The "No Network is 100% Secure" series
- The Aurora Power Grid Vulnerability -
Including Stuxnet

A White Paper


All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants

Contact Us

Visit the Easyrider LAN Pro Security Blog.



Page Ranking Tool


Share/Bookmark


The generator room at the Idaho National Laboratory was remote accessed by a hacker and a $1 Million diesel-electric generator was destroyed.
(U.S. Homeland Security photo)
VIEW THE VIDEO

What is the Aurora vulnerability?: Aurora is a vulnerablity to cyber attacks that could sabotage critical systems that provide electricity including the nationwide power grid. This vulnerability effects control systems that operate rotating machinery such as pumps, turbines and so on. The vulnerability of the nation's electrical grid to computer attack is due in part to steps taken by power companies to transfer control of generation and distribution equipment from internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines.

The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely. But this access to the Internet exposes these once-closed systems to cyber attacks. So far, incidents of hackers breaking into control systems to cause damage or outages have been scarce although there have been a few. However, the threat of such damage makes control systems an alluring target for extortionists, terrorists, unfriendly governments and others.

Electric utilities, pipelines, railroads and oil companies use remotely controlled and monitored valves, switches and other mechanisms that are vulnerable to attack.

In a dramatic video-taped demonstration of the Aurora vulnerability recorded in 2006, engineers at Idaho National Labs showed how the weakness could be exploited to cause any spinning machine connected to the power grid -- such as a generator, pump or turbine -- to self-destruct. These attacks could easily be carried out on vulnerable equipment using the Internet.

Costs and time are frequently given as the reasons for not locking down these complex networks. Many plant operators consider it unlikely that an attacker would be able manipulate or damage control systems, as most of these systems run on obscure hardware powered by highly specialized communications standards. However, this "security-by-obscurity" defense is gradually eroding, as a number of utilities are upgrading from older, legacy systems to operating systems more familiar to the average hacker, such as Microsoft Windows and Linux.

The GAO issued a vulnerability report on May 21, 2008 regarding the Tennessee Valley Authority, the nation's largest public utility company. The GAO found that TVA's Internet-connected corporate network was linked with systems used to control power production, and that security weaknesses pervasive in the corporate side could be used by attackers to manipulate or destroy vital control systems. As a wholly owned federal corporation, TVA must meet the same computer security standards that govern computer practices and safeguards at federal agencies. As of 5/21/2008 it apparently did not. The GAO also warned that computers on TVA's corporate network lacked security software updates and anti-virus protection, and that firewalls and intrusion detection systems on the network were easily bypassed and failed to record suspicious activity.

The task of gauging the electric sector's true progress in mitigating the Aurora vulnerability has fallen to the Federal Energy Regulatory Commission. In January 2008, FERC approved eight mandatory reliability standards to protect bulk power systems against disruptions from cyber-security breaches. The agency has the authority to fine plants up to $1 million a day for violations of those standards, but the industry has until 2010 to demonstrate compliance with the new rules.

Security experts contend that existing standards contain loopholes and don't adequately protect critical power systems. For example, telecommunications equipment is excluded, even though there are documented cases of computer worms shutting off service from control systems to substations. There are security experts in the power industry who recognize the threat from cyber vulnerabilities like Aurora, but who claim they don't have the funding or the authority to do much about it.

FAA Air Traffic Control system vulnerability: While not an aurora vulnerability per se, a recent USDOT report stated that the nation's air traffic control systems are vulnerable to cyber attacks. Support systems have been breached in recent months allowing hackers access to personnel records and network servers, according to a government audit.

The Transportation Department's inspector general concluded that although most of the attacks disrupted only support systems, they could spread to the operational systems that control communications, surveillance and flight information used to separate aircraft. The report noted several recent cyber attacks, including a February incident when hackers gained access to personal information on about 48,000 current and former Federal Aviation Administration employees, and an attack in 2008 when hackers took control of some FAA network servers.

