Shut down power grid? There's an app for that

Power lines

A new report from the respected think tank Pike Research has concluded that the world's electrical grid security is in a state of "near chaos."

The report titled "Utility Cyber Security" states "the attackers clearly have the upper hand" and that many of the attacks on the electrical grid cannot be prevented.

The electrical grid is suffering from aging infrastructures with older equipment having no security built into it, the report says. Much of the equipment is decades old, and the only security it has is what is called in the security industry "security by obscurity," a term that describes attempts to use the relative rarity of a system as the only defense against cyber attack.

Can America Survive?: 10 Prophetic Signs That We Are The Terminal Generation - (Hardcover)

TRENDING: Had Obama not played the race card, George Floyd might be alive

While Pike estimated a total of $14 billion will be funneled into the national power grid between now and 2018, with 63 percent of that devoted to cyber security, a "$60 piece of software can bypass an entire defense-in-depth implementation."

The report explains this is largely due to a lack of consistent standards and warns the shutdown of a local electrical grid can cause a "cascade effect" and deprive an entire region of power.

According to the report, industrial control systems are vulnerable, especially in light of the discovery of Stuxnet, a virus that targeted the control system software at Iran's Bushehr nuclear facility causing severe damage.

"Stuxnet was a mission and not simply a piece of malicious code," the report says. "It was not detected until after it had accomplished its purpose and, most likely, evaded detection for more than a year after its release. Few utilities, vendors or analysts are willing to discuss that even more sophisticated attacks may now be in process, which, so far, have completely evaded detection."

The Stuxnet virus has been rewritten in a common programming language called C++ and is available for download from several hacking sites.

To illustrate the weaknesses of the systems, the report pointed to a $60 smart phone app that could reach a WiFi-enabled supervisory control and data acquisition (SCADA) system and potentially give a hacker control over parts of the system. The application uses the WiFi capability of the smart phone to access a programmable logic controller (PLC) and take control of the controller's operation.

Hiding behind obscure software programs is no longer a protection for the electrical grid. Hacking conferences are starting to offer classes in how to hack into industrial control systems. They are giving demonstrations on how control systems work and that SCADA systems, directly connected to the Internet, can be easily located and penetrated.

"Hacktivists"  -- people who use computer hacking as a means to promote a social agenda -- could point, click and shut down an entire electrical network from anywhere in the world, the report notes. The hackers do not have to be experts on computer systems or process control networks; instead, these systems could be "accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations." Many of the software programs needed to shut down parts of the national power grid can be downloaded from the Internet.

Attempting to protect the electrical grid components from cyber attack is almost impossible as they are often old, expensive and designed to last for decades before replacing them, the report suggests.

"SCADA networks must support a mix of old and new, possibly for another 30 years until all the old devices' service lives have run their course," the report explains.

The threat is not science fiction. In an experiment caught on video and released on the Internet, an electrical power generator was hacked and damaged remotely. According to CNN, the experiment, dubbed "Aurora," was conducted in 2007 by the U.S. Department of Energy.

"DHS acknowledged the experiment involved controlled hacking into a replica of a power plant's control system," said CNN. "Sources familiar with the test said researchers changed the operating cycle of the generator, sending it out of control."

The video:

It is estimated that by the end of 2015 the United States will have over 440 million hackable points of entry into the national power grid, and the utility companies are far behind the hackers for control of their systems. Security is only as strong as its weakest link, and the best attackers know instinctively to look for that weak link, the report says.

The report goes on to state that no enforceable smart grid security standards exist anywhere in the world for power distribution grids. There is also no audit or certification process for the grid's security. The only security that takes place is to comply with government guidelines.

Mark Weatherford, vice president and chief security officer, North American Electric Reliability Corp., wrote, "The interoperable design of smart grids, unless carefully planned and operated, can provide avenues for intentional cyber-attack or the unintentional introduction of errors that impact bulk power system reliability."

Joel Gordes, president of West Hartford consultant Environmental Energy Solutions, reported in the Hartford Business Journal, "Our entire society is dependent on two things: electricity and telecommunications. It makes us vulnerable. Remember, we are linked into one large grid, so if one goes down, it could all cascade."

In one case, a power blip in Ohio caused a blackout throughout much of the eastern U.S. in 2003.

In the meantime, the report notes that without a strong set of enforceable guidelines with penalties, U.S. electoral grid operators would not spend the funds needed to properly secure their networks.

The report states, "This lack of enforceable requirements leads to a scene of mass chaos in utility cyber security. Many utilities – as with large companies in any industry – will only invest in cyber security when financial punishment for not investing is threatened, similar to failing an audit and being fined."

Stuxnet showed "assume nothing" and "security by obscurity will no longer be acceptable." Now there's a potential new threat, the son of Stuxnet, Duqu, and cybersecurity experts are worried there may be other more malicious worms on the way. 

"That is it in a nutshell; be scared, be very scared," said Gordes. "You can trim the trees all you want, but this is a big concern."