Target power grid hackers, urges expert

RICHMOND HILL, ONTARIO - Hackers are penetrating the national power grid, say industry insiders who want the federal government to act.

"We certainly know from our customers that their systems have been infiltrated. It's been going on for some time," said Doug Westlund, president of N-Dimension Solutions, a Richmond Hill, Ont. cyber security company that works with North American utilities.

"I can't tell you who they are, but they're close to home for sure."

Westlund, whose company is part of a research project sponsored by the United States Department of Energy to protect the emerging digital "smart grid" against cyber attacks, likened the incidents to a covert penetration and reconnaissance of the U.S. system in 2009.

Those cyberspies also reportedly embedded software in utilities' computers that could have disrupted future service. Officials speculate either Russia or China was responsible.

Westlund said the Canadian intrusions appear to have been to navigate the systems and their controls, not to embed malicious codes.

Francis Bradley, of the Canadian Electric Association, said, "we will, at times, see potential attacks," against parts of the grid.

"Intrusion detection systems at the companies will pick up people trying to effectively ping some of the servers. But we have not seen a loss of power to customers as a result of a cyber attack."

Security jitters about the interconnected North American power system are deepening as the industry evolves from the largely isolated systems of the electro-mechanical world to a grid built around interoperable, wireless digital technologies. The goal is to optimize generation, transmission and distribution.

The most worrisome change involves tens of millions wireless "smart meters" being installed in homes and businesses for faster, more efficient two-way communications with local utilities, which in turn link to transmission operators and power generators.

"There will be more and greater potential for cyber attack because there will potentially more vectors of attack," said Bradley. "This is real. I see the kinds of resources that companies are putting into this and they would not be devoting the sorts of resources that they are to IT security on an ongoing basis if this was not real. Their response is commensurate with the threat and the response is significant."

But he dismisses shrill claims that the smart grid is shaping up to be dangerously insecure.

"The world was supposed to end with Y2K. There are always people out there who will have that perspective... because it's an unknown."

Yet the digitalization of critical infrastructure is happening in tandem with the weaponization of the web — and governments are responding.

The U.S. has declared its digital infrastructure a strategic asset and made cyber security a national security priority. Britain has made cyber security a top issue in its national security strategy.

Canada last fall unveiled a national cyber security strategy which resembles more of a policy framework than an action plan, with what many consider a paltry $90-million in five-year funding.

But Bradley, who has criticized federal inaction in the past, said the government now seems committed.

"For the first time in many years, at least on the IT-security front, I'm seeing very positive steps being taken by the federal government that I hadn't seen." He declined to elaborate.

News emerged recently that security chiefs in Britain have enlisted Prime Minister David Cameron to press companies responsible for critical national infrastructure, including National Grid, to allow the government's electronic spy agency to keep watch for hackers on their systems.

Bradley, the association's vice-president of policy development, says Canada should do something similar, short of allowing government intelligence agents to patrol the online corporate domains that own and operate an estimated 85 per cent of the nation's critical infrastructure.

"I'm not going to suggest which group or agency should be doing it, but I think somebody has to gather and aggregate that information and draw conclusions about it. There would certainly be benefit to having somebody having access to intrusion-detection logs," he said.

"Is it just happening with relation to electricity or is it happening to banking, is it happening to telecommunications, is it happening to government services? Is it the same tools that are being used, is it the same IP addresses? Is somebody gathering this information and analyzing where these attacks are coming from?

"It's absolutely critical that somebody do this and that should be somebody within the federal government" who goes beyond the limited reach of the existing Canadian Cyber Incident Response Centre, he said.

Westlund, too, says the federal government must step up.

"You can't manage what you can't measure and right now we're not measuring any of this stuff, we're not monitoring it."

Unlike water or gas, electricity cannot be stored it must be generated and then immediately used. It is the world's most extreme just-in-time commodity.

That means generation and transmission operations must be monitored and controlled constantly, increasingly by hooking up millions of wireless devices across the continent to the Internet, potentially exposing the system to power hackers and other cyber attacks.

Meanwhile, many of the main industrial control systems that regulate breakers, relays, feeders and the flow of electricity have lifespans of up to 25 years and have yet to be replaced. Mitigation and compensation measures to help them mesh with the newer technologies are creating additional weak links and vulnerabilities.

But it is the arrival of smart meters that potentially opens a vast new front of "attack vectors" that could allow sophisticated intruders access into the system — for anything from denial-of-service assaults and identity theft, to stealth attacks on power plants.

Most but the earliest, low-cost smart meter models now have at least basic security features, though utility-sponsored tests in the U.S. have still hacked successfully into some.

Hackers also like limelight. The first one to turn out the lights in Ottawa or Toronto would achieve lasting infamy.

"There's a general consensus amongst my colleagues and most of us in the security business that the smart meter technology has gotten way out in front of the security technology," said Mark Weatherford, chief security officer for the Washington-based North American Electric Reliability Corporation. NERC enforces reliability standards for North America's gigantic and interconnected bulk power system of power generators, transmission lines and control systems.

Though smart meters belong to the distribution side of the grid, Weatherford worries they could be manipulated to unbalance the generating and transmission sides.

For example, a hacker exploiting some common vulnerability in the meters servicing a city could potentially turn off 100,000 or more meters, or "flip" the power on and off, causing the electrical load to "ripple" back through the system, tripping breakers, throwing power plants off-line and possibly frying equipment.

A chill went through the critical infrastructure industry last summer when a malicious computer worm called Stuxnet attacked Iran's uranium enrichment plants.

Stuxnet was the first piece of malware built not only to spy on industrial control systems, but to reprogram them, and reportedly destroyed about 1,000 Iranian centrifuges. Some experts speculate the U.S. or Israel was responsible for the attack.

"Stuxnet without a doubt showed all the vulnerabilities and more that we have in our grid and critical infrastructure system," said Westlund. Stuxnet code is now widely available and, "pieces of it can be repurposed quite easily to attack something closer to home. That's where we see this all heading. From a threat-risk profile it's huge, absolutely huge."

In a speech in Tehran, Iranian Brig-Gen. Massoud Jazayeri raised the possibility of retaliatory cyber strikes against the U.S. — and by extension Canadian — power grid.


in Year