Calif. power grid hacked

Report: Calif. power grid hacked

Intruders exposed security weaknesses in the system

ASSOCIATED PRESS LOS ANGELES, June 9 — At the height of the California energy crisis, a key computer system involved in moving electricity throughout the state was targeted by hackers, the Los Angeles Times reported Saturday.

THE LIMITED SUCCESS of the hackers exposed security weaknesses in the system used by the California Independent System Operator, which oversees most of the state’s electricity transmission grid, the Times said. Officials said the problems have been corrected and there was no threat to the grid, even though the hackers came close to accessing critical parts of the system and could have disrupted the movement of power.

The Times cited an internal agency report showing the attack began as early as April 25 and wasn’t detected until May 11. ISO officials said rolling blackouts May 7 and 8 were not connected to the hacking, and the FBI is investigating.

The report said the main offensive was routed through China Telecom from someone in Guangdong province in China. Hackers also apparently entered the system using Internet servers in Santa Clara and Tulsa, Okla.


-- Martin Thompson, June 09, 2001


Have been expecting this to happen. These systems are very vulnerable to attack.

-- Martin Thompson, June 09, 2001.

Fortunately, these hackers apparently need to "rehearse" and do "trial runs" before the main attack. And, these give the Defense time and opportunity to learn to beef up security cyberdefense. This makes the "real" attack less likely to deliver its full "payload" of Y2K-level "The Earth Stands Still" type disruption intended.

Unfortunately, the serious threat of cyberterrorism to critical infrastructure is the "Y2K" type threat that never ends. The consequences of a worst-case attack would be almost identical to that feared for Y2K; except the threat is continuing, and the timing unknown. Reading (esp. the F.A.Q. sublink) gives any Y2Ker a strong sense of deja vu. All the familiar buzz words are there: "Mission critical" "Critical Infrastructure" "Cascading Effects" "Catastrophic widespread disruption".

The bottom line lesson is to Keep Preppin' --- or start now if you ignored Y2K and ***LUCKED*** out! Next time around, your luck might not be so spectacularly good!

-- Robert Riggs, June 09, 2001.

Here's the LA Times article:

Headline: Hackers Victimize Cal-ISO

Source: Los Angeles Times, Saturday, June 9, 2001

URL: DBLIST=lt01&DOCNUM=44980&DBPUB=20010609BwTyxxiv&QDesc=Hackers%20Victimize%20Cal-ISO

SACRAMENTO -- For at least 17 days at the height of the energy crisis, hackers mounted an attack on a computer system that is integral to the movement of electricity throughout California, a confidential report obtained by The Times shows.

The hackers' success, though apparently limited, brought to light lapses in computer security at the target of the cyber-attack, the California Independent System Operator, which oversees most of the state's massive electricity transmission grid.

Officials at Cal-ISO say that the lapses have been corrected and that there was no threat to the grid. But others familiar with the attack say hackers came close to gaining access to key parts of the system, and could have seriously disrupted the movement of electricity across the state.

Democratic and Republican lawmakers were angered by the security breach at an entity that is such a basic part of California's power system, given its fragility during the state's continuing energy crisis. One called the attack "ominous."

An internal agency report, stamped "restricted," shows that the attack began as early as April 25 and was not detected until May 11. The report says the main attack was routed through China Telecom from someone in Guangdong province in China.

In addition to using China Telecom, hackers entered the system by using Internet servers based in Santa Clara in Northern California and Tulsa, Okla., the report says. James Sample, the computer security specialist at Cal-ISO who wrote the report, said he could not tell for certain where the attackers were located.

"You don't know where people are really from," Sample said. "The only reason China stuck out is because of the recent political agenda China had with the U.S. . . . An ambitious U.S. hacker could have posed as a Chinese hacker."

The breach occurred amid heightened Sino-American tensions after the collision between a Chinese military jet and a U.S. spy plane. In early May, there were hundreds of publicly reported computer attacks apparently originating from China. Most of those incidents involved mischief; anti-American slogans were scrawled on government Web sites.

