Hacking for real damage still takes ’boutique’ touch

By Blake Sobczak | 07/28/2017 08:08 AM EDT

LAS VEGAS — To hack a power grid, you may need a doctorate. At the very least, you should be pursuing one.

"Evil bubbles" wear out a water pumping system in a simulated cyberattack that would require great expertise, coordination and expense to pull off. Blake Sobczak/E&E News

LAS VEGAS — To hack a power grid, you may need a doctorate. At the very least, you should be pursuing one.

Tasos Keliris and Harrys Konstantinou, both Ph.D. candidates in electrical engineering at New York University Abu Dhabi in the United Arab Emirates, recently mapped out the U.S. power grid, bought popular equipment and searched for bugs they could exploit to cut off electricity.

A flaw they found in one protective relay — the GE 750 — earned a 9.8 on a 10-point cyber severity scale set by U.S. government officials.

Advertisement

"When we first saw [the score], we were like, ‘Whoa,’" said Keliris, who noted that it was the first time he had coordinated disclosing a digital vulnerability with U.S. authorities and the affected company. He, Konstantinou and NYU Abu Dhabi assistant professor Michail Maniatakos waited over a year before publicly discussing their findings to give GE and grid defenders a chance to take action.

The team of academics laid out their findings yesterday at the Black Hat cybersecurity conference here, intending to jump-start a conversation about electric sector security. But despite posing a provocative question — "Are cyber-attacks on the power grid limited to nation-state actors?" — the three researchers emphasized that their methodical approach to attacking the grid isn’t suited for the faint of heart.

For starters, the piece of GE equipment they targeted is "mostly used at the distribution level," Keliris observed, so "you wouldn’t have a city going down, just a neighborhood."

Secondly, while they were able to unearth troves of maps, equipment contracts and other sensitive grid-related data online, such intelligence would be largely out of reach to less experienced hackers.

"You’d have to know what you wanted to get in order to get it," Keliris explained on the sidelines of the conference, "so you need to have a pretty good understanding of the grid’s structure, how it operates."

The GE 750 is a type of protective relay, which instructs circuit breakers along the grid to open or close in certain conditions, cutting off or restoring the flow of electricity. Keliris and company uncovered a weakness that allowed them to coax an encrypted password out from the device using a communication protocol known as Modbus. They were then able to crack the password and use it to access the device itself.

From that vantage point, they could lock out actual operators, or command the device to constantly trip circuit breakers, flicking the lights on and off.

The researchers demonstrated this on a real GE 750 connected to a simulated grid.

The only real-world examples of hackers bringing down parts of a power grid took a team of at least 20 people, experts say. Those attacks, in 2015 and 2016, briefly brought down power to a few hundred thousand people total in Ukraine — no small feat, but hardly a cascading blackout.

Other examples of digital attacks wreaking physical havoc, such as the Stuxnet worm, which damaged Iranian nuclear centrifuges in the late 2000s, are rare. Experts say that shows hackers’ capability and intent are still more important than the underlying vulnerabilities in critical infrastructure.

It’s less clear how long that will hold true.

"We all want to know what to expect in the future: Is this an immediate threat?" said Marina Krotofil, lead cybersecurity researcher at industrial automation giant Honeywell.

Krotofil had just disclosed an elaborate cyberthreat to pump systems that involved lowering pressure along the pipes to produce bubbles, which are harmful to the system’s mechanics.

She acknowledged that her demonstration would require an extraordinarily knowledgeable, well-resourced and determined attacker to launch outside of a lab.

"This is a boutique attack, let’s say at the governmental levels," she said in her presentation at Black Hat yesterday.

Even in her miniature example, the 610-pound pump system cost $50,000. It took weeks of work for the "evil bubbles" to flow.

"I cannot tell you how many people were involved in troubleshooting this — it’s just insane," Krotofil said. "Yesterday, we were trying to troubleshoot it for three hours just to get it to work."

Real-world hackers would face similar hurdles.

"All of these attacks have high engineering complexity, which requires high coordination," Krotofil said.

Konstantinou said it would take a skilled adversary to replicate some of his own NYU Abu Dhabi team’s research on soft spots in U.S. electric distribution.

"What you saw is quite elaborate," he said. "The grid is robust. It’s not so simple."