
Computer security for utilities is a cause for concern

25 July 2008

Hackers pose a serious risk to utilities' computer networks, but few companies want to talk about it, finds Keith Nuthall.

Last May, a co-ordinated attack on essential computer networks in the tiny Baltic republic of Estonia set nerves on edge among European internet security specialists. Following the removal of a Russian war memorial from the centre of the country's capital, Tallinn, a still-unidentified group of computer users bombarded Estonian political, government, media and banking websites with so much data that they were forced offline.

For utilities, incidents of this type prompt some serious questions. How secure are utility computer networks against cyber attacks? And what is being done at European and international level to address the threat?

Part of the problem in trying to gauge the extent of the threat is that utilities (like most companies and public organisations) are reluctant to talk about it. They do not want to admit the possibility of their networks being hacked, because once a cyber criminal is roaming around their internal networks, data can be stolen, programs can be corrupted and systems sabotaged to the extent that they can be shut down. But rest assured the threat is real.

In January, senior CIA cyber security analyst Tom Donahue claimed that hackers had attacked the computer systems of utility companies outside the US, causing on at least one occasion a power blackout in several cities.
"We do not know who executed these attacks or why, but all involved intrusions through the internet," Donahue, the CIA's top cyber security analyst, told a New Orleans gathering of 300 American, British, Swedish, and Dutch government officials and engineers from utility and other network operators. Donahue said: "We have information from multiple regions outside the US of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge."

Networks targeted
As regards the Estonian attacks, there were reports that electricity networks were targeted, with a small power plant being taken down temporarily. However, Jose Nazario of Arbor Networks told Utility Week that he had seen no hard evidence of this.
Concerns keep surfacing about utility vulnerability, especially in the US with its high level of government transparency. In May, America's largest public power company, the Tennessee Valley Authority, was accused by a US Government Accountability Office report of being vulnerable to cyber attacks. With its computer systems directing electricity to more than 8.7 million customers, the report raised concerns by concluding "both its corporate network infrastructure and control systems networks and devices were vulnerable to disruption".

In Russia, there have been reports that hackers took control of a gas pipeline for a day in 1999. In January 2003, a rapidly spreading virus disabled a safety monitoring system at Ohio's inactive Davis-Besse nuclear plant for five hours. And last March, the US Department of Homeland Security conducted a controlled experiment involving hackers breaking into the computer network of a replica power plant, changing its operating cycle and sending it out of control.

To some degree, plain common sense tells us that utilities could be attacked by hackers using the internet, just as any company could. Utility assets are maintained by computers and inevitably many of them use networks, such as the supervisory control and data acquisition systems long used by electricity companies. To some degree or other, most are accessible online. While access may be restricted to specific portals, and firewalls may be employed to prevent unauthorised browsing of data, determined hackers can break into most networks.

Secrecy
Secrecy makes it difficult for companies to keep up to date with the competence of hackers and therefore the likely threat they present. A utility is unlikely to issue a press release drawing attention to the fact that it has been attacked. UK-based senior network security consultant Martin Voelk says: "Information like this is usually not made publicly available. If it happens, companies try to disguise it. And consultants cannot disclose this kind of information."

Among the utility organisations contacted by Utility Week, National Grid gave a typical response. "We take precautions against all kinds of security threats," a spokesman said. "For security reasons we do not comment on the measures taken to protect our systems."

These measures are understood only by those with a depth of knowledge about computer systems that is beyond that of the average utility manager. It is little wonder, therefore, that many utilities buy in the expertise they need. Essentially, systems they put in place are larger and more sophisticated versions of the computer security recommended for home internet use, involving passwords, intruder detection systems, firewalls, the encryption of messages, anti-virus monitoring and the like.

These solutions do not come cheap. Security systems for a small network with 100 computers could cost £7,500 and for those involving 1,000 computers, it could be as much as £30,000. For a municipal water utility or small local power firm serving a community network, this is serious money. Voelk says: "Security is a background cost that does not give immediate and obvious benefit, unless a company falls victim to an attack. It is difficult to make that clear to an enterprise from a sales point of view."
The same is true about paying for advice and training. Voelk says a key emerging risk is from employees within a utility, not anonymous hackers trying to use their expertise to gain access to a system. After all, employees have the passwords and authorised access anyway, and may work from home using their laptops.

Access control
"You need to control who has access to controlling devices within a network," he says. He also says companies need to have rules about what third party software can be installed on employees' laptops, to prevent the inadvertent installation of malicious software that could allow hackers access to a network. These kinds of complex guidelines need to be designed company by company and it costs time and money to do so.

Governments and international organisations are also taking the threat of cyber attack more seriously. The European Commission, for instance, is concerned that there is insufficient co-ordination between European Union member states with regard to internet security.
At present, there is no body at EU level to operationally co-ordinate responses to cyber attacks from outside the EU. There is an agency temporarily responsible for the subject area, the European Network and Information Security Agency (Enisa), but it is based far from Europe's urban centres in Crete, Greece, and does not have an operational role. Rather it investigates internet security problems within Europe and makes recommendations for policies. It also advises network operators on how to protect themselves.

This work has been welcomed by the Commission and others, but there is concern in Brussels that this is too weak a response. As a result, information society commissioner Viviane Reding has said that early next year she will release a detailed policy paper "aimed at improving the preparation and the response capability at the European level" against cyber attacks. In the meantime, Enisa will continue in operation. Its current mandate was due to expire in 2009, but it has now been extended to 2012. Nato has decided to set up its own operational unit, declaring at its Romania summit in April that it wanted to develop "structures and authorities" to create co-ordinated responses to cyber attacks on member countries.

Nato defence
This work will be overseen by a Nato Cyber Defence Management Authority (CDMA), although - disappointingly for the Estonian government and other eastern Europeans - cyber attacks will not require member countries to automatically offer mutual assistance. The requirement is merely that Nato members consult each other in the event of an internet attack on computer networks.

Nonetheless, the Brussels-based CDMA will help reinforce national systems, creating central lines of communication and developing strategies for future threats. Furthermore, seven Nato countries have agreed to establish a Co-operative Cyber Defence Centre of Excellence in Tallinn, Estonia. It will conduct research and training on cyber warfare and employ a staff of 30, half of them specialists from the sponsoring countries, Estonia, Germany, Italy, Latvia, Lithuania, Slovakia and Spain.
For further information visit: www.enisa.europa.eu or www.martinvoelk.com
Keith Nuthall is a freelance journalist.
