For the past couple of weeks some friends and colleagues and I have been discussing a CNN story on the vulnerability of SCADA controlled generators. The story fed to CNN by the DHS is that power generators, under SCADA control, can be destroyed via cyber attack by telling or tricking the PLC into over-cycling the generator and thus adversely effecting the local or national power grid . After some discussion, most of us have decided that the story is largely bunk. Even if we ignore the fact that the generator shown in the DHS video appears to in the ~1500 kW size range (significantly smaller then the multi-megawatt generators used for local or regional grid generation), the idea that a critical piece of power generating equipment would lack a something as simple as a mechanical governor – an 18th c. technology – let alone an electronic one to prevent the system from operating beyond safe levels seems patently absurd. An electrical engineering friend has suggested that the current steam turbine generators used by utilities do not currently include deep levels of automatic systems — so any such attack on a utility could never effect online turbine speed. Additionally, even if such a vulnerability did somehow exist is would be very simple to insert PLC programming which did not allow for the system to run out of tolerance.
So why would DHS release such a report — we know why CNN engages in fear mongering where ever it can. The purpose seems to be alluded to near the end of the piece where CNN explains that the DHS cyber-security budget is a scant 100 million dollars. The goal here seems to be to get people riled up to pressure congress to flood DHS with more money. As fear-mongering coup de grĂ¢ce, CNN finds someone to say that Iran has the same generators, SCADA systems, and passwords as those used in America. This is so appallingly absurd and transparent it simply causes my head to spin.
The problem is, that there are security concerns with SCADA systems and the desire of managers to save money and place them on an Internet connected network. The problems though instead of being related to evil cyber-terrorists are much more mundane. Such as the effect of Viruses, Trojans, and Denial of Service Attacks on these systems. If a virus should interrupt communications with a water filtration control system, for instance, this could cause response problems leading to some contamination. Fighting viruses, however, does not get you billions in taxpayer funding. Nowadays only the most fearful scenarios get the money — regardless of merit.
