Forgot your password?
typodupeerror
Security Power Technology

Staged Hack Causes Generator to Self-Destruct 258

Posted by Zonk
from the tick-tick-tick-boom dept.
An anonymous reader writes "It has been revealed that in a U.S. Department of Homeland Security exercise codenamed 'Aurora' conducted in March of this year, researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator. 'Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment. And the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have made the fix. Industry experts also said the experiment shows large electric systems are vulnerable in ways not previously demonstrated.'"
This discussion has been archived. No new comments can be posted.

Staged Hack Causes Generator to Self-Destruct

Comments Filter:
  • by arabagast (462679) on Thursday September 27, 2007 @07:50AM (#20767091) Homepage
    because the automation system controlling the infrastructure is not connected to a public network, like say, the internet - right ?
    If it is, then someone should probably do some quick patching asap.
    • by drgonzo59 (747139) on Thursday September 27, 2007 @07:56AM (#20767155)
      You see they want remote control and monitoring but they also don't want to be on the Internet. They would have to build their own network, unless they are NSA, FBI or AT&T they cannot do that easily. Even then, once there is any remote control, the attacker doesn't have to jump over the fence of the power station, they have a choice to break one window of the building where the point of remote control is.
      • Re: (Score:3, Interesting)

        by SQLGuru (980662)
        Anyone wonder why they've been researching Ethernet over Powerlines? They already have the cables deployed all over the place, they just need to get the data flowing along with all of the other electrons.

        Layne
        • Re: (Score:2, Offtopic)

          If you mean BPL [howstuffworks.com], it has been rolled out in a few rural areas of the US. I know Cinergy has a lot of BPL customers around Cincinatti.

          I hoping it come to southern Indiana soon. Fast up and down.
        • by Mike89 (1006497)

          Anyone wonder why they've been researching Ethernet over Powerlines? They already have the cables deployed all over the place, they just need to get the data flowing along with all of the other electrons.

          Incorrect. Most high-voltage runs are accompanied by (at least some) fibre optic cable. At least, this is true in Australia (my father works for one of the larger transmission companies here).

          I believe it's also true in the US because I read somewhere the power companies were onselling this to ISPs?

          • by t0rkm3 (666910)
            True of at least some companies. I helped set up a SONET network for Calpine at that is precisely the infrastructure used.
      • by kent_eh (543303) on Thursday September 27, 2007 @09:24AM (#20768313)
        Our company has all our generators (and many other things) remotely controlled, and none of those systems are available to the public internet. We have it all captive on our own infrastructure.
        The local power utility ( I know several of their techs who work on the telemetry gear) also has a remote control system which in entirely on their own infrastructure, and has no interconnection with any system that is accessible from a public network.
        It may not be the absolutely cheapest way to do things, but it's also a lot more secure.
        What's the cost of this sort of failure compared to doing it "right" in the first place?
      • Re: (Score:3, Funny)

        by legirons (809082)
        You mean they need to jump a motorcycle into the guard post from an adjacent building, break into the control centre, and run nmap on a terminal on the internal network?
      • by evilviper (135110) on Thursday September 27, 2007 @11:31AM (#20770153) Journal

        They would have to build their own network, unless they are NSA, FBI or AT&T they cannot do that easily.

        What the hell is happening to /.? Has NOBODY here ever heard of a LEASED LINE?

        Call up Verizon or AT&T, tell them you want a T1 from point A to point B. You pay them a few dollars every month, and you have a direct, and fully-private connection from A to B.

        Public networks aren't the only way to communicate.
    • by LehiNephi (695428) on Thursday September 27, 2007 @08:06AM (#20767273) Journal
      It is. It has to be. It would be ideal if you could run isolated networks, but it's impractical. Let's say you run a facility with some gas turbine generators, as in this example. The generator package has to communicate with the control system. The control system has to communicate with the "business" network (for record-keeping, among other reasons), and the business network has to be connected to the internet. There are lots of things you can do to help secure the various levels of the network, e.g. firewalls, vLANs, packet filtering and inspection, intrusion detection and response, etc., but there still is a data path going all the way out from the lowest levels out to the "real world".

      (Our company has also been working with Idaho National Labs on this exact issue, can you tell? The government is taking it pretty seriously)

      There are a few problems. For example, there's a lot of old control gear out there, and if it talks ethernet, it assumes that anything it receives is legitimate. Also, the equipment involved is produced in small enough quantities that there can't be a great deal of effort expended on security features. It's not like Windows, where millions and millions of copies are sold, and lots of people actively look for holes.
      • It seems changes should be manageable on-site, while offsite monitoring should be done by dumps.

        i.e. You could burn discs with the necessary logs/data, you could set up a send-only piece of hardware, etc.

      • by sholden (12227)
        Surely you can have a one way data path from the control system to the "business" network. It means the "business" network only gets the data it is given and can't make real time queries, and if some data it doesn't have is required the control system will need to be updated to send that too.

        There's no need to plug in an ethernet connection (and the associated exposed network stack), a serial cable on which the data is sent (which does not read commands) should do.

