A government video shows the potential destruction caused by hackers seizing control of a crucial part of the U.S. electrical grid: an industrial turbine spinning wildly out of control until it becomes a smoking hulk and power shuts down.
The video, produced for the Homeland Security Department and obtained by The Associated Press on Wednesday, was marked "Official Use Only."
It shows commands quietly triggered by simulated hackers having such a violent reaction that the enormous turbine shudders as pieces fly apart and it belches black-and-white smoke.
The video was produced for top U.S. policy makers by the Idaho National Laboratory, which has studied the little-understood risks to the specialized electronic equipment that operates power, water and chemical plants.
Vice President Dick Cheney is among those who have watched the video, said one U.S. official, speaking on condition of anonymity because this official was not authorized to publicly discuss such high-level briefings.
"They've taken a theoretical attack and they've shown in a very demonstrable way the impact you can have using cyber means and cyber techniques against this type of infrastructure," said Amit Yoran, former U.S. cybersecurity chief for the Bush administration.
Yoran is chief executive for NetWitness Corp., which sells sophisticated network monitoring software.
"It's so graphic," Yoran said. "Talking about bits and bytes doesn't have the same impact as seeing something catch fire."
The electrical attack never actually happened.
The recorded demonstration, called the "Aurora Generator Test," was conducted in March by government researchers investigating a dangerous vulnerability in computers at U.S. utility companies known as supervisory control and data acquisition systems.
The programming flaw was quietly fixed, and equipment-makers urged utilities to take protective measures.
There was no evidence any U.S. utility company suffered damage from hackers or terrorists using this technique, U.S. officials said.
But these officials cautioned that affected systems are not routinely monitored as closely as many modern corporate computer networks, so there would be little forensic evidence to study after such a break-in.
Industry experts cautioned that intruders would need specialized knowledge to carry out such attacks, including the ability to turn off warning systems.
"The video is not a realistic representation of how the power system would operate," said Stan Johnson, a manager at the North American Electric Reliability Corp., the Princeton, N.J.-based organization charged with overseeing the power grid.
A top Homeland Security Department official, Robert Jamison, said companies are working to limit such attacks.
"Is this something we should be concerned about? Yes," said Jamison, who oversees the department's cybersecurity division. "But we've taken a lot of risk off the table."
President Bush's top telecommunications advisers concluded years ago that an organization such as a foreign intelligence service or a well-funded terror group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation."
Ominously, the Idaho National Laboratory — which produced the new video — has described the risk as "the invisible threat."
Experts said the affected systems were not developed with security in mind.
"What keeps your lights on are some very, very old technology," said Joe Weiss, a security expert who has testified before Congress about such threats. "If you can get access to these systems, you can conceptually cause them to do whatever it is you want them to do."
The Homeland Security Department has been working with industries, especially electrical and nuclear companies, to enhance security measures.
The electric industry is still working on their internal assessments and plans, but the nuclear sector has implemented its security measures at all its plants, the government said.
In July the Federal Energy Regulatory Commission proposed a set of standards to help protect the country's bulk electric power supply system from cyber attacks.
These standards would require certain users, owners and operators of power grids to establish plans and controls.
For original story:
CISSP, MCSE, CSTA, Security+ SME