10/15/99 Hacker: I Can Black Out 30 U.S. Electric Utility Grids NEW YORK (Dow Jones)--A member of an elite computer hacker group plans to release a report in early November listing about 30 U.S. electric utilities whose grids he claims he can shut down with ease. He says he's writing the report for the public good, after being shocked by complacency among utilities. "I'm looking at about 30 different sites. All have a couple of things in common, which is why they made the scope of the paper," wrote the hacker, known as "Mudge," in an electronic mail interview with Dow Jones Newswires. Utilities have a host of potential vulnerabilities, Mudge wrote. "Is there a jolly candy-like red button that says: 'Shut down grid?' No...There are many ways of achieving an end result, not just one." Mudge is part of L0pht, an eight-member group based outside of Boston. L0pht - pronounced "loft" and spelled with a zero instead of a letter "o" - describes itself as something of a Ralph Nader for the information age. It has been operating since 1992 and has a consulting business called L0pht Heavy Industries. Members of the group are publicly known only by their Internet monikers, never their legal names. (Microsoft fixed one of its software programs in a hurry after L0pht pointed out its Achilles heel.) Mudge says he's alerting utilities to the bridges they've left down across their moats, lest a "malicious intruder" find them the same way he did. Perhaps even more unnerving than the idea of a clever "cracker" (the dark counterpart to a hacker) playing havoc with utility networks is that cyber-terrorists may have been welcomed through the front door. Both Mudge and the U.S. Federal Bureau of Investigation point out that utilities are especially vulnerable because they've hired so many consultants to root out their Y2K problems, essentially letting strangers poke around their most sensitive systems. "Heck, the damn Y2K 'consultants' are much more dangerous than any mythical 'hacker'," Mudge wrote. Mudge may be right about duplicitous Y2K contract workers, said Scott Bradner, senior technical consultant at Harvard University and vice president for standards with The Internet Society. Bradner said he knew of at least three incidents of Y2K consultants "putting in back doors" in their clients' systems for future mischief, although none was working for an electric utility. "This is a problem that will last well beyond Jan. 1, 2000," testified Michael A. Vatis, director of the FBI's National Infrastructure Protection Center, before the Senate Judiciary Subcommittee on Technology and Terrorism last week. And vetting those and other threatening program insertions will be at least as hard as debugging programs for Y2K, he said. At any time, the grid could fall prey to rogue programmers, cyber-terrorists, hostile governments, or criminal syndicates, Vatis warned. Also compounding the Y2K problem is that crackers might use the upcoming New Year's Eve "as a cover for an attack of one type or another," Bradner said. Recovery from blackouts masterminded by crackers would be slow if utility operators were sent hunting after red herring Y2K problems, Bradner said. Mudge turned his attention towards utilities when L0pht Heavy Industries audited a major power company. "The results were terrifying," he wrote. L0pht members testified before the U.S. Senate about Internet vulnerability in May 1998. Part of the impetus for the report came when, "after the Senate testimony we provided on problems with critical infrastructure components, there were several electric companies that stood up and said 'that's impossible...blah, blah, blah'," Mudge wrote. That perceived effort by utilities to "dilute" L0pht's warning and not address the issue forced the hackers into "delivering the information in a more heavy-handed fashion," Mudge wrote. The report will be posted on the advisories section of L0pht's website, www.L0pht.com. Usually programming weaknesses are exposed on the site simultaneously to wolves and lambs alike, but in this case Mudge wrote that utilities will be given a chance to plug their security holes before that information is put out. Mudge claimed the L0pht site has 500,000 viewers each day. Even unskilled vandals on the Internet, known as "script kiddies," could follow steps laid out by L0pht on its site to do damage if companies don't act, he indicated. The only utility Mudge cited by name as claiming that cracking into its grid was "impossible" is BEC Energy's (BSE) Boston Edison Co. A spokesman for the utility declined to comment for this article, saying the subject was "very speculative." The North American Electric Reliability Council, a power industry organization, is aware of the cyber security dangers its members face, said spokesman Eugene F. Gorzelnik. "It's something we've thought about and factored into our contingency plans," Gorzelnik said. NERC doesn't discuss those plans publicly, he said. "We're aware of hackers' attempts to intrude on electric systems. There have been attempts, but none successfully," he said. Even if utilities are paying attention, their investors don't seem to be. "This is a topic that is totally unexplored," said Paul Cole, a utility analyst with ABN-AMRO in New York. Companies might be working on it internally, he said, but "it's not disclosed, talked about, or considered by the investment community." Said Robert Rubin, an analyst with Bear Stearns and Co. in New York: "We're working under the assumption people aren't trying to break into a regional transmission grid." With electric deregulation and a wave of mergers keeping investors busy, "it's not going to really hit my radar," he added. When NERC determines that a member might be especially vulnerable to sabotage, it communicates that concern to the member and puts them in touch with "appropriate government agencies," Gorzelnik said. But Vatis of the FBI told the Senate that his team is stretched thin. "The FBI's case load for computer hacking and network intrusion cases has doubled each of the last two years," Vatis testified. Breaking into utility grid controls can't usually be done through a Web site, Harvard's Bradner said. Most utilities "aren't stupid enough to have Internet access. But I know of one" with such an arrangement, Bradner said. And "they're expanding it, which is unfortunate," he added. Also expanding is the number of people who might have legitimate access to control programs. Formerly monopolistic utilities are spreading ownership of power plants across several buyers under divestments spurred by electric deregulation, and independent system operators are starting to manage grids on a regional basis. Usually the chink in a utility's cyber-armor is a dial-up access line for operators working off-site, he said. Companies expect the secrecy of that phone number "all too often...to be their protection, and that's very poor protection indeed," Bradner said. One screen against intruders is SecurID, a device made by RSA Security Inc. (RSAS) that changes six-digit passcodes constantly, Bradner said. "If you have a mechanism of that ilk on that dial-up line, then it's much less of an issue," Bradner said. Still, "if you make it easy enough for employees to access (systems) remotely, you make it possible for malicious intruders to access as well," Mudge wrote to Dow Jones Newswires. "Things are only difficult once. After that you let the program you wrote do all the hard work. Often times it's not even difficult the first time." By Erik Baard DOW JONES NEWS