Alexander Damisch, industrial business manager for embedded software solutions provider Wind River, discusses the vulnerability of power plant control systems in the wake of recent hacking attacks on power plant SCADA (supervisory control and data acquisition) systems.
Alexander Damisch, Wind River, Austria
These days, one often sees presentations of visions for the perfect European power network. These scenarios foresee widespread renewable energy all over the continent, or a virtual European power plant, or a European ‘smart grid’, and all those other buzzwords.
These presentations picture all of Europe, plus parts of North Africa, as effectively one giant power plant, with a full grid network. And whenever there is too much power from solar arrays in North Africa, and not enough power in a cold Austria in winter, there will be no problem in transmitting power from one to the other. In this world, everything is perfect.
The picture is compelling. But the complicated thing is having a full grid network across all these states, which means more than just putting frequency into a power line in one country and hoping that this meets the power demand on the other side. You really need a demand-driven network where you know exactly how much the other side needs, so that anything from a whole power plant could be shut down, down to the more efficient private home where one can switch on the washing machine when it is most efficient, and not during the football match when everybody jumps up to grab a beer from the fridge.
A lot of this is already happening today on a smaller scale, but it means you have to have open standards where different power sources, different distribution networks and end-users can communicate openly. However, this very openness itself opens up the threat of hacking.
The threat of power plant hacking
When we talk about hacking, it’s usually about PCs or credit card fraud. Rarely do we think about power plants going south or an entire nation’s energy network going down. But that’s exactly the threat that we are facing today.
The recent Stuxnet[1] worm incident that hit SCADA systems shows how easily it can be done. It doesn’t even need someone to break in. Even US national security agencies are vulnerable. In 2008, the Pentagon was hacked into via a USB stick. The stick was placed in the laptop bag of an employee and, out of curiosity, he plugged it into his laptop in his office; suddenly the entire high-security network was exposed.
It may sound like something from a James Bond film, but there is a threat that the US power grid could be brought down by a hostile country, or terrorists. And it is much easier than bringing explosives across borders.
Just by using a USB stick, it is possible to hack an entire network, and it is very difficult to stop it. Just imagine how many devices need to be updated and how many of these devices operate remotely, where you have to send service engineers. The cost for the power industry is unbelievable, and the only reason is that security was an afterthought.
Who would ever hack a power plant? Totally unthinkable. But today there is even a worm for a specific supplier of SCADA systems. I do not wish to point fingers, but it is something that many SCADA system suppliers didn’t even think about.
PROTECTING POWER PLANTS
When we talk to our customers, they demand a clear strategy to ensure nobody can hack their devices to bring them down or steal data. We can deliver a smart solution to handle this.
If you have an Internet connection, you need to look at the communication channels. Wind River is the first embedded real-time operating system vendor to deliver an out-of-the-box solution offering communication channels, such as Ethernet, that are certified against cyber attack.
If one looks at the entire architecture and whether devices like HMIs (human-machine interfaces) have connectivity somewhere to an enterprise resource planning (ERP) system – where you collect information about downtime and so on – you would usually have a standard IT infrastructure, in many cases using Windows or Linux, which can create vulnerability.
BACKING AGAINST HACK ATTACKS
A British utility recently asked me what would be the smartest way to make sure that its systems are future proofed against a smart hacking attack in five years’ time, so that they don’t have to update all their systems at enormous cost.
The key is to make a clear distinction between what’s vulnerable and what’s not. What our Hypervisor system customers use is something we call time and space separation. That originally comes from the aerospace industry, and initially it was highly expensive, but it has become so mainstream that we can deliver it to our customers for their standard systems. We allow them to run an HMI, typically running Windows, and whatever program is run, it will not influence the highly critical real-time system on the same computer. You don’t even need to add extra computers.
So the answer is simple engineering: separating the systems in time and space, so that if one part of the system is intruded upon, it cannot bring down the critical systems. Diverse but consolidated systems are therefore essential. If systems are separated at the hardware level instead, you increase not only hardware costs but also the cost of maintenance.
With the Hypervisor time and space layer, on one CPU you can have the Windows system running alongside a real-time system like Wind River VxWorks, yet the systems remain totally separate. That means it is impossible for one system to bring the other down by consuming all the CPU time, for example, and neither is it possible for it to overwrite the other’s memory, as that memory is protected.
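The two guarantees described above, a bounded CPU window and a private memory region per guest, can be shown with a small model. The following is an added example, not Wind River or VxWorks code: it models a static cyclic schedule and a per-partition memory map, and contrasts it with an unpartitioned CPU on which a runaway HMI guest starves the real-time guest. Partition names, budgets, frame length and addresses are constructed values.

```python
"""Time-and-space partitioning on one CPU, modelled in a few functions.

Added example (not Wind River code): a static cyclic scheduler and a
per-partition memory map. Names, budgets and addresses are constructed.
"""
from dataclasses import dataclass

MAJOR_FRAME_US = 10_000  # one scheduling cycle; constructed value


@dataclass(frozen=True)
class Partition:
    name: str
    budget_us: int   # CPU window granted inside each major frame
    mem_base: int    # private RAM region [mem_base, mem_base + mem_size)
    mem_size: int


@dataclass(frozen=True)
class Demand:
    name: str
    cpu_us: int          # CPU time the guest tries to burn this frame
    writes: tuple = ()   # addresses the guest tries to write


def schedule_unpartitioned(partitions, demands):
    """No time separation: the first guest keeps the CPU until it yields,
    so a spinning HMI leaves nothing for the real-time guest."""
    left = MAJOR_FRAME_US
    served = {}
    for d in demands:
        got = min(d.cpu_us, left)
        served[d.name] = got
        left -= got
    return served


def schedule_partitioned(partitions, demands):
    """Static cyclic schedule: each guest gets at most its own window,
    whatever the others demand."""
    budgets = {p.name: p.budget_us for p in partitions}
    assert sum(budgets.values()) <= MAJOR_FRAME_US, "frame over-subscribed"
    return {d.name: min(d.cpu_us, budgets[d.name]) for d in demands}


def check_writes(partitions, demands):
    """Space separation: a write outside the writer's own region is
    trapped by the hypervisor and never reaches the other guest's RAM.
    Returns the list of (guest, address) writes that were trapped."""
    regions = {p.name: (p.mem_base, p.mem_base + p.mem_size) for p in partitions}
    trapped = []
    for d in demands:
        lo, hi = regions[d.name]
        for addr in d.writes:
            if not lo <= addr < hi:
                trapped.append((d.name, addr))
    return trapped


# Constructed scenario: a Windows HMI guest that spins forever and pokes
# at memory it does not own, beside a VxWorks-style real-time guest.
PARTITIONS = (
    Partition("hmi", budget_us=6_000, mem_base=0x1000_0000, mem_size=0x0800_0000),
    Partition("rt", budget_us=4_000, mem_base=0x2000_0000, mem_size=0x0100_0000),
)
DEMANDS = (
    Demand("hmi", cpu_us=10**9, writes=(0x1000_0040, 0x2000_0010)),
    Demand("rt", cpu_us=3_000, writes=(0x2000_0100,)),
)

if __name__ == "__main__":
    print("unpartitioned:", schedule_unpartitioned(PARTITIONS, DEMANDS))
    print("partitioned:  ", schedule_partitioned(PARTITIONS, DEMANDS))
    print("trapped writes:", check_writes(PARTITIONS, DEMANDS))
```

On the unpartitioned CPU the real-time guest receives zero microseconds in the frame; under the cyclic schedule it receives the 3,000 µs it asked for inside its 4,000 µs window, and the HMI's write into the real-time region is recorded as a trapped fault rather than landing in that memory.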
The vulnerability of power plants
To a certain extent, all power plant systems are vulnerable. Those that have separated their systems are less vulnerable, but the more consumer technology is used, i.e. Microsoft Windows, the higher the risk. Windows is essentially vulnerable, as it is a highly attractive target for hackers. And Microsoft may not be especially concerned with whether Windows is totally bullet-proof in terms of SCADA systems, as the power industry is not where it makes most of its money.
But even if you have an operating system that is very stable, if you are not constantly updating it (which is very expensive), you have to have a strategy to deal with hacking. The problem should be solved by making sure the communication channels cannot be hacked, but also on the architecture level.
Iran’s Bushehr nuclear plant, the apparent target of a hacking attack by a government agency
The ISA99 Industrial Automation Control Systems and Security standard talks about dealing with security. The certification we did for our VxWorks customers is based on that standard’s recommendations. There is a huge database of known vulnerabilities and how to deal with them.
For the customer, the question is: “What shall I do to make sure I really took the right steps in case something happens five years from now?” And, if something does happen, whether they did everything they could to prevent it. Do I really have the right answer?
There’s huge uncertainty in the market over this because there is no real standard that is totally clear and dominating, and which states clearly you have to do this and that. The industry does have the MILS (Multiple Independent Levels of Security) – a clear standard which makes sure everything is totally separated. This is used worldwide – the CIA and US National Security Agency use it – but while it works perfectly well, it is also very expensive.
Wind River offers a MILS product, but it doesn’t really apply to the power industry as it is based on military technology and a little too heavyweight. But industrial applications really need something like the MILS standard and that’s exactly where our ideas about architectural changes come in.
There also needs to be clear regulation about power plant security. Oil and gas companies require certification to make sure known vulnerabilities are addressed. If a power plant is hacked – in the worst case, let’s say somebody is dying – what would happen? Liability issues would be raised immediately and the court would ask to be shown that the company did everything it could to prevent this. To do this, you have to prove that the technology used was the best available at that time. Every regulation is driven by the cost of liability. If there weren’t huge potential liability costs, nobody would have a certification or regulation for anything.
So people have to look at what’s state-of-the-art, and that’s what’s happening today. Our customers are coming to us and saying, “We have been using your operating system for 15, 20 years. Luckily we haven’t had any problems so far, but now everything is connected to the Internet – what can you do to make it secure?”
We use state-of-the-art solutions, but whether in future this will be something required by regulation I cannot say. It is obvious, though, that our customers are going down that path, so that if something goes wrong they can prove they had everything possible available at the time to avoid any problem.
Smart meter vulnerability
Smart meters are another vulnerable part of the network. They have to communicate over a standard mechanism. There are over 14 billion electro-mechanical meters in the European Union. Exchanging them with smart meters using a proprietary standard would be impossible. Smart meters are very hackable, which creates two main risks.
An aerial view of Iran’s Bushehr reactor. Source: GeoEye
Firstly, they can be hacked to obtain information about power demand. By hacking into smart meter infrastructure, the smart grid could be fooled into thinking that a small city needs a lot more power. This has the potential to bring down the whole system.
The other is billing information. Why couldn’t an evil genius hack into billing information and claim that they didn’t use any energy? In the US, California utility Pacific Gas & Electric found that many private households were deeply unhappy about wrong billing information. We don’t know if someone hacked into the meters or something simply went wrong with the billing system, but we have already seen vulnerabilities with smart meters that point to future problems. With all the recent coverage about hacking, it is only a matter of time before an under-utilized 16-year-old discovers the potential fun of messing around with the smart meter in the home. Another scenario is a burglar hacking into the smart meter data system via the Internet to find out whether a certain property is using any electricity or not.
The Netherlands has decided it does not want to install smart meters in every home because they contravene the European Convention on Human Rights, as it is not clear what data is being transferred, whether the data is secure, whether a neighbour can find out what is being transferred and so on. There are huge issues with smart meters, not only with hacking, but also over the integrity of the data transfer.
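The two risks named above, forged demand figures and forged billing figures, plus the data-integrity concern, all come down to the head-end accepting readings it cannot verify. The following is an added example, not from the article or any meter vendor: each reading carries an HMAC over (meter id, sequence number, cumulative kWh), and the utility head-end rejects readings with a bad tag, replayed readings, and a register that runs backwards. Keys, meter ids and readings are constructed sample values.

```python
"""Authenticated smart-meter readings at a utility head-end.

Added example (not from the article or any vendor): readings are tagged
with an HMAC so edited billing figures and spoofed or replayed demand
reports are rejected. Keys, meter ids and readings are constructed.
"""
import hashlib
import hmac
import json


def canonical(meter_id, seq, kwh):
    """Stable byte encoding of the fields that the tag covers."""
    return json.dumps({"meter": meter_id, "seq": seq, "kwh": kwh},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_reading(key, meter_id, seq, kwh):
    """What the meter sends: the fields plus a tag only a key holder can make."""
    tag = hmac.new(key, canonical(meter_id, seq, kwh), hashlib.sha256).hexdigest()
    return {"meter": meter_id, "seq": seq, "kwh": kwh, "tag": tag}


class HeadEnd:
    """Receiving side: verifies the tag, then applies plausibility checks."""

    def __init__(self, keys):
        self.keys = keys   # meter id -> shared key
        self.last = {}     # meter id -> (seq, kwh) of the last accepted reading

    def accept(self, msg):
        key = self.keys.get(msg.get("meter"))
        if key is None:
            return False, "unknown meter"
        expected = hmac.new(key, canonical(msg["meter"], msg["seq"], msg["kwh"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad tag"   # edited fields or a message without the key
        prev_seq, prev_kwh = self.last.get(msg["meter"], (-1, 0.0))
        if msg["seq"] <= prev_seq:
            return False, "replay"    # an old report sent again
        if msg["kwh"] < prev_kwh:
            return False, "register went backwards"  # cumulative register cannot shrink
        self.last[msg["meter"]] = (msg["seq"], msg["kwh"])
        return True, "ok"


METER_KEY = b"constructed-sample-key-for-meter-M-0042"  # constructed, per-meter secret


def demo():
    """Runs the constructed scenario and returns each outcome by label."""
    head = HeadEnd({"M-0042": METER_KEY})
    good = sign_reading(METER_KEY, "M-0042", seq=1, kwh=1200.5)
    results = {"genuine": head.accept(good)}
    # Billing risk: the same message with the kWh field edited to zero usage.
    results["edited_kwh"] = head.accept(dict(good, kwh=0.0))
    # Integrity risk: the genuine message delivered a second time.
    results["replay"] = head.accept(good)
    # Demand risk: a report with an implausible load but no valid tag.
    spoof = {"meter": "M-0042", "seq": 2, "kwh": 9_000_000.0, "tag": "00" * 32}
    results["spoofed"] = head.accept(spoof)
    results["next_genuine"] = head.accept(
        sign_reading(METER_KEY, "M-0042", seq=2, kwh=1201.0))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:13s} -> {outcome}")
```

The tag check is what stops an edited or fabricated reading; the sequence and register checks add defence in depth against replays and against a meter whose key has leaked, since neither can make a cumulative register shrink or a counter go back.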
The rapid change in the power industry, by having everything connected to the Internet, is catching people on the hop. Preparedness has become a key challenge.
1. Called Stuxnet, the worm (virus) is the first publicly identified piece of malware to target industrial SCADA systems. Upon insertion of an infected USB stick, the worm copies itself to other USB devices on the computer and looks for Siemens Simatic WinCC or PCS 7 software. If it finds one of these programmes, it tries to upload data from the systems to the Internet using a currently unknown vulnerability in the controller’s software and changes its code in unknown ways. An infestation by the Stuxnet worm is rumoured to have delayed the start-up of Iran’s Bushehr nuclear power plant in September. Detailed analysis by anti-virus software company Symantec suggests Stuxnet is likely to be the work of a government agency.