How the Grinch would hack the power grid

There was a new warning that a crippling cyber attack could take down critical infrastructure and the power grid. “We have had our 9/11 warning. Are we going to wait for the cyber equivalent of the collapse of the World Trade Centers?" asked John Michael McConnell, former Director of the National Security Agency for President Clinton, and Director of National Intelligence for George W. Bush and President Obama. He added, “All of a sudden, the power doesn't work, there's no way you can get money, you can't get out of town, you can't get online, and banking, as a function to make the world work, starts to not be reliable. Now, that is a cyber-Pearl Harbor, and it is achievable."

When it comes to vulnerable critical infrastructure, the power grid jumps to mind because it has hundreds of millions of nodes, and each node is a potential point of attack. Hurricane Sandy gave “more than 7.9 million utility customers” a taste of the dreadful what-if-we-had-no-power scenario. The report titled “Terrorism and the Electric Power Delivery System [PDF]” stated, “Unlike hurricanes, however, terrorists may strike with no warning and selectively destroy the most important facilities, such as major substations. Some of the lost equipment may take months or even years to replace.”

How the Grinch or terrorists could steal Christmas by hacking the power grid

After reading the depressing National Academies report, which highlighted how much power grid security sucks, it seemed semi-appropriate to cast the Grinch as “terrorists” and America as Whoville . . . because every Who down in Whoville, from the tall to the small, liked electricity a lot. The Grinch, however, did not. “It could be his head wasn't screwed on just right;” but he hated all the noise from their tech toys and thought, "I must stop this whole thing! But how?” Then the Grinch “got a wonderful, awful idea.” He would take down the power grid “to stop Christmas from coming.”

Dr. Seuss might turn over in his grave if he knew the Grinch had been cast as a terrorist to spice up the same old song and “cautionary tale” dance about power grid insecurity. It may be that I’ve spent too much time working on the Christmas tree Angel program for kids lately, but here you go:

For physical access to sabotage the grid, the Grinch might send his dog Max to disable “very large, difficult to move, often custom-built, and difficult to replace” transformers. High-voltage transformers “are vulnerable both from within and from outside the substations where they are located,” according to The National Academies. “Most are no longer made in the United States, and the delivery time for new ones could run from months to years.”

Since the report concluded that “even a few pernicious people in the wrong place are a potential source of vulnerability” and the utility workforce is aging, the Grinch might be able to gain employment access to launch an insider attack. Or the Grinch might simply pose as a utility employee to present a “personnel vulnerability.” He could do this by social engineering because “you know, that old Grinch was so smart and so slick, he thought up a lie, and he thought it up quick!”

Such physical attacks might be stopped by “strengthening background checks,” adding “system tools that can identify physical and control system problems and potential incidents,” by hardening “enclosures for key transformers” and by “improved electronic surveillance.”

The report was written in 2007, and there have been massive surveillance “improvements” since then. The five-year delay in publishing it highlights the government’s serious over-classification problem: in 2008, Homeland Security “concluded that the report would be classified in its entirety.” Only in 2012 was the report approved for public release, “except that several pages of information deemed classified are available only to readers with the necessary security clearance.”

How the Grinch would hack the grid

For a cyber attack, the Grinch might begin on SHODAN, looking up SCADA systems that control critical infrastructure, or he might use Metasploit, so that hacking the grid could be as Firesheep-easy as pushing a button. Or maybe he would use a $60 piece of malware that is capable of bypassing “an entire defense-in-depth implementation."

The report stated:

All SCADA systems are potentially vulnerable to cyber attacks, whether through Internet connections or by direct penetration at remote sites. Any telecommunication link that is even partially outside the control of the system operators is a potentially insecure pathway into operations and a threat to the grid. Wireless communications within substations is a particular concern. If they could gain access, hackers could manipulate SCADA systems to disrupt the flow of electricity, transmit erroneous signals to operators, block the flow of vital information, or disable protective systems.

The report is a watered-down version of previous Homeland Security warnings: DHS said industrial control systems that are connected directly to the Internet could be easily located, and hacktivists could point, click and destroy. DHS added that ICS could be "accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations." If such an attack were launched by a nation state, the Pentagon would undoubtedly classify it as an act of war.
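The flip side of “easily located” is that a utility can locate its own exposure first, from the inside, before a SHODAN user does it from the outside. The script below is an added example (not code from the article, from DHS, or from the National Academies report): it reads perimeter-firewall log lines, keeps only inbound traffic from addresses outside the internal address space, and separates ICS ports that were actually reachable (allowed) from ones that were merely scanned (denied). The key=value log format, the sample lines, the addresses and the choice of default ICS ports are all assumptions made for the example; the sample uses RFC 5737 documentation ranges as stand-ins for public sources.

```python
"""Added example: flag ICS/SCADA services reachable from outside the plant network
by reading firewall log lines.  Constructed data and a made-up log format; nothing
here comes from the article, DHS, or the National Academies report."""
import ipaddress
from collections import defaultdict

# Conventional default ports for common ICS protocols (assumption: devices use defaults).
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Address space treated as "inside": RFC 1918 plus loopback and link-local.
# Anything else counts as external.  We deliberately do not use ip.is_private,
# because Python classifies the RFC 5737 documentation ranges used in the sample
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private too.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log in a simple "timestamp key=value ..." format (not a vendor format).
SAMPLE_LOG = """\
2012-12-20T01:12:03Z action=allow dir=in src=198.51.100.23 spt=51022 dst=10.20.5.7 dpt=502 proto=tcp
2012-12-20T01:12:09Z action=allow dir=in src=10.20.1.15 spt=40212 dst=10.20.5.7 dpt=502 proto=tcp
2012-12-20T01:13:44Z action=deny dir=in src=203.0.113.9 spt=60000 dst=10.20.5.8 dpt=20000 proto=tcp
2012-12-20T01:15:01Z action=allow dir=in src=192.0.2.77 spt=33333 dst=10.20.5.9 dpt=44818 proto=tcp
2012-12-20T01:15:05Z action=allow dir=in src=192.0.2.77 spt=33334 dst=10.20.5.9 dpt=443 proto=tcp
2012-12-20T01:16:00Z action=allow dir=out src=10.20.5.7 spt=502 dst=198.51.100.23 dpt=51022 proto=tcp
"""


def parse_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict; None on malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def is_internal(ip_str):
    """True if the address falls inside INTERNAL_NETS; unparsable input counts as external."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_ics_exposure(log_text):
    """Return (exposed, probed), each keyed (dst, dpt) -> set of external source IPs.

    exposed: allowed inbound connections to an ICS port (the device is reachable).
    probed:  denied inbound connections to an ICS port (someone is looking).
    """
    exposed, probed = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("dir") != "in":
            continue
        try:
            dpt = int(fields["dpt"])
        except (KeyError, ValueError):
            continue
        src = fields.get("src")
        if dpt not in ICS_PORTS or not src or is_internal(src):
            continue
        bucket = exposed if fields.get("action") == "allow" else probed
        bucket[(fields.get("dst"), dpt)].add(src)
    return dict(exposed), dict(probed)


def report(log_text):
    """Human-readable findings, one line per exposed or probed (dst, port) pair."""
    exposed, probed = find_ics_exposure(log_text)
    lines = []
    for (dst, dpt), srcs in sorted(exposed.items()):
        lines.append(f"EXPOSED {dst}:{dpt} ({ICS_PORTS[dpt]}) reachable from {', '.join(sorted(srcs))}")
    for (dst, dpt), srcs in sorted(probed.items()):
        lines.append(f"PROBED  {dst}:{dpt} ({ICS_PORTS[dpt]}) scanned by {', '.join(sorted(srcs))}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

On the sample, two devices come back as reachable from outside (Modbus/TCP on 10.20.5.7 and EtherNet/IP on 10.20.5.9) and one DNP3 port was scanned but blocked; the internal Modbus client, the HTTPS connection and the outbound flow are all ignored. An EXPOSED line is the condition DHS is describing: a control protocol with no authentication of its own, answering to the whole Internet. Feeding the same logic a feed of real firewall logs, with the internal ranges adjusted to the site, turns the SHODAN problem into a routine check rather than a surprise.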

The National Academies reported that if terrorists took down the power grid, it “could lead to turmoil, widespread public fear, and an image of helplessness that would play directly into the hands of the terrorists.” If outages happened “during times of extreme weather, they could also result in hundreds or even thousands of deaths due to heat stress or extended exposure to extreme cold.”

Unlike the fictional Grinch, whose heart grew to save the day, the threat to our critical infrastructure is very real, and the grid needs saving. The U.S. is not the only country with a vulnerable power grid; Europe is also trying to “confront the smart grid’s cyber challenge.”
