US Electricity Grid Reportedly Penetrated By Spies 328
phantomfive worries about a report in the Wall Street Journal ("Makes me want to move to the country and dig a well") that in recent years a number of cyber attacks against US infrastructure have been launched over the Internet: "Cyberspies have penetrated the US electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia, and other countries, these officials said, and were believed to be on a mission to navigate the US electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war."
Remember, folks... (Score:5, Insightful)
Re:Remember, folks... (Score:5, Funny)
Whenever you're starting to focus on the reality of life, new fear WILL be injected into it to distract you.
Oh god! I'm so afraid of the fear injecting big brother.
Re:Remember, folks... (Score:5, Insightful)
Not to mention the creation of an alien enemy. Obviously - OBVIOUSLY - the IP addresses come from Russia and China - and in no way could a proxy be used from those countries - by an American. No way that could ever happen.
Obviously the spies are Russian or Chinese, because Americans would have no reason to hack into their own government's systems.
Re:Remember, folks... (Score:5, Interesting)
In this case the parent is quite accurate. The truth is our electrical grid security has been dismal for decades. Hackers infiltrating control systems is only the latest discovery. If a foreign government wanted to sabotage our electrical grid it would be shockingly easy to do. 5 to 10 people working together with a few resources could black out the entire west coast for weeks if not months.
Okay, so now they can disrupt control systems from the comfort of their data center. Whoopy do. Yes, fix the data security, but spend the money to make the needed improvements to physical security and redundant infrastructure. Our grid is routinely stretched to the breaking point. There's very little extra capacity. I think of people realized how vulnerable our electrical grid really is, they'd be terrified. The fact electricity is so reliable we take it for granted is testimony to the quality of the people working in the field.
Imagine living in L.A. or San Francisco with no electricity for a week.
Re: (Score:3, Interesting)
So your statement should
Re:Remember, folks... (Score:5, Insightful)
Re:Remember, folks... (Score:5, Insightful)
Are there real threats? Yes, of course there are. But when enough scaremongering is mixed into them, you get the reaction that the OP AC shows: Cry wolf once too often and people will ignore you.
Also, there are a few things that I'd consider a lot more dangerous and worrysome that you don't hear about at all. Intentionally or not, your decision.
Re:Remember, folks... (Score:5, Insightful)
Re:Remember, folks... (Score:4, Insightful)
There are many real threats (assuming this one is). Why do we get to hear about this one now? Is it coincidence that this surfaces at the 'right' time when security money is being redistributed?
Re:Remember, folks... (Score:5, Insightful)
Probably not coincidence, but that doesn't mean it's sinister or improper. If you knew of a significant threat that wasn't being addressed, and it was that time when the People In Charge were working out where to spend money (i.e. are actively seeking information and advice on the most effective use of their funds), wouldn't that seem like an ideal time to try to raise awareness of it?
Or would you prefer to wait until there's no money to spend and nobody currently in a position to do anything about it before announcing it?
Not saying it isn't all another scam to get free money, but just because it might be doesn't mean it is.
Re: (Score:3)
I guess I, too, have heard the cry about wolves at least once too often...
I agree. I too tire of hearing of a different threat every single day. However, if you ignore one of them, and it turns out to be a real threat, thousands or even millions could die and whoever is in charge gets beaten over the head with it for all of history for not taking action.
Prime example. The President receives a Daily Briefing highlighting security issues. When I say, "Daily", I mean every single day, mentioning various security threats... EVERY DAY! Now, if you let one of them get by without a
Re:Remember, folks... (Score:5, Insightful)
I can well understand that. And I actually see the whole deal as an attempt to cover their butts to show that they "did something" concerning the threat. They'd be eaten alive by the media if something happened and nothing had been done.
9/11 is a prime example. What was the first thing we heard? The FBI knew ages before the attack that something like this was planned. Sure they did. And they also heard about a thousand other things that never happened.
You cannot prepare for everything. I do not expect that. I do expect reasonable preparations, at the most. My liberty is worth more than my life, and I do expect my government to primarily protect my freedom. If the solution to the terrorist craze is to eliminate all freedom then, well, why bother fighting? After all, a regime of terror, fear and total control is pretty much what the terrorists allegedly want to create for us. If we do that ourselves, do we really win?
Re:Remember, folks... (Score:4, Funny)
If "they" wanted to do real damage, wouldn't they invade the financial systems, rather than power grids?
Or maybe they did, but were unable sabotage anything without making it better.
