State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
Cyber Attack! - Lessons Learned: Aurora Attack
Test gets major media hype, but SCADA vulnerabilities remain
uses proprietary operating systems and proprietary protocols for gaining access and communicating among various parts of the infrastructure. Other systems use standard protocols and authentication routines that are inherently weak. “In a lot of cases it would be clear-text protocol like Telnet, which is a very insecure protocol a lot of these older machines speak,” Traverse says. “And maybe everyone can sign onto a piece of SCADA equipment with one user password, which is ‘super.’” Additionally, SCADA equipment generally allows serial access, which means a user can plug a device into it with serial connectivity and access all the ports that are connected. “There is no way to compartmentalize the user that is accessing it and there is no way of tracking that user,” Traverse says.
Despite these challenges, however, SCADA weaknesses can and must be addressed to prevent hacker attacks on critical utility infrastructure, like the one shown by the Aurora exercise. Fortunately, the security community has developed ways to prevent hackers from getting into utility systems. “We never want to say we give you an absolute fool-proof solution,” Traverse warns. “But we give you double encryption — superior protocols, the ability to overcome weak authentication problems, the ability to separate and compartmentalize your users, and the ability to implement a security model and be alerted if there is problem.”
A major problem, however, for any infrastructure protection involves what Traverse calls “the rising tide,” meaning the bad guys, the hackers who want to wreak havoc on utility systems and who always come up with new ways to invade systems. The Aurora test exposed one particular vulnerability, which companies are working to eliminate. “The question is, will we ever be ahead of the game?” Traverse says. “We constantly are trying to protect ourselves from the rising tide.”
Wake Up Call
So what did the industry learn from the Aurora hacker exercise? Maybe not much.
Utility companies certainly applied the patches prescribed by the DHS, but they were motivated to improve system security long before the Aurora exercise happened (see “ CIP Goes Live ”).
Furthermore, insiders suggest this particular vulnerability wasn’t among the most serious facing the industry. According to Gunther, in order for a hacker attack like the one tested in Aurora to succeed, the hacker would’ve had to know about the specific vulnerability or discover it by chance. Then, the hacker needed to gain physical access to the control system or access to the communications path. Finally, the test assumed none of the operator’s safety protocols worked and warnings went unnoticed.
“[Aurora] certainly was a viable scenario, but if you start really drilling down, the level of risk in general is pretty small,” Gunther says. And to the degree the test focused attention on one particular vulnerability, it could prove counterproductive by diverting attention from the broader need for layers of defense in utility systems.
“A test like Aurora can be fascinating to watch and see how it breaks down at the individual level,” Highfill says. “But at the end of the day you have to make sure