Some companies, both vendors and asset owners, continue to give away the proverbial “baby with the bath water.” Case in point (from an article at automation.com but which was a general press release):
August 7, 2008 – Reykjavik Energy selected ABB to upgrade and integrate five utility automation systems – geothermal power plants, district heating, water and wastewater – into a single state-of-the-art 800xA extended automation system that will be operated from a central control room.
Reykjavik Energy is Iceland’s largest utility, providing almost 70 percent of the country’s population – including the capital, Reykjavik – with electric power, district heating, hot and cold water, and wastewater treatment.
The company operates two geothermal power plants which provide 240 megawatts (MW) of electricity and 700 MW of heat to some 26,000 homes and businesses in 20 communities.
According to Reykjavik Energy, the district heating system is the “largest and most sophisticated in the world.” Hot water is pumped via 2,500 kilometers of pipes to heat buildings and keep pavement and outdoor parking lots free of ice in winter, as well as supply the many outdoor swimming pools and spas with a constant stream of hot geothermal water.
Cold groundwater is distributed to consumers throughout the Greater Reykjavik area, and the region’s sewage is piped to several wastewater treatment plants throughout the area.
System 800xA as the integration platform for current and future systems
ABB supplied the original distributed control systems for the utilities in the late 1990s and has evolved all five systems to its state-of-the-art Extended Automation System 800xA in accordance with the advanced and growing requirements of Reykjavik Energy.
ABB has sold more than 4,000 of these systems since its introduction in 2004, improving industrial productivity, safety, and operational profitability for customers in virtually every industry.
Reykjavik Energy is in an expansive phase of development, acquiring and integrating other utilities and extending its geographical reach and customer base. System 800xA enables the customer to easily integrate the control systems, databases and automation hardware of future acquisitions.
The customer’s previous investments in PLCs (programmable logic controllers) supplied by a diverse array of vendors have all been integrated into the System 800xA solution. Some 50,000 I/Os (input/output) data signals are processed by the solution.
ABB is a leader in power and automation technologies that enable utility and industry customers to improve performance while lowering environmental impact. The ABB Group of companies operates in around 100 countries and employs more than 115,000 people.
Why is such a press release a bad idea? Well if I were a bad guy with malicious intentions I now know that the whole of Iceland’s power generation and heating (hot water distribution) is now controlled by a single, centralized control system. But, not only that I know that it is an ABB system. Specifically an: Extended Automation System 800xA.
So now if I was a bad guy, I could research or perhaps even purchase an Extended Automation System 800xA an probe it for vulnerabilities. Through this press release my reconnaissance was greatly simplified. I now know that there is a single point of failure that I need to pw0n in order to control, or DOS the network.
Instead of diversifying their network, effectively making it more complicated to attack. Reykjavik Energy has conveniently collapsed the entire nation’s energy control grid into one nicely packaged application and broadcasted it to the world.
So what do I mean by “just not getting it”? Well perhaps this type of public announcement, though attractive to the vendor “touting their PR horn” and to the asset owner, really doesn’t serve ethers’ best interests in terms of security.