Re: (Score:3, Informative)
Cheers
Re: (Score:3, Informative)
I assume this was meant as a joke, but seriously, if you were able to take out a large portion of the power grid for any sustained length of time, it would have a huge economic impact. Just from the loss of money while businesses and industries are unable to function would add up to millions, if not billions. That's not even counting the looting and rioting (come on, you know it would happen!)
Define sustained. Storm-related outages lasting a week or more are not rare, and do not lead to riots or widespread looting. This idea that power outages equal riots seems to stem from the 1977 NYC blackout, but that was a match in a fireworks factory. Most outages are just a bloody nuisance.
Re: (Score:3, Insightful)
Actually, it's a lot more common than that, if you study history. Whenever one group feels unfairly suppressed, and the means of suppression is disabled more than temporarily, you're apt to have an, at least minor, uprising. It usually doesn't lead to anything more than worse oppression in the future, of course, but it is a predictable result. (Doesn't *always* happen, but it's the way to bet.)
Re:Remember, folks... (Score:5, Insightful)
What the hell are systems like the electric grid doing hooked in any fashion to the publicly accessible internet?? These should be on their own network, separate and apart from anything that touches the public wan.
Seems like that would have been a no brainer?!?!
Re: (Score:3, Insightful)
If you have segregated networks, all the spy needs to do is find a single place to tap into your "secure" one, and you're toast. You thought it was secure, so you didn't lock it down properly. And somebody, somewhere left a way in, an unguarded terminal, or cheated and put a cross-connect to the public net for his own convenience, thinking it would never be found.
If it's all on the public net, but thoroughly locked down with good security and encryption protocols, and tight firewalls, you may be in better s
Re:Remember, folks... (Score:5, Insightful)
Why not have both? Use the most secure protocols in existence to protect your network, and then as an added measure against zero-day exploits provide strong physical security to keep people out of this network.
Such a piece of critical infrastructure shouldn't depend on any one human being who might be at a conference and need remote access. When a balistic missle submarine 1000 feet under the ocean is interpreting orders to nuke some foreign country do they depend on being able to reach some particular person to ask questions? Any system critical to national security must be engineered so that it is completely self-sufficient in a crisis.
Electrical grids are very critical to national security. A well-planned attack could leave melted transmission lines, damaged generators and gearboxes, and a nationwide blackout in its wake. With the possibility of substantial physical damage it isn't like you could just repair from this kind of catastrophe in a few days - or even weeks. Power plants are physical machines that have a symphony of fast-moving parts with thousands of tons of force being transmitted - a well-engineered attack could result in major failures.
Power grids should have as much security as any other piece of critical military infrastructure. They're going to be targets in any attack. The networks should be subject to routine penetration testing and auditing. Access needs to be the minimum needed to do any particular job. The system should be reasonably partitioned so that one spy getting a job in one office somewhere doesn't subject the entire system to compromise. Those who circumvent authorized procedures (rogue access points, bridges, etc) should be made public examples with criminal penalties. People should be given the funds needed to do their jobs right, and then should be expected to do them right.
Security is just a matter of being thorough and not cutting corners. There is a lot at stake here. I don't really care who is behind these penetrations (Chinese, hackers, whatever) - the blame rests with the folks who should be protecting this infrastructure.
Re: (Score:3, Insightful)
Yes, actually. He's called the President."
Trust me...when those subs get their orders, and they are verified by the means they use. They do NOT resurface to radio in and ask the president "Are you really, really sure?"
Re:Remember, folks... (Score:5, Insightful)
If you have segregated networks, all the spy needs to do is find a single place to tap into your "secure" one, and you're toast. You thought it was secure, so you didn't lock it down properly. And somebody, somewhere left a way in, an unguarded terminal, or cheated and put a cross-connect to the public net for his own convenience, thinking it would never be found.
Tha WOULD require them physical access to the facility. None of the control centers are going to just "allow" someone access to their network, let alone physical access to the facility. We are told to notify security (who will notify the police officer in the guard shack) if we see anyone who isn't badged.
If it's all on the public net, but thoroughly locked down with good security and encryption protocols, and tight firewalls, you may be in better shape. You know it's dangerous to let your guard down. And we're also pretty confident we have protocols which, when applied to spec, are truly cryptographically strong, and so forth.
The Control Centers aren't supposed to take that risk. Its separate the control centers from the company network AND from direct access to the internet.
Plus it's a lot cheaper than building out a whole nother net, including access for your critical engineer who's off at a conference somewhere when the unpredicted crisis with the unique system in your plant that she's the genius about requires immediate attention. Sometimes making sure the right people have solid access from anywhere they are is also essential to security. The public net - with the right protocols - does that.
