Just in time for the premiere of a National Geographic movie that portrays what might happen to the U.S. in the event of a wide-scale cyberattack on the power grid, researchers are spreading the word about potentially devastating vulnerabilities in a communications protocol widely used in U.S. electric, water and other critical infrastructure. These vulnerabilities could in theory disable the control servers for major portions of the electric grid, leaving utility operators with little or no visibility into power delivery and, in the worst case, letting attackers control the grid.
The vulnerabilities identified by researchers Chris Sistrunk and Adam Crain stem from implementations of an industrial control system protocol called DNP3 (Distributed Network Protocol), which lets SCADA (supervisory control and data acquisition) masters in control centers exchange polls and responses with remote units, such as the substations through which electric power flows. An attacker who gains access to a remote unit, either physically by breaking into the site or, less often, remotely over its wireless link, can exploit buggy DNP3 implementations by sending malformed data or messages back to the utility's control servers, potentially crippling the utility's view of, and control over, its network.
"You get one bad packet and you can't talk to a hundred things," said Crain, who is a software researcher and founder of the consulting firm Automatak. "You can't see what's going on, you can't do anything."
Crain concedes that most of the attacks enabled by the vulnerabilities he and Sistrunk have identified are unlikely to give attackers actual control of the networks; instead they eliminate the control center's visibility into the network. "The majority of them [are likely] to be DoS [denial of service attacks]," he said. "Honestly right now I think the risk [of attackers taking control of power networks] is pretty low but the bar is constantly dropping so people are taking more and more interest in this stuff."
However, he warns, "if you can get into the control center of a major investor owned utility, all bets are off. Some of them serve multiple states" and all an attacker has to do is exploit the vulnerabilities of a few major utilities to attack the bulk of the American electric grid.
Neither Crain nor Sistrunk, who is a utility telecommunications engineer, is a cybersecurity specialist. Crain discovered the vulnerabilities by serendipity last April while testing an open source DNP3 implementation he had written.
The researchers alerted DHS and the various industrial control security information sharing bodies about the vulnerabilities and have started a project called Robus to keep track of these and other potential areas of exploit. The problem is not the protocol itself, whose specification can be purchased from the standards body over the Internet for $500, Crain said.
The vendor implementations of DNP3 create the vulnerabilities. "In theory there is nothing wrong with the protocol. There are just bugs in what vendors have implemented."
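The "one bad packet" failure mode described above comes down to how the receiving implementation validates each link-layer frame before acting on it. As an added illustration (not code from the page, from the researchers, or from any vendor product), the Python below builds and validates DNP3 link frames the way a defensive master-side parser should: it checks the start bytes, checks the length byte against the bytes actually received, verifies the CRC-16/DNP over the header and over each 16-byte data block, and on any failure drops the frame and resynchronises instead of aborting the channel. The frame layout and CRC parameters follow the published DNP3 link layer; the sample frames, the outstation addresses and the forge_length helper are constructed for this example and do not correspond to any reported vulnerability.

```python
"""Defensive DNP3 link-layer frame parsing (illustrative example, not vendor code)."""
import struct

START = b"\x05\x64"          # every DNP3 link frame begins with 0x05 0x64
CRC_POLY_REFLECTED = 0xA6BC  # CRC-16/DNP polynomial 0x3D65, bit-reversed
MIN_LENGTH = 5               # length byte counts control + dest(2) + src(2) + user data
MAX_USER_DATA = 250          # 255 - MIN_LENGTH


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65, reflected in/out, init 0x0000, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """8-byte header (incl. start bytes) + CRC, then 16-byte user-data blocks each + CRC."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data limited to %d bytes per frame" % MAX_USER_DATA)
    header = START + bytes([MIN_LENGTH + len(user_data), control]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def forge_length(frame: bytes, new_length: int) -> bytes:
    """Rewrite the length byte with a valid CRC, as a fuzzer or a compromised outstation could."""
    header = START + bytes([new_length]) + frame[3:8]
    return header + struct.pack("<H", crc_dnp(header)) + frame[10:]


class FrameError(ValueError):
    """Any validation failure: the caller drops the frame and resynchronises."""


def parse_frame(buf: bytes, offset: int = 0):
    """Validate and decode one frame at buf[offset:]; return (fields, bytes consumed)."""
    if len(buf) - offset < 10:
        raise FrameError("truncated header")
    header = buf[offset:offset + 8]
    if header[:2] != START:
        raise FrameError("bad start bytes")
    length = header[2]
    if length < MIN_LENGTH:
        raise FrameError("length %d below minimum %d" % (length, MIN_LENGTH))
    (hdr_crc,) = struct.unpack_from("<H", buf, offset + 8)
    if crc_dnp(header) != hdr_crc:
        raise FrameError("header CRC mismatch")
    user_len = length - MIN_LENGTH
    total = 10 + user_len + 2 * ((user_len + 15) // 16)
    # Never index the buffer by the length byte alone: check it against what was received.
    if len(buf) - offset < total:
        raise FrameError("length byte %d claims %d bytes, only %d present"
                         % (length, total, len(buf) - offset))
    dest, src = struct.unpack_from("<HH", header, 4)
    data, pos = bytearray(), offset + 10
    while len(data) < user_len:
        n = min(16, user_len - len(data))
        block = buf[pos:pos + n]
        (blk_crc,) = struct.unpack_from("<H", buf, pos + n)
        if crc_dnp(block) != blk_crc:
            raise FrameError("data block CRC mismatch at offset %d" % pos)
        data += block
        pos += n + 2
    return {"control": header[3], "dest": dest, "src": src, "data": bytes(data)}, total


def extract_frames(stream: bytes):
    """Pull every valid frame out of a byte stream, logging and skipping malformed ones.

    The stream is treated as complete; a live channel would wait for more bytes
    before declaring a frame truncated.
    """
    frames, errors, i = [], [], 0
    while (idx := stream.find(START, i)) >= 0:
        try:
            fields, used = parse_frame(stream, idx)
            frames.append(fields)
            i = idx + used
        except FrameError as exc:
            errors.append((idx, str(exc)))
            i = idx + 1  # resync just past the bad start marker; the channel stays up
    return frames, errors


if __name__ == "__main__":
    # Constructed traffic: outstations 10 and 11 reporting to master 1;
    # control 0x44 = outstation-initiated, unconfirmed user data.
    good_a = build_frame(0x44, 1, 10, bytes([0xC0, 0xC1, 0x01]))
    good_b = build_frame(0x44, 1, 11, bytes(range(20)))
    oversize = forge_length(good_a, 0xFF)   # length byte lies, header CRC still valid
    corrupted = bytearray(good_b)
    corrupted[10] ^= 0xFF                   # one flipped byte in the first data block
    stream = b"\xff\x00" + oversize + bytes(corrupted) + good_a + good_b
    frames, errors = extract_frames(stream)
    for f in frames:
        print("frame from outstation %d: %s" % (f["src"], f["data"].hex()))
    for off, why in errors:
        print("dropped frame at offset %d: %s" % (off, why))
```

Running the file feeds the parser a constructed stream containing two junk bytes, a frame whose length byte claims 255 bytes of payload behind a valid header CRC, a frame with one flipped data byte, and two valid frames; the two valid frames from outstations 10 and 11 are recovered and the two bad ones are logged and skipped. A receiver that instead sized a buffer or indexed into it from the length byte alone, or that tore down the whole serial channel on the first CRC failure, is the kind of implementation defect that turns one bad packet from one remote unit into loss of visibility across every unit sharing that channel.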
As of today, Robus notes that only nine of the 25 vulnerabilities discovered so far have been patched by the vendors. The count was originally sixteen, and more vulnerabilities are probably still to be uncovered.
Crain and others don't believe critical infrastructure providers, particularly utilities, will move quickly to close these security holes until regulators press them to do so. Ironically, the main cybersecurity quasi-regulatory authority in the electric utility industry, NERC (North American Electric Reliability Corporation), which publishes a series of critical infrastructure protection (CIP) cybersecurity standards that utilities must follow, specifically excludes non-routable serial communications, the very links over which DNP3 is commonly carried, from its requirements. "Until someone tells them, someone like NERC steps up, I don't expect large industrial owned utilities to react," Crain said.
In the meantime, the number of remote units potentially vulnerable to this kind of attack could be staggering, although no precise numbers are available. Based on research I conducted in 2009 for a different purpose, there are an estimated 74,120 substations in the U.S., if the sample in my study, which represented utilities serving around a quarter of all U.S. electricity customers, is representative.
Of these substations, around 51% were connected by some form of communications, a ratio likely to be far higher today. But even assuming 51% connectivity, that's still around 37,800 potential entry points. No data exists on how many of these substations use DNP3, although one utility security expert suggested that the latest numbers he saw put the figure at 30%.
If that's a good number (and it's probably low, because utilities tend to keep the older serial communications technologies over which DNP3 is typically carried, such as dial-up modems, microwave or 900 MHz radio), that's 11,340 power grid substations through which attacks can be launched.
Moreover, as the same utility security expert noted, there could be potentially thousands more remote units that aren't substations, such as devices atop poles, that use vulnerable DNP3 implementations. On top of everything, water systems, oil and gas pipelines use the same implementations and aren't counted in this number.
All it takes is one vulnerable point in a utility's network to send bad data back to the control system, and few utilities have robust physical protection of their substations or other remote units. As one expert noted, unless the unit is a manned facility (a generation or inspection station) or has been designated a critical asset under NERC's rules, its only security is probably an easily climbed chain-link fence or an easily picked lock on an equipment cabinet.
Video surveillance of remote sites, if any, is typically limited to the equipment racks and frequently has blind spots. Even the alarm systems on substations are controlled by DNP3-enabled equipment, Crain said, so an attacker who has compromised the link can block the alert to the control facility that a break-in has occurred.