
Report: China, Russia Top Sources of Power Grid Probes

Brian Krebs


related: America’s Unprotected Back Door: the New Terrorist Threat

U.S. Electrical Grid Is Penetrated by Russian and Chinese Spies

Have Embedded Code in Power Grid

Hackers Have Attacked Foreign Utilities, CIA Analyst Says

US Video Shows Hacker Hit on Power Grid

When the Power Grid Shuts Down – Why You Should Care to Prepare for Disasters Emergencies

CIA Launches Hunt for International Computer Hackers Threatening to Hold Cities Ransom By Shutting Off Power

Blackout 2003 Revisited

Blackouts: The Power Grid Is Too Sensitive for Its Own Good

Power Grid: Concerns Raised About Power Reliability

5 Years After Blackout, Power Grid Still in 'Dire Straits'


HOLLY NOTE: This is as serious as it gets:

Know how to use a home generator safely and store fuel properly;

Water storage and purification knowledge is essential.


April 14, 2009

Brian Krebs

Washington Post

Last week, blogs and the mainstream press alike were abuzz with reports that Chinese and Russian hackers had penetrated the U.S. power grid and left behind secret back doors. The original story, a piece in the Wall Street Journal, was light on details, and many readers have asked me if I uncovered additional nuggets of knowledge about the existence of these back doors. I have not.

But I have discovered some interesting data published recently, which seems to support the notion that China and Russia are quite interested in locating digital control systems connected to our nation's power grid and other complex critical infrastructures.

The data comes from a white paper released late last month by Team Cymru, a group of researchers who try to discover who is behind Internet crime and why. That document sought to provide empirical evidence to show which nations were most active in probing our networks for the presence of highly specialized systems designed to control large, complex systems.

These so-called "supervisory control and data acquisition" (SCADA) systems help engineers monitor, communicate with, and control equipment used for energy generation and distribution (SCADA systems also help manage other complex systems, such as water networks, transportation switching systems, etc.).

Image: Worldwide SCADA port locations

Most of these SCADA systems communicate over proprietary communications protocols that were never designed with security in mind. To make matters worse, Cymru notes, "many of these older communications methods (fiber, radio transmission, dedicated modem, satellite, microwave, PSTN, cellular, wireless, powerline carrier) are increasingly being replaced by the public Internet," which provides considerable cost savings.

The report continues: "The communication protocols and implementation details of the various proprietary SCADA protocols are generally not available to researchers, and a wide variety of ports and methods are used amongst the various vendors. This does not significantly hinder the miscreants, who will simply scan for wide ranges of well-known SCADA-related ports, and tailor their attacks to the results they find."

Image: Pie chart shows global scanning data by country

So, Team Cymru started gathering information about the location of computers that were scanning the Internet for specific communications channels used by these SCADA systems. The group did this passively, by monitoring SCADA-specific scans coming into so-called "darknet" space, or clusters of Internet addresses in which no active services or servers reside. The graphic above indicates the aggregate sources, with red and white areas indicating high activity levels, and blue areas indicating lesser levels of scanning.

Steve Santorelli, director of investigations at Team Cymru, said most traffic entering a darknet is malicious to some extent, since nothing legitimate should be routed there. In fact, he said, most traffic entering a darknet comes from scans generated by automated tools and malware looking for vulnerable systems.

Santorelli combed through the darknet data for 2008, looking at the apparent source of the scans for the most common SCADA communications channels. Perhaps not surprisingly, the data showed systems in China responsible for the overwhelming majority of scans. Taiwan and Russia also were major sources. The pie chart to the right breaks it down by country.

"What we found is that this kind of scanning really is massively skewed towards China," Santorelli said.
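The darknet methodology described above, as an added example that is not part of the article or of Team Cymru's work: flow records arriving at unused address space are filtered to SCADA-related TCP ports, sources that sweep several darknet addresses are flagged as scanners, and the result is tallied by the country of the source address. The port list, the prefix-to-country table and the flow format are all assumptions; the report does not publish them.

```python
import ipaddress
from collections import Counter, defaultdict

# TCP ports for two common SCADA protocols (assumption: the report does not
# list which "well-known SCADA-related ports" it watched; these are ours).
SCADA_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}

# Constructed prefix-to-country table standing in for a GeoIP database;
# these are RFC 5737 documentation ranges, not real national allocations.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "RU",
    ipaddress.ip_network("203.0.113.0/24"): "TW",
}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in net), "??")

def parse_flow(line):
    # Constructed darknet flow record: "timestamp src_ip dst_ip dst_port proto"
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}

def scada_scan_summary(lines, min_targets=3):
    """Return (scanners, by_country). A source counts as a SCADA scanner when
    it hit at least `min_targets` distinct darknet addresses on SCADA ports,
    which separates a sweep from a stray misconfigured packet. by_country
    attributes the geolocated source address only, not the operator."""
    targets = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f["proto"] == "tcp" and f["port"] in SCADA_PORTS:
            targets[f["src"]].add(f["dst"])
    scanners = {s: len(d) for s, d in targets.items() if len(d) >= min_targets}
    return scanners, Counter(country_of(s) for s in scanners)

# Constructed sample flows; 10.99.0.0/16 plays the darknet here.
DARKNET_FLOWS = [
    "2008-06-01T00:00:01 192.0.2.10 10.99.0.1 502 tcp",
    "2008-06-01T00:00:02 192.0.2.10 10.99.0.2 502 tcp",
    "2008-06-01T00:00:03 192.0.2.10 10.99.0.3 502 tcp",
    "2008-06-01T00:00:04 192.0.2.10 10.99.0.4 20000 tcp",
    "2008-06-01T00:00:05 198.51.100.5 10.99.2.1 20000 tcp",
    "2008-06-01T00:00:06 198.51.100.5 10.99.2.2 20000 tcp",
    "2008-06-01T00:00:07 198.51.100.5 10.99.2.3 20000 tcp",
    "2008-06-01T00:00:08 203.0.113.9 10.99.3.1 502 tcp",   # one hit: below threshold
    "2008-06-01T00:00:09 192.0.2.10 10.99.0.5 80 tcp",     # web probe, not a SCADA port
    "2008-06-01T00:00:10 198.51.100.5 10.99.2.4 502 udp",  # not TCP, ignored
]
```

The country tally says where the scanning box is registered, nothing more; as the article notes further down, that box may be an infected relay for an operator anywhere else.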

Image: China's SCADA ports

Of course, correctly attributing the source of any Internet attack is always a dicey affair, and requires more sleuthing than merely tracing the origin of a single Internet address that appears to be doing the hacking and probing. If one wanted to trace the true source of an attack, one would need to win the cooperation of an ISP over in China who could look to see if the traffic coming from a particular Chinese system indeed originated there or was merely redirected through the Chinese system from another point on the Internet.

But that approach probably wouldn't scale to tracking large numbers of attacks, and in any case it is unlikely the authorities there would be willing to provide that kind of access to investigators.

"It could just mean there is a significantly higher concentration of unlicensed Windows PCs in China and Russia, and therefore a lot more machines that are less likely to be patched and more likely to be infected" and be remotely controlled by cyber criminals, Santorelli said. "The people behind these machines could be in Virginia, Belize or Beijing. There's no way of knowing. It's guesswork."

The full white paper is available here.

http://voices.washingtonpost.com/securityfix/2009/04/report_china_russia_top_source.html?hpid=sec-tech

www.standeyo.com/NEWS/09_Sci_Tech/090414.power.grid.probes.html