SCADA on Thin Ice

The Ultra and the Enigma tracks the evolution of Information Technology beginning with World War II, when the United States and its Allies fought the greatest evil the world had known. In Duck and Cover I cover the Cold War period, during which the threat of atomic warfare was very real. It is impossible to calculate how likely an actual exchange of nuclear weapons was at that time, but the possibility was very, very real. Such a war might have destroyed much of life on earth. It certainly would have set civilization back hundreds, if not thousands, of years and might have led to the end of the human race. We live in a better time, I think - but risk is still here, and it lurks within the workings of Information Technology itself.
 
The term "Cyberterrorism" is beginning to show up in the media. After years of concerns being voiced by experts in the IT field, government is finally expressing interest. In the opinion of many of us, it is long overdue. Cyberterrorism is a genuine threat to our civilization. The likelihood of one or more catastrophes initiated by a cyber attack is real and probable. There's a how and a why. Let's start with 'how'. I'm going to describe this in layman's terms and as an extension of what I discussed in the previous article - 'back doors' and 'data abstraction'.
 
In Punch Cards and Power Looms I made reference to stacks of punch cards being fed into computers. I opined that the more cards there were, the greater the data abstraction and the greater the likelihood of extra or unwanted cards being added to the stack. Such an addition is called a back door. As programming languages replaced punch cards, the duties of the programmer as a code writer came to consist of working with a piece of software called an editor (a sort of word processor) and included:
 
Writing Code
 
Submitting the code to some sort of interpretive software that translated it into bytes, which were then sent to the CPU
 
Testing and reviewing the results
 
Making necessary changes to the code
 
Repeating the cycle
 
This is called the "development cycle".  The result would be a computer program.  [Note to other coders : we know it is more complicated than that, but let's keep it simple for the rest of the folks.]
 
As time went on, more and more repositories of reusable code became available for the programmer to integrate into programs. A new paradigm was also introduced: the Visual Development Environment. This approach enabled the programmer to introduce, reproduce or acquire blocks of code without writing them, by dragging and dropping graphical 'objects'. This accelerates the development cycle, but it also accelerates the consumption of computer resources, introduces greater and greater data abstraction and creates more opportunities for back doors.
 
Parallel to this was the growth of the Internet and websites. Websites were originally composed of documents that were read and interpreted by a browser and displayed on the computer monitor. As time has gone by, more and more websites have become computer programs. This website is itself such a program, built in part with a Visual Development Environment and in part by writing code. Huge amounts of data are acquired by websites through forms. Forms accept data input by the user. That data is passed on to any number of repositories of data, called databases, and put to all kinds of uses, some of which we might not be in favor of if we knew their nature. Great conveniences have been achieved whereby purchases can be made online. Communications with our friends and family are enhanced through email, Facebook, Google and many other social websites. We take all of this for granted, but within these processes lurks the danger of exploits.
 
'SCADA' is the abbreviation of "Supervisory Control and Data Acquisition".  That help any? Maybe not. You have "black boxes" in your car. You are likely to have little computer-like devices in your home like a router or a modem.  Before long, your refrigerator will have the ability to order your groceries.  Our washing machine weighs our dirty laundry before washing it. Visible and invisible, dedicated special-purpose hardware run by dedicated special-purpose software is everywhere in our industrialized technical society.
 
To narrow down to one of the potential targets of cyberterrorism, let's consider what we call the power grid. We can define the term as 'a system of high tension cables by which electrical power is distributed throughout a region'. In the case of the contiguous 48 states of the United States, one could practically take region to mean the whole country, plus much of Canada. Google "power grid". See how many times terms like decrepit, aging, congested, weaknesses and poorly maintained are displayed. Consider that in 2003 a power outage that started in one place in Ohio, caused by overgrown trees, cascaded until one sixth of our nation's population lost power for up to two days. Far longer outages affecting less of the population have occurred just recently. Ten years have passed since the massive outage of 2003. That is ten more years of aging.
 
More and more SCADA devices are used to control the grid; the result has come to be called the 'smart grid'. Such devices are accessed and manipulated through personal computers, most of which are connected to the Internet. I find a great deal of irony in the term "smart grid". Recall two terms I used in the previous articles in this series, "hops" and "routing". They are fundamental to describing how devices on the Internet select among alternative connections. The "smart grid" is not nearly so smart as all that; in fact, these massive power outages grew out of the grid's inability to apply those same principles. And now these SCADA devices are exposed to attacks from skilled hackers who have learned to exploit the weaknesses created by the data abstraction that allows back doors. In addition, the use of forms for gathering data from the Internet can allow an exploit called code injection: a way of sending instructions through a form to the underlying Computer Language Interpreter so that it carries out malicious activity in the server's operating system.
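The injection path just described, shown as an added example (not code from the original article): a form field that a web application hands to an operating-system command. The first function is the risky pattern, the string it builds is returned rather than executed; the hardened version applies an allow-list and passes the value as a single argument with no shell in between. The hostname check, the command and the sample inputs are all assumptions for illustration.

```python
import re
import subprocess
from typing import List

# Constructed sample form submissions (invented for this example):
# a legitimate hostname and one carrying a shell metacharacter.
GOOD_INPUT = "example.com"
BAD_INPUT = "example.com; echo injected"

# Allow-list: hostname characters only, and no leading '-' so the value can
# never be read by the command as an option either.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def vulnerable_command(host: str) -> str:
    """The risky pattern: the form field is pasted straight into a command
    line that a shell will parse. A ';' in the input ends the intended
    command and whatever follows becomes a second command. The string is
    returned here, not run, so the reader can see what the shell would get."""
    return "ping -c 1 " + host


def is_valid_hostname(host: str) -> bool:
    """Reject anything that is not plainly a hostname."""
    return HOSTNAME_RE.fullmatch(host) is not None


def hardened_command(host: str) -> List[str]:
    """Hardened pattern: validate first, then build an argument list. Each
    element reaches the program as one argv entry; no shell interprets it."""
    if not is_valid_hostname(host):
        raise ValueError("rejected form input: not a hostname")
    return ["ping", "-c", "1", host]


def hardened_accepts(host: str) -> bool:
    """True if the hardened path would run the command for this input."""
    try:
        hardened_command(host)
        return True
    except ValueError:
        return False


def run_hardened(host: str) -> int:
    """Execute with shell=False; the host is a single argument and cannot
    become a second command. Returns the process exit status."""
    return subprocess.run(hardened_command(host), check=False).returncode


if __name__ == "__main__":
    print("shell would parse:", vulnerable_command(BAD_INPUT))
    print("argv instead     :", hardened_command(GOOD_INPUT))
    print("bad input allowed:", hardened_accepts(BAD_INPUT))
```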
 
The majority of those developing computer programs and websites today do not think about defending civilization against evil as Alan Turing and Claude Shannon and John von Neumann and many others did during World War II.
 
Many of my colleagues and I agree that there is both a general lack of concern with security at websites and a lack of knowledge of how to 'harden' a website. Many web developers think that it is enough to have a password protecting a login page. Many would not think to 'hide' the login page itself or to change the default login name (usually 'admin'). Default login page locations can easily be determined by automated programs called "robots", which report back to the hackers; that page can then be subjected to password-breaking methods. Changing the name of the login page is simple and basic and adds another layer of security. The indifference to doing so is just one example of widespread lax security practice.
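A defender's view of the "robots" just mentioned, as an added example rather than anything from the original article: once the real login page has been renamed, a scanner walking the usual default locations leaves a run of requests to pages that no longer exist, and that pattern is easy to pick out of the web server log. The log lines, addresses and the list of default paths are constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample web-server log lines (Apache combined format); the
# addresses, times and paths are invented for this example.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jan/2013:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "bot/1.0"
203.0.113.9 - - [01/Jan/2013:10:00:02 +0000] "GET /administrator/ HTTP/1.1" 404 162 "-" "bot/1.0"
203.0.113.9 - - [01/Jan/2013:10:00:03 +0000] "GET /admin/login.php?x=1 HTTP/1.1" 404 162 "-" "bot/1.0"
203.0.113.9 - - [01/Jan/2013:10:00:04 +0000] "GET /user/login HTTP/1.1" 404 162 "-" "bot/1.0"
198.51.100.4 - - [01/Jan/2013:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2013:10:05:09 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Well-known default login locations that scanners try first (assumed list).
DEFAULT_LOGIN_PATHS = {"/wp-login.php", "/administrator/", "/admin/login.php",
                       "/user/login", "/admin/"}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Pull client IP, method, path (query string dropped) and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path.split("?", 1)[0], int(status)


def find_login_probers(log_text: str, min_paths: int = 3) -> Dict[str, List[str]]:
    """Return {ip: default login paths it requested} for every client that
    touched at least `min_paths` distinct default locations. A single stray
    hit (the second client above) stays below the threshold; a scanner
    walking the list does not."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, path, _status = rec
        if path in DEFAULT_LOGIN_PATHS:
            seen[ip].add(path)
    return {ip: sorted(p) for ip, p in seen.items() if len(p) >= min_paths}


if __name__ == "__main__":
    for ip, paths in find_login_probers(SAMPLE_LOG).items():
        print(ip, "probed default login pages:", ", ".join(paths))
```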
 
WW II and the Cold War were dangerous times. We still live in dangerous times. We should be just as concerned about malicious cyber attacks that infiltrate personal computers, using the Internet as a point of contact, and then burrow into the power grid, bringing down a nation's entire power system. This is as likely today as a nuclear exchange was during Cold War times. Every IT worker should have this in mind at all times. Sadly, that is not the case.
 
To make a long story short: a massive power outage could be caused by hackers exploiting vulnerabilities in the Internet and attacking SCADA devices with something like the Stuxnet virus, which was used to disable an Iranian nuclear facility a few years ago. Such an outage could lead to thousands of deaths and immense damage to the economy. An attack against the financial sector could send the entire world into a financial meltdown.
 
And why?
 
Terrorism motivates cyberterrorism. Cyber "hacking" and cyber "espionage" are practiced all the time; just ask a seasoned network system administrator. The sysadmin would add that cyber defenses are constantly being probed. Much "hacking" is trivial, mischievous and probably not meant to destroy the world. Cyberespionage has been in the news lately. It is meant to gain advantage, not to destroy the world, but even these activities can get out of hand, or they can be exploited by terrorists.
 
Keep your powder dry, keep gas in your generator and test run it every month. And contact your representative.