By: Joe Weiss
Protective relays are critical to the operation of the electric grid and to the protection of large electrical equipment in many industries, including electric power, nuclear, and manufacturing. Protective relays were originally electro-mechanical switches, but they have progressed into complex networked digital devices with enormous computing capability, making them intelligent electronic devices (IEDs). Consequently, IEDs are now cyber vulnerable from both IT network and control system issues. In March 2007, the Idaho National Laboratory (INL) demonstrated the Aurora vulnerability by using IEDs to damage large rotating equipment, in this case a generator. The test assumed that the IEDs could be accessed. DOE has spent considerable sums of money to improve the cyber security of protective relays. However, it took less than a day for cyber security researchers (Mission Secure, Inc., MSI) with NO power industry experience to compromise a very common industry IED, the SEL-751A (see the 7/22/16 blog). The purpose of this exercise was not to single out Schweitzer but to demonstrate the generic vulnerabilities of IEDs and the lack of external security around them. Not every IED is critical, but some are very critical and must be protected. A typical mid-sized utility may have hundreds or even thousands of substations and many thousands of IEDs, but only a small percentage of those IEDs protect critical loads. These critical loads may be in transmission or distribution applications.
There continues to be reluctance among many to believe that the grid can be cyber vulnerable or that equipment can be damaged by a cyber attack. Consequently, we will be providing a demonstration at the 2016 ICS Cyber Security Conference (www.icscybersecurityconference.com) in which we take an SEL-751A used in a traditional motor control setting, compromise the SEL-751A, and then take control of the motor. The cyber attack demonstration will highlight a loss of control of the relay, how that loss affects an end device such as a motor, and how all of this can be hidden from the operator. The attacks include an adversary gaining access to the relay, taking control of the relay, locking out administrators, changing the relay's configuration, and taking control of a motor. In addition, the attacks will be masked to leave no trace, making it difficult for an operator to troubleshoot the disruption or determine that it was caused by a cyber attack, let alone prevent it from happening again. I have asked Mike Swearingen, a utility relay expert with more than 20 years of experience who has served on numerous NERC and DOE committees and projects, to oversee the demonstration and assure its relevance. Mike will explain the relevance and significance of the test.
Protective relay issues can have real impacts. The 2008 Florida outage shut down power to approximately half the state of Florida for 8 hours because of relay setpoint changes. The 2015 Ukrainian hack shut down power to 230,000 customers by remotely opening breakers. Refinery equipment was damaged by the use of wrong relay settings. A nuclear plant experienced a loss-of-off-site-power condition (the Fukushima condition) after every plant scram because of wrong relay settings. Given these actual cases, it should be evident that compromising relays can have very significant impacts. Consequently, the lack of appropriate cyber security for IEDs should be addressed as soon as possible.
Demo: Hacking a Protective Relay and Taking Control – the Grid is at Risk