Is it ? Can you honestly say that even the remote possiblity of a compromised system is worth the cost savings if it affects that existence of your company (as a control center) ?
You have THAT room connected to specific routers that only allow "limited" access and ensure that the users can't install software that would compromise that system. You block their access to ANYTHING that they don't need for business reasons. PERIOD.
Re: (Score:3, Interesting)
As the story unfolded the early reports said the machines were unpatched. Then that story seemed to be brushed for reasons I can only guess with tinfoil hat securely fastened.
I imagine there were many factors that met on that day contributing to the blackout. And I doubt the v
Re: (Score:3, Interesting)
Re:Remember, folks... (Score:4, Insightful)
Not necessarily. One of the cornerstones of Marxism (gasp!, not in US!) is the concept of perpetual revolution. If there is always a target, always a crusade against the badies, the government can more easily legitimatize and perpetuate bad policy (ie domestic wiretapping). This is always advertised as being for the good (but always at the expense) of the whole of the people. The vain promise, the mirage on the horizon, is a safer, happier people. The world will be secure from the bad guys!
Re: (Score:3, Insightful)
Are there real threats? Yes, of course there are. But when enough scaremongering is mixed into them, you get the reaction that the OP AC shows: Cry wolf once too often and people will ignore you. Also, there are a few things that I'd consider a lot more dangerous and worrysome that you don't hear about at all. Intentionally or not, your decision.
I disagree with your cry wolf. Lets say someone says there is a threat and everyone needs to be prepared and we are going to invest tons of resources to stop the threat. Now we stopped the threat before anything happened. Does that mean we cried wolf? I am willing to bet you a lot of people, including a hell of a lot of people here, would say "CRY WOLF CRY WOLF" when in reality - the threat was stopped due to our efforts. Then again, if we didn't stop the threat people would say "why didn't you do anythi
Re:Remember, folks... (Score:5, Insightful)
Mod parent up plse. He refers correctly to the type of brainwashing the way the Bush administration has pursuid the last 8 years. Off course there are still a number of elements present that continue this style up to today.
You mean like the Obama elements?
Re:Remember, folks... (Score:5, Insightful)
Mod parent up plse. He refers correctly to the type of brainwashing the way the Bush administration has pursuid the last 8 years. Off course there are still a number of elements present that continue this style up to today.
You mean like the Obama elements?
You have the "Create a crisis" part down, but you forgot the "Profit" line. [vodpod.com]
"Never let a serious crisis go to waste." -- Rahm Emanuel (Obama's Rove)
Re:Remember, folks... (Score:4, Interesting)
Re: (Score:2)
Well, there ya go. Prime transport method for viruses, worms, trojans...
Big surprise (Score:2, Insightful)
Re:Big surprise (Score:5, Insightful)
Nope, electrical grid computers in exUSSR region do not even have the theoretical capacity to be connected to the public Internet. I am amazed there is an actual data linkage between the public Internet and the computers even remotely related to the power control functionality.
Re: (Score:2)
how else is a power station operator on a remote plant supposed to work? You don't expect them to go to the plant if it is hours away from anything. Stay at the plant, away from families? Forget it. operators telecommute too!
People always say these things aren't connected to the internet and there are supposed to be seperate control and communication and PC networks but I bet few plants actually have that. Maybe super critical ones like nuclear, but your average small hydro or peaking gas plant...
Time, Bud
Re: (Score:2)
And don't forget fools with laptops who leave their wi-fi on when they are connected to the internal network, and fools who install 'PCAnywhere' on their desktop hooked to their desktop, and the spread of the littls 3G modems and VPN's so people can work on the train. Couple this with really, really stupid behavior like unlocked SSH keys in NFS shared home directories, or Subversion and CVS storing passwords in clear text in people's home directories on NFS servers, and you have a disaster begging to happen
Re:Big surprise (Score:4, Informative)
how else is a power station operator on a remote plant supposed to work? You don't expect them to go to the plant if it is hours away from anything. Stay at the plant, away from families? Forget it. operators telecommute too!
Do you REALLY think that a "properly" run allows "any" connections to their control units or SCADA systems ? I don't think so. I'm pretty sure that they have people there 24/7 to handle any type of contingencies.
People always say these things aren't connected to the internet and there are supposed to be seperate control and communication and PC networks but I bet few plants actually have that. Maybe super critical ones like nuclear, but your average small hydro or peaking gas plant...