The attack on the Cal-ISO computer system apparently had the potential for more serious consequences, given that the hackers managed to worm their way into the computers at the agency's headquarters in Folsom, east of Sacramento, that were linked to a system that controls the flow of electricity across California. The state system is tied into the transmission grid for the Western United States.

"This was very close to being a catastrophic breach," said a source familiar with the attack and Cal-ISO's internal investigation of the incident.

On May 7 and 8, as the infiltration was occurring, California suffered widespread rolling blackouts, but Cal-ISO officials said Friday that there was no connection between the hacking and the outages, which affected more than 400,000 utility customers.

"It did not affect markets or reliability," said Stephanie McCorkle, a spokeswoman for Cal-ISO.

Officials of the agency made no public acknowledgment of the attack until Friday when contacted by The Times. The agency did, however, call the FBI, which is investigating.

McCorkle said Cal-ISO did not make a public disclosure about the hacking "because it didn't impact the reliability of any of our internal networks."

"It didn't have a negative consequence and would not have impacted the public or market participants," McCorkle said.

After the attack was discovered, the report says, investigators found evidence that the hackers apparently were trying to "compile" or write software that might have allowed them to get past so-called firewalls protecting far more sensitive parts of the computer system.

The attackers focused on parts of the grid agency's computer system that are under development. In what may have been the most significant lapse, the system being developed was not behind a firewall, a security element designed to keep out those who are not entitled to access.

Additionally, so-called tripwires that might have alerted agency security personnel to the unauthorized entry were nonexistent. Nor were there logs within the system that might have identified users entering the system as the infiltration was occurring, the report notes.

What's more, dozens of ports into the computer system were open, when only a handful should have been available.

"All servers should be hardened regardless of their role or location in the network," the report says. "Only ports that are required to be open should be opened; all others should be disabled."

Complicating the investigation, workers at Cal-ISO rebooted their computers when the machines balked, apparently in response to the infiltration.

"This action limited our ability to discover all files and activity that may be related to this compromise," the report says.

Sample, the security engineer who wrote the report, downplayed the potential threat and said the attack was "something that we've been anticipating."

"It was a compromise, not really an attack," he said.

State legislators were not comforted by such distinctions.

"That's really amazing on two counts: that there were computers not behind a firewall and it took 17 days to discover," said state Sen. Debra Bowen (D-Marina del Rey), who chairs her chamber's Energy Committee.

Bowen, who was informed of the breach by The Times, called it a "serious matter" and said she was "very concerned to learn about this from the L.A. Times, rather than from the ISO itself." The lack of official notification, she said, adds to her skepticism about whether the agency has been forthcoming.

"It is embarrassing, so I can understand they would not want to talk about it," Bowen said. "We're going to ask some questions."

The Independent System Operator, established in 1998 when the state opened the newly deregulated electricity market to competition, is an essential component of the state's electricity system.

The purpose of the nonprofit entity is to balance the flow of electricity across the state and make last-minute power purchases to match demand and avoid blackouts. The Legislature reconfigured the agency earlier this year, giving Gov. Gray Davis the power to appoint the five-member board that oversees it.

"It is troubling that it happened," said Sen. Tom McClintock (R-Thousand Oaks). "It is disturbing that it took so long to be corrected. And it is galling that it was not reported to the Legislature."

McClintock labeled as "ominous" the possibility that the attack came from China. He said he is preparing a request for all documents related to the breach and is considering requesting a formal legislative inquiry.

ISO board member Mike Florio, who represents consumers, said he had a vague recollection that the board was informed of the attack. But he also was surprised to learn some of the details.

"We hire people to deal with this stuff," he said, "and they said they dealt with it."

-- Andre Weltman, June 11, 2001.

Energy vulnerable to cyber attacks

Monday, 11 June 2001 14:36 (ET)

By HIL ANDERSON, UPI Chief Energy Correspondent

LOS ANGELES, June 11 (UPI) -- The hackers who penetrated a computer system linked to California's beleaguered electricity grid earlier this spring apparently did no serious harm; however, the incident came to light at about the same time a government advisory organization was warning that the entire U.S. energy industry needed to shore up its defense against cyberterrorism.

