The "No Network is 100% Secure" series
- The Aurora Power Grid Vulnerability -
A White Paper


All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants

Contact Us

Visit the Easyrider LAN Pro Security Blog.





What is the Aurora vulnerability?: Aurora is a vulnerablity to cyber attacks that could sabotage critical systems that provide electricity including the nationwide power grid. This vulnerability effects control systems that operate rotating machinery such as pumps, turbines and so on. The vulnerability of the nation's electrical grid to computer attack is due in part to steps taken by power companies to transfer control of generation and distribution equipment from internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines.

The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely. But this access to the Internet exposes these once-closed systems to cyber attacks. So far, incidents of hackers breaking into control systems to cause damage or outages have been scarce although there have been a few. However, the threat of such damage makes control systems an alluring target for extortionists, terrorists, unfriendly governments and others.

Electric utilities, pipelines, railroads and oil companies use remotely controlled and monitored valves, switches and other mechanisms that are vulnerable to attack.

In a dramatic video-taped demonstration of the Aurora vulnerability recorded in 2006, engineers at Idaho National Labs showed how the weakness could be exploited to cause any spinning machine connected to the power grid -- such as a generator, pump or turbine -- to self-destruct. These attacks could easily be carried out on vulnerable equipment using the Internet.

Costs and time are frequently given as the reasons for not locking down these complex networks. Many plant operators consider it unlikely that an attacker would be able manipulate or damage control systems, as most of these systems run on obscure hardware powered by highly specialized communications standards. However, this "security-by-obscurity" defense is gradually eroding, as a number of utilities are upgrading from older, legacy systems to operating systems more familiar to the average hacker, such as Microsoft Windows and Linux.

The GAO issued a vulnerability report on May 21, 2008 regarding the Tennessee Valley Authority, the nation's largest public utility company. The GAO found that TVA's Internet-connected corporate network was linked with systems used to control power production, and that security weaknesses pervasive in the corporate side could be used by attackers to manipulate or destroy vital control systems. As a wholly owned federal corporation, TVA must meet the same computer security standards that govern computer practices and safeguards at federal agencies. As of 5/21/2008 it apparently did not. The GAO also warned that computers on TVA's corporate network lacked security software updates and anti-virus protection, and that firewalls and intrusion detection systems on the network were easily bypassed and failed to record suspicious activity.

The task of gauging the electric sector's true progress in mitigating the Aurora vulnerability has fallen to the Federal Energy Regulatory Commission. In January 2008, FERC approved eight mandatory reliability standards to protect bulk power systems against disruptions from cyber-security breaches. The agency has the authority to fine plants up to $1 million a day for violations of those standards, but the industry has until 2010 to demonstrate compliance with the new rules.

Security experts contend that existing standards contain loopholes and don't adequately protect critical power systems. For example, telecommunications equipment is excluded, even though there are documented cases of computer worms shutting off service from control systems to substations. There are security experts in the power industry who recognize the threat from cyber vulnerabilities like Aurora, but who claim they don't have the funding or the authority to do much about it.

FAA Air Traffic Control system vulnerability: While not an aurora vulnerability per se, a recent USDOT report stated that the nation's air traffic control systems are vulnerable to cyber attacks. Support systems have been breached in recent months allowing hackers access to personnel records and network servers, according to a government audit.

The Transportation Department's inspector general concluded that although most of the attacks disrupted only support systems, they could spread to the operational systems that control communications, surveillance and flight information used to separate aircraft. The report noted several recent cyber attacks, including a February incident when hackers gained access to personal information on about 48,000 current and former Federal Aviation Administration employees, and an attack in 2008 when hackers took control of some FAA network servers.

Auditors said the FAA is not able to adequately detect potential cyber security attacks, and it must better secure its systems against hackers and other intruders. "In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC (air traffic control) systems encounter attacks that do serious harm to ATC operations," the auditors said.

According to the report, the FAA received 800 cyber incident alerts during the fiscal year that ended Sept. 30, 2008, and more than 150 were not resolved before the year finished. Fifty of those, the auditors said, had been open for more than three months, "including critical incidents in which hackers may have taken over control" of some computers. Officials tested Internet-based systems that are used to provide information to the public. The tests found nearly 4,000 "vulnerabilities," including 763 viewed as "high risk." The vulnerabilities including weak passwords, unprotected file folders, and other software problems.

These weaknesses could allow hackers or internal FAA workers to gain access to air traffic systems, and possibly compromise computers there or infect them with malicious codes or viruses.