They aren't the "power grid", they are power stations. The "power grid" are the master control centers (Like NYISO, CalISO, Midwest ISO, PJM, etc) and the local control centers. There are FERC [ferc.org] requirements for how THEY must be configured/setup (like the control room's network must be separated from the rest of the companies network, etc).
Time, Budget, the need to get that sensor or remote control connected to something, anything, whatever is near by so we can talk to it *now* and then the temporary fix becomes permanent
Nope. Not likely. If anything it is a PRIVATE network managed by the local control center.
Re: (Score:2, Informative)
You do know that the US penetrated the Soviet pipeline system and has caused industrial accidents with that right?
The US didn't "penetrate" the pipeline system. The Soviets did it to themselves by stealing software.
Lesson to be learned: If you find pipeline control software inside a big wooden rabbit then don't take it and certainly don't run it.
Re: (Score:3, Informative)
So once a while (Score:5, Insightful)
"Some officials" come forward and warn about threats from China, Russia, Iran and North Korea. "Ya know, Sir, we need funding for enhancing national security, so please make sure you get your budget right."
Quite so... (Score:3, Interesting)
From TFA:
But protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week.
Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget.
The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more.
A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage.
Sounds a lot like someone is making up excuses and drumming up support to ask for more government money.
Re:Quite so... (Score:5, Informative)
Close, they're drumming up support for S.773 and S.778. These bills are designed to give the executive the power to control the security of vital parts of the internet. If they can show that these vital parts of the net are compromised, and therefore risking America, they have an easy talking point when lobbying congress members.
Re: (Score:2, Interesting)
Don't forget an easy way to shut down the internet when some whistleblower decides it's time to disseminate those files he has before the government removes him... Only instead of in the movies where he gets away with it, because the internet is 'free' and routes around damage. The whole damn thing suddenly goes dark because our glorious and incorruptable administrators decided it's 'better for all involved' this way.
Oh no... (Score:3, Funny)
They must have the CIP module !
Former officials... (Score:5, Funny)
Aren't these people just admitting that they were incompetent? That's refreshingly honest of them.
Re:Former officials... (Score:5, Interesting)
Re: (Score:3, Informative)
I'm afraid not, that was 20 years ago: I no longer have the originals. There were a set of published security updates for telnet and sendmail at the time, which the Morris Worm probably exploited on my systems: the vendors had not revealed all the exploit details. (Few vendors do.) We frankly didn't bother to do extensive analysis at the time, we had critical work to do and a lot of systems to rebuild, very painfully, from bootstrap systems that hadn't been tested in years and backup policies that I'd also
Software programs? (Score:5, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2, Interesting)
Be careful if you live in the UK, this could be classed as material likely to be useful to a terrorist and get you arrested.
Re: (Score:2)
From the article it seems that the software could be activated whenever its masters behind the scenes wish so, which is not quite easy if it has to be manually triggered by insiders (workers could get fired, etc..)
Given control of the firmware and software at some point I can think of a way to do it on the traffic signal system. Just send it messages through its normal inputs. Send morse code in through a pedestrian signal button, look for feedback in the flashing walk signal.
Maybe for the power system you could signal it through its fault database. A pylon on fire reported by a Mr A Cross of Smith street has a particular meaning to your hidden easter egg. If that system is not appropriate you could (ab)use other s
Re: (Score:2)
TFA also said "Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet."
You have to wonder at what point someone thought it would be a good idea to directly connect hardware responsible for the safe operation of a nuclear power plant to the Internet. Or do they mean "taking control" in terms of something slightly less sinister, like vandalising the plant's public web page and internal e-mail system?
Re: (Score:2)
Duh! How do you outsource managing them to India or Whereverstan if they can't connect from there?
Remember, today, nothing is as mission critical as it is cost critical...
Re: (Score:2)
I thought mission critical computers should not be reachable from the Internet. So the spies walked to those computers and planted the software there???
that happens in the military, where there's a defined physical space between mission critical rigs, unconnected to the internet, and non mission critical rigs, and you must use physical media, "launder" it on a standalone computer, then transfer the data to the mission critical computers.
I do think, tough, that in any event physical security built into the systems would block major damage; no sane engineer would avoid building that into the infrastructure. After all we do have circuit breakers at home, w
Re: (Score:2, Insightful)
Why are they on the internet? (Score:2)
While arpanet/the internet was originally designed for just these sorts of things, the modern reality is that critical infrastructure shouldn't really be attached to the internet. Shouldn't there be a private network entirely isolated from the public internet for these things?
