By BOB KEEFE
The Atlanta Journal-Constitution
Published on: 10/01/06
In June 1982, in a remote patch of Russian wilderness, a huge explosion
ripped apart a trans-Siberian pipeline.
It wasn't a bomb that destroyed the natural gas pipeline and sent shock
waves through the economy of what was then the Soviet Union. Instead, it
was a software virus created by the CIA, according to a book by Thomas
Reed, a former U.S. Air Force secretary and National Security Council
The virus took over the computers controlling valves and pumps,
increasing the pressure until the pipeline was ripped apart by a blast
equal to 3,000 tons of TNT.
The secret attack was one of the first known hacker strikes on a
Supervisory Control and Data Acquisition, or SCADA, network. Computer
security experts say it won't be the last.
Across America and around the world, SCADA networks control nuclear
power stations, water and gas lines, chemical plants and other critical
infrastructure. Many of them could be just as vulnerable today to
attacks from computer hackers -- or terrorists -- as the Soviet system was
nearly 25 years ago.
Or even more vulnerable. That's because in today's Internet age,
machines and computers are increasingly connected haphazardly to the
Web, whether their owners realize it or not. In addition, there has been
rapid growth in easy-to-access wireless networks and the use of
off-the-shelf software from Microsoft Corp. and others.
Hence the fear that five years after the Sept. 11 attacks, SCADA
networks could become "the new airplanes," said Alan Paller, director of
research for the SANS Institute, a computer security research and

Air of complacency

We all depend on SCADA networks, whether we know it or not.
SCADA computers monitor and control the flow of electricity across the
nation's power grids. They turn pump switches on and off to make oil and
gas and water pipelines flow. They make sure robots and mixing machines
and other factory equipment do what they are supposed to do.
Although the networks are so critical, SCADA security is often an
afterthought for corporate cyber-security departments. That's because --
so far -- SCADA networks haven't attracted computer hackers like
financially oriented e-mail and online billing systems and corporate Web
"It's kind of like, 'out of sight, out of mind,' " said Brian Davison,
manager of operations engineering for Austin Energy, a municipal
electric company in Texas.
Austin Energy is considered on the forefront of SCADA security. At many
utilities, though, "management has been away from the table," he said.
"They say they haven't seen anything major yet, so it can't be too bad.
But if somebody wanted to do harm to our industry, they could do it."
Government regulators are just beginning to pay more attention to SCADA
Only recently, for instance, did the North American Electric Reliability
Council start working on mandatory rules requiring the electricity
industry to audit and monitor its SCADA networks and take steps that
would be basic for any PC user, like installing software patches in a
Even so, power companies won't have to meet the new rules for several
years. Many in the industry already acknowledge the new rules are so
vague and open to interpretation that they'll be ineffective.
The power industry is considered further along in SCADA security than
other critical industries. Government regulators are at least developing
mandatory SCADA-specific regulations there.
"I don't think that the sky is necessarily falling ... and that the
entire United States could be shut down tomorrow," said Eric Byres, a
longtime SCADA researcher who's now director of industry security at
consulting firm Wurldtech Research.
"But I think we've got ourselves in a real fix," he said. "We're walking
on a tightrope."
In January 2003, the power industry got a wake-up call.
An event in Ohio "illustrated how accessible and vulnerable SCADA
systems are at nuclear power plants," the SANS Institute's Paller told a
House subcommittee last fall.
He testified that a computer worm circulating on the Internet had
infected Microsoft database software used by a contractor at the
Davis-Besse nuclear plant near Toledo, Ohio.
Even though the plant's operator, FirstEnergy Corp., had protected the
plant with a software firewall, the worm used the contractor's network
to bypass it.
"Because of Davis-Besse's widespread use of vulnerable Microsoft
software, the worm jumped to the plant network and crashed the Safety
Parameter Display System, keeping it offline for eight hours," Paller
Another incident, though not hacker-related, shows the potential impact
of SCADA computer problems.
In August 2003, computer glitches in Ohio caused inaccurate readings
along FirstEnergy's power lines. Cascading effects among Northeastern
utilities dealing with the summer heat prompted the shutdown of more
than 500 generating units in the United States and Canada.
The blackout cut power to an estimated 50 million people, shut down
transportation and communication networks, and caused an estimated $6
billion in economic damage.
"The longer we wait, it's inevitable [that] somebody decides to turn off
a major U.S. city," said Rob Ciampa, vice president of marketing and
business strategy for Atlanta-based computer security company Trusted
Network Technologies Inc.
Utility industry officials sometimes accuse consultants like Ciampa of
scare tactics. Companies like his, after all, make a living selling
But the danger is real.
According to government officials, the U.S. military in 2001 found
evidence in Afghanistan that al-Qaida terrorists were researching SCADA
systems and cyber-terrorism.
Paller and other computer security experts say the risk is relatively
small that terrorists will attack a SCADA network, because the effects
would not be as destructive as those from a car bomb or airplane
"Can they hack any system? The answer is yes," said Pete Allor, a former
U.S. Army security officer who now is director of intelligence at
Atlanta-based Internet Security Systems Inc. "The problem is making
The bigger threat, Allor and others said, is from hackers trying to
extort money from a company or from disgruntled employees trying to

