In light of President Obama’s recent Executive
Order on cybersecurity for critical infrastructure, security has become
even more critical and most utility folks realize that utiltiies need to get very serious about it.  The Cooperative Reserach Network has developed a guide on cybersecurity for utilities.  And a new security standard for MultiSpeak was released in
January 2013 that goes beyond secure sockets (SSL) and transport layer
security (TLS) and implements message-level security. 

If you haven’t paid much attention to cybersecurity for utilities, a recent article about a gaping hole that would allow intruders to crash substations provides serious motivation to take cybersecurity more seriously.

A few months ago, two engineers, Adam Crain of Automatak and independent researcher Chris Sistrunk, discovered a potentially catastrophic vulnerability in the electric grid.  They found  that a flaw in multiple vendors’ software that is used to monitor substations makes it easy for an internet intruder to disable substation monitoring and potentially cause a widespread power outage.

The engineers developed a program specifically to check for vulnerabilities in implementations of a widely-used communications protocol DNP3 that plays a crucial role in SCADA systems, where it is primarily used for communications between SCADA control centers, Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs).  DNP3 allows remote substations to be monitored from a control center.

The first DNP3 program they targeted belonged to Triangle MicroWorks, which provides a DNP3-based data gateway for SCADA sytems.  They found that Triangle was vulnerable to break in.  They checked other vendors and found that they could successfully break  into16 different SCADA vendors.   They sent a detailed report to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).   The research showed that some implementations were third-party components in other software packages. This vulnerability can be exploited remotely (over an IP-based implementation) as well as from the local system (through a serial-based implementation).

The engineers then checked other vendors and discovered that they could break into nine other vendors’ systems. The vendors impacted are by what ICS-CERT calls the “DNP3 IMPROPER INPUT VALIDATION VULNERABILITY” are Alstom, IOServer, Kepware Technologies, MatrikonOPC,  Schweitzer Engineering Laboratories, Software Toolbox, SUBNET Solutions Inc., and Triangle MicroWorks.

Inruders can

put either the master
station or an outstation/slave into an infinite loop or Denial of Service condition by
sending a specially crafted TCP packet from the master station or from an outstation on an
IP-based network. If the device is connected via a serial connection,
the same attack can be accomplished with physical access to the master
station or outstation. The device must be shut down and restarted manually to reset the loop
state. The IP-based vulnerability could be exploited remotely, but the serial-based vulnerability is not exploitable remotely. Local access to the serial-based outstation is required.

The result is that this type of attack prevents operators from seeing what is going on in substations. 

It seems that this type of attack is difficult to prevent.  Traditional firewalls are not designed to stop this type of intrusion because they have to let DNP3 traffic through. ICS-CERT recommends a virtual private network (VPN).  Also apparenlty current cybersecurity regulations don’t cover serial communications, even though serial communications are commonly used in substations especially with older equipment.