Yes it'd be more expensive and it make it less easy for private contractors to work on stuff from their offices, but the word 'critical' is a bit of a clue here.
Not that even this would guarantee security, but it makes it a heap load h
Re:Why are they on the internet? (Score:5, Informative)
Re:Why are they on the internet? (Score:5, Insightful)
Then I'd suggest they need two PCs.
Re:Why are they on the internet? (Score:4, Informative)
I actually do work with these exact systems. I have yet to install a system in a control room that had net access to the operator consoles or even the operational servers. These computers - yes, running Server 2003/8 or XP Pro - are patched to the latest and greatest before they leave our shop, but once on-site should never, ever, ever interact with the Internet.
That being said, the PI data servers are designed to be a go-between for the internal secure network, and the rest of the world so the data logging can reach those who need it. Not only does the PI server have security protocols built in, but is required to be installed in a DMZ with full firewall protections, and in some cases a dedicated leased hard line to an off-site office.
So, to summarize, no, the Op stations, the Op servers, should NEVER be connected to the Internet, and we do out best to disable any way of the operators even getting to the OS level, but there are times and reasons that you need to hook the internal network (through full security measures) to the outside world.
Re:Why are they on the internet? (Score:5, Interesting)
I am a control systems engineer, a member of ISA-99, and a contributor to several other standards on industrial control system cyber security.
The parent post is what SHOULD be done in a recently installed system. I can tell you from experience of dealing with other infrastructure (not the electric grid) that it isn't always that way. There were many systems installed around Y2k that are still in service. And most of you will remember that back then very few people took security seriously. Back then it was all about compatibility. Security wasn't even an issue. The big issue was SHARING the data.
Control systems and SCADA have long working lives ranging from ten to twenty years. The reason for this is because the field I/O validation cost is significant. It dwarfs the cost of the software, the control center, and all that lovely flashy stuff you're so used to seeing. Updating a configuration is very expensive, not just in validation costs, but also training costs, for miscellaneous costs such as review of operating procedures, control system narratives, and so forth. This is why many are forced to keep their systems isolated in the hope that by doing so, things will somehow stay secure.
But these days, that's no easy feat. Nearly every company has a contingent of data surfing desk jockeys with enough authority and enough dream-weaving synergy talk to push for interconnections. That's when things get very ugly.
The problem isn't that they want the data. The problem is that they want the data IN REAL TIME. Most of the time these idiots say the term though they do not understand the implications or even what it means. And that's how the exploits get started.
There are solutions. There are relatively secure methods for moving data in and out of a SCADA system. But they need careful review by people who know both the industrial side of things (to identify what is at risk) and the IT side of things (to know what the potential vectors could be). And the number of people with that kind of expertise is extremely small. We're talking about hundreds or maybe a thousand such people world-wide.
There simply aren't enough people to train the trainers who will train the trainers. And so, we're stuck with the status quo until we can build a community of cross trained people who understand industrial processes, control systems, and IT large enough to handle this situation.
I know many of you probably think you have it bad in the office IT business. And it is. Just know that there is far more truth in the Homer Simpson character than you'd ever dream of...
Re: (Score:3, Interesting)
Such products exist. The problem is that data often does need to go both ways.
For example, load shed, distribution system models, and demand forecasts often go to servers and clients outside the distribution control center.
These sorts of operations are near-real time processes.
Likewise the outputs include run times, certain transient events, and hourly/daily total meter data often go in the other direction.
As I said before, with careful consideration given to a DMZ between the office network and the control
Re: (Score:2)
Then I'd suggest they need two PCs.
Then you have a badly integrated UI. What if a user confused one with the other at a critical moment?
Re:Why are they on the internet? (Score:5, Funny)
On one they're controlling the power station, on the other they're reading slashdot.
Unless typing 'FIRST POST! LOL' on the wrong box causes a reactor meltdown, I think we'll be ok :)
Jolyon
Re: (Score:2)
they need two PCs.
What? No copy paste? You're talking crazy now.
Re: (Score:3, Insightful)
The systems I work on are typically airgapped, but there is a constant push from users for some access to the internet. A user might need to access meteorological information, and the simplest way is to go online to get the data. Another user might need to refer to work instructions on the corporate intranet, but the intranet gets you to the internet anyway. Like it or not, the internet is working its way into many types of work and many people are starting to expect it to be available.
Then your users nee
Re: (Score:2)
I've worked at a games company which had precisely that setup, so it's mind-boggling that major infrastructure companies wouldn't do it.
