Bugtraq mailing list archives

Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
From: Dragos Ruiu <dr () kyx net>
Date: Fri, 15 Aug 2003 15:48:09 -0700

On August 15, 2003 11:21 am, Geoff Shively wrote:
> This email was originally posted to bugtraq early on in the 'crisis' but
> due to obvious congestion and instability issues it wasn't posted for a
> while.

> Since this post I have done much research on SCADA, DCS, and HMI
> (Human Machine Interface) systems. These systems run primarily
> on Windows and rely on RPC for remote monitoring. If this doesn't
> sound like an overwhelming coincidence then I don't know what does.

> [ http://216.239.37.104/search?q=cache:w7lnOBBrPxUJ:st-div.web.cern.ch/st-div/ST2001WS/Proceedings/Session42/Sollander.pdf+SCADA+Windows+RPC&hl=en&ie=UTF-8
>
> "The data transmission layer is used to transport data from the equipment
> to at least one control or monitoring application. This is usually done by
> remote procedure calls (RPC) or a middleware over a TCP/IP network."
> - CERN ]

> There has been much talk about this on DShield and Full Disclosure if
> anyone is interested in reading more.

While I have bid on a power system network audit, I haven't specifically 
done one, so this is conjecture.... but somewhat informed conjecture.

Re: SCADA vulnerabilities

Yes you might have SCADA vulnerabilities... but in the power system 
SCADA is used for data collection and measurement only not control. 
This is at least in western Canada, YMMV but I believe this is typical of 
other systems. The power routing is still done by humans flipping 
(really freaking big) switches - or starting turbines or turning hydro 
valves. There are lots of physical procedures and safeguards in the 
system too. And people think carefully about those decisions, because 
the fines and regulatory penalties for being out of spec are measured 
in tens of thousands of dollars per minute.

You might be able to interfere with the data going into the power
NOC and fool the operators into making the wrong phone calls.
But arguably you would need to know a lot about the design of the 
system and specific procedures and policy to create an outage 
this way.

As far as I know there are no (or few) network based feedback loops in
typical power system. Breakers pop at predetermined points, the system
parameters are fairly static. In the western Canadian system, operators
review power demand and capacity on an hourly basis, and make the
appropriate routing decisions (and output levels of variable output
plants) and adjust capacity by bringing plants on line or adjusting
network topology to keep system stability.

As an interesting factoid, in the directives list for power noc engineers,
the prime directive is network stability (crucial for interconnected systems
outside theirs) and delivering power to customers comes lower in the list.

Unlike the internet, the power system is a network that delivers a very stable 
commodity: 60Hz, 110 volts.  There are no router-like components that 
dynamically adjust paths, and capacity based on any measured
data.  All the collection and info feeds back to a control center where a
human operator adjusts simulations first and then when that's checked
by another engineer on other simulations the configuration is "downloaded"
into the system via telephone to regional operators.  The dynamic components
are like breakers, primarily binary on/off devices with fixed trigger 
parameters not things adjusted constantly by a processor based on 
network input. Power system switches are big physical things typically 
moved by burly technicians, rather than a packet sent remotely by a 
distant button or software.

If the control network goes away the systems will default to preset stable
(but not necessarily optimal) presets in the equipment I'm aware of.
Similarly if communications outages occur, the regional operators
have fallback stances in "safe" configurations.  Unlike the internet,
reliability engineers and audits are a big concern in power system
engineering.  The engineers there do their best to make sure that
the result of any or all of the components failing does not equal 
"no power for anyone". Also unlike the internet power engineers _do_
consider "What if" scenarios for any individual components failing.

From my knowledge there could be areas of vulnerability 
in power distribution that might concern me (none of which I will 
discuss) if I was building an attack tree. However, network based 
disruption does not rank very high on my concern list.

If I really wanted to create a power outage, my tool of choice would 
be a chainsaw, not network packets :-). 
(News at 11: Chainsaws Banned because of potential terrorist threat :-)

cheers,
--dr

(Caveats, and Disclaimers:
I used to be a vms admin and developer at a power company R&D lab in uni.
Interestingly, one of the things I worked on was outage crash dump loggers. 
I have visited multiple power NOCs and have some knowledge of their 
procedures. My now retired father used to manage the power distribution
system in western Canada, and my conclusions are based on information 
thusly gleaned over time. :-)

-- 
Top security experts.  Cutting edge tools, techniques and information.
Tokyo, Japan   November, 2003   http://www.pacsec.jp
pgpkey http://dragos.com/ kyxpgp

