As silence descended on the blacked-out eastern seaboard of the US last week, one sound could clearly be heard. Internet backbone companies were slapping each other on the back. Despite the loss of the most fundamental motor in our civilised society, the Net continued to run perfectly. But now, some are asking whether the Net was the prime source of the problem -- did a computer attack bring down the grid?
It might seem like a conspiracy theory par excellence; an attempt to shift the responsibility for the outage anywhere but the power companies. The search for someone to blame has already pointed the finger at the poor old Canadians (for being connected at the time) and us British (for owning some of the companies concerned): when none of that stuck the old standby of "outdated transmission systems" was rolled out. Such words produce a picture of rusty old pylons and sagging cables: unwelcome, but easy to fix. Now, evidence is gathering that the antiquated systems aren't so much the cables and switchgear but the computerised monitoring, control and alarm systems that string everything together -- and the ordinary computer networks they rely on.
At the heart of power generation and distribution in the US and elsewhere is Scada, the Systems Control And Data Acquisition protocol. You'll be hearing a lot about that in the near future, and it looks at first like a good candidate for the problem. Scada is the glue that links together the hardware of power production -- the turbines, sensors, metering and switching -- with the computers that configure the power network, warn of problems and automatically isolate systems that go wrong in dangerous ways. We know already that this didn't happen: signs of instability went ignored. When lines started to go down because of overload, thus overloading other lines, this information was either not received or not acted on by neighbouring areas.
Scada is, at heart, not a secure system. Surveys of installations have time and again found problems, such as gateways into Scada systems connected to the public telephone system via modems -- with passwords left at the factory default. And the pressure to link Scada systems to others is growing -- like everyone else, Scada implementers are using open standards and designing business systems that are ever more tightly implemented, with the data coming out of the control networks. And these in turn are on the Internet, and vulnerable. Utility engineers and software designers have ignored or downplayed security issues, in a chilling reflection of the attitudes prevalent in companies like Microsoft until recently.
This isn't news. US security service teams have been looking intently at utility infrastructure IT since late 2001, and report that there are many systemic vulnerabilities. This time last year, the Washington Post reported that Ronald Dick, director of the FBI's National Infrastructure Protection Center, told a closed gathering of corporate security executives that "the event I fear most is a physical attack in conjunction with a successful cyber attack on the responders' 911 system or on the power grid."
That would be frightening enough, but the evidence is that the vulnerabilities extend beyond being open to a targeted, industry-specific act of vandalism. The same worms and viruses that cause us all such problems are just as happy breeding inside power station systems, provided they can get in: SecurityFocus News reports that a nuclear power station owned by Ohio company FirstEnergy Corp had its monitoring system disabled for five hours in January by the Slammer worm. It got in through a contractor's network which was directly linked to the power station's systems by a T1 line -- bypassing the firewall. Once inside, it spread from PC to PC and clogged the network, disabling the central monitoring panel and other systems. Backup systems worked, but it took six hours to get the main monitors back online. Fortunately, the power plant was idle (due to a gaping hole in the reactor head, you'll be reassured to hear), but the worm didn't know that.
There's more. Sterling detective work by Heise Security, a German publication, has shown that the Niagara Mohawk power grid -- the one that went down first -- is owned by National Grid USA; itself a major customer of a company called Northern Dynamic. These people specialise in Scada and Windows-based process control over OLE, the Microsoft protocol based on DCOM -- the technology attacked by the Blaster worm. As Heise points out, other customers of Northern Dynamic include many European power companies and the nuclear research organisation CERN.
We know that these systems are vulnerable. We know that the fault which brought darkness to the city of New York and forty million people was in some way linked to control and monitor failures. We know that this past week, we've had a surfeit of worms. Some conspiracy theory.
In the past, I've tried and failed to get information out of the UK government as to which regulator is responsible for the security aspects of our national and local utilities. Like the interstate distribution system in the US, it seems that nobody is in charge: a comforting network of buck-passing is working far better than the real thing. We cannot accept complacent assurances that all is in hand and all is well, not when lights go out across the US and the worms run rampant. The warning lights must go on in Whitehall before they go out across the country.