Monday, April 18, 2011

Engineering Professional Skills 2011

The following activity is designed to prompt expression of your knowledge of and ability to apply engineering professional skills. Its purpose is to determine how well your engineering program has taught you these skills. By participating, you are giving your consent to have your posts used for academic research purposes. When your posts are evaluated by the program assessment committee, your names will be removed. In order to post, click on the Sign In button in the upper right hand corner of the blog page, then sign in using your gmail account and password.

Time line: You will have 2 weeks to complete the on-line discussion as a team. Use this blog to capture your thoughts, perspectives, ideas, and revisions as you work together on this problem. This activity is discussion-based, meaning you will participate through a collaborative exchange and critique of each other’s ideas and work. The goal is to challenge and support one another as a team to tap your collective resources and experiences to dig more deeply into the issue(s) raised in the scenario. Since the idea is that everyone in the discussion will refine his/her ideas through the discussion that develops, you should try to respond well before the activity ends so that the discussion has time to mature. It is important to make your initial posts and subsequent responses in a timely manner. You are expected to make multiple posts during each stage of this on-going discussion. The timeline below suggests how to pace your discussion. This is just a suggestion. Feel free to pace the discussion as you see fit.

Tuesday Week 1 Initial Posts: All participants post initial responses to these instructions (see below) and the scenario.

Thursday Week 1 Response Posts: Participants respond by tying together information and perspectives on important points and possible approaches. Participants identify gaps in information and seek to fill those gaps.

Tuesday Week 2 Refine Posts: Participants work toward agreement on what is most important, determine what they still need to find out, & evaluate one or more approaches from the previous week’s discussion.

Thursday Week 2 Polish Final Posts: Participants come to an agreement on what is most important, and propose one or more approaches to address the issue/s.

Discussion Instructions
Imagine that you are a team of engineers working together for a company or organization to address the issue raised in the scenario. Discuss what your team would need to take into consideration to begin to address the issue. You do not need to suggest specific technical solutions, but identify the most important factors and suggest one or more viable approaches.

Suggestions for discussion topics
• Identify the primary and secondary problems raised in the scenario.
• Who are the major stakeholders and what are their perspectives?
• What outside resources (people, literature/references, and technologies) could be engaged in developing viable approaches?
• Identify related contemporary issues.
• Brainstorm a number of feasible approaches to address the issue.
• Consider the following contexts: economic, environmental, cultural/societal, and global. What impacts would the approaches you brainstormed have on these contexts?
• Come to agreement on one or more viable approaches and state the rationale.

Power Grid Vulnerabilities
In 2010, the US power industry received $3.4 billion as part of the recent economic stimulus package to help modernize the country's electric power system and increase energy efficiency.
The nation’s security experts are concerned about the increased vulnerability of the operational systems used to manage and monitor the smart grid infrastructure. Supervisory Control and Data Acquisition (SCADA) systems are one of the primary energy management systems used to control the power grid. SCADA systems are susceptible to cyber attacks because many are built around dated technologies with weaker protocols. To increase access to management and operational data, these systems and their underlying networks have been progressively more interconnected.
Contemporary hackers may circumvent technical controls by targeting a specific user within the utility instead of hacking directly into the grid. For example, a person with intention to launch cyber attacks could be employed by a business that sells products or services to a company, allowing regular e-mail interactions with the internal procurement office. The hacker could circumvent the company’s firewall by sending emails with a Trojan horse or advanced malware, thus creating a virtual tunnel to the procurement office’s computers. This would give the hacker undetected direct access to the company's network which could be used to launch further attacks.

Since 2000, successful cyber attacks on the SCADA systems of a number of US power generation, petroleum production, water treatment facilities, and nuclear plants have increased tenfold. In April 2010, a Texas electric utility was attacked from Internet address ranges outside the US. In late 2010 and early 2011, Iranian nuclear power plants and German-headquartered industrial giant Siemens witnessed the powers of Stuxnet, the sophisticated malware designed to penetrate industrial control systems. Experts warn that Stuxnet or next-generation worms could incapacitate machines critical to US infrastructure, such as electric power grids, gas pipelines, power plants, and dams. The worm circumvents digital data systems and thwarts human operators by indicating that all systems are normal, when they are actually being destroyed.
Official US governmental standards for power grid cyber security are not robust enough to ensure against such threats. According to a January 2011 Department of Energy audit, the current standards are not “adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.”

Sources
Audit Report: Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security. (January 26, 2011). U.S. Department of Energy, Office of Inspector General, Office of Audits and Inspections.
Computer Expert Says US Behind the Stuxnet Worm. (March 3, 2011). Agence France-Presse.
Cyberwar: In Digital Combat, U.S. Finds No Easy Deterrent. (January 25, 2010). New York Times.
Hacking the Smart Grid. (April 5, 2010) Technology Review.
New Breed of Hacker Targeting the Smart Grid. (June 1, 2010). Coal Power Magazine.

19 comments:

  1. SCADA system vulnerabilities are beginning to be addressed by SCADA system vendors and consultants by developing new internal firewalls and external monitoring/anti-virus systems. The Security Compliance Institute (ISA) has also begun to certify and test control and SCADA system components to ensure against security threats since 2009 (http://www.isasecure.org/About-Us.aspx).

  2. I would suggest increasing security at the SCADA system as well as on the interconnectivity of the grid system. The increase of firewalls at different stages would trigger warning signals before the cyber attack reaches the main SCADA system, so it would be prevented. Therefore, the damage would be at one point or on one grid.
    Another possibility would be to have an easy disconnection switch for each grid that is connected to a bigger network, so in the case of an attack, after finding the location of the attack, we could easily disconnect the other grid systems from the main grid to prevent a bigger loss of the network. As in the example of the Iranian nuclear plant, that could have been prevented by securing each level of the reactor, so if it gets attacked, then it is disconnected from the rest of the system and network to prevent any more damage.
    One last thing that could be considered is to update the security system every second.

  3. One conceptually simple approach would be to isolate all SCADA-related communications equipment from the internet. In a smaller system, this may only require taking the supervisory computer system offline, but in larger systems (such as a nation-spanning power grid) this may require the development of a large, independent network of computers.

    Quantum key distribution may be utilized to ensure only authorized computers enter this network, and that information transmitted over the network has not been intercepted or modified. (http://www.toshiba-europe.com/research/crl/qig/quantumkeyserver.html)

    This, however, may not be a viable solution for a $3.4 billion budget.

  4. The primary issue that this brings up is that the power system is vulnerable to tampering by a remote unauthorized party. It also has another effect, where a remote unauthorized party could steal private power usage data. Thus the main stakeholders are people using the grid, in that they could have their power access restricted and their private power usage data stolen.
    This is not a special issue. All systems connected to the internet have to deal with preventing unauthorized remote access. There are several companies that have the express goal of helping with cyber security for systems on the internet. One possible resource that I'm aware of is Bruce Schneier, someone who has written volumes about designing a secure system.
    One possible solution would be to have a read only interface between the grid control system and the internet. This would allow the power companies to have remote reading, but without the risk of a remote unauthorized user tampering. This however does not block the possibility of user data being copied by unauthorized parties.

  5. In 2004 the Department of Homeland Security began funding a large-scale research program through Idaho National Laboratories. Their mission was both research and development in cyber security solutions and vulnerabilities to industrial and government energy control and supervisory systems. The outcome of this research was the development of the US-CERT organization (United States Computer Emergency Readiness Team), which provides coordination of security measures and vulnerability alerts to industrial users of SCADA systems as well as vendors and engineering firms developing/maintaining them.
    While Brian's idea of developing an industrial/government interconnected "internet" system for SCADA control systems would indeed reduce and minimize hackers' and terrorist organizations' chances of breaking in, it would have no effect on internal sabotage issues. Unfortunately this would also be a monumental undertaking in execution, construction, design and funding. Therefore continued research and development funding for security measures is necessary, however again never completely adequate. (http://www.us-cert.gov/control_systems/csdocuments.html)

  6. Post 1:

    It seems that my first post was lost. Here is a summary of its content:

    "then sign in using your gmail account and password." I am unable to complete this requirement. Please contact Viji Murali at viji.murali@wsu.edu for more info.

    • Identify the primary and secondary problems raised in the scenario.

    Primary Problem: Poorly designed system connected to the internet.

    Secondary Problem: Poorly designed system deployed.

    • Who are the major stakeholders and what are their perspectives?

    Primary - Utility Customer: Wants cheap, but reliable power

    Secondary - Utility: Wants to be able to easily maintain their systems.
    Secondary - Engineers: Want to minimize work done.

    • What outside resources (people, literature/references, and technologies) could be engaged in developing viable approaches?

    How about GridStat? They do this sort of research.

    Outside resources include: Network Security experts and distributed systems experts.

    • Identify related contemporary issues.

    People want things to work but don't want to think about them. See the TV.

    • Brainstorm a number of feasible approaches to address the issue.

    A secure independent network should be used. If that can't be done, high-end VPN hardware should be used with the secure network and internet on separate isolated (not routed) interfaces.

    • Consider the following contexts: economic, environmental, cultural/societal, and global. What impacts would the approaches you brainstormed have on these contexts?

    Economic: If the power fails industry stops.

    Environmental: Don't fix, no power is good for the environment.

    Societal: People will riot in the streets if there isn't power.

    Global: The world is a problem.

  7. Post 2:

    Amin, you bring up an interesting idea about causing the system to disconnect. The problem I see with this is that an attacker could try to get into the system with the sole intent of causing it to disconnect; this will allow them to then proceed to make physical attacks against the system undetected (because the system is disconnected it will not be able to report errors).

    Brian, I like your idea of an independent network. Your second plan, quantum keys, is still too much of a research idea to be practical. If it does eventually become mass producible, that is the logical next step. (Keep in mind that current quantum computer technology will require a dedicated fiber network anyway.)

    Peter: How do you propose making a read-only system? Using modern digital devices it is very cost-ineffective to implement true read-only interfaces. If one is developed it would still require a private network for the back-end systems to communicate.

  8. As I mentioned in my post, as well as Matt, increasing the firewall security and updating the anti-virus software can help momentarily, but it is not good for long-term security. A secure firewall can be created with good computer skills so that it cannot let any viruses through from the internet.
    Brian mentioned simply disconnecting the SCADA system from the internet, which could be a possible way. I would think, what if the money ($3.4 billion) that is given by the government were spent on making/creating/establishing a new independent network that is isolated from the internet, is able to communicate internally within the SCADA system and power grid, and only power utilities have access to? This way it could help prevent domestic and foreign (terrorist) attacks on US power.
    Andrew mentions quite a few good points, and all of these points are important to consider. We know that power is an essential part of human life, but also, there are some downsides to it. First of all, the environment will be affected so badly. Based on the power source/generation we can define what sort of impact it has on its surroundings besides providing a good service to humans. If the power is generated at a nuclear plant, any damage at the site could have unforgettable consequences for humans and other habitats. If it is generated by coal, air pollution results and the ozone layer gets affected; even if the power comes from water and wind it could harm some species.
    But what if the power is interrupted for a few days or months? Then the economic aspect comes to mind: many industrial areas will be shut down, the price of their products will increase, people will be laid off work, it will be chaos. As Andrew mentioned in his post.

    I would say, in order to have a very secure SCADA system, the money should be spent on making the SCADA network independent of the internet.

  9. Post 2:

    This is the 25th time I've posted this comment. For some reason it keeps getting deleted after about 5 minutes. Whoever is deleting my comments I would appreciate it if you stopped.

    Amin, you bring up an interesting idea about causing the system to disconnect. The problem I see with this is that an attacker could try to get into the system with the sole intent of causing it to disconnect; this will allow them to then proceed to make physical attacks against the system undetected (because the system is disconnected it will not be able to report errors).

    Brian, I like your idea of an independent network. Your second plan, quantum keys, is still too much of a research idea to be practical. If it does eventually become mass producible, that is the logical next step. (Keep in mind that current quantum computer technology will require a dedicated fiber network anyway.)

    Peter: How do you propose making a read-only system? Using modern digital devices it is very cost-ineffective to implement true read-only interfaces. If one is developed it would still require a private network for the back-end systems to communicate.

  10. This is what I posted last night at this time. Luckily, this time I first wrote it in Word and saved it there. This should be my last night's post.

    As I mentioned in my post, as well as Matt, increasing the firewall security and updating the anti-virus software can help momentarily, but it is not good for long-term security. A secure firewall can be created with good computer skills so that it cannot let any viruses through from the internet.
    Brian mentioned simply disconnecting the SCADA system from the internet, which could be a possible way. I would think, what if the money ($3.4 billion) that is given by the government were spent on making/creating/establishing a new independent network that is isolated from the internet, is able to communicate internally within the SCADA system and power grid, and only power utilities have access to? This way it could help prevent domestic and foreign (terrorist) attacks on US power.
    Andrew mentions quite a few good points, and all of these points are important to consider. We know that power is an essential part of human life, but also, there are some downsides to it. First of all, the environment will be affected so badly. Based on the power source/generation we can define what sort of impact it has on its surroundings besides providing a good service to humans. If the power is generated at a nuclear plant, any damage at the site could have unforgettable consequences for humans and other habitats. If it is generated by coal, air pollution results and the ozone layer gets affected; even if the power comes from water and wind it could harm some species.
    But what if the power is interrupted for a few days or months? Then the economic aspect comes to mind: many industrial areas will be shut down, the price of their products will increase, people will be laid off work, it will be chaos. As Andrew mentioned in his post.

    I would say, in order to have a very secure SCADA system, the money should be spent on making the SCADA network independent of the internet.

  11. MATT,

    I agree, it is difficult to remove the threat of internal sabotage of these (or any, for that matter) systems. This is one representation of the 'human element' in the issue, and I believe it is a somewhat chaotic variable to control. There may always be the chance that a disgruntled or mentally unstable employee might attempt to wreak havoc, and if the outside influence is great (being paid off, family members endangered or threatened, etc...) there is the chance that an employee might intentionally do some damage. I believe that it would be difficult to create a foolproof method to circumvent this issue, as I believe it is impossible to determine whether a person is absolutely incorruptible.

    So, how can we keep people from breaking important stuff?

    Quite likely, a (low-level? high-level?) system of checks and balances between individuals is already in place at some, if not all, key points of failure around the country. If this is the case, it may prevent an individual from acting against the well-being of the stakeholders, i.e., everyone who uses electricity and does not prefer to have radiation in the air or drinking water, i.e., everyone who is living in the industrial/post-industrial era, i.e., mostly everyone alive (http://www.worldenergyoutlook.org/database_electricity10/electricity_database_web_2010.htm).

    I believe it would be interesting to further investigate this sub-issue. For my next post, I will try to come up with some research on human-level security, and possibly some ways to further improve it with the $3.4bn in stimulus money.

    -----

    Also, part of the prompt caught my eye when I re-read it before posting today:

    "The worm circumvents digital data systems and thwarts human operators by indicating that all systems are normal, when they are actually being destroyed."

    This leads me to ask: wouldn't it be effective to enact a hardware-level system of checks to ensure systems are running mechanically/electrically/radiologically safe? Several of the same checks could be run in parallel to ensure that, if one indicator or component fails (have you read 'Andromeda Strain' by Michael Crichton?), the operator is still made aware of the condition of the equipment. This would certainly circumvent the issue of software-level intrusions that prevent the operator from seeing a problem, but it may require several more operators to manually monitor all of the equipment to ensure the slightest error does not incur an unnecessarily major shutdown.

    Of course, this also necessitates the ability to shut down a plant (safely) on the hardware level - that is, if we are to follow the same lines of logic that lead to the conclusion of hardware-level monitoring. This process may require very complex logic, especially for nuclear power plants where the shutdown process is quite involved.

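The parallel hardware checks proposed in the comment above can be modelled in software. The example below is added here as an illustration and is not part of the original discussion or any commenter's work: three sensors that the supervisory system does not control are read, voted 2-out-of-3, and the agreed value is compared with what the supervisory (SCADA) display reports, so a falsified "all systems normal" reading is flagged against physical measurements. The channel names, safe band, tolerance and readings are constructed for the example.

```python
# Added example (not from the original discussion): independent monitoring
# with 2-out-of-3 voting, cross-checked against the value a supervisory
# system reports. All channel names, limits and readings are constructed.

from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Reading:
    source: str   # channel name, e.g. "sensor_a" or "scada"
    value: float  # measured or reported value
    ok: bool      # channel passed its own self-test / heartbeat


def vote_2oo3(readings, tolerance):
    """2-out-of-3 majority vote across independent channels.

    A channel is accepted if it is healthy and agrees (within `tolerance`)
    with at least one other healthy channel. Returns (agreed, outvoted):
    `agreed` is the median of the accepted channels, or None when fewer than
    two agree; `outvoted` names the channels that were dropped.
    """
    healthy = [r for r in readings if r.ok]
    outvoted = [r.source for r in readings if not r.ok]
    accepted = []
    for r in healthy:
        if any(o is not r and abs(o.value - r.value) <= tolerance for o in healthy):
            accepted.append(r)
        else:
            outvoted.append(r.source)
    if len(accepted) < 2:
        return None, outvoted
    return median(r.value for r in accepted), outvoted


def assess(reported, sensors, tolerance, low, high):
    """Compare the supervisory system's reported value with the voted value.

    Alarms when the sensors cannot agree, when the voted value lies outside
    the safe band [low, high], or when the reported value disagrees with what
    the independent sensors see (the "display says normal" failure mode).
    """
    agreed, outvoted = vote_2oo3(sensors, tolerance)
    if agreed is None:
        return {"agreed": None, "outvoted": outvoted, "in_limits": False,
                "report_matches": False, "alarm": True,
                "reason": "sensors disagree; no trusted value"}
    in_limits = low <= agreed <= high
    report_matches = reported.ok and abs(reported.value - agreed) <= tolerance
    reason = None
    if not in_limits:
        reason = "voted value outside safe band"
    elif not report_matches:
        reason = "reported value does not match independent sensors"
    return {"agreed": agreed, "outvoted": outvoted, "in_limits": in_limits,
            "report_matches": report_matches, "alarm": reason is not None,
            "reason": reason}


if __name__ == "__main__":
    # Constructed scenario: the display reports a normal value while the
    # independent sensors all read far outside the safe band.
    display = Reading("scada", 50.0, True)
    sensors = [Reading("sensor_a", 140.2, True),
               Reading("sensor_b", 139.7, True),
               Reading("sensor_c", 141.0, True)]
    print(assess(display, sensors, tolerance=1.0, low=0.0, high=100.0))
```

The voter trusts the sensors only collectively: a single drifting or sabotaged channel is outvoted and named, while the supervisory report is never allowed to override what two independent channels agree on. Any automatic shutdown logic hung off `alarm` would still need the safe-shutdown sequencing the comment mentions.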
  12. Well, blogger has eaten my previous post apparently. This has gotten to be a real hassle.

    Looking over our posts, I think we need to take a step back and try and make sure we have a grasp of the problem before trying to offer solutions. Saying more firewalls and layers of protection might be the right idea, but it's general without knowing the issue. It would be a good idea to parametrize a couple of the angles before offering solutions.

    Who are the potential attackers? There will be a significant difference if we are dealing with a kid trying to shut his school's power down for a day, a "terrorist" trying to create wide blackouts, or a shady advertiser trying to steal users' power usage data. The attacker will have access to a separate set of resources and intelligence depending on where they are coming from and what they want.

    The next question is what information or control is most valuable to the attacker? We could secure the power going to people's homes, but then have an attack in the section coming from the power plant. Or we could secure all of the control systems, but still have the confidential power usage data poorly protected.

    In addition, even though we are worrying about the digital security, we also need to cover the physical aspect as well. The best encryption methods are useless if the attackers can get their hands on the hardware and key used to decrypt. A single vulnerable transformer station might be used to stage an attack from inside the system if it is not secured.

    Going back to Andrew's question, now that I think about it, there are ways to make a read only link, but it is expensive and impractical. Also, as mentioned above, if the attacker got inside the system, the one way link is useless.

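The read-only link discussed across the last few comments (comment 4's proposal, comment 7's cost question, and the point just above that it is useless once an attacker is inside) can be sketched as a unidirectional telemetry gateway. The following is an added example, not code from the original discussion or any commenter: the plant side can only write to the link and the business side can only read from it, and the business side accepts nothing but well-formed telemetry frames for known points within engineering limits. The frame format, point names and limits are assumptions made for the example. Consistent with the comment above, the model says nothing about a compromised plant-side host, which still controls what it sends.

```python
# Added example (not from the original discussion): a model of a one-way
# telemetry link with strict parsing on the receiving (business) side.
# Frame format, point names and limits are constructed for this example.

import re


class OneWayLink:
    """Plant side transmits, business side receives; there is deliberately
    no business_tx or plant_rx, so no command path exists in this direction."""

    def __init__(self):
        self._queue = []

    def plant_tx(self, frame: str) -> None:
        self._queue.append(frame)

    def business_rx(self) -> list:
        frames, self._queue = self._queue, []
        return frames


# Assumed frame layout: TLM|<POINT>|<value>|<10-digit unix timestamp>
TELEMETRY_RE = re.compile(
    r"^TLM\|(?P<point>[A-Z0-9_]{1,32})\|(?P<value>-?\d+(?:\.\d+)?)\|(?P<ts>\d{10})$"
)

# Constructed engineering limits for the points the business side may read.
POINT_LIMITS = {
    "SUB7_KV": (0.0, 200.0),   # bus voltage, kV
    "SUB7_MW": (0.0, 500.0),   # real power, MW
}


def parse_outbound(frame: str):
    """Return (record, None) for an acceptable telemetry frame, else (None, reason).

    Anything that is not a telemetry frame for a known point within its limits
    is rejected: the receiver has no notion of commands at all.
    """
    m = TELEMETRY_RE.match(frame)
    if not m:
        return None, "not a telemetry frame"
    point = m["point"]
    if point not in POINT_LIMITS:
        return None, f"unknown point {point}"
    value = float(m["value"])
    low, high = POINT_LIMITS[point]
    if not low <= value <= high:
        return None, f"{point} value {value} outside [{low}, {high}]"
    return {"point": point, "value": value, "ts": int(m["ts"])}, None


def replicate(link: OneWayLink):
    """Drain the link on the business side; return (accepted records, rejected frames)."""
    accepted, rejected = [], []
    for frame in link.business_rx():
        record, why = parse_outbound(frame)
        if record is None:
            rejected.append((frame, why))
        else:
            accepted.append(record)
    return accepted, rejected


def business_side_can_transmit(link: OneWayLink) -> bool:
    """True only if some write path exists from the business side (it should not)."""
    return any(hasattr(link, name) for name in ("business_tx", "plant_rx"))


if __name__ == "__main__":
    link = OneWayLink()
    link.plant_tx("TLM|SUB7_KV|138.4|1303000000")      # constructed, valid
    link.plant_tx("CMD|SUB7_BRK|OPEN|1303000001")      # not telemetry: dropped
    link.plant_tx("TLM|SUB7_KV|999.0|1303000002")      # out of limits: dropped
    print(replicate(link))
    print("business side can transmit:", business_side_can_transmit(link))
```

The value of the model is in what is absent: the business-side object has no method that writes toward the plant, and the parser has no branch for anything but measurements. In a real deployment the link itself would be a physical unidirectional device rather than a Python class, and the cost the comment raises is largely that hardware plus the second, private network the plant-side systems still need among themselves.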
  13. One method I discovered which is being considered is the development of a new microkernel-architecture-based operating system for computer and control systems operating in a SCADA system. This would essentially reduce or limit the lines of code necessary to this dedicated operating system. Systems like this were first utilized for dedicated control systems and are arguably making a comeback for just these SCADA security issues.
    [http://www.ijikm.org/]

    Additionally nano-technology may offer smaller physical security devices which could minimize the threat of physical or insider threats at operation facilities. This is another possible means of developing an elaborate check-and-balance approach to industrial system security.

  14. This comment has been removed by the author.

  15. Post 3:
    I think there are always people who want to attack the system and cause a huge cost to the government and taxpayers, such as domestic and international terrorists, as well as some people who are not mentally stable. Examples of these people are criminals, and those who take out their personal rage at the government by attacking the public utilities. One way to look at this is to have a monitoring system 24/7 on these types of people.

    The important part of this issue is how can we make the system safe enough so it is not easy to be broken into? And if it did happen, how to use an alternative way to provide utility to the people who are the main stakeholders on this issue, so as to prevent any chaos? How to detect any individual computer in the search for malware code?

    Most people here suggested having an independent network; then comes the point of how costly it is going to be. How difficult is it to maintain and keep well serviced? And how can we make it secure? Because when the private network is built, there are always ways that hackers can hack into it. (Although I am not a computer guy.)
    One new thing that I would suggest is to have an international law against hackers/cyber attackers and leave no safe haven area for the hackers. Here in the US we have laws which are well enforced and it is not easy for hackers to attack from inside US soil (only those who do not like to be arrested; if someone does not care, then they will attack from here). But the problem with this sort of law is that other countries need to have a government with no corruption, because otherwise it would be hard to enforce the laws.

    One more thing is to monitor all the computer guys (if possible), because these people are the only ones capable of writing code and implementing it.

    Finally, I would say to have a base operating system for the SCADA system that is only able to read the SCADA functions and activity and does not accept any code that is not familiar to the system.

  16. This comment has been removed by the author.

  17. In regard to profiling potential attackers, wouldn't we want to employ measures that would provide protection against all conceivable attacks, and not just most conceivable attacks - protect against 'worst case' instead of 'most case'? I know this wouldn't be foolproof, but it would provide the best that we can (hopefully) provide in a (hopefully) economic manner.

    We know Stuxnet has occurred, and that it was an advanced attack that implied sophisticated knowledge of SCADA systems. If we then design our systems to protect against most attacks, possibly kids everywhere who are trying to shut down the school's power, aren't we still vulnerable to those who have much more detailed knowledge?

    Basically, I'm concerned that some potential attackers are biding their time, and aren't necessarily going to make a move until conditions meet their criteria for attack. I'm also concerned that the intent of these attacks would be to do major harm, i.e., shut down New York instead of York Elementary. I think we need protection against potentially government-backed attacks (in other words, ones which have a lot of funding and several well-versed people creating them) which may, in fact, be what Stuxnet is. (http://www.telegraph.co.uk/technology/8274009/Stuxnet-Cyber-attack-on-Iran-was-carried-out-by-Western-powers-and-Israel.html)

  18. I have read an article from the internet (Link 1) which talks about cyber-attacks and potential proactive steps that can be taken. Because no matter if we have well-filtered activity that filters any malfunction, or have a well-performing firewall and other anti-malware functions, the intrusion is always one step ahead. On this link, some ways of protection are offered:
    1. Obtaining independent affirmation of the level of security assurance of the technology that is going to be installed
    2. Using EAL 6+ high-robustness security, which is the level of US government protection

    One way that could be suggested to protect the power grid from any cyber-attack is to let the government have access to the facility electronically (based on the ECPA act of 1986 this is not possible without authorization), because having the government involved in participating in the security and looking for any potential threat could be helpful.

    As Brian mentions in his post, there is another potential concern that could happen and cause very severe harm: not considering a low-level attack, such as a school's power shutdown, that could shut down the whole of New York.

    Link 1:
    http://www.securityweek.com/how-stop-cyber-attack-it-happens

  19. I spoke to Peter last week about his last post - the one about characterizing potential attackers. When talking to him, I realized that I mistook the meaning of his post - I was thinking of severity when he was thinking about type.

    It could be interesting to look at the potential holes left open by only considering large-scale and severe attacks - are there lower-level holes in security that are still left open? If left exposed, will they translate to a greater problem later on? What could these holes be? What aren't we considering?

    Off hand, I can think of at least one way that one might be able to tamper with the system. Namely, initiate a fault in one way or another. It would probably be hard to protect against someone intentionally faulting the system - of course, intentionally creating a fault for the purpose of causing a major outage would likely be a very dangerous (meaning unlikely, hopefully) caper!
