It’s Even Easier Than We Feared to Blind Utility Substations

on October 23, 2013 at 4:30 PM

Quick Take: Do you remember the stories that used to circulate about building a nuclear bomb from instructions on the Internet? I’m starting to feel that terrorists could bring down the grid by reading stories on the Internet. Every week we get details about another vulnerability.

Here’s the latest gambit receiving widespread attention. My advice is to make sure that your security team is aware of it and taking steps to close the gap.

By Jesse Berst

Engineers Adam Crain and Chris Sistrunk recently discovered a major grid vulnerability. Attackers could easily cause a widespread power outage by exploiting a flaw in the SCADA systems utilities use to monitor substations.

The pair eventually managed to break systems from 16 different SCADA vendors using the DNP3 communications protocol. At this point, according to an article in Daily Kos, they notified the U.S. Department of Homeland Security… which didn’t bother to issue a formal alert until four months later.

“We haven’t found anything we haven’t broken yet,” Mr. Crain said in an interview. At minimum, the two discovered that they could freeze, or crash, the software that monitors a substation, thereby blinding control center operators from the power grid. Mr. Crain likened that capability to “a bank robber being in a bank vault with the camera frozen.”

What’s worse, there’s no easy way to stop this threat. For one thing, serial communications such as DNP3 are not covered under current cybersecurity regulations, meaning there’s no way to force utilities to take steps. For another, traditional firewalls and perimeter security devices can’t prevent this particular kind of threat.

Jesse Berst is the founder and Chief Analyst of SGN and Chairman of the Smart Cities Council, an industry coalition.