By Ron Benvenisti. With the recent electricity outages and the American Airlines system outage, as well as some of the more serious problems outlined below, it’s time for the public to be aware of … Utility companies talk about securing their IT networks and control systems, but the truth is that they are already severely compromised, according to PricewaterhouseCoopers.
Savvy attackers don’t vandalize a site or make obvious moves on the network; they know to stay under the radar.
In the past couple of weeks we’ve seen the Senate and CIA websites vandalized (just a calling card left at the front door), and a huge breach at Citibank where credit card and account numbers were reaped by the truckload, also right out the front door via their public website.
We don’t hear much about what’s up (or down) with the utility companies that supply our basic utilities like water, gas and electricity. We don’t hear about or ever see their sites vandalized or customer records being breached. That’s not because it’s not possible, it’s because whoever is poking around does not want to call attention to the fact that they have the ability to control these critical infrastructure networks.
Sorry, no calling cards.
Compromised utility companies are pretty much like breached corporate networks, where files are altered, suspicious outbound transmissions zoom past the firewalls, and log entries reveal unauthorized access to oftentimes critical applications. But the dangers are not just limited to civilian and business power availability. Besides the recent Senate and CIA cyber-vandalism, there is a real threat to our national security.
“The Department of Defense relies on commercial electric power for nearly 99 percent of its power needs at military installations,” said Paul Stockton, assistant secretary of defense, Homeland Defense and Americas’ Security Affairs, Department of Defense, at a recent Energy and Commerce Committee hearing.
The so-called “Grid Reliability and Infrastructure Defense Act” or “GRID Act” would give the President the authority to order rapid emergency measures to ensure the reliability of the bulk-power system in the event of a natural disaster or cyber-attack.
To minimize the real chances of a crippling cyber attack, the power industry has been taking steps to bolster its security, but it might be a case of too little/too late.
Most of the energy control systems rely on a system called SCADA (Supervisory Control and Data Acquisition). SCADA is an old technology for the computer systems that monitor and control infrastructure processes like water, gas, electricity and emergency notification systems. When I say old, I mean this system was designed in the 1950’s but evolved slowly over time as communications moved from person to person, to telephony and now to local and wide area networks. Utilities were slow to catch up, given their reliance on telephone-based communications, compared to financial institutions and even government, which is notoriously slow at implementing new technology.
In the late 1980’s I did a controlled experiment with a well-known and critical railway system where it was pretty simple to gain access, via a PC, to the SCADA system that controls the stop and go signals and track switches over what were basically phone lines.
It was possible to tap into the lines with a PC and override the commands and feedback of the system to basically control the system at will. Today, while more difficult to access through internet protocols, it is still quite easy for hackers to gain entry to the control systems.
Gerry Cauley, president and chief executive officer of the North American Electric Reliability Corporation, testified before the House committee. “I am most concerned about coordinated physical and cyber attacks intended to disable elements of the power grid or deny electricity to specific targets, such as government or business centers, military installations, or other infrastructures. These threats differ from conventional risks in that they result from intentional actions by adversaries and are not simply random failures or acts of nature.”
Try to imagine the impact of a successful attack on the power grid that is coordinated with other aggressive actions, such as attacks on traffic control systems for trains, vehicles and even aircraft. Consider that the systems would fall back on generator power for only 3-7 days, and that even on generator power, assuming those generator control systems were not compromised, the generators would still be powering the infected systems used to take control of the infrastructure. Wouldn’t you like to be on the Amtrak Acela or on a 757 at 30,000 feet?
The recent disruption of 14 Iranian nuclear sites in June 2010 by the now famous Stuxnet “malware” is an example of a well-researched and highly targeted attack on the “proprietary” details of the Siemens WinCC/PCS7 SCADA system. That system controls the speed of the centrifuges (which are critical to enriching uranium, the key source of nuclear power); the attack spun them out of control while the monitoring software showed no abnormal activity. The attackers used four “zero-day attacks” (attacks with no warning and therefore no protection by existing anti-virus systems) to install a rootkit (a method of obtaining the highest level of administration), which in turn logs in to the SCADA system’s database and steals design and control files. It then accesses and makes changes to the control system, hiding those changes. To the operators everything looks fine while the system is literally being ripped to shreds.
As a humorous sidebar: In 1998 the NYC Dep’t of Transportation came to me to implement the now commonplace traffic cameras which let commuters see the actual traffic conditions around the city. I called the project “Cyber Jam Cam”. During initial testing of the system, we stuck a streaming media device as a “man in the middle” between the camera feed and the internet broadcast servers. Instead of the traffic view we were able to broadcast Bugs Bunny cartoons and Three Stooges clips. Needless to say, we had to filter the entire system by assigning hard-coded addresses to every device on the system to prevent any injections. Perhaps I should have inserted NASCAR clips.
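The filtering described in the sidebar above can be sketched as a static device inventory that every frame on the feed network is checked against. This is an added example, not code from the original project; it assumes "hard-coded addresses" means a fixed IP/MAC pair per device, and all addresses, roles and sample frames are constructed.

```python
# Added illustration: static device allowlist for a camera-to-broadcast feed.
# All addresses, roles and frames below are constructed sample data.

# Hard-coded inventory: every device on the segment, with fixed IP, MAC and role.
ALLOWED_DEVICES = {
    "10.20.0.11": {"mac": "02:00:00:aa:00:11", "role": "camera"},
    "10.20.0.12": {"mac": "02:00:00:aa:00:12", "role": "camera"},
    "10.20.0.50": {"mac": "02:00:00:aa:00:50", "role": "broadcast"},
}

# Which role may send to which role; anything else is rejected.
ALLOWED_FLOWS = {("camera", "broadcast")}


def check_frame(src_ip, src_mac, dst_ip):
    """Return (accepted, reason) for one observed frame."""
    src = ALLOWED_DEVICES.get(src_ip)
    if src is None:
        return False, "unknown source address"
    if src["mac"] != src_mac.lower():
        return False, "source IP claimed by a different MAC"
    dst = ALLOWED_DEVICES.get(dst_ip)
    if dst is None:
        return False, "unknown destination address"
    if (src["role"], dst["role"]) not in ALLOWED_FLOWS:
        return False, "flow not permitted for these roles"
    return True, "ok"


def audit(frames):
    """Check a batch of frames; return the rejected ones with the reason."""
    rejected = []
    for frame in frames:
        accepted, reason = check_frame(*frame)
        if not accepted:
            rejected.append((frame, reason))
    return rejected


# Constructed observations: (source IP, source MAC, destination IP).
SAMPLE_FRAMES = [
    ("10.20.0.11", "02:00:00:AA:00:11", "10.20.0.50"),  # registered camera
    ("10.20.0.99", "02:00:00:bb:00:99", "10.20.0.50"),  # device not in inventory
    ("10.20.0.12", "02:00:00:bb:00:99", "10.20.0.50"),  # camera IP, wrong MAC
    ("10.20.0.50", "02:00:00:aa:00:50", "10.20.0.11"),  # server sending to a camera
]

if __name__ == "__main__":
    for frame, reason in audit(SAMPLE_FRAMES):
        print(frame, "->", reason)
```

An address allowlist filters out unregistered devices but does not authenticate the stream itself, so it is normally paired with switch port security or an authenticated transport.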
With the new government regulations requiring every cell phone to have the capability of receiving text messages from the President of the United States and the Dep’t of Homeland Security I predict that we will soon see messages from Mickey Mouse or Uncle Moishy instead of Uncle Sam. Have a restful sleep, if you can.
Maybe this morning’s power outage was a test by the bad guys.
It was United, not AA.
Does this include Veridian? Just kidding… Ron, tell us more. I find your stuff fascinating.
Correct – It was United Airlines. More to come, thanks for the kind words.
Managing and protecting our national infrastructure looks like a shovel-ready project to me. We are vulnerable to attack and we know it. Now is the time to put safeguards in place and trap those that would bring harm to our nation.