Re: (Score:3, Interesting)
There are some situations where security MUST override convenience.
Tell that to the union. Remember power industry operational environments are blue collar work places. I have seen people in similar environments go to any length to get a system they don't want to see shut down. They will play totally dumb, like not noticing they are using the wrong keyboard for hours at a time. Assume that your users are hostile to you. Then design a solution.
Re:Why are they on the internet? (Score:5, Interesting)
Blowing all my moderation to reply to this.
Let me make this clear. Putting a critical system on to the internet is pure, stupid, incompetence.
ALL of your "situations" can be solved with a second $399.95 DELL sitting next to the critical workstation. Anyone saying that that is not practical is a blathering moron. I have seen MANY water filtration plants that the Supervisors in charge of the whole operation are so incompetent they put the entire plant's operation system on the corporate or city network. Then we have the low quality SCADA software called WonderWare that is so badly written that the company requests they have direct access to the machines so they can issue fixes faster.
If any mission critical machines are on anything but a sealed private non connected network, the person that designed it is a incompetent idiot that should take the fall for any failures. Gitmo time for whoever approved or asked for interconnection.
I have been appalled at the amount of interconnection I see in really important SCADA systems. I have seen this stupidity in major infrastructure control systems for 14 years now. Typically put here by some asshole manager that wants to "keep an eye" on his guys while he is at home. he get's a workstation (typically the one in his office) set up with a second network card and Pc anywhere or another Remote control system to interconnect the secure to the un-secure. and does it with a stupid windows box. Then the idiot uses it to check email, surf the net,etc... All installed by your friendly company IT slackie After the SCADA installation guys go home.
Every system I looked at that was "secure" typically had one of these bridging computers on it the only way to find the is to do a hard audit of every computer, the rate of finding these security breaches goes up as the age of the installation increases.
Re: (Score:3, Interesting)
ALL of your "situations" can be solved with a second $399.95 DELL sitting next to the critical workstation. Anyone saying that that is not practical is a blathering moron.
In all the control room environments I have worked in this approach is just not acceptable. The users expect to get a single, integrated UI environment.
Re: (Score:3, Informative)
If you were the designer, then you did not do your job educating them as to why they are not supposed to do that, and the repercussions for not following them
It is the SCADA system designers job to inform the customer as to the incredible danger of their desire to be convenient.
If you were a employee that worked at one of those stations, why did you never voice your concern about it? One word to the regulators and your bosses would have been screamed at and fined heavily for having an integrated UI for in
Re: (Score:3, Interesting)
The solution is oversight. Congress passes a law noting that major pieces of infrastructure are critical to national security. An oversight body is created to set policies for administration of such intrastructure. Violation of these policies carries criminal penalties.
Then you have the Feds start busting control rooms. Manager in charge gets sent to prison.
Let's see how fast those managers can arrange to have competent people on-duty 24x7 and not need to use pcAnywhere or whatever to get in.
As much as
Re: (Score:3, Interesting)
Color codes can help a lot. Blue network is scada, green is public. Scada network has blue ports, blue cables and blue stripes on the devices. Public internet has same deal but in green.
Plugging anything in the wrong color is a firing offense. Specially designated and signed off gateway machines might have a blue port and a green port and special markings that it is OK. Otherwise, any color mis-match or mixing is to be reported immediately.
For extra paranoia, all blue network devices get the high octet set
Re: (Score:2)
Very convenient ... (Score:5, Insightful)
So, the week before a review is due looking into whether or not they should increase the flow from the money pump, "current and former national-security officials" have come forward to draw attention to a network of spies in the power grid.
Look, I'm not saying that cyber-attacks don't happen, or that there isn't a risk, but bloody hell, this article reads like a well-crafted piece of BS, designed to put the N back into FUDing.
Re: (Score:2)
While I was reading it (well I didn't really, but pretend you believed me RTFA), I had a hunch that these officials really got all the threat ideas from certain hot anti-terrorism show. Power grid attack? That sounds too familiar. What's next, I guess a bunch of armed terrorists are just going to break into the white house?
Re: (Score:3, Funny)
this article reads like a well-crafted piece of BS, designed to put the N back into FUDing.
Nuding?
Re: (Score:2)
this article reads like a well-crafted piece of BS, designed to put the N back into FUDing.
Nuding?
Where?
Ya not a real surprise (Score:5, Interesting)
Everyone wants money for their projects. Part of getting it is knowing what to sell in your given field. Well, as of late with federal government dollars, national security has been the name of the game. Was more narrow to anti-terror but they are kind losing focus on that. So, it is also no surprise that is what people use to try and get the money, even if what they want really has fuck all to do with it.
