Staged Hack Causes Generator to Self-Destruct
An anonymous reader writes "It has been revealed that in a U.S. Department of Homeland Security exercise codenamed 'Aurora' conducted in March of this year, researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator. 'Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment. And the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have made the fix. Industry experts also said the experiment shows large electric systems are vulnerable in ways not previously demonstrated.'"
There is a really simple and quick fix for this problem - don't connect the control equipment to a (public) computer network.
What is more interesting than the fact this was possible is the fact that some numbskull thought it might be a good idea to link critical control systems to a public network. I can see that there is scope for remote control, especially with a nuclear plant, but I hardly think sending the data over the Intertubes is the correct way to do it.
I used to have a better sig but it broke.
I'm no computer security expert but I do know of the world's most unhackable firewall -- it's called a one inch air gap. Put that gap between the network cable and the NIC and nobody is gaining access.
Yes, I know power plants will require some net access for web, email, etc. But the office worker network and the command and control computers and network for the generators should have nothing to do with each other! Separate systems, no network connectivity, the plant software should be operating in a vacuum bubble. The rest of the world should not exist for it, no way, no how. Oh, need to install a patch for the software? After being thoroughly tested and vetted on a proofing system, the software is then installed the old-fashioned way, off of CD-ROMs. Now if someone can fuck with the CD-ROMs, THAT I can understand. I can buy the plausibility of the NSA printer hack, even if it was a hoax. (NSA puts a virus on printers heading to Iraq, takes down their network.) The story about the CIA sabotaging software for equipment the Russians were buying to use in their pipelines is true. These are secure systems completely cut off from external contact that were sabotaged by the insertion of compromised components that were not detected. That makes perfect sense.
It always bothers me when I see movies showing hackers getting into some place and gaining access to files on servers that should never have a connection to the outside world. Then again, maybe I'm giving the fictional sysadmins of the target systems too much credit. Who knows, maybe next week we'll read about some Korean hackers who were able to compromise a Minuteman silo and add it to their botnet.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
Well, if there is an established procedure for offsetting timings on any coil (as in chain of command), 'Terry' should call your supervisor, not you, and then when you (the technician) say it is dangerous, there should be a call back to 'Terry' and his supervisor.
Working in dangerous or otherwise critical environments is all about having established procedures mimicking the way public key infrastructures work. Both public (technicians calling each other) and private (supervisors calling each other) keys (commands) should match and be verified on both sides before anything is executed.
Custom electronics and digital signage for your business: www.evcircuits.com
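The two-sided verification the comment above describes (technician channel and supervisor channel both confirming the same command before it is executed) can be made mechanical. The following is an added example, not the poster's code or anything from the Aurora exercise: it uses two independent HMAC keys rather than the public-key analogy in the post, so it runs on the Python standard library alone, and it adds a sequence number so an old approved command cannot be replayed. The key material, command fields and unit names are constructed for illustration.

```python
"""Two-party command authorization (added example).

Assumptions: the technician channel and the supervisor channel each hold
an independent HMAC key, and a control command executes only when both
tags verify over identical command bytes and the sequence number has not
been used before. Keys, fields and the unit name are constructed values.
"""
import hashlib
import hmac
import json

# Constructed keys: in a real deployment each party holds only its own secret.
TECH_KEY = b"technician-channel-key-example"
SUPER_KEY = b"supervisor-channel-key-example"


def canonical(command: dict) -> bytes:
    """Serialize deterministically so both parties tag exactly the same bytes."""
    return json.dumps(command, sort_keys=True, separators=(",", ":")).encode()


def approve(command: dict, key: bytes) -> str:
    """One party's approval: an HMAC-SHA256 tag over the canonical command."""
    return hmac.new(key, canonical(command), hashlib.sha256).hexdigest()


def authorize(command: dict, tech_tag: str, super_tag: str, seen_seqs: set) -> bool:
    """Execute-gate: replay check, then both independent approvals must verify.

    Returns True only if the command may be executed; the caller should refuse
    to touch the equipment on False regardless of which check failed.
    """
    seq = command.get("seq")
    if seq is None or seq in seen_seqs:
        return False  # missing or reused sequence number: possible replay
    msg = canonical(command)
    tech_ok = hmac.compare_digest(
        hmac.new(TECH_KEY, msg, hashlib.sha256).hexdigest(), tech_tag)
    super_ok = hmac.compare_digest(
        hmac.new(SUPER_KEY, msg, hashlib.sha256).hexdigest(), super_tag)
    if tech_ok and super_ok:
        seen_seqs.add(seq)
        return True
    return False


def demo() -> dict:
    """Run the four cases a practitioner would want to see and return the outcomes."""
    # Constructed command: a timing offset on a hypothetical unit "G1".
    cmd = {"seq": 17, "unit": "G1", "action": "offset_coil_timing_ms", "value": 35}
    t = approve(cmd, TECH_KEY)
    s = approve(cmd, SUPER_KEY)
    seen = set()
    results = {}
    results["both_approve"] = authorize(cmd, t, s, seen)          # True
    results["replay"] = authorize(cmd, t, s, seen)                # False: seq 17 reused
    results["only_technician"] = authorize(cmd, t, "00" * 32, set())  # False: no supervisor
    # Supervisor approved value 35; someone tries to execute value 5 with the same tags.
    results["mismatched_command"] = authorize({**cmd, "value": 5}, t, s, set())  # False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'EXECUTE' if ok else 'REFUSE'}")
```

The point of tagging the canonical bytes rather than a free-text description is the mismatched case: if the supervisor was told one value and the technician another, the two tags never verify over the same message, so the check fails closed without either party having to notice the discrepancy themselves.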
It is possible. First, control systems are connected to a public network because the way electricity is traded among generators, transmission owners, and other members of the electric power community. They use the Internet as the common communications infrastructure for the business side, which gives orders to the production side (the generators). This is the way of the unregulated market, and it's starting to be run a lot like other industries. Because the production side is run by the business side, the connections between the two are inevitable, due to various benefits (lowered costs due to increased process intelligence, proactive maintenance, and a host of others).
Second, quick patching on control systems is a no-no. These systems run 24x7, and are running highly customized and tested software. If a patch exists, it likely isn't under warranty from the vendor. This means that if a patch is applied, the vendor is well within their rights not to support the system anymore. Also, these systems typically can't just be rebooted, they are running real-time calculation and monitoring to ensure the process variables stay within controlled range. Shutting them down is often tantamount to shutting down the plant, which costs a metric f%&k-ton of money if it stays down.
Parent comment is not insightful, and certainly not intelligent, how about some corrective action Mods? Read the Blackout Report, it has perhaps the best explanation of how the power system functions from top to bottom.
~Sticky
At least here in the UK, Telemetry and control signals are carried over the National Grid itself, nowadays using an optic fibre that runs alongside the earth wire. Case Study.
I see no reason why all telemetry and control signals should not be carried in narrow- or broadband communications along the power infrastructure itself, and then restricted to a physically separate infrastructure when being processed. Data links to business systems can be provided using a one-way connection (Serial or optical). If you then want to have a real-time billing system, you can join all the business networks up, either along the same fibre-way (atop the pylons), or through the olde-fashioned interweb.
For telemetry, TCP/IP may often be your worst choice, since it has a high latency. If you want to protect your infrastructure from lightning strikes, you need to respond at the speed of light. Literally. Other control signals (demand etc.), may be able to wait a second or two, but you can't afford to risk the kind of packet loss you may receive if the telco or ISP is having a bad day. So all the control stuff will need to be on multiple route redundant circuits anyway. Note I said circuits - you have to have whole circuits to yourself.
TCP/IP may have been well designed for critical communications networks. But it sure as hell ain't designed for critical real-time communications. Ergo you have to have a dedicated infrastructure, so there is no excuse for having any connection, even firewalled from t'internet to the power station control systems.
If you really must share infrastructure, then for pete's sake, use the time-honoured TDM.
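The one-way data link to the business systems that the post above proposes (serial or optical, with no path back) has a consequence worth seeing in code: the receiver can never ACK or ask for a retransmission, so the framing itself has to let it detect loss, duplicates and tampering. This is an added example, not the poster's code or any real utility's protocol: a simple framing with a sequence number and an HMAC-SHA256 tag, a sender that transmits every frame twice in lieu of retransmission, and a receiver that reports gaps instead of requesting resends. The link key, the "G1" readings and the simulated loss are constructed for illustration.

```python
"""One-way telemetry link framing (added example).

Assumption: frames travel control-side -> business-side over a physically
one-way link (a serial or optical data diode), so there is no return path.
Frame layout: MAGIC(4) | seq(4, big-endian) | len(2) | payload | HMAC-SHA256(32).
The tag covers the header too, so a modified sequence number is also rejected.
Key, readings and loss pattern are constructed values.
"""
import hashlib
import hmac
import struct

LINK_KEY = b"constructed-link-key"   # shared by sender and receiver only
MAGIC = b"TLM1"
HEADER = struct.Struct(">IH")        # seq, payload length
TAG_LEN = 32


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Build one frame and append its authentication tag."""
    body = MAGIC + HEADER.pack(seq, len(payload)) + payload
    return body + hmac.new(LINK_KEY, body, hashlib.sha256).digest()


def send(seq: int, payload: bytes, copies: int = 2) -> list:
    """Sender side: with no ACKs possible, repetition is the only recovery."""
    return [encode_frame(seq, payload)] * copies


def decode_frame(frame: bytes):
    """Return (seq, payload) or None if the frame is malformed or the tag fails."""
    hdr_len = len(MAGIC) + HEADER.size
    if len(frame) < hdr_len + TAG_LEN or frame[:len(MAGIC)] != MAGIC:
        return None
    seq, length = HEADER.unpack(frame[len(MAGIC):hdr_len])
    if len(frame) != hdr_len + length + TAG_LEN:
        return None
    body, tag = frame[:hdr_len + length], frame[hdr_len + length:]
    if not hmac.compare_digest(hmac.new(LINK_KEY, body, hashlib.sha256).digest(), tag):
        return None
    return seq, frame[hdr_len:hdr_len + length]


class Receiver:
    """Business-side receiver: accepts in order, records gaps, drops repeats."""

    def __init__(self):
        self.expected = 0      # next sequence number we hope to see
        self.readings = []     # accepted payloads, in order
        self.gaps = []         # (first_missing, last_missing) ranges
        self.duplicates = 0    # redundant copies dropped
        self.rejected = 0      # bad tag or malformed frame

    def feed(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.rejected += 1
            return
        seq, payload = decoded
        if seq < self.expected:
            self.duplicates += 1        # second copy, or a replayed old frame
            return
        if seq > self.expected:
            self.gaps.append((self.expected, seq - 1))  # loss we cannot recover
        self.expected = seq + 1
        self.readings.append(payload.decode())


def demo() -> Receiver:
    """Simulate loss and tampering on the wire and return the receiver state."""
    frames = [encode_frame(i, f"G1 MW={500 + i}".encode()) for i in range(5)]
    # Constructed wire: every frame sent twice; the first copy of seq 1 and
    # both copies of seq 2 are lost in transit.
    wire = [frames[0], frames[0], frames[1], frames[3], frames[3], frames[4], frames[4]]
    tampered = bytearray(frames[4])
    tampered[12] ^= 0x01            # flip one payload byte after the 10-byte header
    wire.append(bytes(tampered))
    rx = Receiver()
    for f in wire:
        rx.feed(f)
    return rx


if __name__ == "__main__":
    rx = demo()
    print("readings:", rx.readings)
    print("gaps:", rx.gaps, "duplicates:", rx.duplicates, "rejected:", rx.rejected)
```

Two things the post's argument implies fall out of this directly: the gap for seq 2 is logged, not recovered, because nothing can cross the link backwards, and the repeated copy of seq 1 is what saved that reading, which is the price of doing without TCP's retransmission on a one-way circuit.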
Not just ignorant of how a modern reactor works. The only reactor where this would even begin to cause a real issue is the specific Soviet design used in Chernobyl. After that debacle, everyone who had one of that particular type started dismantling them. At this point, I highly doubt there's a nuclear reactor in existence where the GP's post would make any sense. In fact, it would have been a rarity in the 1960s to find a reactor where that makes sense.