Auditors said the FAA is not able to adequately detect potential cyber security attacks, and it must better secure its systems against hackers and other intruders. "In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC (air traffic control) systems encounter attacks that do serious harm to ATC operations," the auditors said.

According to the report, the FAA received 800 cyber incident alerts during the fiscal year that ended Sept. 30, 2008, and more than 150 were not resolved before the year finished. Fifty of those, the auditors said, had been open for more than three months, "including critical incidents in which hackers may have taken over control" of some computers. Officials tested Internet-based systems that are used to provide information to the public. The tests found nearly 4,000 "vulnerabilities," including 763 viewed as "high risk." The vulnerabilities including weak passwords, unprotected file folders, and other software problems.

These weaknesses could allow hackers or internal FAA workers to gain access to air traffic systems, and possibly compromise computers there or infect them with malicious codes or viruses.

BIOS is also vulnerable to modern malware attacks: Basic Input/Output System (BIOS), a firmware run by a computer at the time of boot-up, is increasingly targeted by malware attacks as modern hackers having administrative OS rights are effectively conducting BIOS updates or BIOS on the Internet to load customized low-level firmware. Recently, experts have shown how BIOS malware could be used to attack multiple operating systems and infect different kinds of motherboards. According to them, BIOS-based malicious software can disseminate not just on various OSs, but also by a number of hardware. These attacks are hard to identify and block. Earlier during March 2009 at the Vancouver CanSecWest security conference, researchers Anibal Sacco and Alfredo Ortega of Core Security Technologies Inc. performed a general BIOS attack that could push malware inside various BIOS types, as reported by search security on June 18, 2009.

Terrorist attacks: Terrorists groups could soon use the internet to help set off a devastating nuclear attack, according to research done by the International Commission on Nuclear Non-proliferation and Disarmament (ICNND). Their study suggests that under the right circumstances, terrorists could break into computer systems and launch an attack on a nuclear state triggering a catastrophic chain of events that would have a global impact. Without better protection of computer and information systems, the paper states, governments around the world are leaving open the possibility that a well-coordinated cyberwar could quickly elevate to nuclear levels. In fact, this may be an easier alternative for terrorist groups than building or acquiring a nuclear weapon or dirty bomb themselves. Though the paper admits that the media and entertainment industries often confuse and exaggerate the risk of cyberterrorism, it also outlines a number of potential threats and situations in which dedicated hackers could use information warfare techniques to make a nuclear attack more likely. While the possibility of a radical group gaining access to actual launch systems is remote, the study suggests that hackers could focus on feeding in false information further down the chain or spreading fake information to officials in a carefully orchestrated strike. "Despite claims that nuclear launch orders can only come from the highest authorities, numerous examples point towards an ability to sidestep the chain of command and insert orders at lower levels," said Jason Fritz, the author of the paper. "Cyber-terrorists could also provoke a nuclear launch by spoofing early warning and identification systems or by degrading communications networks." Since these systems are not as well-protected as those used to launch an attack, they may prove more vulnerable to attackers who wish to tempt another nation into a nuclear response. Cyberspace is real, and so is the risk that comes with it. Online attacks are one of the most serious economic and national security challenges we face. However, the study suggests that although governments are increasingly aware of the threat of cyberwar with other nations, action to bolster those defenses does not alleviate the threat of a rogue group that circumvented the expected strategies for online warfare. "Just as the 9/11 attacks were an unprecedented attack with unconventional weapons, so too could a major cyber attack," it says.

Hacking the 'smart grid': The race to build a "smarter" electrical grid could have a dark side. Security experts are starting to show the dangers of equipping homes and businesses with new meters that enable two-way communication with utilities.

There are many benefits to upgrading the nation's electricity networks, which is why a smart-grid movement was already revving up before the recent economic recovery package included $4.5 billion for the technology. Smarter grids could help conserve energy by giving utilities more control over and insight into how power flows. But there are potential problems with moving too fast.

