Investigations of threats to corporate computer hardware and software systems traditionally have shown that the greatest number of attacks come from internal sources. Substation control systems and IEDs are different in that information about them is less well known to the general public.
However, the hardware, software, architecture, and communication protocols for substations are well known to the utilities, equipment suppliers, contractors, and consultants throughout the industry. Often, the suppliers of hardware, software, and services to the utility industry share the same level of trust and access as the utility individuals themselves.
Consequently, the concept of an insider is even more encompassing. A utility employee knows how to access the utility’s computer systems to gather information or cause damage, and also has the necessary access rights (keys and passwords).
The utility must protect itself against disgruntled employees who seek to cause damage as well as employees who are motivated by the prospect of financial gain. Computer-based systems at substations have data of value to a utility’s competitors as well as data of value to the competitors of utility customers (e.g., the electric load of an industrial plant).
Corporate employees have been bribed in the past to provide interested parties with valuable information; we have to expect that this situation will also apply to utility employees with access to substation systems. Furthermore, we cannot rule out the possibility of an employee being bribed or blackmailed to cause physical damage, or to disclose secrets that will allow other parties to cause damage.
A second potential threat comes from employees of suppliers of substation equipment. These employees also have the knowledge that enables them to access or damage substation assets. And often they have access as well. One access path is from the diagnostic port of substation monitoring and control equipment.
It is often the case that the manufacturer of a substation device has the ability to establish a link with the device for the purpose of performing diagnostics via telephone and modem (either via the Internet or else by calling the device using the public switched telephone network).
An unscrupulous employee of the manufacturer could use this link to cause damage or gather confidential information. Additionally, an open link can be accessed by an unscrupulous hacker to obtain unauthorized access to a system. This has occurred frequently in other industries.
Another pathway for employees of the utility or of equipment suppliers to illicitly access computer-based substation equipment is via the communications paths into the substation.
A third threat is from the general public. The potential intruder might be a hacker who is simply browsing and probing for weak links or who possibly wants to demonstrate his prowess at penetrating corporate defenses.
Or the threat might originate from an individual who has some grievance against the utility or against society in general and is motivated to cause some damage. The utility should not underestimate the motivation of an individual outsider or amount of time that someone might dedicate to investigating vulnerabilities in the utility’s defenses.
A fourth threat is posed by criminals who attempt to extort money (by threatening to do damage) or to gain access to confidential corporate records, such as maintained in the customer database, for sale or use.
The fifth, and arguably the most serious, threat is from terrorists or hostile foreign powers. These antagonists have the resources to mount a serious attack. Moreover, they can be quite knowledgeable, since the computer-based systems that outfit a substation are sold worldwide with minimal export restrictions, and documentation and operational training is provided to the purchaser.
The danger from an organized hostile power is multiplied by the likelihood that an attack, if mounted, would occur in many places simultaneously and would presumably be coupled with other cyber, physical, or biological attacks aimed at crippling the response capabilities.