Read Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon Online
Authors: Kim Zetter
On June 22, 2009, a passenger train in the DC Metro system collided during the afternoon rush hour with another train stopped on the tracks, killing one of the operators and eight passengers, and injuring eighty others. Malfunctioning sensors on the track had failed to detect the presence of the stopped train and communicate that to the moving train. Although the latter train was equipped with anti-collision sensors that should have triggered its brakes when it got within 1,200 feet of the other cars, that system had failed too, and for some reason the operator never applied the manual brakes. A decade earlier, communication relays on the same Metro system had sent incorrect instructions to trains on several occasions—one time telling a train to travel 45 miles per hour on a section of track with a 15 mile per hour speed limit.[48]
These incidents were all accidental, but in Poland in 2008 a fourteen-year-old boy in Łódź caused several trains to derail when he used the infrared port of a modified TV remote control to hijack the railway’s signaling system and switch the tram tracks. Four trams derailed, and twelve people were injured.[49]
Although there are many different ways to attack critical infrastructure, one of the most effective is to go after the power grid, since electricity is at the core of all critical infrastructure. Cut the power for a prolonged period, and the list of critical services and facilities affected is long—commuter trains and traffic lights; banks and stock exchanges; schools and military installations; refrigerators controlling the temperature of food and blood supplies; respirators, heart monitors, and other vital equipment in hospitals; runway lights and air traffic control systems at airports. Emergency generators would kick in at some critical facilities, but generators aren’t a viable solution for a prolonged outage, and in the case of nuclear power plants, a switch to generator power triggers an automatic, gradual shutdown of the plant, per regulations.
One way to target electricity is to go after the smart meters electric utilities have been installing in US homes and businesses by the thousands, thanks in part to a $3 billion government smart-grid program, which has accelerated the push of smart meters without first ensuring that the technology is secure.
One of the main problems security researchers have found with the system is that smart meters have a remote-disconnect feature that allows utility companies to initiate or cut off power to a building without having to send a technician. But by using this feature an attacker could seize control of the meters to disconnect power to thousands of customers in a way that would not be easily recoverable. In 2009, a researcher named Mike Davis developed a worm that did just this.
Davis was hired by a utility in the Pacific Northwest to examine the security of smart meters the company planned to roll out to customers. As with the Siemens PLCs that Beresford examined, Davis found that the smart meters were promiscuous and would communicate with any other smart meters in their vicinity as long as they used the same communication protocol. They would even accept firmware updates from other meters. All an attacker needed to update the firmware on a meter was a network encryption key. But since all the meters the company planned to install had the same network key embedded in their firmware, an attacker only had to compromise one meter to extract the key and use it to deliver malicious updates to other meters. “Once we had control of one device, we had pretty much everything we needed,” Davis said. “That was the case across a bunch of meters that we had looked at from different vendors.”[50]
The meters communicated with one another via radio and were always in listening mode to detect other meters nearby. Some meters could communicate with one another from miles away. The ones Davis examined had a reach of about 400 feet, a little longer than the length of a football field—which was more than enough to propagate a malicious update between neighboring houses that would shut off the electricity and spread the worm to additional meters. Davis didn’t even need to compromise an existing meter at a house to get the infection going; he could simply buy his own meter of the same brand—as long as it spoke the same protocol—and load it with malware and the necessary encryption key, then place it in the vicinity of a metered house. “Because of the radio, it’s going to get picked up automatically [by other meters around it],” Davis says. Once the update was complete, the victim meter would restart with the new firmware in place and automatically begin spreading its update to other meters within range, setting off a chain reaction. Operators wouldn’t know anything had changed with the meters until power started dropping out in neighborhoods.
Normally the vendor’s meters got upgraded remotely through a utility company’s central network, or via a technician in the field who used a special dongle connected to a laptop to communicate wirelessly with the meters. So when Davis and his team told the vendor they could write software that propagated automatically from one meter to another without using the central computer or a dongle, the vendor scoffed and said the meters didn’t have the ability to initiate a firmware update to other meters. “They told us … that wasn’t part of their feature set,” Davis recalls. “We said we know, we added the feature [to our malicious firmware update].” The vendor still didn’t believe a worm would have much effect, so Davis wrote a program to simulate an infection in a residential neighborhood of Seattle that in a day spread to about 20,000 smart meters.[51]
“We had pretty much full compromise by the end of the twenty-four-hour cycle,” he says. The infection spread one meter at a time, but a real-world attack would move much more quickly since an attacker could send out a plague of firmware updates from multiple patient zeros located strategically throughout a city.
The vendor scoffed at Davis’s simulation, too, saying a worm would take two to four minutes to update each meter’s firmware, and in that time, technicians would spot the outage before too many customers lost electricity and send out a remote firmware update to turn the power back on to them.
That’s when Davis delivered his final blow and told the vendor that his malicious software didn’t just turn the power off, it also deleted the firmware update feature on the meters so they couldn’t be updated again to restore power. Technicians would have to replace the meter at each house or take them back to the lab and flash their chips with new firmware. “That actually seemed to get their attention more than anything,” he says. “We were able to prove the point that this could get out of hand well before they would be able to figure out what’s going on.”
Since conducting the simulation, Davis has seen vendors improve their meters. Some vendors now use multiple network keys on their meters, assigning a different key for different neighborhoods to limit the damage an attacker could do with a single key. But the remote disconnect is still a problem with most smart meters, since an attacker who breaches a utility’s central server could do what Davis’s worm did, but in a much simpler way. “Were [the remote disconnect] not in there, none of this would really be all that much of an issue,” Davis says. “In my opinion, if it’s got the remote disconnect relay in it, whether it’s enabled or not … it’s a real big, ugly issue.”
Going after smart meters is an effective way to cut electricity. But an even more effective and widespread attack would be to take out generators that feed the grid or the transmission systems that deliver electricity to customers. Defense Secretary Leon Panetta said at his confirmation hearing in June 2011 that the next Pearl Harbor the nation experiences could very well be a cyberattack that cripples the grid.
The North American power grid is large and complex and actually consists of three large regional grids—known as the Eastern, Western, and Texas Interconnections. The grids are composed of more than 450,000 miles of high-voltage transmission lines owned and operated by about three thousand utilities. Because power is traded on energy markets, it sometimes gets routed long distances between and within states to fulfill demand, such as by Cal-ISO, the entity that was hacked in 2001. Although the existence of many independent systems means that an attack on one utility or substation will have a limited effect, their interconnectedness means that a coordinated and strategic attack on a number of systems could cause cascading blackouts that are difficult to fix and plunge users into darkness for weeks.[52]
For example, circuit breakers that monitor distribution lines are designed to sense a dangerous surge on the lines and open to disconnect them from the grid to prevent them from being damaged. When one breaker trips, however, the power from that line gets redirected to other lines. If those lines reach capacity, their breakers will also trip, creating a blackout. But a well-crafted attack could trip the breakers on some lines while manipulating the settings on others to prevent them from tripping, causing the lines to overheat when they exceed capacity.
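The cascade described above, as an added toy model that is not from the book and is not a real power-flow calculation: each corridor is a line with a breaker rating, a tripped line's flow is spread over the surviving lines in proportion to their rating, and any survivor pushed past its rating trips in turn. The `n_minus_1_safe` helper is the planning check grid operators run to confirm that no single line loss cascades; all line names and megawatt figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Line:
    """One transmission corridor protected by a breaker (constructed toy model)."""
    name: str
    capacity: float       # MW the breaker tolerates before it opens
    flow: float           # MW currently carried
    tripped: bool = False

def redistribute(lines, lost_flow):
    """Send a tripped line's flow to surviving lines, proportional to their rating.
    Returns the flow that had nowhere to go (load lost to blackout)."""
    alive = [ln for ln in lines if not ln.tripped]
    total_cap = sum(ln.capacity for ln in alive)
    if total_cap == 0:
        return lost_flow
    for ln in alive:
        ln.flow += lost_flow * ln.capacity / total_cap
    return 0.0

def cascade(lines, first_trip):
    """Trip one breaker, then keep opening any breaker whose line exceeds its rating
    until the system settles. Returns the trip order and the load left unserved."""
    order, unserved = [], 0.0
    pending = [ln for ln in lines if ln.name == first_trip]
    while pending:
        ln = pending.pop(0)
        if ln.tripped:
            continue
        ln.tripped = True
        order.append(ln.name)
        lost, ln.flow = ln.flow, 0.0
        unserved += redistribute(lines, lost)
        # overloaded survivors are the next breakers to open
        pending.extend(x for x in lines if not x.tripped and x.flow > x.capacity)
    return order, unserved

def run_scenario(flows, capacities, first_trip):
    """Build fresh lines named A, B, C, ... and trip one; returns (trip order, unserved MW)."""
    lines = [Line(chr(65 + i), c, f) for i, (f, c) in enumerate(zip(flows, capacities))]
    return cascade(lines, first_trip)

def n_minus_1_safe(flows, capacities):
    """N-1 check: does losing any single line leave every other breaker closed?"""
    return all(len(run_scenario(flows, capacities, chr(65 + i))[0]) == 1
               for i in range(len(flows)))
```

With three 100 MW corridors carrying 90, 80 and 85 MW, tripping A overloads B and C and the whole 255 MW goes dark; the same corridors carrying 50, 40 and 45 MW absorb the loss, which is what the N-1 margin buys.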
When distribution lines overheat, it causes them to sag or melt. Sagging lines were the cause of the 2003 Northeast blackout that cut power to 50 million people in eight states and parts of Canada. Although a digital attack wasn’t the cause of the outage, a software bug thwarted early detection and prevention of the cascade.
The problem began in Ohio when sagging power lines tangled with trees, but it was exacerbated by the fact that the emergency alert system at FirstEnergy’s control center in Akron failed to register faults in the system, leaving operators ignorant about deteriorating conditions. About two and a half hours before the blackout occurred, industrial customers and even other power plants were calling FirstEnergy to report low voltages and tripping transmission lines—indications that major problems were brewing in the grid. But because FirstEnergy operators didn’t see any sign of trouble on their control screens, they assumed the problem lay elsewhere. “[American Electric Power] must have lost some major stuff,” one FirstEnergy operator told a caller, pointing the finger at another utility.[53]
It wasn’t until the lights in FirstEnergy’s own control room went dark that operators realized the problem was with their own system. They eventually traced the glitch in the alert system to a software bug. “[The bug] had never evidenced itself until that day,” a FirstEnergy spokesman later said. “This fault was so deeply embedded, it took them weeks of poring through millions of lines of code and data to find it.”[54]
An even more destructive attack than targeting distribution lines, however, would be to target equipment at substations that feed electricity to those lines. The grid consists of more than 15,000 nodes, or substations, divided into three types—generator substations that create power, transmission substations that transfer it between power lines, and distribution substations that deliver it to consumers. The majority of these are transmission substations, which are responsible for “stepping up” the voltage to transmit it long distances and then “stepping down” the voltage before it gets distributed to end users. A recent study by the Federal Energy Regulatory Commission found that an attack that took out just nine critical substations—four in the Eastern grid, three in the Western grid, and two in the Texas grid—could cause a national power outage for weeks, possibly months, creating panic and leading to loss of life.[55]
The good news is that because grid systems are owned and operated by different utilities, they use different equipment and configurations, thwarting a one-size-fits-all attack and making a single widespread attack on energy systems difficult to pull off. But regional attacks and blackouts are not out of the reach of average hackers. And an attack that also destroyed industrial-sized generators at power-generation plants would make recovery more difficult. This was precisely the point of the Aurora Generator Test.
Named after the Roman goddess who was mother to the four winds, the test had its origins in the cascading Northeast blackout of 2003. That blackout lasted for only two days, but it got people thinking about the possibility of remote attacks against power-generation plants that might not be so recoverable. Mike Assante was in charge of pulling a team together to test the hypothesis.
While a naval intelligence officer in 2001, Assante had been assigned to work at the FBI’s new National Infrastructure Protection Center in Washington, DC, to research the risks posed by cyberattacks against energy infrastructures. After a year, he left the Navy to take a job with American Electric Power (AEP) in Ohio, one of the largest electric utilities in the country. AEP wanted help developing an infrastructure protection program, and it was during this time that Assante began to think about attacks that might cause physical destruction to the grid.
While at AEP, Assante was struck by a Washington Post story about the Idaho National Lab’s SCADA test-bed program, in which workers there terrified the chairman of the Federal Energy Regulatory Commission with a simulation showing him how easily a hacker could destroy a utility’s turbine by shutting down the mechanism responsible for lubricating the machine. Without oil greasing the moving metal parts, the turbine seized up and tore itself apart.[56]
The chairman’s reaction to the demo was visceral. “I wished I’d had a diaper on,” he told the Post after the test.[57]