The risks are similar to what happens when computers are linked over the Internet. By exploiting weaknesses in the way computers talk to each other, hackers can seize control of innocent people's machines. In the case of the power grid, better communication between utilities and the meters at individual homes and businesses raises the possibility that someone could control the power supply for a single building, an entire neighborhood, or worse. For example, a computer worm could give miscreants remote control of the meters, which would let them take advantage of a utility's ability to, for example, disconnect someone's power for not paying his bill. A key vulnerability has been found in devices made by an unnamed manufacturer. But once infected, a worm could spread to other manufacturers' products that use the same communications technologies and can be used to remotely disconnect people's power.

To get the computer worm going, a hacker might have to get physical access to one of the meters in order to program it with malicious code. That could start a chain reaction in which the worm spreads meter to meter over the grid's communication network. This hack might also be done remotely, if the traffic on the network isn't encrypted.

More than 50 million smart meters are expected to be deployed by U.S. electric utilities by 2015, according to a list of publicly announced projects kept by The Edison Foundation. More than 8 million have already been deployed.

How a Phishing Attack Exposed an Energy Company to Hackers: The following is an unsubstantiated report that was published on the Internet. The report declines to identify the energy company involved so I will take these "facts" with a grain of salt. However, the described attack and it's aftermath is certainly plausible so I will include it here as a potential attack vector that needs to be defended against.

Using a Microsoft zero-day vulnerability and a bit of social engineering, hackers compromised a workstation and threatened critical SCADA systems. It began with an e-mail sent to an employee at an energy company, and ended with a security breach that exposed critical systems to outside control. The attack began to unravel April 3, 2007. That's when a fraudulent user account, complete with administrative privileges, was detected by the energy company. Tracing backwards, it turned out that random administrative accounts were being added in the internal network because another machine inside their corporate network had been compromised due to a successful phishing attack. The reason why I am repeating this story is to underscore that fact that the number one security risk to networks is people.... in some cases, employees can be fooled into going to a web site that has been infected with malware and once that happens, it's all over but the crying. But in this example, the attack was even less sophisticated than that.

The employee machine sat on the same segment where the SCADA (Supervisory Control And Data Acquisition) controllers were. This, of course, was a fundamental network security gaffe. Soon, evidence appeared that the attackers had leapfrogged off this network and broken into the domain controller. The source of the breach? A relatively simple phishing attack. The phishing e-mail contained a pitch for a new health care plan, something that caught an employee's eye. The e-mail claimed to be about benefits for a family with two or more children, and the employee had three. The message also contained a malicious .chm file attachment. When the employee opened the attachment, it reached out to a server in the Asia-Pacific region and pulled out a malicious executable that gave the attackers a foothold on the employee's machine. This particular attack took advantage of MS07-029, a Windows DNS (Domain Name System) vulnerability that at the time was unpatched. This, of course, is also a fundamental network security gaffe. Strike three! You're out... Using the vulnerability as an entry point, the attackers ended up with control of the employee's account. With the level of access they gained, the attackers could potentially control, view and modify everything related to the business.

Our advice? Put a proxy in place for Web browsing, obviously. But more critical is the subject of segregation. No workstation sharing a critical network segment such as SCADA should be connected to the Internet. Patch management, employee security training and the other preventative measures described in this series of white papers are also vital to protecting your network. HTH....

August, 2010 UPDATE: From the first smart grid security summit, San Jose, California - The smart grid is still vulnerable to cyber attack!

The current grid, with its hodgepodge industrial control system (ICS) technologies, is highly vulnerable to a cyber attack that could destroy critical generation and T&D assets. Resulting outages could last for weeks, causing economic devastation. Smart grid integration could make it worse. Utility IT staffs with some security knowledge don't understand ICS, and operations groups that do don't trust, or even like, the IT groups.

