Friday, September 28, 2007

Aurora Cyber-Attack - destroyed $1 million generator

The generator room at the Idaho National Laboratory was remotely accessed by a hacker and a $1 million diesel-electric generator was destroyed. (U.S. Homeland Security photo)

A dozen or so newspapers yesterday (September 27) published a story on a simulated cyber attack on U.S. power grid infrastructure which succeeded in destroying the test generator. The "Aurora Generator Test" was conducted in March 2007 by the U.S. Department of Homeland Security and involved the remote accessing of a generator control station by a foreign hacker. It resulted in the partial destruction of a large $1 million diesel-electric generator. The Associated Press based its story on a copy of an official videotape it obtained on Wednesday. The full A.P. story can be found at the CHINA DAILY website: http://www.chinadaily.com.cn/world/2007-09/27/content_6139437.htm

The simulated cyber attack was at the Idaho National Laboratory which is principally a nuclear powerplant testing facility. The massive diesel generator used in the test was removed from the Alaska power grid and transported to the vast testing complex located in the desert near Idaho Falls. Details of the Aurora test were leaked within a few days of its completion by a loose-lipped Homeland Security employee who showed it to a conference in Atlanta. The A.P. persisted for six months until they secured a copy of the tape.


Vancouver Incident:
Coincidentally, Vancouver, B.C. suffered its own "Aurora" attack yesterday, which is alleged to have been perpetrated by one of the 5,000 striking members of C.U.P.E., the civic employees union that has been picketing the employer for 71 days. The municipality's central computer system was hacked and the control of dozens of downtown traffic signals was sabotaged. The computer's clock was reset by seven hours, and it began to direct downtown left-turn signals to revert to shorter night-time intervals. The saboteur then called an all-traffic AM radio station to boast. He identified himself as "C.U.P.E." and warned that traffic snarls would continue until the strike is over.

This is the type of emerging crime which will interest cyber-security experts here at the campus of B.C.I.T., where they maintain British Columbia's premier database on cyber-attacks on industrial and public infrastructure, the Industrial Security Incident Database. An interesting PowerPoint presentation was prepared by Eric J. Byres, B.C.'s leading expert on SCADA threats, and it is a quick read. It can be found at: http://cansecwest.com/slides06/csw06-byres.pdf

Back in 2003 Mr. Byres provided expert testimony to an investigatory panel of the U.S. Congress on "Security of Industrial Control Systems in National Critical Infrastructures", and he is likely consulting on critical U.S. research initiatives such as the Aurora tests.

Experts in Supervisory Control and Data Acquisition (SCADA) system vulnerability have long believed that the major threat was internal: disgruntled employees seeking revenge, or perhaps staff who recklessly share access data with political activists or criminals. That was the case between 1982 and 2000, but changes have arrived along with the commonality of software used in control systems and the greater reliance on employee remote access. Many attacks are now arriving via the Internet, but there are other vulnerabilities managers do not like to discuss. More interesting, the B.C.I.T. team has noted a new vulnerability: specialized I.T. equipment mated to equipment at the point of manufacture (compressors, cooling units, valves, and electric generators) is being sniffed out by hackers and in some cases tampered with, as demonstrated in the Aurora Generator Test. Foreign or domestic terrorists will employ the same knowledge as hackers, and as we saw with the recent Russian cyber-assault on Estonia, an entire country can live in misery for weeks before the intruders are overcome.

Update Oct13 - I had crossposted this to a MILnews site... I just checked and saw it got 1,350 reads. Goes to show I should crosspost more often.

Update: Jan. 13, 2008 - Since writing this blog I've collected many examples, but a new (January 11/08) story out of Poland is my favorite. "A Polish teenager allegedly turned the tram system in the city of Lodz into his own personal train set, triggering chaos and derailing four vehicles in the process. Twelve people were injured in one of the incidents. The 14-year-old modified a TV remote control so that it could be used to change track points..." Described as an electronics buff and an exemplary student, the lad had notebooks full of observations made of the tram system. In other words, he picked his target, did his recon, and then modified a simple household device which gave him control over a public utility.

2 comments:

Adriel Desautels said...

We've been talking about these threats and risks for well over half a decade now. Maybe now people will start to take our concerns seriously.

Spy Guy said...

More than money is at stake. Lives could hang in the balance. Computers have germinated almost every aspect of our lives. It is difficult to do anything nowadays without a computer being involved. Hacking of computers and networks has grown to epidemic proportions and continues to spread virtually unchecked. Computers are no stranger to the healthcare profession. Computerized imaging, blood analysis and heart monitoring have been around for years. That being said, the threat of compromised or contaminated hardware and software has taken on an increased sense of urgency lately.

Medical devices such as pace-makers, defibrillators and other medical devices communicate over short distances via radio waves. This is required for changing settings and other critical functions, as they permit doctors and other healthcare providers to monitor and even tweak the settings as needed without the need for surgery. While beneficial, this communication can be exploited for more sinister activities.

On March 12, 2008 the Wall Street Journal reported that a doctor had teamed up with a computer scientist to hack into an ICD (implantable cardio defibrillator) that was introduced into the U.S. market back in 2003. The hacking team reverse engineered the communication protocol used to remotely access the device. They reconnected to the ICD and attacked it in such a way that could compromise patient safety. This is quite concerning given that pacing and ICDs are increasingly being used in the management of arrhythmias and a number of different cardiac conditions.

A most likely attack scenario in one cyber security expert’s opinion is a portable computer with radio frequency communications capability armed with malicious code that would reprogram an implanted pacemaker being used in highly populated areas or events. Reprogramming must take place very close to the device so this would not be a massive attack weapon, but possibly a cyber assassination tool.

This is yet another warning sign of how exposed we are to cyber attacks. Manufacturers should take security precautions to prevent malicious code being inserted during production of all computer controlled equipment. While we are not aware of any actual events of medical device tampering or hacking, there are other devices that recently were found to have been contaminated with malicious code at the point of manufacture and shipped to businesses and consumers. It should also be noted that the FDA (Food and Drug Administration) has the oversight on medical devices and has stringent approval requirements that must be met, as well as ongoing monitoring and reporting of any issues or problems encountered.