ABSTRACT
With the increased potential of a bona fide cyber terrorist attack and the possibility of a future "war in the wires," we must continue to sterilize the networks connected to critical infrastructures. This paper provides a risk assessment of an existing operational computer network used to control a boiler system generating power and heat for an installation. The methodology used in evaluating the security of the system is described along with specific recommendations for minimizing the risk associated with connecting the network to the Internet for the purposes of remote data collection and administration. Our assessment and proposed recommendations may be applied to any critical infrastructure with a requirement for remote administration and/or data collection.
INTRODUCTION
As an aftermath of the terrorist events that occurred on September 11, 2001, the President of the United States created the Office of Homeland Security to analyze, plan, and coordinate the interior defense of the country. One of the critical components of this new organization was the creation of the President's Critical Infrastructure Protection Board (CIPB), tasked "to ensure protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems" (US 2003a). Within a year, the organization, in conjunction with computer security experts from academia, industry, and government, produced a draft of a national strategy to secure cyberspace that outlines some of the critical steps required for the United States to secure its information systems from deliberate cyber attacks. The key sectors addressed in this document were critical infrastructures such as banking and finance, transportation, and electrical power. This document was recently finalized and endorsed by the President of the United States (US 2003b).
The forensics analysis of al Qaeda computers seized from the caves of Afghanistan in the spring of 2002 suggests an extremely high level of interest from this terrorist group in how to remotely control, through the Internet, electrical substations, pipelines, dams, and communication grids (Gellman 2002). The devices used to control such systems remotely are called supervisory control and data acquisition (SCADA) systems. They use their own application protocol but employ the standard transmission control protocol/Internet protocol (TCP/IP) used by computers to communicate across the Internet and local intranets. The computer devices used to control critical systems and the protocols they use to communicate are often not well understood except by the vendors who develop them. Because they are not as common as the familiar Internet application protocols, they are not subject to the constant scrutiny of the Information Assurance (IA) community. However, the threat against such systems is real. One utility reported 100,000 scans a month in 2001 (Dagle et al. 2002).
The problem with such a situation is that it is a fatal mistake to assume information systems are secure simply because the nodes on the network and the protocols used to communicate are obscure. Obscurity only slows the development of attacks on the system. Given enough time and money to replicate the devices used in the system, a motivated cyber agent or cyber warrior will develop tools to attack the system. The proliferation of such tools to the computer underground is then trivial (Welch 2002).
In this paper we describe a risk assessment of a power plant's information system. The power plant is real and operational, with a network of control devices and computers controlling the plant's central boilers. The plant is capable of producing over 5 MW of electricity as well as central heating. Ultimately, the goal of the project is to reduce the cost of operating the plant by remotely administering the system and enabling a software application to dynamically control the mechanical equipment. The software makes decisions based on several attributes, such as electrical and fuel tariffs, ambient air temperature, and the number of personnel on site. The purpose of the assessment is to identify specific threats and vulnerabilities of the system and then take the necessary steps to minimize the risk associated with connecting the network to the Internet. In order to fully evaluate the network, we conducted a penetration test using open-source software tools that both cyber attackers (i.e., computer hackers) and computer security professionals use to evaluate network security. We emphasize open-source tools because these tools are freely available for download on the World Wide Web and, thus, could be obtained by anyone. An organization with more resources could purchase more advanced tools or modify the open-source software tools to fit its needs.