What can happen within a cyberterrorist attack to the electrical grid of a country?

Published: 2013-01-23
Last Updated: 2013-01-25 16:30:11 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
3 comment(s)

SCADA systems constitute a major challenge in the implementation of information security management systems, since they involve a new spectrum of risks which, if materialized, can cause incalculable losses to the population in terms of money and even human lives.

What kind of impact are we talking about? As I have described in previous diaries, the electrical system is controlled by SCADA systems, which manage the three core subsystems:

  • Generation: The most common facilities used to generate energy are thermoelectric plants, nuclear plants and hydroelectric plants. Inside these facilities, the SCADA platform is vital for performing the following while generation takes place: ensuring that turbines do not run above their supported revolutions, that generators are not overloaded, and that the energy being generated matches the amount of energy the transmission line can handle.
  • Transmission: Once generated, electricity needs to be distributed to reach the final users using power transmission lines with voltages such as 115 kV. Those lines end at the substations, which handle the delivery of electricity to a specific set of installations, usually a large number of blocks in a city. The SCADA platform is vital for monitoring the voltage in transmission lines, looking for high amounts of electricity flowing and possible overloads, because protections might activate and cause a massive blackout controlled by the affected substations.
  • Distribution: Inside the substation, the voltage decreases to 13.2 kV and flows through the distribution power lines until it reaches the transformers that handle the energy for specific blocks, where it is decreased again to 110 V or 220 V. The SCADA platform needs to monitor the voltage in distribution lines and in user meters, looking for high amounts of electricity flowing that exceed the distribution power line's voltage limit.

To perform a risk assessment for a SCADA system from the IT perspective, we need to list the cyber assets as stated in NERC CIP-002-4. The following is a prototype list extracted from one of my previous SCADA diaries:

  • Remote Terminal Unit (RTU), hardware, software and configuration: The RTU is defined as a communication device within the SCADA system and is located at the remote substation. The RTU gathers data from field devices and holds it in memory until the MTU requests that information. It also processes orders from the SCADA system, such as switching off a transmission line.
  • Master Terminal Unit (MTU), hardware, software and configuration: The MTU is defined as the heart of a SCADA system and is located at the main monitoring center. The MTU initiates communication with the remote units and interfaces with the DAS and the HMI.
  • Data Acquisition System (DAS), hardware, software and configuration: The DAS gathers information from the MTU, and generates and stores alerts that need attention from the operator because they can cause an impact on the system.
  • Human Machine Interface (HMI), hardware, software and configuration: Also called User Interface (UI). The HMI is defined as the interface where the operator logs on to monitor the variables of the system. It gathers information from the DAS.

The most critical risks obtained from that assessment are:

  • Loss of integrity of the configuration files
  • Loss of confidentiality of the configuration files
  • Loss of integrity of the software
  • Loss of availability for the hardware
  • Loss of traceability for the configuration files
  • Loss of traceability for the software files
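Three of the risks above (loss of integrity, availability and traceability of configuration files) can be checked with a baseline-and-verify routine per cyber asset. The following is an added example, not code from the diary or from any SCADA vendor; the asset inventory and file paths are constructed for illustration, and findings are appended to an audit log so that every deviation is traceable.

```python
import hashlib
import os
import tempfile
import time

# Constructed inventory: the four cyber-asset classes from the diary, each with
# hypothetical configuration files an operator would baseline (paths invented here).
ASSET_CONFIGS = {
    "RTU": ["rtu/points.cfg", "rtu/protocol.cfg"],
    "MTU": ["mtu/polling.cfg"],
    "DAS": ["das/alarms.cfg"],
    "HMI": ["hmi/screens.cfg"],
}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Hash every inventoried configuration file under root (the trusted state)."""
    return {asset: {rel: sha256_of(os.path.join(root, rel)) for rel in files}
            for asset, files in ASSET_CONFIGS.items()}

def verify(root, baseline, audit_log):
    """Compare files with the baseline, log each finding (traceability), return them."""
    findings = []
    for asset, files in baseline.items():
        for rel, expected in files.items():
            path = os.path.join(root, rel)
            if not os.path.exists(path):
                findings.append((asset, rel, "missing"))    # loss of availability
            elif sha256_of(path) != expected:
                findings.append((asset, rel, "modified"))   # loss of integrity
    with open(audit_log, "a") as log:
        for asset, rel, what in findings:
            log.write(f"{time.time():.0f} {asset} {rel} {what}\n")
    return sorted(findings)

def demo():
    """Constructed scenario: baseline, then one unauthorized edit and one deletion."""
    root = tempfile.mkdtemp()
    for rel in sum(ASSET_CONFIGS.values(), []):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write("poll_interval=2\n")
    base = build_baseline(root)
    with open(os.path.join(root, "rtu/points.cfg"), "a") as f:
        f.write("line_115kV_breaker=open\n")      # tampered RTU point map
    os.remove(os.path.join(root, "hmi/screens.cfg"))
    return verify(root, base, os.path.join(root, "audit.log"))
```

In practice the baseline would be stored off the monitored host and re-verified on a schedule, with the audit log shipped to the security monitoring platform.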

Those risks pose two great impacts for SCADA systems: lack of availability, causing the SCADA system to stop monitoring, and unauthorized remote control. The latter is the biggest threat, as it is the door to performing cyberterrorism with the following impacts:

  • Massive blackouts: If the SCADA system tells the generator to increase the electricity on the line beyond the supported limit, all protections will be triggered and the whole electrical system might be turned off.
  • Damage to power generators: In hydro power plants, the rotor speed could exceed what is supported, which could cause an explosion in the generator, damaging the pipes and causing a large dam leakage. In addition, new generators would have to be installed, and this could mean energy rationing for the whole country or for specific sectors. In nuclear plants, disasters like Chernobyl could easily happen.
  • Massive damage to electrical devices: If the distribution lines are overloaded, protections might not be triggered and everything receiving electricity from that distribution line might be damaged.
  • Substation transformer explosions: If the transformer ratio is modified several times within a short time period, the transformer will explode as it fills with gas that expands, causing physical damage to the buildings and houses surrounding the substation.
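Each of the four impacts above starts with a control command that the field equipment should never have accepted, so one mitigation is an independent plausibility check between the MTU and the RTU that rejects commands outside rated limits and repeated ratio changes in a short window. The following is an added example written for this diary, not code from the author or any SCADA product; the limit values, window size and command format are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed engineering limits for a hypothetical substation; the numbers are
# illustrative only and are not taken from any real plant or from the diary.
LIMITS = {
    "gen_mw": 300.0,          # output the 115 kV transmission line can carry
    "turbine_rpm": 3600.0,    # rated turbine speed
    "dist_line_amps": 800.0,  # 13.2 kV distribution line rating
}
TAP_WINDOW_S = 600   # look-back window for transformer ratio changes
TAP_MAX = 3          # ratio changes allowed inside that window

@dataclass
class CommandGuard:
    """Independent plausibility check applied to each control command before
    it is forwarded to the RTU; it does not trust the MTU's own limits."""
    tap_changes: deque = field(default_factory=deque)

    def check(self, cmd, now):
        """Return (accepted, reason) for a command dict {'kind': ..., 'value': ...}."""
        kind, value = cmd["kind"], cmd["value"]
        if kind in LIMITS:
            if value > LIMITS[kind]:
                return False, f"{kind}={value} exceeds rated {LIMITS[kind]}"
            return True, "within rating"
        if kind == "transformer_ratio":
            # drop change timestamps that fell out of the window
            while self.tap_changes and now - self.tap_changes[0] > TAP_WINDOW_S:
                self.tap_changes.popleft()
            if len(self.tap_changes) >= TAP_MAX:
                return False, f"{TAP_MAX} ratio changes already in last {TAP_WINDOW_S}s"
            self.tap_changes.append(now)
            return True, "ratio change accepted"
        return False, f"unknown command kind {kind!r}"

def run_demo():
    """Constructed command sequence covering the four impact scenarios above."""
    guard = CommandGuard()
    commands = [
        ({"kind": "gen_mw", "value": 250.0}, 0),
        ({"kind": "gen_mw", "value": 350.0}, 1),          # would overload the line
        ({"kind": "turbine_rpm", "value": 4000.0}, 2),    # rotor overspeed
        ({"kind": "dist_line_amps", "value": 900.0}, 3),  # distribution overload
    ]
    # four ratio changes 30 s apart: the fourth exceeds TAP_MAX in the window
    commands += [({"kind": "transformer_ratio", "value": 1.0 + i / 100}, 10 + 30 * i)
                 for i in range(4)]
    return [guard.check(c, t)[0] for c, t in commands]
```

A rejected command is also a detection signal: every False result should be alarmed to the operator through the DAS, since a legitimate operator rarely issues commands outside engineering limits.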

Incident response capabilities need to be greatly improved in these environments, as the consequences might be catastrophic if there is not enough monitoring for attacks. Keep in mind that attacks on SCADA systems do not follow the same patterns or targets as in normal corporate environments, since they have different vulnerabilities and attack vectors. In my SANSFIRE 2013 presentation I will discuss hydro power plant SCADA vulnerabilities that might trigger cyberterrorism impacts, some tools to check for them and some proposed architectures to avoid those risks. You are also still in time to attend the SANS SCADA Summit, which will have very interesting talks on how to protect SCADA environments. I will be on the last panel and will be happy to see you there if you are attending.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org 


Comments

FYI, NERC CIP-002-3 is the present standard in force in the US (not sure about Canada or Mexico). CIP-002-3 doesn't end until CIP-002-4 begins April 1, 2014.
On a related note, what could happen when smart meters are installed nation-wide and then vulnerabilities in the implementation of those meters are found? Please see professor Ross Anderson's paper "Who controls the off switch" on this: http://www.lightbluetouchpaper.org/2010/07/26/who-controls-the-off-switch/
This article also feeds back to the JAVA issue and earlier versions of serial interface and web interface, IE 6 and <. I've worked around SCADA for 10 years (San Onofre, BP and many water districts, WW, EB, Schneider Elec) and watched in awe wondering when something was going to go south. Then this happened, by 1 tech.

"The outage extended into southern Orange County, across California's inland deserts, as far east as Yuma and into Mexico. The region is home to 6 million people, though it was impossible to say exactly how many had lost power.

The outage occurred after an electrical worker removed a piece of monitoring equipment at a power substation in southwest Arizona, officials at Phoenix-based Arizona Public Service Co. said.

It was unclear why that mishap, which normally would have been isolated, sparked such a widespread outage. The company said that would be the focus of an investigation.

"This was not a deliberate act. The employee was just switching out a piece of equipment that was problematic," said Daniel Froetscher, an APS vice president.

If these companies would do simple firmware hardening, it would go a long way, but then even new smart meters will gladly give you a dump.

