Windows.
The threat is real (Score:4, Interesting)
And their machines weren't even connected to the internet. So all the people who are saying, "Just disconnect it", well, that's not good enough. We have to engineer systems that are hardened and handle failure gracefully. And don't use stolen software.
Re:this should not be possible (Score:5, Interesting)
The local power utility ( I know several of their techs who work on the telemetry gear) also has a remote control system which in entirely on their own infrastructure, and has no interconnection with any system that is accessible from a public network.
It may not be the absolutely cheapest way to do things, but it's also a lot more secure.
What's the cost of this sort of failure compared to doing it "right" in the first place?
Not possible (Score:5, Interesting)
If someone we never had heard of called asking for something strange, I would have definitely asked to talk to someone I knew at the independent system operator, emergency or not.
Re:this should not be possible (Score:5, Interesting)
I'd guess most people here have never read about power grid synchronization. Unless your power grid is DC isolated, it shares data telemetry data with other systems in the grid. Any one of these systems getting hacked can put the entire network at risk. There are many ways to damage a generator if you understand what causes it to trip from the system. Delaying the disconnect from the power grid, for even a short amount of time can cause substantial damage.
http://groups.google.com/group/alt.engineering.electrical/browse_thread/thread/c6a2399745b5413a/dcdf9906b70b85b1%23dcdf9906b70b85b1 [google.com]http://www.google.com/search?hl=en&q=power+grid+synchronization+failure&btnG=Search [google.com]
Why this was released... (Score:2, Interesting)
Re:Why mention Nuclear? (Score:1, Interesting)
A loss of a generator can cause a frequency disturbance across the whole interconnect, and the grid can only survive about 6 simultaneous losses of that magnitude before you would start tripping underfrequency relays, and companies would start disconnecting from one another and begin dumping load (customers). Each Control Area keeps reserves to recover the loss of their largest unit in 10 minutes, so it has to be quick before the reserve CTs can start. Once blacked out, a CA can reattach to its neighbor for a faster recovery.
The danger is a compromised LAN, leading to compromized VPN authentication, granting remote access to the SCADA network. The cracker would then access several LCCs simultaneously, causing numerous simultaneous trippings across the country, bringing down many CAs. The CAs wouldn't be able to cover their immediate loss, and knocking out a lot of pieces could bring the whole network to its knees, and you wouldn't be able to lean on your neighbor for reserves. The 4 hour duration NorthEast blackout of 2003 caused immense financial damage, so there's no accounting for what a larger outage would do.
Re:I've seen this before. (Score:3, Interesting)
Needless to say it didn't pass its next MOT, but then a £250 C Reg Ford Sierra is something you can drive for a year and then replace.