As part of anti-terrorism measures adopted in 2002, the Idaho National Laboratory (INL) received a new task: to identify possible weaknesses in critical infrastructure. This was not the first time that the federally funded research and development center had added another area of interest to its list. Even though the new research received the very broad name “Critical Infrastructure Protection”, its primary focus was on vulnerabilities in supervisory control and data acquisition (SCADA) systems. The majority of SCADA systems receive commands remotely over the Internet. This makes SCADA systems an attractive target for remote attacks, which could manipulate the electrical power grid, water supply plants, and other industrial processes without the attackers needing to be anywhere in close proximity.
Because of the high importance of this research, the U.S. Department of Energy decided to create the National SCADA Test Bed within the INL. Since it was a new area for the INL’s specialists, they needed the help of an expert. Their choice was Joe Weiss, who at the time worked as Executive Consultant for the international energy consulting company KEMA. They reached out to him, and Joe Weiss agreed to help. He used his connections with SCADA vendors worldwide, and soon samples of SCADA systems and testing equipment started arriving at the INL. All this equipment was put to use immediately.
Less than two years later, in August 2004, the INL presented its first demonstration of a successful remote attack on a SCADA system, during the KEMA Control System Cyber Security Workshop in Idaho Falls. In front of two hundred attendees, “attackers” from Sandia National Laboratory (SNL) in Albuquerque successfully attacked a simulated power substation. They were able not only to infiltrate the local network, which was protected by a firewall, but also to gain full access to the SCADA system in charge of the substation. First, the “attackers” opened and closed all breakers at the substation. Then they performed the same actions again, but this time they demonstrated their ability to hide the actual status of the breakers from the substation’s operator: the breakers were actually open while the SCADA system reported their status to the operator as closed.
During the discussions at the same workshop, several real-life cases of hacking of SCADA systems were mentioned. The first case took place in 2002, when an unidentified utility in the U.S. lost control of its SCADA system for two weeks. Since the utility’s customers did not lose electricity, the case was never officially reported. Another unreported case was a virus attack on a European utility; for four weeks, the utility could not access status information from several distribution substations. The third case involved a large electric utility company in Asia, which had recently been the target of three cyber-attacks.
The INL continued its experiments. In August 2006, it presented a second hacking attack at the KEMA Control System Cyber Security Conference in Portland, Oregon. This time “hackers” from the Pacific Northwest National Laboratory overcame all security measures and took control of a simulated power grid. They were able to change the voltage without the grid operator’s knowledge. Again, the SCADA system controlling the grid reported no change in voltage to the operator.
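Both the 2004 substation demonstration and the 2006 grid demonstration share one failure mode: the operator’s display said “closed” or “voltage unchanged” while the physical state was different. A common defensive control is to cross-check what the SCADA system reports against measurements that arrive by an independent path (a separate meter or PMU feed) and to alarm on disagreement. The script below is an added illustration of that check; it is not code from the INL, KEMA or any vendor, and the field names, thresholds and telemetry values are assumptions constructed for the sample.

```python
"""Cross-check SCADA-reported state against independently measured telemetry.

Added illustration (not INL, KEMA or vendor code). Thresholds and sample
values are assumptions chosen so the constructed data is easy to follow.
"""
from dataclasses import dataclass
from typing import List, Optional

CURRENT_OPEN_MAX_AMPS = 5.0      # assumption: an open breaker carries ~0 A
CURRENT_CLOSED_MIN_AMPS = 20.0   # assumption: a closed, loaded feeder carries real current
VOLTAGE_TOLERANCE_KV = 2.0       # assumption: allowed gap between SCADA and meter readings


@dataclass(frozen=True)
class BreakerSample:
    breaker_id: str
    reported_state: str      # "open" or "closed", as shown on the operator HMI
    measured_amps: float     # current from an independent metering path


@dataclass(frozen=True)
class VoltageSample:
    bus_id: str
    reported_kv: float       # value the SCADA system displays to the operator
    measured_kv: float       # reading from an independent meter or PMU


def check_breaker(sample: BreakerSample) -> Optional[str]:
    """Return an alarm text when the reported state contradicts the measured current."""
    if sample.reported_state == "closed" and sample.measured_amps < CURRENT_OPEN_MAX_AMPS:
        return f"{sample.breaker_id}: reported CLOSED but only {sample.measured_amps:.1f} A flowing"
    if sample.reported_state == "open" and sample.measured_amps > CURRENT_CLOSED_MIN_AMPS:
        return f"{sample.breaker_id}: reported OPEN but {sample.measured_amps:.1f} A flowing"
    return None


def check_voltage(sample: VoltageSample) -> Optional[str]:
    """Return an alarm text when SCADA and the independent meter disagree beyond tolerance."""
    gap = abs(sample.reported_kv - sample.measured_kv)
    if gap > VOLTAGE_TOLERANCE_KV:
        return (f"{sample.bus_id}: SCADA shows {sample.reported_kv:.1f} kV, "
                f"meter reads {sample.measured_kv:.1f} kV")
    return None


def audit(breakers: List[BreakerSample], voltages: List[VoltageSample]) -> List[str]:
    """Run every sample through its check and collect the alarms in input order."""
    alarms = [a for s in breakers if (a := check_breaker(s))]
    alarms += [a for s in voltages if (a := check_voltage(s))]
    return alarms


# Constructed sample telemetry mirroring the two demonstrations.
SAMPLE_BREAKERS = [
    BreakerSample("CB-101", "closed", 240.0),   # consistent: closed and carrying load
    BreakerSample("CB-102", "closed", 0.3),     # HMI says closed, no current: suspicious
    BreakerSample("CB-103", "open", 0.0),       # consistent: open and idle
]
SAMPLE_VOLTAGES = [
    VoltageSample("BUS-A", 138.0, 137.6),       # within tolerance
    VoltageSample("BUS-B", 138.0, 131.2),       # HMI unchanged while the meter disagrees
]

if __name__ == "__main__":
    for line in audit(SAMPLE_BREAKERS, SAMPLE_VOLTAGES):
        print("ALARM", line)
```

The value of the check lies in the independence of the second measurement: if the meter feed passes through the same compromised HMI or gateway, an attacker who falsifies one value can falsify both, so the comparison should be made on a system the SCADA network cannot write to.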
Until 2007, all known cases were limited to a loss of control of SCADA systems. Things changed drastically in March 2007, when the INL performed a new test that resulted in physical damage to a power generator. The test became known as the Aurora Generator Test, after the name of the vulnerability, Aurora. It demonstrated the devastating result of a cyber-attack on a power generator controlled by a SCADA system. A short video, less than 60 seconds long, was made for the Department of Homeland Security (DHS); it shows the hacked power generator. At first, the generator shakes. A few seconds later, the generator, torn apart from inside, catches fire and sends out a cloud of smoke. Six months later, in September 2007, the Associated Press made this classified video available to the general public. The video soon disappeared from the AP video site, but copies of it could still be found on YouTube.
The INL made its name widely known among SCADA system manufacturers. In March 2008, representatives of Siemens discussed with experts from the INL a vulnerability test for one very specific Siemens-made SCADA system. The INL had tested some of Siemens’ systems before, but this time it was about the PLC (programmable logic controller).
In May 2007, the INL received a test system from Siemens. Around the same time, the Department of Homeland Security issued an alert related to the Boreas vulnerability. Boreas attacked SCADA systems during an upgrade process: when a pre-installed operating system (in most cases Windows) received its remote updates, the Boreas vulnerability exploited a previously unknown security flaw in the upgrade process in order to modify or disable components within the SCADA system. Certainly, researchers from the INL looked at Siemens-made PLCs from this point of view too.
On November 15, 2007, the testing was completed, and the INL sent its findings on vulnerabilities in the Step 7 software used with the PLCs to Siemens headquarters in Germany. The following year, an overview of the results was presented to attendees of the 2008 Siemens Automation Summit. The presentation itself, in PDF form, was posted on Siemens’ website. It became unavailable after November 2010, when Ralph Langner, a computer security expert from Germany, wrote in his blog, “To get an idea of what a decent lab environment for Stuxnet research looks like, check out this great presentation from INL and Siemens.” Langner became well known to the general public for his statements blaming the USA (and the INL in particular) for the creation of the Stuxnet computer worm. Stuxnet attacked the Iranian uranium enrichment centrifuges by taking over control of the Siemens-made PLCs.
In response to those accusations, the INL issued a statement rejecting any involvement in the creation of Stuxnet.