Highlights
– US Government Accountability Office report documents vulnerabilities in the Tennessee Valley Authority’s computer network
– Hackers have attacked power plants in foreign cities
– Vulnerabilities have been discovered across the US power grid
On Wednesday, May 21, 2008, the United States Government Accountability Office (GAO) released a report entitled “TVA Needs to Address Weaknesses in Control Systems and Networks,” which concluded that the Tennessee Valley Authority (TVA) is vulnerable to cyber attacks.
Specifically, the GAO found that the TVA’s “corporate network infrastructure and control systems networks and devices were vulnerable to disruption.” Moreover, the TVA’s “corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks.”
The Pros and Cons of SCADA
The control system network is home to the supervisory control and data acquisition (SCADA) systems that control the power generation and distribution process. Power utilities have deployed SCADA systems in an effort to lower total cost of ownership as these systems allow employees to remotely administer power generation and distribution equipment.
However, if the control system network is connected to a power utility’s corporate network, as is the case with TVA, then it is also possible for unauthorized hackers to manipulate SCADA devices and potentially disrupt the power generation and distribution process.
Previous Attacks and Other Examples of Vulnerabilities
Previous examples demonstrate the potential danger of the interconnection between a power company’s corporate network and its control systems network. For example, a June 20, 2003, report from the North American Electric Reliability Corporation (NERC) details how the Slammer worm, self-propagating malware designed to exploit vulnerabilities in Microsoft SQL Server, traversed the Internet and disrupted the internal systems of the Davis-Besse nuclear power plant in Ohio. According to the NERC, “The worm … apparently [migrated] through the corporate networks until it finally reached the critical SCADA network via a remote computer through a VPN connection.” This single, and likely undocumented, VPN connection collapsed the cyber security architecture of the Davis-Besse nuclear power plant and effectively allowed an external attacker to access the plant’s internal control network.
Additionally, in January 2008 the Central Intelligence Agency (CIA) announced that hackers had disrupted power generation in several foreign cities. Specifically, a senior CIA analyst stated, “we have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands.” The analyst continued, “In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions were through the Internet.” While it is unclear exactly how the hackers in this case executed their attack, these blackouts illustrate the potential damage that could result from similar attacks against power plants in the US.
Finally, a March 2007 test by the Department of Homeland Security (DHS) dubbed the “Aurora Generator Test” revealed that large power generators used to supply electrical power to cities could be remotely attacked and disabled by knowledgeable hackers.
Conclusions
These previous examples demonstrate the risk to our nation’s power grid and, when taken together, illustrate that it is possible for an attacker to disrupt power generation and distribution to large portions of the country. While the recent GAO report only addressed vulnerabilities found in the TVA, it is likely that other public utilities also suffer from the same weaknesses.