Hacking the grid

The July issue of Scientific American carries an article by computer scientist David Nicol which looks at the issue of coordinated cyber attacks on industrial control systems. Nicol illustrates the seriousness of this problem with a discussion of the Stuxnet computer virus, thought by some to have been created by western intelligence agencies in an attempt to disable the infrastructure of Iran’s nuclear weapons programme.

Given that electricity grids are controlled by the same types of computers used in ordinary business environments, which are vulnerable to viral infection, Nicol argues that hackers could disable the physical machinery within power plants and substations…

“[A] coordinated cyberattack on multiple points in the grid could damage equipment so extensively that our nation’s ability to generate and deliver power would be severely compromised for weeks – perhaps even months.”

Nicol calls for a more concerted effort to close the gaps. This would include physical security checks at grid-operator workstations, and the use of cryptographic techniques which act as signatures that safeguard access to the control networks.

What Nicol doesn’t discuss in any detail is the fundamental nature of modern power grids, and the degree of interconnectedness required between network nodes. With popular talk of ‘smart grids’, which could facilitate the mass deployment of small-scale alternative and renewable energy sources, this becomes all the more important.

As for Nicol’s description of Stuxnet as “perhaps the most advanced computer virus ever seen”, I was under the impression that the Stuxnet code is fairly crude. Media reports give the impression of something cobbled together on the fly rather than worked out in detail by teams of crack cyber warriors based in the Virginia suburbs and Tel Aviv.

Other than that, Nicol’s article is an informative read. The writer, an academic expert on high-performance computing and cyber security at the University of Illinois, is right to highlight the very real danger of cyber attacks on sensitive civil infrastructure. Such warnings are surely necessary to jolt policymakers out of their current sense of complacency.