For example Consolidated Edison wants to install a super conducting core in for New York's power grid. Reason is the existing grid has load problems and this looks like the best way to handle it, rather than massive amounts of more copper. This is expensive, of course. To the best of my knowledge when this is deployed, it'll be the first super conductor used for commercial power delivery. Means plenty of R&D in addition to the actual costs. Well, sure would be nice if the government would help pay for that... So they got them to.
How? Well they sold it to DHS as an "anti-terror" deal. No idea how this is supposed to be more terror resistant, but DHS bought it and that's what's important. They gave ConEd something like half the money they need for the project.
Now you know that ConEd isn't really doing this as an anti-terror measure, they are doing it as a "grid is overloaded" measure. However, they put that spin on it to get government funding, and it worked. I'm betting this is a similar money grab.
China and Russia? (Score:5, Funny)
China, Russia, and other countries,
So you mean there are people capable of hacking the US energy grid but who can't start the attacks from a hacked box in Madagascar?
"Who's attacking us?"
"Sir, the attacks come from half a million infected machines all around the world."
"From all coutries?"
"Yes, sir."
"So China and Russia too?"
"Hmm, Yes, of course, sir"
"Damn commies... We should've nuked them a long time ago."
Re: (Score:3, Interesting)
So you mean there are people capable of hacking the US energy grid but who can't start the attacks from a hacked box in Madagascar?
Maybe the attackers did start the attacks from the box in Madagascar or wherever, but if that box could be hacked by the attackers then I suppose it's possible that it was also hacked by those tracking these attacks who found evidence pointing back to the usual suspects. That becomes all the more likely if at least some of the hacked systems are parts of a honey net or monitoring of compromised systems in the US shows an abnormally high level of communication back to some countries and not others.
What I
This is the new war. (Score:4, Insightful)
There's a reason the military is starting to get mighty interested in nerdy types, although most programs designed to leverage these skills are in their infancy. We need to get serious about this fast; other nations certainly are.
Re: (Score:2)
The power to disrupt a nation's economy via information warfare measures represents a much clearer threat than people trying to get something through airport security.
Unless... They're bringing the virus by plane!
From now on, all computers will have to be formatted to pass security.
Don't worry, the stewardesses will give you a Windows CD to reinstall the internet in your portable during flight.
Re: (Score:2)
That said, I'm delighted to know that Microsoft is finally giving up on further Windows development and just putting the Internet right onto XP discs. I've always wanted my very own copy of the Internet.
Re: (Score:2)
Gimme a break; it's early on the east coast
Re: (Score:3, Insightful)
The threat is actually in consumer PCs, insecure and filled with malware. My fear is that, if we do not get those boxes secure soon, the Powers That Be will see them as a threat and, instead of requiring you, the user, to take responsibility for your box, demand that all boxes have to be made "secure", i.e. have some kind of mandatory surveillance available to them, or that you may only install whatever is approved and seen as ok by whatever entity your country may put in that place. All in the name of nati
No control structure is on internet (Score:4, Insightful)
Re: (Score:2)
Now somewehere in the depths of the US power grid somebody reads the above comment and thinks silently ... "d'oh!"
Re: (Score:2)
Now somewehere in the depths of the US power grid somebody reads the above comment and thinks silently ... "d'oh!"
Finally an appropriate Simpsons reference.
Re: (Score:2)
Re your sig; I first learnt the philosophy of science not from HS (which I dropped out of in '76) but from reading a book by Randi ~30yrs ago so I checked out your amazon link and lo and behold it's Sagan's masterpiece.
Seriously, genuine skeptcisim is a SKILL that needs constant practice but will serve you well in all aspects of daily life, I highly recommend the authors in aepervius' sig.
Nation states responsible? (Score:2)
I always thought that nation states would be much more careful than to leave anything behind and would also limit their activities very much in order not to be detected and possibly embarrass their government (diplomacy and all). Also this kind of actitvity could be considered as an act of war.
But since this kind of activity could very well be conducted by other entities than nation states. And they are. All the time. They are also very hard to trace.
Given those facts maybe nation states use this excuse and
Had to be done (Score:3, Funny)
Air conditioners... (Score:2, Flamebait)
The time that power goes out most frequently where I live (New York City, Hudson Valley, Syracuse all year round) is during the summer on the hottest days. What is straining the electrical grid so much? Air conditioners. On the hottest days of the summer you will always experience brownouts, and sometimes, the days get to hot that a large section of our part of the country loses power.
