Iranian cyber-reconnaissance of US power companies
A military computer scientist explores the growing threat and the forms the attacks could take
By Paulo Shakarian, PhD Posted on 4 June 2013
Dr. Paulo Shakarian is a Major in the US Army and a computer scientist who authored the upcoming Elsevier book Introduction to Cyber Warfare along with his wife, sociologist Jana Shakarian, and computer security expert Andrew Ruef. He has written over 20 published articles in scientific and military journals and has been featured in The Economist, Wired and Popular Science for his work on cyber-warfare and artificial intelligence.
Previously, Dr. Shakarian served two combat tours in Operation Iraqi Freedom. He currently works as an Assistant Professor at the US Military Academy at West Point, where he teaches classes on computer science and information technology. His website is: shakarian.net/paulo.
Recently, the Wall Street Journal reported that malicious Iranian hackers have conducted cyber-reconnaissance against American power companies. While the precise details as to which systems they reconnoitered were not reported, the story highlights a few trends in cyber-warfare that Jana, Andrew and I became familiar with while researching our recent Elsevier/Syngress book: Introduction to Cyber-Warfare. In particular, it highlights the concerns about cyber-attacks against the power grid and illustrates the growing cyber-threat originating from Iran.
Cyber attacks against the power grid
Thankfully, a successful cyber-attack against the US power grid has yet to be carried out. However, such an attack is certainly possible, and this fear has been stated in the past – for instance, when the Wall Street Journal reported that Russian and Chinese hackers had infiltrated power grid systems in 2009. Two basic types of threats against the power grid are component-wise and topological attacks.
In a component-wise attack, a malicious hacker would focus on specific “smart” components of the power grid such as a certain generator or substation. In 2007, a US Department of Energy experiment showed this type of operation to be viable against a power generator. In the experiment, the generator was connected to a computer network, and a red team of hackers was able to physically destroy the generator by placing it out of sync with the power grid to which it was connected (though certain normal protections were purposely turned off in the trial).
Though this project illustrated that such an attack was possible, properly carrying out such an operation in the real world would require specific knowledge of the targeted component. Unlike traditional business information technology systems, power grid systems are more specialized and much less common. As a result, the cyber-reconnaissance or information gathering phase of the attack becomes very important. This is why many are concerned about the recent Iranian reconnaissance against power companies.
The second type of attack, directed against the topology of the power grid, is a bit scarier. In this scenario, the attacker takes a small number of key systems offline in order to initiate a cascading failure. In 2003, the eastern US experienced such a failure (not caused by a cyber-attack) emanating from Ohio, which led to large-scale blackouts that spanned several states. What occurs in a cascading failure is that after a key power transmission station is disabled, power flow is automatically redirected to ensure the consumers keep their electricity. If the power flow redistribution causes certain lines to exceed their capacity, they may fail, causing another redirection of flow – which in turn could potentially lead to more failures.
The key to being able to carry out such an attack is having a detailed map of the targeted power grid and an understanding of how the various systems interact. Again, obtaining this information requires a reconnaissance effort.
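The cascading-failure mechanism described above can be made concrete with a small simulation. What follows is an added example, not code from the article or its authors: it models a constructed five-line toy grid under a simplified load-redistribution rule (when a line trips, its flow is split evenly across the surviving lines that share an endpoint with it, and any line pushed past its capacity trips in turn). It is not a physical power-flow solver, and the line names, flows and capacities are invented. Run as an N-1 contingency screen, it reports which single outages stay contained and which cascade, which is the kind of analysis an operator uses to decide where extra capacity margin or redundant paths are needed.

```python
from collections import deque

# Constructed toy grid (hypothetical values): line id -> (end A, end B, flow, capacity).
# Flows and capacities are in arbitrary units chosen for illustration only.
TOY_GRID = {
    "L1": ("A", "B", 50.0, 80.0),
    "L2": ("B", "C", 40.0, 60.0),
    "L3": ("A", "C", 30.0, 45.0),
    "L4": ("C", "D", 60.0, 100.0),
    "L5": ("B", "D", 20.0, 35.0),
}


def cascade(grid, initial_failures):
    """Simulate a cascading failure with a simplified redistribution rule.

    When a line trips, its flow is divided evenly among the surviving lines that
    share an endpoint with it. Any line pushed above its capacity trips next.
    Returns the failed line ids in the order they tripped. This is a toy model,
    not a physical power-flow calculation.
    """
    lines = {lid: {"ends": {a, b}, "flow": flow, "cap": cap}
             for lid, (a, b, flow, cap) in grid.items()}
    failed = []
    queue = deque(initial_failures)
    while queue:
        lid = queue.popleft()
        if lid not in lines:      # already tripped earlier in this cascade
            continue
        tripped = lines.pop(lid)
        failed.append(lid)
        # Surviving lines that touch either endpoint pick up the lost flow.
        neighbours = [k for k, v in lines.items() if v["ends"] & tripped["ends"]]
        if not neighbours:
            continue
        share = tripped["flow"] / len(neighbours)
        for k in neighbours:
            lines[k]["flow"] += share
            if lines[k]["flow"] > lines[k]["cap"] and k not in queue:
                queue.append(k)
    return failed


def n_minus_one(grid):
    """N-1 contingency screen: trip each line alone and record the resulting cascade."""
    return {lid: cascade(grid, [lid]) for lid in grid}


def critical_lines(grid):
    """Lines whose single outage takes down at least one other line."""
    return sorted(lid for lid, failed in n_minus_one(grid).items() if len(failed) > 1)


if __name__ == "__main__":
    for lid, failed in n_minus_one(TOY_GRID).items():
        status = "contained" if len(failed) == 1 else "cascades to " + ", ".join(failed[1:])
        print(f"trip {lid}: {status}")
    print("lines needing extra margin or redundancy:", critical_lines(TOY_GRID))
```

On this toy grid, tripping L2, L3 or L5 alone is absorbed by the neighbouring lines, while tripping L1 or L4 overloads neighbours and brings down every line, so those two are where a defender would add margin, redundancy and monitoring first. The same screen generalises to N-2 or targeted-set contingencies by passing more than one id as the initial failure.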
However serious the potential for an attack on the power grid, an adversary must still have the capability to actually carry out a cyber-operation. Though cyber-attacks are generally less expensive than kinetic military operations, they do require people with the right education, training and experience. Further, an organization looking to set up such a capability would have to make it a priority to ensure these people are properly salaried, or it risks losing them to the general technology sector. It appears that the Iranian government has made an investment in this area after its national embarrassment in the wake of dissident use of Twitter following the 2009 presidential elections and the 2010 discovery of Stuxnet.
Some of these efforts are publicly acknowledged, such as the “Cyber Police” designed to crack down on “improper” citizen use of the Internet, or the “Halal Internet” – Iran’s efforts to limit access to certain foreign websites and services. Other efforts have a less clear connection to the Iranian regime (though dissident groups will claim a more direct affiliation). These shadier undertakings include cyber-attacks by various malicious hacking groups going by monikers such as the “Iranian Cyber Army” or the “Cutting Sword of Justice.”
Attacks by these groups started in late 2009 and have been reported regularly since that time. Targets have included Twitter, the Voice of America’s website, various American banks and Saudi Aramco. The attacks have been a mixed bag in terms of complexity. However, while generally not reaching the prowess of malicious hackers from Russia or China, there has been an increase in sophistication over the past four years.
So while the precise level of threat posed by the activities of the alleged Iranian hackers against American power companies is unclear, such activities should be taken seriously. Cyber-attacks against the power grid are certainly possible, and malicious Iranian hackers are improving in capability. As the cat-and-mouse game continues between those attempting to attack and defend such systems, we will probably hear more such reports in the future. Hopefully, the defenders are more successful when it comes to the power grid.
The opinions in this article are solely those of the author and do not necessarily reflect the opinions of the US Military Academy, the US Army or the Department of Defense.