A few months ago, engineers Adam Crain and Chris Sistrunk discovered a potentially catastrophic vulnerability in the nation's power grid. Due to a flaw in the software used to monitor most of the country's electrical substations, an attacker can easily break in and cause a widespread power outage.
The engineers say they hardly qualify as security researchers. But seven months ago, Mr. Crain wrote software to look for defects in an open-source software program. The program targeted a very specific communications protocol called DNP3, which is predominantly used by electric and water companies, and plays a crucial role in so-called S.C.A.D.A. (supervisory control and data acquisition) systems. Utility companies use S.C.A.D.A. systems to monitor far-flung power stations from a control center, in part because it allows them to remotely diagnose problems rather than wait for a technician to physically drive out to a station and fix it.
Mr. Crain ran his security test on his open-source DNP3 program and didn’t find anything wrong. Frustrated, he tested a third-party vendor’s program to make sure his software was working. The first program he targeted belonged to Triangle MicroWorks, a Raleigh, North Carolina based company that sells source code to large vendors of S.C.A.D.A. systems. It broke instantly.
Mr. Crain called Mr. Sistrunk, an electrical engineer, to see if he could help Mr. Crain test his program on other systems.
“When Adam told me he broke Triangle, I worried everything else was broken,” said Mr. Sistrunk.
After finding they could successfully break 16 different SCADA vendors, they sent a detailed report to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team. But ICS-CERT didn't issue a formal alert about Triangle's system until August
--four months after Crain and Sistrunk first alerted them.
During that time, Crain and Sistrunk discovered they could break into nine other vendors. They also discovered that in all cases, they could crash the software that monitors a substation, making it impossible for operators to watch the grid. I used to work at a wastewater plant, so I know from experience--the SCADA is practically the only way an operator can spot a problem and have enough time to react.
If that isn't unnerving enough, current technology makes it impossible to stop this kind of attack.
What makes the vulnerabilities particularly troubling, experts say, is that traditional firewalls are ill-equipped to stop them. “When the master crashes it can no longer monitor or control any and all of the substations,” said Dale Peterson, a former N.S.A. employee who founded Digital Bond, a security firm that focuses on infrastructure. “There is no way to stop this with a firewall and other perimeter security device today. You have to let DNP3 responses through.”
Peterson pointed out something else--DNP3 isn't regulated. DNP3 transmits serially--the same way data is transmitted via coaxial cables. However, current cybersecurity regulations don't cover serial communications, even though many substations use it. That means there's no way to make utilities apply a patch for this software. "Ass-backwards" doesn't even begin to describe this.