The Los Angeles Times reported during the weekend that unidentified hackers had burrowed into the computer system of the California Independent System Operator (ISO), and were apparently attempting to learn enough to write software that would get past the firewalls protecting areas of the system that are used to manage the flow of electricity on the grid.

"This was very close to being a catastrophic breach," a source familiar with the attack told the newspaper.

The unauthorized entry was made easier, according to the Times, by a lack of "trip-wires" within the system that would have alerted ISO officials to the intruders.

Although the incidents were said not to have played any role in the rolling blackouts that occurred in April and May, the National Petroleum Council warned in a June 6 report that the entire U.S. energy industry needed to increase the level of its computer security in order to prevent future and potentially more damaging hacker attacks.

The NPC, an industry group formed to advise the federal government on energy matters, warned that energy companies that have been accustomed to dealing with the threat of an explosion -- either accidental or intentional -- are not adequately prepared for an attack from cyberspace, even though the industry has become increasingly reliant on computers.

"This critical reliance is a recent phenomenon resulting in new threats and a high level of vulnerability because the development and adoption of processes to ensure security in this area has not kept pace," the NPC report stated. "The new weapon is electronic bits versus bombs in the old paradigm."

The concept of cyberterrorism aimed at energy infrastructure, plus the worst-case scenarios developed in the days prior to the arrival of Y2K, have led to concerns of hackers shutting down power plants, transmission lines, pipelines and refineries. The NPC advised energy companies, as well as various municipalities and other government entities, to update their capabilities and work more closely in responding to problems.

"Receipt of real-time information is critical in protecting the oil and natural gas infrastructures, and rapid reporting of incidents is vital," the report said.

The threat to commerce, however, is likely more immediate than the threat of some hacker shutting off the lights.

While computers help run a larger share of the production of energy, the fast-paced trading of energy commodities and the high-stakes financial end of the business could suffer an even more egregious insult from a cyberterrorism attack.

"The reliance on cyber technologies creates the opportunity for interrupted communications, false or misleading transactions, fraud, or breach of contracts, and can result in potential loss of service, loss of stakeholder confidence, or the failure of the business itself," the NPC said. "The due diligence standards in this new environment remain ill defined and transitory."

The NPC also speculated that without a national, if not international, framework for dealing with cyber terrorism there might be a chance that some party might drag its feet in fixing a computer system if the resulting price swings have gone in its favor.

"When infrastructure disruptions occur, conflicts of interest can develop between the various entities involved, that inhibit response, restoration of service, and future infrastructure protection," said the report.

-- Martin Thompson, June 13, 2001.

Fair use for educational/research purposes only!

California Power Grid Hack Underscores Threat to U.S.

Robyn Weisman, June 13, 2001

Last month's 17-day hack into California's power grid could presage future hacks by foreign entities with hostile intentions.

Experts have determined that the cyber attacks perpetrated last month on California Independent System Operator (Cal-ISO) were made at random. But the 17-day intrusion into the networks running California's leading electric power grid has caused consternation among state and federal bureaucrats. In addition to the threat of further power disruption, officials fear the intrusion could herald a push on the part of foreign governments and other entities to gather classified intelligence and other sensitive data for hostile purposes.

"I'm not sure why they see it as intelligence-gathering," incident analyst Ryan Russell told NewsFactor Network. "The more interesting aspect is that this appears to be one of the first publicly known examples of information warfare, or cyberwar, or whatever you want to call it -- that is, getting remote access to some critical infrastructure and damaging it or shutting it down."

Calming Fears

Cal-ISO spokesperson Greg Fishman told Newsbytes Tuesday that the attacks were confined to a "practice network" and that they posed no threat to the actual power grid or the primary power distribution network that handles the Western U.S.

