Friday, 27 January 2017

In 2015, Russia hacked the Ukraine power grid. How big is the risk here? (Part 2 of 3)

If you've read part 1, hopefully I've convinced you that we do face a genuine risk.

But suppose someone set out to attack us.  How damaging could an attack really be?

Let's imagine that an attacker invests the needed resources (and let's not fool ourselves: the country that attacked Ukraine must have been Russia, but Russia isn't the only country able to prepare and carry off such exploits: at a minimum, China can too, and North Korea may have found ways to hire the needed expertise on the black market.  So there are at least three possible nation-state actors to consider.  Beyond that, there is probably at least one and perhaps more than one free-lance group out there with very high skill sets, working for organized criminals who use their skills for theft, blackmail and so forth.  And then there are friendly countries with deep hacking skills, like the UK, the rest of Europe, Israel.  So there are a bunch of potential bad actors.

For the sake of argument, let's not rehash part 1: assume that some bad actor has already done his homework.  So Russia, or China, or whatever has penetrated, perhaps, a handful of US RTO and ISO organizations.  How much harm would they be able to do, if they were inclined to attack

With control over a SCADA system, there are a few styles of attack that become feasible.  First and easiest is to just disable the SCADA control system itself.  With modern computers, if you reformat the disks and reflash the PROMs used for booting, you can render the machine pretty much useless, at least without a lot of hassle.    You can also cause some nasty crashes simultaneous with a blackout, and toss in additional barriers to block restarts, even using clean computers:  In Ukraine, the uninterruptible power supplies that were supposed to guarantee power for the grid operations center were hacked too: not only did they not supply clean power, but they were reprogrammed to actually cause power surges rather than to protect against them.  So that's easy.  Given years during which the attack was being planned, you could probably also compromise backup systems and hide some backdoor options, so that even after being discovered, there might be a way back in.

This alone is probably enough to cause a week or two of total chaos, similar to what Ukraine experienced right after the attack.  They ended up cobbling together a power grid and running it with purely human operations for a while.

But in fact you could do far more. 

Having broken in, you don't necessarily have to start by destroying the SCADA system.  Another option is to subvert the SCADA system to attack some of the technology components used in the grid itself.  A power grid has all sorts of elements: switching stations of the kind usually stuck in obscure locations out in the woods, dams and coal burning generators and nuclear reactors, wind farms, etc.  Some of these could be damaged by power surges, and others would probably be vulnerable to bizarre and incorrect control commands.  In fact, one thing you could take advantage of is that because SCADA systems are presumed to be secure, they usually have special direct ways to communicate into the control centers that operate such components.  

So you could explore ways of logging into the control center for a nuclear reactor and messing with its protections against core meltdown, or maybe look into the possibility of opening drainage in a series of dams in succession to generate a massive downstream flood.  Perhaps you could trick wind turbines into tearing themselves apart by deliberately configuring the wind-vanes to put them under as much stress as possible.  

Now we have to start to imagine an attack that could destabilize nuclear plants, flood entire cities, and leave wind farms in shreds: attacks with very real physical consequences!  And that kind of damage could take months to repair, or even years.

Of course, such attacks wouldn't be so easy to prepare: installing and debugging the exploit becomes the hardest step.  No way that you could do this to 10 RTO/ISO control systems simultaneously, and to their associated TOs, and to a large number of nuclear plants and dams and wind farms.  And keep in mind: a nuclear plant control room may accept requests (to increase or cut power production) from the local RTO, but this isn't the same, at all, as being wide-open to massive intrusion through the connection used to send those commands.  By and large, you'll be blocked at every step by firewalls, multi-factor authentication requirements, monitoring systems of varying levels of sophistication, you name it.  Try to deploy an intrusion capable of doing damage at the scale of the whole US and you'll be detected long before you can launch the attack.

But maybe you could set a smaller goal and succeed.

With years to prepare, and unlimited national backing, my guess is that a really professional team would overcome the barriers at least in some settings.  In Ukraine, an attack focused mostly on SCADA compromise was already enough wreak utter havoc: their system was down for weeks.  One might assume that in the US the impact would be more limited and shorter, but my guess is exactly the converse: I think that a cleverly planned exploit could be far more harmful here, even if pretty narrow in scope, simply because we depend so strongly on electrically powered technologies. Moreover, you could take advantage of our tendency to panic: in the US, we tend to overreact in extreme ways to certain types of fears.

For example, suppose that one icy cold winter morning we awoke with the power out for the northern 20% of the US: just a mundane blackout, but even so, lots of houses would suddenly feel very cold.  Worse, suppose that as the government was taking stock of the situation, several large hydroelectric generators suddenly malfunction in ways that indicated serious damage: perhaps,  two massive transformers took irreparable hits and will take a year or more to replace.  And then suddenly in comes a report that a nuclear reactor control system may have been compromised too: a particular reactor shut down into a fail-safe mode, and every nuclear reactor from that same vendor in the whole  US has been taken offline too, as a precautionary measure, expanding our regional problem into a massive nation-wide power shortage.  And just to enliven things, perhaps a few other mishaps occur at the same time: A jet landing at JFK collided with a plane on the runway, killing 500 passengers.  Two more near-miss events of the same kind have been reported at Denver and Atlanta airports, and nationwide air traffic control is also shutting down.  A train carrying toxic chemicals has derailed in downtown Atlanta.  A huge explosion has been reported in the new Keystone oil pipeline, and it has shut down.  Things like that.

Well, we know what would very likely happen next.

But let's not even go there.  Instead, in part 3, I'll offer some thoughts on how to make things better.

No comments:

Post a Comment