CAL ISO *internal ops* machines cracked

Timothy McVeigh tmcv at prison.net
Sat Jun 9 09:16:37 PDT 2001


SACRAMENTO
For at least 17 days at the height of the energy crisis, hackers mounted an attack on a computer system that is integral to the movement of electricity throughout California, a confidential report obtained by The Times shows.

The hackers' success, though apparently limited, brought to light lapses in computer security at the target of the cyber-attack, the California Independent System Operator, which oversees most of the state's massive electricity transmission grid.

Officials at Cal-ISO say that the lapses have been corrected and that there was no threat to the grid. But others familiar with the attack say hackers came close to gaining access to key parts of the system, and could have seriously disrupted the movement of electricity across the state.

Democratic and Republican lawmakers were angered by the security breach at an entity that is such a basic part of California's power system, given its fragility during the state's continuing energy crisis. One called the attack "ominous."

An internal agency report, stamped "restricted," shows that the attack began as early as April 25 and was not detected until May 11. The report says the main attack was routed through China Telecom from someone in Guangdong province in China.

In addition to using China Telecom, hackers entered the system by using Internet servers based in Santa Clara in Northern California and Tulsa, Okla., the report says. James Sample, the computer security specialist at Cal-ISO who wrote the report, said he could not tell for certain where the attackers were located.

"You don't know where people are really from," Sample said. "The only reason China stuck out is because of the recent political agenda China had with the U.S. . . . An ambitious U.S. hacker could have posed as a Chinese hacker."

The breach occurred amid heightened Sino-American tensions after the collision between a Chinese military jet and a U.S. spy plane. In early May, there were hundreds of publicly reported computer attacks apparently originating from China. Most of those incidents involved mischief; anti-American slogans were scrawled on government Web sites.

The attack on the Cal-ISO computer system apparently had the potential for more serious consequences, given that the hackers managed to worm their way into the computers at the agency's headquarters in Folsom, east of Sacramento, that were linked to a system that controls the flow of electricity across California. The state system is tied into the transmission grid for the Western United States.

"This was very close to being a catastrophic breach," said a source familiar with the attack and Cal-ISO's internal investigation of the incident.

On May 7 and 8, as the infiltration was occurring, California suffered widespread rolling blackouts, but Cal-ISO officials said Friday that there was no connection between the hacking and the outages, which affected more than 400,000 utility customers.

"It did not affect markets or reliability," said Stephanie McCorkle, a spokeswoman for Cal-ISO.

Officials of the agency made no public acknowledgment of the attack until Friday when contacted by The Times. The agency did, however, call the FBI, which is investigating.

McCorkle said Cal-ISO did not make a public disclosure about the hacking "because it didn't impact the reliability of any of our internal networks."

"It didn't have a negative consequence and would not have impacted the public or market participants," McCorkle said.

After the attack was discovered, the report says, investigators found evidence that the hackers apparently were trying to "compile" or write software that might have allowed them to get past so-called firewalls protecting far more sensitive parts of the computer system.

The attackers focused on parts of the grid agency's computer system that are under development. In what may have been the most significant lapse, the system being developed was not behind a firewall, a security element designed to keep out those who are not entitled to access.

Additionally, so-called tripwires that might have alerted agency security personnel to the unauthorized entry were nonexistent. Nor were there logs within the system that might have identified users entering the system as the infiltration was occurring, the report notes.

What's more, dozens of ports into the computer system were open, when only a handful should have been available.

"All servers should be hardened regardless of their role or location in the network," the report says. "Only ports that are required to be open should be opened; all others should be disabled."
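Two of the controls the report says were missing on the development system (an explicit allowlist of open ports, and a tripwire that notices file changes) are easy to check for. The script below is an added illustration, not from the article or from Cal-ISO; the `ss -ltn` sample output, the allowlist and the file contents are constructed for the example.

```python
"""Added example: audit listening ports against an allowlist and run a
minimal file-integrity tripwire. Sample data is constructed; the hosts,
ports and paths are assumptions for illustration, not Cal-ISO's."""
import hashlib
import re

# Constructed sample in the shape of `ss -ltn` output on a Linux host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      50     0.0.0.0:21          0.0.0.0:*
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
"""

# Assumed policy for a development server: only ssh and https may be
# reachable from outside; anything else must be loopback-only or disabled.
ALLOWED_EXTERNAL_PORTS = {22, 443}


def listening_ports(ss_output: str) -> set:
    """Parse (address, port) pairs for sockets in LISTEN state."""
    found = set()
    for line in ss_output.splitlines()[1:]:  # skip the header line
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def unexpected_ports(ss_output: str) -> set:
    """Externally bound ports that the allowlist does not cover."""
    return {port for addr, port in listening_ports(ss_output)
            if not addr.startswith("127.") and port not in ALLOWED_EXTERNAL_PORTS}


def digests(files: dict) -> dict:
    """Tripwire baseline: path -> sha256 of contents (contents are passed
    in directly so the example runs offline without touching the disk)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def changed_files(baseline: dict, current: dict) -> set:
    """Paths whose digest differs from the baseline, including files that
    appeared or disappeared since the baseline was taken."""
    return {p for p in baseline.keys() | current.keys()
            if baseline.get(p) != current.get(p)}


if __name__ == "__main__":
    print("unexpected external ports:", sorted(unexpected_ports(SAMPLE_SS_OUTPUT)))
```

Run on a real host, the port check would read `ss -ltn` output and the tripwire would hash the files on disk and compare against a baseline stored off the machine; both are the kind of record the report says was absent while the intrusion was under way.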
Complicating the investigation, workers at Cal-ISO rebooted their computers when the machines balked, apparently in response to the infiltration.

"This action limited our ability to discover all files and activity that may be related to this compromise," the report says.

Sample, the security engineer who wrote the report, downplayed the potential threat and said the attack was "something that we've been anticipating."

"It was a compromise, not really an attack," he said.

State legislators were not comforted by such distinctions.

"That's really amazing on two counts: that there were computers not behind a firewall and it took 17 days to discover," said state Sen. Debra Bowen (D-Marina del Rey), who chairs her chamber's Energy Committee.

Bowen, who was informed of the breach by The Times, called it a "serious matter" and said she was "very concerned to learn about this from the L.A. Times, rather than from the ISO itself." The lack of official notification, she said, adds to her skepticism about whether the agency has been forthcoming.

"It is embarrassing, so I can understand they would not want to talk about it," Bowen said. "We're going to ask some questions."

The Independent System Operator, established in 1998 when the state opened the newly deregulated electricity market to competition, is an essential component of the state's electricity system.

The purpose of the nonprofit entity is to balance the flow of electricity across the state and make last-minute power purchases to match demand and avoid blackouts. The Legislature reconfigured the agency earlier this year, giving Gov. Gray Davis the power to appoint the five-member board that oversees it.

"It is troubling that it happened," said Sen. Tom McClintock (R-Thousand Oaks). "It is disturbing that it took so long to be corrected. And it is galling that it was not reported to the Legislature."

McClintock labeled as "ominous" the possibility that the attack came from China. He said he is preparing a request for all documents related to the breach and is considering requesting a formal legislative inquiry.

ISO board member Mike Florio, who represents consumers, said he had a vague recollection that the board was informed of the attack. But he also was surprised to learn some of the details.

"We hire people to deal with this stuff," he said, "and they said they dealt with it."

http://www.latimes.com/news/front/20010609/t000047994.html