Fishman did say, however, that the agency still takes the security breach very seriously. The Federal Bureau of Investigation (FBI) is looking into the incident.

Said Fishman: "[The hackers] may have stumbled upon us, but the activities directed against us were quite purposeful. Even if this attempt was not particularly successful, it's appropriate to take it seriously, to investigate it properly, and if possible find the people who were involved."

Honk If You're From China

Sources have connected the Honker Union of China (HUC) with the defacements of Cal-ISO Web sites, which occurred between April 25th and May 11th of this year. Defacement archivist Web site recorded 130 HUC-linked hacks during the three-week time period, all protesting the death of Chinese fighter pilot Wang Wei, who was killed when his F-8 jet collided with an American spy plane on April 1st.

Russell told NewsFactor that there is no way to determine conclusively that HUC defaced all of the 130 Web sites mentioned, including that of Cal-ISO. The hackers defaced the sites with Chinese flags, photos of the downed pilot, and text excoriating the U.S. and its perceived imperialism.

"You can't tell if it came from a person in China," Russell told NewsFactor. "It's standard procedure to bounce through several systems to hide your location."

Russell added that during the so-called China "hack week," his firm saw a large increase in scans from Korea and the Netherlands that matched the types of attacks the Chinese hackers were using to deface U.S. Web sites. This indicates that they were most likely using compromised hosts in those countries to launch attacks.

Many Means to End

Whoever or whatever combination of operatives perpetrated these attacks, the methods used to pick targets were unusual. The hackers chose sites based on IP addresses, either through their number range or through their provider.

SBC Communications Corp. (NYSE: SBC) subsidiary Pacific Bell hosted several sites that were victims of the attacks. In addition, on May 2nd, the hackers defaced almost a dozen Web sites whose protocol addresses began with 209. On May 3rd, similar intrusions were made on sites whose addresses began with 204.

Said Frank Cilluffo, a senior policy analyst for the Center of Strategic & International Studies: "You still don't know if you're dealing with a kid, organized crime, an intelligence service or an economic competitor."

Countered Russell: "It doesn't matter much, does it? If we lose some critical infrastructure, we're still screwed."

This story contains additional material contributed by Newsbytes.

-- Martin Thompson, June 13, 2001.

Calif. lawmaker demands report on hack of power grid

6/22/01 4:21 PM Source: Reuters

SAN FRANCISCO, June 22 (Reuters) - A California state lawmaker on Friday asked the manager of the state's power grid to detail the steps it has taken to prevent its computer network from being hacked again after an earlier breach that is being investigated by the FBI.

Sen. Tom McClintock, a Republican from the Los Angeles suburb of Thousand Oaks, asked the California Independent System Operator (ISO) to deliver to him within a few days a report detailing how and why the recent hack had happened and what the ISO is doing to prevent future attacks.

McClintock, who has warned that hacker attacks on the California grid have potential to paralyze the state, met with staff members of the California Independent System Operator (ISO) for an hour and a half on Friday at his request.

The FBI is investigating the hack, which happened sometime between April 25 and May 11, but was not disclosed until about a month later, the ISO has said.

After the Los Angeles Times reported on the hack citing an internal ISO report, the agency, which oversees most of the state's power and the second-largest electricity grid in the nation, confirmed that its system had been penetrated but said no critical operations were at risk.

ISO staffers reassured McClintock Friday that the incident was a relatively minor attack on a computer set up for testing software and connected to the Internet, said ISO spokesman Gregg Fishman.

The attack took place during a time when parts of the state fell to rolling blackouts and around the time of escalated tensions between the United States and China after a U.S. Navy surveillance plane collided with a Chinese jet fighter.

Although the attack appeared to come from somewhere in China, ISO staff have said they are not sure the hack originated there because it is so easy for a hacker to hide his tracks online.

"The principal concern, obviously, is national security issues," said McClintock.

(Elinor Abreu, San Francisco bureau, 415-677-3919)

Copyright 2001, Reuters News Service

-- Martin Thompson, June 22, 2001.
