As Ang Cui added more juice to the power grid, overhead electric lines began to glow bright orange. Then, within seconds, the power lines evaporated in a flash of smoke, leaving an entire section of Manhattan in the dark.
No actual buildings or people lost power because, luckily, this was just a simulation – a tabletop diorama of Manhattan complete with tiny copper power lines and the Statue of Liberty relocated to a pared-down Central Park. Cui’s colleagues at Red Balloon Security Inc had unleashed a few lines of malicious code that knocked out a computer designed to protect electrical lines.
The real-world consequences were unmistakable: hackers could shut off power in parts of the city, an industrial plant or sports stadium by targeting the very systems designed to protect it.
“Whew – need to open a window,” said Cui, Red Balloon’s chief executive officer and founder, wafting his hands in an effort to clear the smoke swirling around his fourth-floor office. The charred remains of plastic poles were all that was left of the diorama’s power lines.
Safety devices like the one Cui’s team examined are key to the operation and stability of the modern electric grid. Known as protection relays, they cut the power when faults, or abnormal currents, threaten to damage equipment or harm people.
Researchers at Red Balloon discovered vulnerabilities on a relay made by the French firm Schneider Electric SE, called the Easergy P5. The company on Tuesday published a software fix for the device, which is not yet for sale in the US. A Schneider Electric spokesman said the firm is “extremely vigilant of cyber threats and continually assesses and evolves our products and R&D practices to better protect our offers, and our customers’ operations against them”.
“Upon learning of the vulnerabilities with the Schneider Electric Easergy P5 protection relay, we worked immediately to resolve them,” according to the spokesman. “We urge users of the product to follow the guidance we will provide in the Jan 11 security notification – which includes a software patch that will address the immediate risk – as part of our disclosure process. Users should implement general cybersecurity best practices across their operation to protect their systems.”
Red Balloon also tested devices from two other manufacturers but didn’t find any issues serious enough that they said were worth reporting to the companies or the public.
Red Balloon’s findings underscore the need for better cybersecurity in critical infrastructure, where flaws in computer networks that can be remotely access “can be tooled-up into a cyber weapon with very real physical impact”, Cui said.
“The vendor issuing a firmware fix to address this one vulnerability does not change the big picture,” he said. “The vendors need to do much better on security. We need to have robust security built into the firmware.”
Some experts warn such risks, while concerning, shouldn’t be overstated. Chris Sistrunk, a technical manager at the cybersecurity firm Mandiant Inc who focuses on industrial-control systems, said even if a protection relay such as the P5 failed, power could be back up and running to affected customers within hours. “The worst-case scenario is, it would cause some headaches for a single site, like the Superdome or a large manufacturer,” he said.
Following a December 2016 blackout in Ukraine, which officials have tied to Russian hackers, one analysis said that attackers tried to compromise a protection relay in the hope of extending the outage. While experts have said advanced power grids in Europe and the US are harder to attack, fixing them could be much harder if an attack were successful.
Devices like Schneider Electric’s relays are often kept behind network firewalls and not connected directly to the public Internet, giving operators some modicum of security. But sophisticated hackers could still find ways to exploit misconfigurations in those networks or even bypass physical barriers, ultimately giving them access to protected equipment.
Red Balloon recently built the miniature city in an effort recreate how hacks might impact the electrical grid. Among Red Balloon’s experiments with the faux city was a simulated ransomware attack on the P5 relay. “Shmancybear funsomware request!!!” flashed the warning on the P5’s index card-sized monochrome display, cycling back and forth between a pixelated bear in sunglasses. (Fancy Bear is the nickname for an infamous Russian state-sponsored hacking group.)
In Red Balloon’s simulations, Cui said, hackers could have knocked out several devices at once. And because industrial plants or other users likely have a finite number of spares on hand, an attack on several dozen devices could cause extended power outages. That, in turn, could easily lead to confusion and anger among those stranded without power.
“At the end of the day, they're all great capabilities that you can use to disrupt the power,” Cui said of vulnerabilities in safety devices in critical infrastructure. “Some are much, much more permanent than others.” – Bloomberg