Hacking the Lights Out

The document discusses the vulnerabilities of the U.S. electrical grid to cyberattacks, highlighting the Stuxnet virus as a significant example of how electronic malware can disrupt critical infrastructure. It emphasizes that the grid, being complex and interconnected, is easier to infiltrate than secure facilities like nuclear plants, and a coordinated attack could severely compromise power generation and delivery. The need for enhanced security measures is underscored, as current systems are susceptible to various forms of cyber intrusion.

CYBERSECURITY

Computer viruses have taken out hardened industrial control systems. The electrical power grid may be next

By David M. Nicol

IN BRIEF

Every facet of the modern electrical grid is controlled by computers. It is our greatest example of physical infrastructure interlinked with electronics.

The Stuxnet virus that infected Iran’s nuclear program showed just how vulnerable machines could be to a well-crafted electronic virus.

The grid shares many of the vulnerabilities that Stuxnet exposed; being larger, its vulnerabilities are, if anything, more numerous.

Although a sophisticated attack could bring down a large chunk of the U.S. electrical grid, security is being ramped up.

70 Scientific American, July 2011


© 2011 Scientific American
Last year word broke of a computer virus that had managed to slip into Iran’s highly secure nuclear enrichment facilities. Most viruses multiply without prejudice, but the Stuxnet virus had a specific target in its sights—one that is not connected to the Internet. Stuxnet was planted on a USB stick that was handed to an unsuspecting technician, who plugged it into a computer at a secure facility. Once inside, the virus spread silently for months, searching for a computer that was connected to a prosaic piece of machinery: a programmable logic controller, a special-purpose collection of microelectronics that commonly controls the cogs of industry—valves, gears, motors and switches. When Stuxnet identified its prey, it slipped in, unnoticed, and seized control.

The targeted controllers were attached to the centrifuges at the heart of Iran’s nuclear ambitions. Thousands of these centrifuges are needed to process uranium ore into the highly enriched uranium needed to create a nuclear weapon. Under normal operating conditions, the centrifuges spin so fast that their outer edges travel just below the speed of sound. Stuxnet bumped this speed up to nearly 1,000 miles per hour, past the point where the rotor would likely fly apart, according to a December report by the Institute for Science and International Security. At the same time, Stuxnet sent false signals to control systems indicating that everything was normal. Although the total extent of the damage to Iran’s nuclear program remains unclear, the report notes that Iran had to replace about 1,000 centrifuges at its Natanz enrichment facility in late 2009 or early 2010.

Stuxnet demonstrates the extent to which common industrial machines are vulnerable to the threat of electronic attack. The virus targeted and destroyed supposedly secure equipment while evading detection for months. It provides a dispiriting blueprint for how a rogue state or terrorist group might use similar technology against critical civilian infrastructure anywhere in the world.

Unfortunately, the electrical power grid is easier to break into than any nuclear enrichment facility. We may think of the grid as one gigantic circuit, but in truth the grid is made from thousands of components hundreds of miles apart acting in unerring coordination. The supply of power flowing into the grid must rise and fall in lockstep with demand. Generators must dole their energy out in precise coordination with the 60-cycle-per-second beat that the rest of the grid dances to. And while the failure of any single component will have limited repercussions to this vast circuit, a coordinated cyberattack on multiple points in the grid could damage equipment so extensively that our nation’s ability to generate and deliver power would be severely compromised for weeks—perhaps even months.

David M. Nicol is director of the Information Trust Institute and a professor in the department of electrical and computer engineering at the University of Illinois at Urbana-Champaign. He has worked as a consultant for the U.S. Department of Homeland Security and Department of Energy.
Considering the size and complexity of the grid, a coordinated attack would probably require significant time and effort to mount. Stuxnet was perhaps the most advanced computer virus ever seen, leading to speculation that it was the work of either the Israeli or U.S. intelligence agencies—or both. But Stuxnet’s code is now available on the Internet, raising the chance that a rogue group could customize it for an attack on a new target. A less technologically sophisticated group such as al Qaeda probably does not have the expertise to inflict significant damage to the grid at the moment, but black hat hackers for hire in China or the former Soviet Union might. It is beyond time we secured the country’s power supply.

THE BREAK-IN

A year ago I took part in a test exercise that centered on a fictitious cyberattack on the grid. Participants included representatives from utility companies, U.S. government agencies and the military. (Military bases rely on power from the commercial grid, a fact that has not escaped the Pentagon’s notice.) In the test scenario, malicious agents hacked into a number of transmission substations, knocking out the specialized and expensive devices that ensure voltage stays constant as electricity flows across long high-power transmission lines. By the end of the exercise half a dozen devices had been destroyed, depriving power to an entire Western state for several weeks.

Computers control the grid’s mechanical devices at every level, from massive generators fed by fossil fuels or uranium all the way down to the transmission lines on your street. Most of these computers use common operating systems such as Windows and Linux, which makes them as vulnerable to malware as your desktop PC is. Attack code such as Stuxnet is successful for three main reasons: these operating systems implicitly trust running software to be legitimate; they often have flaws that admit penetration by a rogue program; and industrial settings often do not allow for the use of readily available defenses.

Even knowing all this, the average control system engineer would have once dismissed out of hand the possibility of remotely launched malware getting close to critical controllers, arguing that the system is not directly connected to the Internet. Then Stuxnet showed that control networks with no permanent connection to anything else are still vulnerable. Malware can piggyback on a USB stick that technicians plug into the control system, for example. When it comes to critical electronic circuits, even the smallest back door can let an enterprising burglar in.

Consider the case of a transmission substation, a waypoint on electricity’s journey from power plant to your home. Substations take in high-voltage electricity coming from one or more power plants, reduce the voltage and split the power into multiple output lines for local distribution. A circuit breaker guards each of these lines, standing ready to cut power in case of a fault. When one output line’s breaker trips, all of the power it would have carried flows to the remaining lines. It is not hard to see that if all the lines are carrying power close to their capacity, then a cyberattack that trips out half of the output lines and keeps the remaining ones in the circuit may overload them.

These circuit breakers have historically been controlled by devices connected to telephone modems so that technicians can dial in. It is not difficult to find those numbers; hackers invented programs 30 years ago to dial up all phone numbers within an exchange and make note of the ones to which modems respond. Modems in substations often have a unique message in their dial-up response that reveals their function. Coupled with weak means of authentication (such as well-known passwords or no passwords at all), an attacker can use these modems to break into a substation’s network. From there it may be possible to change device configurations so that a danger condition that would otherwise open a circuit breaker to protect equipment gets ignored.

New systems are not necessarily more secure than modems. Increasingly, new devices deployed in substations may communicate with one another via low-powered radio, which does not stop at the boundaries of the substation. An attacker can reach the network simply by hiding in nearby bushes with his computer. Encrypted Wi-Fi networks are more secure, but a sophisticated attacker can still crack their encryption using readily available software tools. From here he can execute a man-in-the-middle attack that causes all communication between two legitimate devices to pass through his computer or fool other devices into accepting his computer as legitimate. He can craft malicious control messages that hijack the circuit breakers—tripping a carefully chosen few to overload the other lines perhaps or making sure they do not trip in an emergency.

Once an intruder or malware sneaks in through the back door, its first step is usually to spread as widely as possible. Stuxnet again illustrates some of the well-known strategies. It proliferated by using an operating system mechanism called autoexec. Windows computers read and execute the file named AUTOEXEC.BAT every time a new user logs in. Typically the program locates printer drivers, runs a virus scan or performs other basic functions. Yet Windows assumes that any program with the right name is trusted code. Hackers thus find ways to alter the AUTOEXEC.BAT file so that it runs the attackers’ code.

Attackers can also use clever methods that exploit the economics of the power industry. Because of deregulation, competing utilities share responsibility for grid operation. Power is generated, transmitted and distributed under contracts obtained in online auctions. These markets operate at multiple timescales—one market might trade energy for immediate delivery and another for tomorrow’s needs. A utility’s business unit must have a constant flow of real-time information from its operations unit to make smart trades. (And vice versa: operations need to know how much power they need to produce to fulfill the business unit’s orders.) Here the vulnerability lies. An enterprising hacker might break into the business network, ferret out user names and passwords, and use these stolen identities to access the operations network.

Other attacks might spread by exploiting the small programs called scripts that come embedded in files. These scripts are ubiquitous—PDF files routinely contain scripts that aid in file display, for example—but they are also a potential danger. One computer security company recently estimated that more than 60 percent of all targeted attacks use scripts buried in PDF files. Simply reading a corrupted file may admit an attacker onto your computer.

Consider the hypothetical case where a would-be grid attacker first penetrates the Web site of a software vendor and replaces an online manual with a malicious one that appears exactly like the first. The cyberattacker then sends an engineer at the power plant a forged e-mail that tricks the engineer into fetching and opening the booby-trapped manual. Just by going online to download an updated software manual, the unwitting engineer opens his power plant’s gates to the Trojan horse. Once inside, the attack begins.

TIMELINE

Digital Attacks, Physical Harm

As industrial machinery goes online, the potential for wreaking havoc grows. Intrusions over the past decade show that the grid is not the only vulnerability—anything with a microchip can be a target.

April 2000: A disgruntled former employee of a water treatment firm uses stolen radio parts to issue faulty commands to sewage equipment in Queensland, Australia, causing more than 200,000 gallons of raw sewage to spill into local parks and rivers.

January 2003: The Slammer worm bypasses multiple firewalls to infect the operations center at Ohio’s Davis-Besse nuclear power plant. The worm spreads from a contractor’s computer into the business network, where it jumps to the computers controlling plant operations, crashing multiple safety systems. The plant was off-line at the time.

March 2007: Government officials simulate a cyberattack on electricity generation equipment at the Idaho National Laboratory. A video of the test, called Aurora, is later leaked to CNN.

January 2008: A senior CIA official reveals that hackers have frequently infiltrated electric utilities outside the U.S. and made extortion demands. In at least one case, the hackers were able to shut off the power supply to several (unnamed) cities.

April 2009: The Wall Street Journal reports that cyberspies from “China, Russia and other countries” have penetrated the U.S. electrical power grid and left behind software that could be used to disrupt the system.

October 2010: Security officials in Iran, Indonesia and elsewhere report the discovery of the Stuxnet virus, a piece of malware designed specifically to interfere with industrial control systems made by Siemens.

SEARCH AND DESTROY

An intruder on a control network can issue commands with potentially devastating results. In 2007 the Department of Homeland Security staged a cyberattack code-named Aurora at the Idaho National Laboratory. During the exercise, a researcher posing as a malicious hacker burrowed his way into a network connected to a medium-size power generator. Like all generators, it creates alternating current operating at almost exactly 60 cycles per second. In every cycle, the flow of electrons starts out moving in one direction, reverses course, and then returns to its original state. The generator has to be moving electrons in exactly the same direction at exactly the same time as the rest of the grid.

During the Aurora attack, our hacker issued a rapid succession of on/off commands to the circuit breakers of a test generator at the laboratory. This pushed it out of sync with the power grid’s own oscillations. The grid pulled one way, the generator another. In effect, the generator’s mechanical inertia fought the grid’s electrical inertia. The generator lost. Declassified video shows the hulking steel machine shuddering as though a train hit the building. Seconds later steam and smoke fill the room.

Industrial systems can also fail when they are pushed beyond their limits—when centrifuges spin too fast, they disintegrate. Similarly, an attacker could make an electric generator produce a surge of power that exceeds the limit of what the transmission lines can carry. Excess power would then have to escape as heat. Enough excess over a long enough period causes the line to sag and eventually to melt. If the sagging line comes
into contact with anything—a tree, a billboard, a house—it could create a massive short circuit.

Protection relays typically prevent these shorts, but a cyberattack could interfere with the working of the relays, which means damage would be done. Furthermore, a cyberattack could also alter the information going to the control station, keeping operators from knowing that anything is amiss. We have all seen the movies where crooks send a false video feed to a guard.

Control stations are also vulnerable to attack. These are command and control rooms with huge displays, like the war room in Dr. Strangelove. Control station operators use the displays to monitor data gathered from the substations, then issue commands to change substation control settings. Often these stations are responsible for monitoring hundreds of substations spread over a good part of a state.

Data communications between the control station and substations use specialized protocols that themselves may have vulnerabilities. If an intruder succeeds in launching a man-in-the-middle attack, that individual can insert a message into an exchange (or corrupt an existing message) that causes one or both of the computers at either end to fail. An attacker can also try just injecting a properly formatted message that is out of context—a digital non sequitur that crashes the machine.

Attackers could also simply attempt to delay messages traveling between control stations and the substations. Ordinarily the lag time between a substation’s measurement of electricity flow and the control station’s use of the data to adjust flows is small—otherwise it would be like driving a car and seeing only where you were 10 seconds ago. (This kind of lack of situational awareness was a contributor to the Northeast Blackout of 2003.)

Many of these attacks do not require fancy software such as Stuxnet but merely the standard hacker’s tool kit. For instance, hackers frequently take command over networks of thousands or even millions of ordinary PCs (a botnet), which they then instruct to do their bidding. The simplest type of botnet attack is to flood an ordinary Web site with bogus messages, blocking or slowing the ordinary flow of information. These “denial of service” attacks could also be used to slow traffic moving between the control station and substations.

Botnets could also take root in the substation computers themselves. At one point in 2009 the Conficker botnet had insinuated itself into 10 million computers; the individuals, as yet unknown, who control it could have ordered it to erase the hard drives of every computer in the network, on command. A botnet such as Conficker could establish itself within substations and then have its controller direct them simultaneously to do anything at any time.

According to a 2004 study by researchers at Pennsylvania State University and the National Renewable Energy Laboratory in Golden, Colo., an attack that incapacitated a carefully chosen minority of all transmission substations—about 2 percent, or 200 in total—would bring down 60 percent of the grid. Losing 8 percent would trigger a nationwide blackout.

HOW IT WORKS

Holes in the Grid

The modern electrical grid involves an intricate balance between the amount of energy needed by society and the amount generated at power plants. Dozens of components orchestrate the flow of electrons over distances of hundreds of miles, aligning the alternating currents and making sure no single component gets stretched beyond its limits. Any one of these parts might suffer from the attention of malicious actors. Here are some of the most troublesome choke points and the ways they might be compromised.

Generating station: It does not matter if the fuel is coal, uranium or even solar—electricity going into the U.S. power grid must alternate at 60 cycles a second, and it must enter perfectly aligned with the rhythm of the rest of the grid. An attacker might send instructions to a generator that throws its output off by a half-step, the electrical equivalent of throwing your car into reverse while heading down the highway at 50 miles per hour. The generator—like your car’s transmission—will end up a smoking heap.

Transmission substation: Electricity coming out of generating stations comes at very high voltages—the better to avoid losses from electrical resistance en route. Transmission substations are the first step in bringing this voltage down. Many older stations have dial-up modems so that technicians can dial in and perform maintenance. Hackers can use these devices to access and change critical settings.

Control station: The grid’s nerve centers, control stations monitor conditions throughout. They are also where supply meets demand. When demand goes up, prices follow, and a utility might activate more power capacity to provide additional supplies. Although the operations center of a control station is not supposed to be connected to the Internet, its business center must be. A hacker might burrow into the business side and use links between that side and operations to infect critical control systems.

Distribution substation: The last step before electricity goes into homes or businesses, these substations might combine power coming in from a few different power stations and send it out on dozens or hundreds of smaller lines. Newer stations might be equipped with wireless communications equipment—either radio signals or Wi-Fi. An intruder who hides just outside a station’s walls could intercept traffic and mimic legitimate instructions.

Information connections: The control station must have up-to-the-second information about what is going on at every step of the process for technicians to make smart decisions about what to do next. Hackers with access to thousands of ordinary computers—a so-called botnet—could direct these machines to send messages that interrupt the flow of ordinary network traffic. Such a denial-of-service attack would mean that control operators would be making decisions based on old information—something akin to driving a car using the information you had 10 seconds ago.

Illustration by George Retseck

WHAT TO DO

When Microsoft learns of a potential security liability in its Windows software, it typically releases a software patch. Individual users and IT departments the world over download the patch, update their software and protect themselves from the threat. Unfortunately, things are not that simple on the grid.

Whereas the power grid uses the same type of off-the-shelf hardware and software as the rest of the world, IT managers at power stations cannot simply patch the faulty software when bugs crop up. Grid control systems cannot come down for three hours every week for maintenance; they have to run continuously. Grid operators also have a deep-rooted institutional conservatism. Control networks have been in place for a long time, and operators are familiar and comfortable with how they work. They tend to avoid anything that threatens availability or might interfere with ordinary operations.

In the face of a clear and present danger, the North American Electric Reliability Corporation (NERC), an umbrella body of grid operators, has devised a set of standards designed to protect critical infrastructure. Utilities are now required to identify their critical assets and demonstrate to NERC-appointed auditors that they can protect them from unauthorized access.

Yet security audits, like financial audits, cannot possibly be exhaustive. When an audit does go into technical details, it does so only selectively. Compliance is in the eye of the auditor.

The most common protection strategy is to employ an electronic security perimeter, a kind of cybersecurity Maginot line. The first line of defense is a firewall, a device through which all electronic messages pass. Each message has a header indicating where it came from, where it is going, and what protocol is used to interpret the message. Based on this information, the firewall allows some messages through and stops others. An auditor’s job is partly to make sure the firewalls in a utility are configured properly so that they do not let any unwanted traffic in or out. Typically the auditors would identify a few critical assets, get a hold of the firewall configuration files, and attempt to sort through by hand the ways in which a hacker might be able to break through the firewall.

Firewalls, though, are so complex that it is difficult for an auditor to parse all the myriad possibilities. Automated software tools might help. Our team at the University of Illinois at Urbana-Champaign has developed the Network Access Policy Tool, which is just now being used by utilities and assessment teams. The software needs only a utility’s firewall configuration files—it does not even have to connect to the network. Already it has found a number of unknown or long-forgotten pathways that attackers might have exploited.

The DOE has come out with a roadmap that lays out a strategy for enhancing grid security by 2015. (A revision due this year extends this deadline to 2020.) One focus: creating a system that recognizes an intrusion attempt and reacts to it automatically. That would block a Stuxnet-like virus as soon as it jumped from the USB stick. But how can an operating system know which programs are to be trusted?

One solution is to use a one-way hash function, a cryptographic technique. A hash function takes a fantastically huge number—for example, all the millions of 1s and 0s of a computer program, expressed as a number—and converts it to a much smaller number, which acts as a signature. Because programs are so large, it is highly unlikely that two different ones would result in the same signature value. Imagine that every program that wants to run on a system must first go through the hash function. Its signature then gets checked against a master list; if it does not check out, the attack stops there.

The DOE also recommends other security measures, such as physical security checks at operator workstations (think radio chips in identification badges). It also highlights the need to exert tighter control over communication between devices inside the network. The 2007 Aurora demonstration involved a rogue device tricking a generator’s network into believing it was sending authoritative commands. These commands eventually led to the destruction of the generator.

These worthwhile steps will require time and money and effort. If we are going to achieve the DOE roadmap to a more secure grid in the next decade, we are going to have to pick up the pace. Let us hope we have even that much time.

MORE TO EXPLORE

Roadmap to Secure Control Systems in the Energy Sector. Jack Eisenhauer et al. Energetics Incorporated, January 2006. www.oe.energy.gov/csroadmap.htm

Security of Critical Control Systems Sparks Concern. David Geer in IEEE Computer, Vol. 39, No. 1, pages 20–23; January 2006.

Trustworthy Cyber Infrastructure for the Power Grid. Multiuniversity research project funded by the U.S. Department of Energy. www.tcipg.org

What Is the Electric Grid, and What Are Some Challenges It Faces? U.S. Department of Energy. www.eia.doe.gov/energy_in_brief/power_grid.cfm

SCIENTIFIC AMERICAN ONLINE

For an extended look at the history of electronic attacks on physical structures, visit ScientificAmerican.com/jul2011/lights-out
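The Aurora exercise described under SEARCH AND DESTROY came down to a rapid succession of on/off commands reaching a generator's breakers from a device the network wrongly trusted. The detector below is an added example, not code from the article or from the Idaho National Laboratory test: it runs two checks over constructed control-system command-log lines, a command from a host outside the authorized set and a burst of open/close commands to one breaker inside a short window. The log format, host names and thresholds are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: ISO timestamp, issuing host, breaker id, command.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) breaker=(?P<brk>\S+) cmd=(?P<cmd>OPEN|CLOSE)$"
)

# Hosts permitted to issue breaker commands (constructed allowlist).
AUTHORIZED_SOURCES = {"hmi-01", "hmi-02"}


def parse_line(line):
    """Return (timestamp, src, breaker, cmd), or None if the line is not a breaker command."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["brk"], m["cmd"]


def detect(lines, authorized=AUTHORIZED_SOURCES, max_ops=4, window_s=10.0):
    """Scan command-log lines in order and return (kind, detail) alerts, where kind is
    "unparsed" (line not in the expected format), "unauthorized-source" (command from a
    host outside the authorized set) or "rapid-cycling" (at least max_ops commands to
    one breaker within window_s seconds)."""
    alerts = []
    recent = defaultdict(deque)  # breaker id -> timestamps of its recent commands
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparsed", line.strip()))
            continue
        ts, src, brk, cmd = rec
        if src not in authorized:
            alerts.append(("unauthorized-source", f"{src} issued {cmd} to {brk} at {ts.isoformat()}"))
        q = recent[brk]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= max_ops:
            alerts.append(("rapid-cycling", f"{brk}: {len(q)} commands within {window_s:.0f}s ending {ts.isoformat()}"))
            q.clear()  # one alert per burst
    return alerts


def summarize(alerts):
    """Alert counts by kind, e.g. {"unauthorized-source": 6, "rapid-cycling": 1}."""
    counts = defaultdict(int)
    for kind, _ in alerts:
        counts[kind] += 1
    return dict(counts)


# Constructed sample: routine switching from authorized HMIs, then six open/close
# commands to one breaker within five seconds from a host that is not on the list.
SAMPLE_LOG = [
    "2011-07-01T10:00:00 src=hmi-01 breaker=CB-03 cmd=OPEN",
    "2011-07-01T10:04:30 src=hmi-01 breaker=CB-03 cmd=CLOSE",
    "2011-07-01T10:20:00 src=hmi-02 breaker=CB-07 cmd=OPEN",
    "2011-07-01T10:25:00 src=hmi-02 breaker=CB-07 cmd=CLOSE",
    "2011-07-01T11:00:00 src=eng-laptop-9 breaker=CB-07 cmd=OPEN",
    "2011-07-01T11:00:01 src=eng-laptop-9 breaker=CB-07 cmd=CLOSE",
    "2011-07-01T11:00:02 src=eng-laptop-9 breaker=CB-07 cmd=OPEN",
    "2011-07-01T11:00:03 src=eng-laptop-9 breaker=CB-07 cmd=CLOSE",
    "2011-07-01T11:00:04 src=eng-laptop-9 breaker=CB-07 cmd=OPEN",
    "2011-07-01T11:00:05 src=eng-laptop-9 breaker=CB-07 cmd=CLOSE",
    "garbage line from a misconfigured logger",
]

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```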
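WHAT TO DO describes auditing a utility's firewall configuration files offline for pathways from outside to critical assets. The following is an added example of that kind of reachability analysis, not the Network Access Policy Tool itself: a constructed four-zone network with ordered permit/deny rules, a search for a multi-hop pathway from the Internet to the substation zone, and a re-check after the forgotten rule is removed. Zones, addresses, rule format and ports are all assumptions made for the example.

```python
from collections import deque
from ipaddress import ip_network


class Rule:
    """One firewall rule; src/dst are CIDR strings, port=None matches any port."""
    def __init__(self, action, src, dst, port=None):
        self.action, self.port = action, port  # action is "permit" or "deny"
        self.src, self.dst = ip_network(src), ip_network(dst)


class Firewall:
    """Firewall between two zones with an ordered rule list: first match wins,
    and unmatched traffic is denied (the usual implicit deny)."""
    def __init__(self, name, zone_a, zone_b, rules):
        self.name, self.zones, self.rules = name, (zone_a, zone_b), list(rules)

    def permits_any(self, src_net, dst_net, port):
        """Rule letting at least one host in src_net reach at least one host in dst_net
        on port, else None. A deny settles it only when it covers both zones entirely;
        a partial deny leaves the remaining hosts to later rules."""
        for r in self.rules:
            if r.port not in (None, port):
                continue
            if not (src_net.overlaps(r.src) and dst_net.overlaps(r.dst)):
                continue
            if r.action == "permit":
                return r
            if src_net.subnet_of(r.src) and dst_net.subnet_of(r.dst):
                return None
        return None


def find_pathway(zones, firewalls, start, target, ports):
    """Breadth-first search over zones: an edge exists when a firewall permits some
    traffic between two zones on an audited port, and a host compromised in one zone
    is assumed able to try the next hop. Returns the first pathway found as a list of
    (from_zone, to_zone, firewall_name, port, rule) hops, or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        zone, path = queue.popleft()
        if zone == target:
            return path
        for fw in firewalls:
            if zone not in fw.zones:
                continue
            nxt = fw.zones[1] if fw.zones[0] == zone else fw.zones[0]
            if nxt in seen:
                continue
            for port in ports:
                rule = fw.permits_any(zones[zone], zones[nxt], port)
                if rule is not None:
                    seen.add(nxt)
                    queue.append((nxt, path + [(zone, nxt, fw.name, port, rule)]))
                    break
    return None


# Constructed utility network: four zones, three firewalls, four audited ports.
ZONES = {
    "internet": ip_network("203.0.113.0/24"),  # stand-in for "everything outside"
    "business": ip_network("10.10.0.0/16"),
    "operations": ip_network("10.20.0.0/16"),
    "substation": ip_network("10.30.0.0/16"),
}
AUDITED_PORTS = [443, 22, 3389, 20000]  # web, ssh, remote desktop, constructed control-protocol port

# Vendor access granted years ago and never removed: the "long-forgotten pathway".
FORGOTTEN_RULE = Rule("permit", "10.10.7.0/24", "10.20.1.0/24", 22)

FIREWALLS = [
    Firewall("fw-edge", "internet", "business",
             [Rule("permit", "203.0.113.0/24", "10.10.5.0/24", 443)]),  # public web hosts only
    Firewall("fw-ops", "business", "operations",
             [Rule("deny", "10.10.0.0/16", "10.20.0.0/16", 3389), FORGOTTEN_RULE]),
    Firewall("fw-sub", "operations", "substation",
             [Rule("permit", "10.20.0.0/16", "10.30.0.0/16", 20000)]),
]


def audit(firewalls):
    """Pathway from the Internet to the substation zone, or None if the configs close it."""
    return find_pathway(ZONES, firewalls, "internet", "substation", AUDITED_PORTS)


def without_rule(firewalls, rule):
    """The same firewall set with one rule removed, for re-checking after a fix."""
    return [Firewall(fw.name, *fw.zones, [r for r in fw.rules if r is not rule]) for fw in firewalls]
```

Running `audit(FIREWALLS)` reports the three hops web, forgotten ssh rule, control port; `audit(without_rule(FIREWALLS, FORGOTTEN_RULE))` returns None, which is the state the auditor wants to see after the fix.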
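The hash-based master list sketched at the end of WHAT TO DO, worked through as an added example (not the DOE roadmap's or any vendor's implementation): each program image is hashed with SHA-256 before it may run and the digest is looked up in a master list, so a tampered copy or an unlisted program is refused regardless of what it is named. The master-list format and the program images are constructed here.

```python
import hashlib


def sha256_hex(image: bytes) -> str:
    """The one-way hash: the whole program image in, a 64-hex-character digest out."""
    return hashlib.sha256(image).hexdigest()


def parse_master_list(text: str) -> dict:
    """Parse the master list. Constructed format, one entry per line:
    '<sha256 hex>  <program name>'; blank lines and '#' comments are ignored.
    Returns {digest: name}. A malformed entry is an error rather than something to
    skip, because a list that is partly unreadable may be a list someone edited.
    (The list itself must live where an intruder cannot rewrite it.)"""
    allowed = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(parts) != 2 or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"master list line {n}: malformed entry")
        allowed[digest] = parts[1]
    return allowed


def may_run(name: str, image: bytes, allowed: dict) -> tuple:
    """Gate a program before execution. The decision depends only on the image's
    digest; the name the file carries is never consulted for trust, which is the
    difference from trusting whatever happens to be called AUTOEXEC.BAT."""
    digest = sha256_hex(image)
    listed = allowed.get(digest)
    if listed is None:
        return False, f"blocked {name}: digest {digest[:12]}... is not on the master list"
    return True, f"allowed {name}: matches master-list entry '{listed}'"


# Constructed stand-ins for program images (real ones would be the executable bytes).
PROGRAMS = {
    "hmi_display.exe": b"\x7fELF-like constructed image: HMI display 3.2",
    "relay_config.exe": b"MZ constructed image: protection relay configurator 1.9",
}

# The master list is built once from known-good images and then kept read-only.
MASTER_LIST = "# sha256  program\n" + "".join(
    f"{sha256_hex(img)}  {n}\n" for n, img in PROGRAMS.items())


def tampered(image: bytes, offset: int = 10) -> bytes:
    """Flip one bit of an image: a single changed byte yields an unrelated digest."""
    b = bytearray(image)
    b[offset] ^= 0x01
    return bytes(b)


def demo() -> dict:
    """Run the gate over the listed programs, a tampered copy and an unlisted program."""
    allowed = parse_master_list(MASTER_LIST)
    results = {name: may_run(name, img, allowed)[0] for name, img in PROGRAMS.items()}
    # Same file name as a listed program, different bytes: the name buys nothing.
    results["hmi_display.exe (tampered)"] = may_run(
        "hmi_display.exe", tampered(PROGRAMS["hmi_display.exe"]), allowed)[0]
    # A program that arrived on a USB stick and was never added to the list.
    results["update_tool.exe (unlisted)"] = may_run(
        "update_tool.exe", b"constructed image that nobody vetted", allowed)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'RUN  ' if ok else 'BLOCK'} {name}")
```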