BIOS is also vulnerable to modern malware attacks: Basic Input/Output System (BIOS), a firmware run by a computer at the time of boot-up, is increasingly targeted by malware attacks as modern hackers having administrative OS rights are effectively conducting BIOS updates or BIOS on the Internet to load customized low-level firmware. Recently, experts have shown how BIOS malware could be used to attack multiple operating systems and infect different kinds of motherboards. According to them, BIOS-based malicious software can disseminate not just on various OSs, but also by a number of hardware. These attacks are hard to identify and block. Earlier during March 2009 at the Vancouver CanSecWest security conference, researchers Anibal Sacco and Alfredo Ortega of Core Security Technologies Inc. performed a general BIOS attack that could push malware inside various BIOS types, as reported by search security on June 18, 2009.

Terrorist attacks: Terrorists groups could soon use the internet to help set off a devastating nuclear attack, according to research done by the International Commission on Nuclear Non-proliferation and Disarmament (ICNND). Their study suggests that under the right circumstances, terrorists could break into computer systems and launch an attack on a nuclear state triggering a catastrophic chain of events that would have a global impact. Without better protection of computer and information systems, the paper states, governments around the world are leaving open the possibility that a well-coordinated cyberwar could quickly elevate to nuclear levels. In fact, this may be an easier alternative for terrorist groups than building or acquiring a nuclear weapon or dirty bomb themselves. Though the paper admits that the media and entertainment industries often confuse and exaggerate the risk of cyberterrorism, it also outlines a number of potential threats and situations in which dedicated hackers could use information warfare techniques to make a nuclear attack more likely. While the possibility of a radical group gaining access to actual launch systems is remote, the study suggests that hackers could focus on feeding in false information further down the chain or spreading fake information to officials in a carefully orchestrated strike. "Despite claims that nuclear launch orders can only come from the highest authorities, numerous examples point towards an ability to sidestep the chain of command and insert orders at lower levels," said Jason Fritz, the author of the paper. "Cyber-terrorists could also provoke a nuclear launch by spoofing early warning and identification systems or by degrading communications networks." Since these systems are not as well-protected as those used to launch an attack, they may prove more vulnerable to attackers who wish to tempt another nation into a nuclear response. Cyberspace is real, and so is the risk that comes with it. Online attacks are one of the most serious economic and national security challenges we face. However, the study suggests that although governments are increasingly aware of the threat of cyberwar with other nations, action to bolster those defenses does not alleviate the threat of a rogue group that circumvented the expected strategies for online warfare. "Just as the 9/11 attacks were an unprecedented attack with unconventional weapons, so too could a major cyber attack," it says.

Hacking the 'smart grid': The race to build a "smarter" electrical grid could have a dark side. Security experts are starting to show the dangers of equipping homes and businesses with new meters that enable two-way communication with utilities.

There are many benefits to upgrading the nation's electricity networks, which is why a smart-grid movement was already revving up before the recent economic recovery package included $4.5 billion for the technology. Smarter grids could help conserve energy by giving utilities more control over and insight into how power flows. But there are potential problems with moving too fast.

The risks are similar to what happens when computers are linked over the Internet. By exploiting weaknesses in the way computers talk to each other, hackers can seize control of innocent people's machines. In the case of the power grid, better communication between utilities and the meters at individual homes and businesses raises the possibility that someone could control the power supply for a single building, an entire neighborhood, or worse. For example, a computer worm could give miscreants remote control of the meters, which would let them take advantage of a utility's ability to, for example, disconnect someone's power for not paying his bill. A key vulnerability has been found in devices made by an unnamed manufacturer. But once infected, a worm could spread to other manufacturers' products that use the same communications technologies and can be used to remotely disconnect people's power.

To get the computer worm going, a hacker might have to get physical access to one of the meters in order to program it with malicious code. That could start a chain reaction in which the worm spreads meter to meter over the grid's communication network. This hack might also be done remotely, if the traffic on the network isn't encrypted.

More than 50 million smart meters are expected to be deployed by U.S. electric utilities by 2015, according to a list of publicly announced projects kept by The Edison Foundation. More than 8 million have already been deployed.


About the Author

Frank Saxton is a computer network security engineer and Easyrider LAN Pro principle. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.


Next in the security white paper series:

Are you vulnerable to drive-by exploits?
High value sites recent hacks
More 2009 hacks in the news
Still more 2009 hacks in the news
IT employment challenges of the 21st century
Competency Certifications White Paper
Firewall White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Cryptography White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Conficker White Paper
Phishing White Paper
DNS Poisoning White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Shelfware White Paper
Outsourced IT White Paper

Easyrider LAN Pro Consulting services:

Network Security Audit and PC Tune-up service

- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting


Last modified March 25, 2009
Copyright 1990-2010 Easyrider LAN Pro