Nationally, very few experts (perhaps tens to low hundreds) understand enough ICS and IT to be useful. Most industry executives have their heads in the sand. The few that don't are thwarted by clueless regulators that deny rate cases for even modest security improvements. The recently discovered Stuxnet infestation targeting Siemens SCADA systems (see: http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices) provides the first hard evidence that the power grid is still seriously vulnerable.

One has to wonder why the message is apparently not getting through. One completely unscientific (and probably unfair) observation is the security messengers appear to be culturally worlds apart from their utility audiences. They are more likely to be in tee shirts than ties, have longer hair and beards, have body piercings and tattoos, and are proud to have been fired more than once for "telling the truth" to their management. Many have chosen to live in rural locations, have backup generators, and own more than one gun. It is hard to imagine a starker contrast to the buttoned-down-white-shirt-and-tie utility executive. Could this be a major impediment to grid security?

Stuxnet: The Stuxnet worm is included here because, like Aurora, it is used to penetrate and infect SCADA PLC systems. However Aurora is an opportunistic, "all purpose" worm which attacks motors, motor generators and Programmable Logic Controllers generally. Stuxnet is far more specialized and was designed specifically to attack Iran's nuclear capability. The creator(s) of Stuxnet are currently unknown. But given how complicated, selective and sophisticated this worm is, one can make some logical guesses. The short list would most likely include any International Government with the technical wherewithall and desire to shut down Iran's nuclear weapons program.

Stuxnet is the first [suspected] Government [sponsored] attack on another Government that does not involve Military action, bombs, death, a declaration of war and so on. I suspect that Stuxnet is the first salvo in a Global trend towards Cyber Warfare that will continue, grow and escalate for decades (at least) to come. IMHO, it's just a question of when, not if, Terrorists deploy some sort of Aurora/Stuxnet attack against the USA and other free Nations around the World. These attacks can, and probably will eclipse the 9/11 World Trade Center attacks in terms of disruption and destruction to infrastructures that we depend on for our daily existence. The emergence of cyber warfare is more significant, in my opinion, than the creation of the atomic bomb in 1945. The Planet is on the cusp of the greatest "arms race" ever known.

The worm's target seems to be high value infrastructures in Iran that use Siemens control systems and specific hardware components. Stuxnet has also infected other SCADA systems (an estimated 6 million computers in China, for example) but seems to be disinterested in anything that does not use the narrow band of equipment found in Iran's nuclear facilities. According to news reports the infestation by this worm might has significantly damaged Iran's nuclear facilities in Natanz and has delayed the start up of Iran's Bushehr Nuclear Power Plant. Although Siemens has stated that the worm has not caused any damage, on November 29, 2010, Iran confirmed that its nuclear program had indeed been damaged by Stuxnet.

The Stuxnet worm was first reported by the security company VirusBlokAda in mid-June 2010, and roots of it have been traced back to June 2009. Stuxnet contains a component with a build time stamp from 3 February 2010. In the United Kingdom on 25 November 2010, Sky News reported that it had received information that the Stuxnet worm, or a variation of the virus, had been traded on the black market. The name is derived from some keywords discovered in the software.

The complexity of Stuxnet is very unusual for malware, and consists of attacks against three different systems: The Windows operating system, an industrial software application that runs on Windows, and a Siemens programmable logic controller (PLC). This type of attack required in-depth knowledge of industrial processes and an interest in attacking industrial infrastructure. Developing the capabilities in Stuxnet would have required a team of people to program, as well as check that the malware would not crash the PLCs.

Stuxnet attacked Windows systems using four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm. It initially spread using infected removable drives such as USB flash drives, and then used other exploits and techniques such as peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet. The number of zero-day Windows exploits used is unusual, as zero-day Windows exploits are valued, and hackers do not normally waste the use of four different ones in the same worm. Stuxnet is unusually large at half a megabyte in size, and written in different programming languages (including C and C++) which is also irregular for malware. The Windows component of the malware is promiscuous in that it spreads relatively quickly and indiscriminately.

