News

U.S. Video Shows Simulated Hacker Attack

A government video shows the potential destruction caused by hackers seizing control of a crucial part of the U.S. electrical grid: an industrial turbine spinning wildly out of control until it becomes a smoking hulk and power shuts down.

The video, produced for the Homeland Security Department and obtained by The Associated Press on Wednesday, was marked "Official Use Only." It shows commands quietly triggered by simulated hackers having such a violent reaction that the enormous turbine shudders as pieces fly apart and it belches black-and-white smoke.

The video was produced for top U.S. policy makers by the Idaho National Laboratory, which has studied the little-understood risks to the specialized electronic equipment that operates power, water and chemical plants. Vice President Dick Cheney is among those who have watched the video, said one U.S. official, speaking on condition of anonymity because this official was not authorized to publicly discuss such high-level briefings.

"They've taken a theoretical attack and they've shown in a very demonstrable way the impact you can have using cyber means and cyber techniques against this type of infrastructure," said Amit Yoran, former U.S. cybersecurity chief for the Bush administration. Yoran is chief executive for NetWitness Corp., which sells sophisticated network monitoring software.

"It's so graphic," Yoran said. "Talking about bits and bytes doesn't have the same impact as seeing something catch fire."

The electrical attack never actually happened. The recorded demonstration, called the "Aurora Generator Test," was conducted in March by government researchers investigating a dangerous vulnerability in computers at U.S. utility companies known as supervisory control and data acquisition systems. The programming flaw was quietly fixed, and equipment-makers urged utilities to take protective measures.

There was no evidence any U.S. utility company suffered damage from hackers or terrorists using this technique, U.S. officials said. But these officials cautioned that affected systems are not routinely monitored as closely as many modern corporate computer networks, so there would be little forensic evidence to study after such a break-in.

Industry experts cautioned that intruders would need specialized knowledge to carry out such attacks, including the ability to turn off warning systems.

"The video is not a realistic representation of how the power system would operate," said Stan Johnson, a manager at the North American Electric Reliability Corp., the Princeton, N.J.-based organization charged with overseeing the power grid.

A top Homeland Security Department official, Robert Jamison, said companies are working to limit such attacks.

"Is this something we should be concerned about? Yes," said Jamison, who oversees the department's cybersecurity division. "But we've taken a lot of risk off the table."

President Bush's top telecommunications advisers concluded years ago that an organization such as a foreign intelligence service or a well-funded terror group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation." Ominously, the Idaho National Laboratory -- which produced the new video -- has described the risk as "the invisible threat."

Experts said the affected systems were not developed with security in mind.

"What keeps your lights on are some very, very old technology," said Joe Weiss, a security expert who has testified before Congress about such threats. "If you can get access to these systems, you can conceptually cause them to do whatever it is you want them to do."

The Homeland Security Department has been working with industries, especially electrical and nuclear companies, to enhance security measures. The electric industry is still working on their internal assessments and plans, but the nuclear sector has implemented its security measures at all its plants, the government said.

In July the Federal Energy Regulatory Commission proposed a set of standards to help protect the country's bulk electric power supply system from cyber attacks. These standards would require certain users, owners and operators of power grids to establish plans and controls.

Featured

  • Microsoft Adding Google G Suite Migration in Exchange Admin Center

    Microsoft's Exchange Admin Center will be getting the ability to move Google G Suite calendar, contacts and e-mail data over to the Office 365 service "in the coming weeks."

  • Qualcomm Back in Datacenter Fray with AI Chip

    The chip maker joins a crowded field of vendors that are designing silicon for processing AI inference workloads in the datacenter.

  • Microsoft To Ship Surface Hub 2S Conference Device in June

    Microsoft on Wednesday announced a June U.S. ship date for one of its Surface Hub 2S conferencing room products, plus a couple of other product milestones.

  • Kaspersky Lab Nabs Another Windows Zero-Day

    Kaspersky Lab this week described more about a zero-day Windows vulnerability (CVE-2019-0859) that its researchers recently discovered, and how PowerShell was used by the exploit.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.