Incident in Australia

That was the case in Australia in April 2000. Vitek Boden, a former
contractor, took control of the SCADA system controlling the sewage and
water treatment system at Queensland's Maroochy Shire. Using a wireless
connection and a stolen computer, Boden released millions of gallons of
raw sewage and sludge into creeks, parks and a nearby hotel. He later
went to jail for two years.
Not surprisingly, U.S. companies are hesitant to talk about the security
of their SCADA networks for fear they may give clues to hackers. But
security consultants say problems with them are widespread.
Allor's company, for instance, regularly does audits of SCADA systems at
major installations such as power plants, oil refineries and water
Almost invariably, Allor said, the companies claim their SCADA systems
are secure and not connected to the Internet. And almost invariably, he
said, ISS consultants find a wireless connection that company officials
didn't know about or other open doors for hackers.
Realizing the growing threat, the federal government two years ago
directed its Idaho National Laboratory to focus on SCADA security. The
lab created the nation's first "test bed" for SCADA networks and began
offering voluntary audits for companies.
Officials at the Idaho lab declined to reveal details about the audits,
citing security concerns. But Rita Wells, who manages the program,
called the companies' approaches to SCADA security "a mixed bag."
"We've gone into some entities and we've seen things so tight that we
were awestruck," she said. "But we've also gone into other places where
they were wide open."
As the former head of information security for Columbus, Ohio-based
American Electric Power, Mike Assante has firsthand experience with
While he was at AEP, Assante said he never experienced an attack on his
company's SCADA network. But that doesn't mean hackers weren't
Almost daily, Assante said, the company noticed mysterious outside scans
and probes of its computers. Often, he said, they could be traced to
computers in Russia and China, two international hacker hotbeds.
"It was so [frequent] that I never really slept very well," said
Assante, who now helps direct SCADA strategy at the Idaho National
The electricity industry's computers are considered among the most
vulnerable of any SCADA networks. In part, that's because many electric
grids operate on equipment that is decades old, pieced together from
municipality to municipality and state to state.
Generally, the power grids were designed with reliability in mind.
Cyber-security was an afterthought at best.
"With the technology in use today, totally avoiding touches with the
outside world or with the wireless world is very difficult," said Billy
Ball, senior vice president for transmission planning and operations for
Southern Co., the giant Atlanta-based electricity company. At Southern,
between 50 and 70 employees now work solely on SCADA security and
implementing the forthcoming federal regulations.

135 incidents in 4 1/2 years

In a survey of utility industry officials last year by Trusted Network
Technologies, about 20 percent of respondents said their SCADA systems
had already been subjected to outside threats. About 30 percent said
they expected a utility SCADA network would be attacked soon.
A more comprehensive study, managed by the British Columbia Institute of
Technology, shows that major companies in the United States and four
other nations have recorded about 135 SCADA security incidents over the
past 4 1/2 years.
Byres of Wurldtech Research said the numbers could soon rise.
"We're seeing an interest in the black hat [hacker] community that we
never, ever saw before," he said. "All of the sudden we have people with
malicious intent learning and understanding what a SCADA system is."