Hackers Extort Utility Companies

By robert at 9:53 pm on January 19, 2008 | 2 Comments

Tom Donahue, the CIA’s top security analyst, announced this week that attackers hacked into the computer systems of foreign utility companies and held power grids hostage until their demands were met. In one case, they also caused a power outage that affected multiple cities. According to a Forbes.com article, the attacks occurred over the last two years, and an unknown amount of money was extorted.

An article on washingtonpost.com suggests that extortion events like this continue to occur because large corporations such as banks and online gambling sites simply pay the extortionist’s demands to keep their websites up and their names out of the papers. Unfortunately, by caving to an attacker’s demands, the companies set a precedent of payout that will keep attackers coming back for more money as long as they can. It is true that an online gambling site likely makes most of its money by having the site up and accessible to users at all times and by having a good reputation, but letting the attackers go free just perpetuates the problem. Setting a precedent of a very strong response would let attackers know that they aren’t going to get away with anything, and could serve as a strong deterrent against future attacks.

It’s unclear from the articles how serious the threat posed to the United States is, but as a consumer of electricity I would like to know that steps are being taken to keep my coffee maker running. These steps should include more stringent security standards for the technologies used by utility companies for remote access, and the companies themselves should also be sure to provide security training for employees. The security training is only worthwhile if you trust your employees though: at least the Forbes article referenced a source who believed that inside knowledge had been used to hack into the systems. It can easily be inferred from this that some care should be taken to strengthen measures within the system to prevent disgruntled employees from doing damage internally.

In an increasingly wired (wireless?) world, companies can save a lot of man-hours and money by allowing their employees to access resources remotely. However, these resources need to be adequately protected in order to ensure that only authorized personnel can access them, and the remotely reachable systems should ideally be read-only, so that even if a malicious user gained access, they couldn’t make changes that could affect power grids.
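The two properties the paragraph asks for (authenticated access only, and no state-changing operations from a remote session) are easiest to reason about when they are enforced in one place. The following is an added example, not code from the original post or from any real SCADA product: a small authorization gateway in which every command is classified as read-only or control, remote sessions are restricted to the read-only set regardless of the user's role, and every decision is written to an audit trail that a defender can query for refused control attempts. All role names, command names and session fields are hypothetical.

```python
"""Added example (not from the original post): an authorization layer that makes
remote access to a control system authenticated and read-only, with an audit trail.
All names below (origins, commands, users) are hypothetical and constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Command classes. Read-only queries never change plant state; control actions do.
READ_ONLY: Set[str] = {"view_status", "read_alarms", "read_setpoint"}
CONTROL: Set[str] = {"ack_alarm", "write_setpoint", "open_breaker", "close_breaker"}

# Permissions keyed by session origin. A remote session (VPN, on-call laptop) only
# ever gets the read-only set; control actions require a local console session.
PERMITTED: Dict[str, Set[str]] = {
    "remote": set(READ_ONLY),
    "local": READ_ONLY | CONTROL,
}

AuditRecord = Tuple[str, str, str, str]  # (user, origin, command, verdict)


@dataclass
class Session:
    user: str
    origin: str          # "remote" or "local", decided by the network/VPN layer
    authenticated: bool  # result of the authentication step, not of this module


@dataclass
class Gateway:
    """Single choke point between a session and the control system."""
    audit: List[AuditRecord] = field(default_factory=list)

    def authorize(self, session: Session, command: str) -> bool:
        """Return True if `command` may run for `session`. Every decision is logged."""
        if not session.authenticated:
            return self._decide(session, command, "DENY unauthenticated")
        if command not in READ_ONLY and command not in CONTROL:
            return self._decide(session, command, "DENY unknown command")
        if command not in PERMITTED.get(session.origin, set()):
            return self._decide(session, command, "DENY not permitted from this origin")
        return self._decide(session, command, "ALLOW")

    def _decide(self, session: Session, command: str, verdict: str) -> bool:
        self.audit.append((session.user, session.origin, command, verdict))
        return verdict == "ALLOW"

    def denied_remote_control_attempts(self) -> List[AuditRecord]:
        """Audit query: control commands refused from remote sessions.
        A burst of these from one user is worth an alert, since a legitimate
        on-call user has no reason to issue control actions remotely."""
        return [
            rec for rec in self.audit
            if rec[1] == "remote" and rec[2] in CONTROL and rec[3].startswith("DENY")
        ]


def demo() -> List[AuditRecord]:
    """Run a constructed sequence of requests and return the audit trail."""
    gw = Gateway()
    oncall = Session(user="oncall_engineer", origin="remote", authenticated=True)
    operator = Session(user="shift_operator", origin="local", authenticated=True)
    stranger = Session(user="unknown", origin="remote", authenticated=False)

    gw.authorize(oncall, "read_alarms")       # allowed: read-only from remote
    gw.authorize(oncall, "ack_alarm")         # denied: control action from remote
    gw.authorize(oncall, "write_setpoint")    # denied: control action from remote
    gw.authorize(operator, "write_setpoint")  # allowed: control action from local console
    gw.authorize(stranger, "view_status")     # denied: not authenticated
    return gw.audit


if __name__ == "__main__":
    for record in demo():
        print(" ".join(record))
```

The point of the design is that the read-only guarantee does not depend on the remote user's role or on the remote machine being trustworthy: a stolen or infected laptop can at most read what the on-call user could read, and any attempt to go further shows up in the audit trail.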


2 Comments

  • 1

    Comment by sky

    January 20, 2008 @ 8:31 pm

    Reading Robert’s summary here got me thinking that it is good that companies are getting forced to become wise to e-terrorism when only money and continence are involved, and before hackers could really physically harm anyone. But then I realized that it might already be possible to kill someone by hacking into a hospital’s network. Threatening to make life-support machines go haywire would be much more scary.

    Also, being able to knock out power grids at will would be a very nice trick to do, right before an invasion.

  • 2

    Comment by David St. Hilaire

    January 20, 2008 @ 10:11 pm

    Having worked with SCADA systems (water/wastewater) before, I have definitely seen the trend towards remote access capabilities. As some systems are widely distributed geographically, it is convenient for employees to be able to configure settings, acknowledge alarms, and view system wide status while at remote sites. It is also sometimes requested that laptops be configured so that on call employees can access the system from home, providing them with a way to instantly deal with alarms and other issues as they drive to the plant before anything becomes critical.

    However, this also presents a huge security concern. If the laptop is stolen or infected with the right malware, an adversary could potentially remotely connect to the master SCADA computer. Though if the adversary wanted to avoid alerting the employees that his attacks were being or had been implemented, or if the computer itself did not provide control decisions for the system, he would need to be able to log into the SCADA software itself. Yet if he was lucky and had access to the application directory, under a certain security configuration the security of one industrially used SCADA software system can be easily bypassed in seconds, granting full administrator access to the controls.

    As systems are becoming more automated, more control and tweaking capabilities for the employees are being provided at the computer, giving adversaries even more potential to create havoc.