The malware has both user-mode and kernel-mode rootkit capability under Windows, and its device drivers have been digitally signed with the private keys of two certificates that were stolen from separate companies, JMicron and Realtek, that are both located at Hsinchu Science Park in Taiwan. The driver signing helped it install kernel-mode drivers successfully and remain undetected for a relatively long period of time. Both compromised certificates have since been revoked by VeriSign.

Two websites were configured as command and control servers for the malware, allowing it to be updated, and for industrial espionage to be conducted by uploading information. Both of these websites have subsequently been taken down as part of a global effort to disable the malware.

Once installed on a Windows system, Stuxnet infects project files belonging to Siemens' WinCC/PCS 7 SCADA control software, and subverts a key communication library of WinCC called s7otbxbx.dll. The purpose of this subversion is to intercept communications between the WinCC software running under Windows and the target Siemens PLC devices that the software is able to configure and program when the two are connected via a data cable. In this way, the malware is able to install itself on PLC devices unnoticed, and subsequently to mask its presence from WinCC if the control software attempts to read an infected block of memory from the PLC system. The malware furthermore used a zero-day exploit in the WinCC/SCADA database software in the form of a hard-coded database password.

The complete Stuxnet code has not yet been decrypted, but among its peculiar capabilities is a fingerprinting technology which allows it to precisely identify the systems it infects. Stuxnet requires specific slave variable-frequency drives (frequency converter drives) to be attached to the targeted Siemens S7-300 system and its associated modules. It only attacks those PLC systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran. Furthermore, it monitors the frequency of the attached motors, and only attacks systems that spin between 807Hz and 1210 Hz. The industrial applications of motors with these parameters are diverse, and may include pumps or centrifuges. Stuxnet installs malware into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system. When certain criteria are met, it periodically modifies the frequency to 1410 Hz and then to 2 Hz and then to 1064 Hz, and thus affects the operation of the connected motors by changing their rotational speed. It also installs a rootkit that hides the malware on the system - the first such documented case on this platform.

Stuxnet removal: As stated earlier, you don't have to be running a nuclear facility in Iran to become infected with Stuxnet! Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and advises installing Microsoft patches for security vulnerabilities and prohibiting the use of third-party USB flash drives. Siemens also advises immediately upgrading password access codes. The worm's ability to reprogram external programmable logic controllers (PLCs) may complicate the removal procedure. Fixing Windows systems may not completely solve the infection; a thorough audit of PLCs is recommended. Despite speculation that incorrect removal of the worm could cause further damage, Siemens reports that in the first four months since discovery, the malware was successfully removed from the systems of twenty-two customers without any adverse impact.

As predicted, Aurora and Stuxnet would eventally morph into an "all purpose" power
generating sytem virus. And so it has. Enter the "Duqu virus". More on this later
but suffice it to say that Duqu is designed to penetrate pretty much any SCADA system,
collecting passwords and probing for vulnerabilities that would allow it to shut
down power generation facilities, among other things. Prepare for blackouts and
Government excuses as to why this was allowed to happen.


About the Author

Frank Saxton is a computer network security engineer and Easyrider LAN Pro principle. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.


Next in the security white paper series:

How Cyber Criminals will mature over the next ten years
Are you vulnerable to drive-by exploits?
High value sites recent hacks
More 2009 hacks in the news
Still more 2009 hacks in the news
IT employment challenges of the 21st century
Employment reference checking white paper
Competency Certifications White Paper
Firewall White Paper
Virus White Paper
GhostNet White Paper
Password White Paper
Digital Identification Certificates White Paper
Cryptography White Paper
OpenID White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Conficker White Paper
Phishing White Paper
DNS Poisoning White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Shelfware White Paper
Outsourced IT White Paper

Easyrider LAN Pro Consulting services:

Network Security Audit and PC Tune-up service

- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting


Last modified March 25, 2009
Copyright 1990-2010 Easyrider LAN Pro