Millions of New Yorkers depend on electricity in their daily lives. Prolonged power outages are not only a nuisance -- they are also potentially life-threatening and can cause major economic losses.
Power outages occur most often during the summer months, when residents run air conditioners and power usage is at its peak.
http://www.nyc.gov/html/oem/html/hazards/utilities_power.shtml [nyc.gov]
- - -
http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003# [wikipedia.org]
Re: (Score:2)
Well, so much for all those electric cars . . . (Score:2)
I'd better stick to a gasoline powered vehicle, those damn foreign Cyberspies with be monkeying around which the electricity switch
. . . and wow, does the Internet need electricity to run? I hope those foreign Cyberspies now what they will be starting, when they cut off the US supply of porn.
It ain't gonna be pretty. Maybe we can convert the Internet to run on gasoline?
Why they don't kill the Electric Grid (Score:2)
Cause they hold all our debt and killing our economy means we can't pay them back....
Re: (Score:2)
Then I hope they don't get the idea that we couldn't (or wouldn't) anyway.
If I couldn't get my money back, at least I'd like a bit of entertainment.
I have my doublts. (Score:2)
From The Internet (Score:2)
Old news - real, but old (Score:2)
Why is this stuff connected to the Internet? (Score:2)
I don't get it.
Why is this stuff connected to the Internet?
Who decided to connect it to the Internet?
When did they start connecting it to the Internet? They always used to tell us not to worry, because it wasn't.
Can't these guys afford a few leased lines?
It's okay (Score:4, Funny)
But it's okay. A man by the name of Jack Bauer has been alerted to the situation. And knowing his previous record I'm confident that he will deal with the crisis, because all of the bad people operate within driving distance to him.
Wolf! (Score:3, Interesting)
It is rather stupid to keep crying wolf, when there is little to nothing to raise the alarm about. Or, alternatively, it is very clever, if you want people to not take security warnings seriously; only, I can't see why anybody in America would wan't to achieve that.
Don't we hear these allegations all too often? It's "the Chinese and Russians" they say, and apparently it comes from the CIA or something, so we can't get to see any documentation. Perhaps some would like to think they can poison China's or Russia's reputations with this kind of stories, but as I point out, all they achieve is to weaken America's defence by undermining public trust in the agencies that are supposed to help protect them - it seems idiotic to me.
And objectively, why should China or Russia want to harm America? Like it or not, they are no longer likely to be enemies of America in a future, global conflict, which will probably be between the industrialised and developing nations. To my mind it seems more believable that the culprits are international criminal gangs; multinational companies have grown to almost nation-like power, and it seems almost unthinkable that international gangs haven't grown proportionally, especially since the introduction of the internet. They would certainly have an interest in staking out as much of the public infrastructure as they can. And, of course they might also see an interest in people not believing public security warnings.
The Attention is Healthy (Score:5, Informative)
Forget the major computers in the major control centers. That's what everyone thinks of first. At that level it is becoming like the Indians and athropologists in the Grand Canyon. For every utility cyber worker there seems to be 30 government gumshoes and overseers looking over their shoulders. One would expect no aspects of security to be neglected at that level.
The NERC letter refers to devices at a lower level. Primarily, what the industry calls "protective relays" in substations. From 1888 to a few years ago these functions were really done with electromechanical relays. Now, many of them have been replaced by digital equivalents on a one-by-one basis. In a household analogy, it is like the difference between a central electric control computer for the house, as compared to a "smart" digital LED light bulb. One worries about the central computer being hacked, but at first blush, not the light bulb.
The problem is that the engineers who deal with this level of equipment aren't used to thinking of these devices like the light bulb instead of like computers in a network. They have not identified many of these low-level devices as "cyber critical". The NERC letter urges utilities to change that culture.
This is an industry that owns and maintains hundreds of millions of diverse pieces of equipment. Every day, some fraction of them are converted to digital. No single study, no single policy can change this infrastructure overnight. I think they are approaching cybersecurity thoroughly and methodically, but it will take time.
Remember Y2K? Roughly the same collection of hundreds of millions of devices were threatened by a common-mode failure (Y2K). It was very analogous to an external cyber attack. The utility industry tackled Y2K, thoroughly reviewed all those devices, and performed flawlessly on the morning of 1/1/2000.
My point? Sure we should worry about cyber attacks on critical infrastructure, but don't jump to the conclusion that no security exists or that nothing competent is being done about it.