        Of course it's a hassle and more costly tha
        • by LWATCDR (28044)
          That was what I was going to suggest. A two line signal+ground one way serial cable.
          Heck use an optical isolator to keep the electrically isolated for surge protection.
      • by dpbsmith (263124)
        "It is. It has to be. It would be ideal if you could run isolated networks, but it's impractical. Let's say you run a facility with some gas turbine generators, as in this example. The generator package has to communicate with the control system."

        Sure.

        "The control system has to communicate with the "business" network (for record-keeping, among other reasons),"

        What? Why? Why? Why?

        What's so darn important that it requires instantaneous communication? Why can't it just gather summaries in, you know, overnight
      • by arminw (717974) on Thursday September 27, 2007 @09:46AM (#20768589)
        .....has to communicate .....

        Really, has to? Electric systems have been around since the days of Edison and worked just fine without networks, specifically the Internet. Sacrificing security for convenience is a bad idea that Microsoft has amply demonstrated. Why can a power plant not be controlled locally, by a human operator, like they were in the past. Remote reading is a lot different than remote control. Much of this remote control pressure comes from bean counters in management. They want to eliminate the cost of hiring workers wherever possible.

        Normally, each generator, transformer and other equipment has safety devices that shut the machine down BEFORE any damage happens. Whatever happened to those? Do they depend on computers for that safety function now, that a simple relay or circuit breaker used to provide? If the setup in that experiment corresponds to the way power systems are run today, perhaps it's time to take a step into the past.
      • If people would only take a couple minutes to think about it, the explanation would be obvious. After all, there was no electricity distribution before the Internet existed.
      • Re: (Score:3, Insightful)

        by Hatta (162192)
        The control system has to communicate with the "business" network (for record-keeping, among other reasons)

        Use Sneakernet, not Ethernet.
    • by Rosco P. Coltrane (209368) on Thursday September 27, 2007 @08:07AM (#20767285)
      because the automation system controlling the infrastructure is not connected to a public network, like say, the internet - right ?

      You know, the internet isn't the only network out there. The telephone system is another, with wetware acting as clients and servers. For example:

      JOE (technician): *rrring*.. hello?
      JACK (mischievous social engineer): Hey Joe, this is Terry at central control
      JOE: Hi Terry, what can I do for you?
      JACK: I need you to offset the timing on the third generator coil by 20% please.
      JOE: Uh? 20%? That sounds dangerous.
      JACK: It's urgent! the power-grid is not stable, if you don't do this, we'll have New York in the dark!
      JOE: erh.. I really need to talk to my supervisor for this. Who did you say you were?
      JACK: I've already talked to your supervisor. John's gonna be really pissed off if you don't do this!
      JOE: Well ok then. Here goes...
      **KABOOM**

      See? no need for any internet, wetware can be hacked too.
      • Re: (Score:2, Informative)

        by guruevi (827432)
        Well, if there is an established procedure for offsetting timings on any coil (as in chain of command), 'Terry' should call your supervisor, not you and then when you (technician) say it is dangerous, there should be a call back to 'Terry' and his supervisor.

        Working in dangerous or otherwise critical environments is all about having established procedures mimicing the way public key infrastructures work. Both public (technicians calling each other) and private (supervisors calling each other) keys (commands
        • by arminw (717974)
          ....Working in dangerous or otherwise critical environments.....

          It used to be that all equipment was designed with specific hardware protection devices that would also protect against operator errors. If they use computers and software for that now, it is a step backwards IMHO. Adjusting the current or whatever to a dangerous value should not be possible. If it does happen, the machine should shut down, not self-destruct. Something sounds very fishy to me in this whole article.
      • by Errtu76 (776778)
        This sounds awfully familiar. Haven't you worked on the script for Hackers? I must say i'm a little disappointed you didn't mention Jack committing harikiri if Joe didn't cooperate.
      • Correct, but your senario only takes out one generator. What the fine article talks about, from a DHS standpoint, is a coordinated attack, set to go off everywhere at the same time. Much chaos would ensue...
      • Not possible (Score:5, Interesting)

        by dj245 (732906) on Thursday September 27, 2007 @09:51AM (#20768653) Homepage
        As someone who as worked in this position in a power station, let me say that this social engineering attack is not likely. You very quickly learn the names, attitudes, and voices of all the people that frequently call asking for changes to the generators. The number of people calling for these changes is usually a handful, 5 or less. If someone odd calls, we would often ask if another guy we knew was on vacation or sick.

        If someone we never had heard of called asking for something strange, I would have definitely asked to talk to someone I knew at the independent system operator, emergency or not.
      • by arminw (717974)
        ....**KABOOM**......

        Except that in the past at least, generators and other equipment had specific hardware devices, such as over current, overspeed and other protections that shut the machine off BEFORE it could go "KABOOM". Whatever happened to those? Do they rely on computers and software for that now? So in your scenario, the generator would be safely shut down before all that stuff was computerized.
    • Re: (Score:3, Interesting)

      by arivanov (12034)
      IIRC, The US network is connected in places or separated by weak bastion hosts. If you do not remember the case when Slammer caused blackouts in the North East, some of us do.

      Even if the USA network was not connected, the control systems themselves use laughable authentication (if any). Most other networks are similar. They have been built by control automation engineers whose knowledge of networking and security is somewhere between laughing stock and none. This is valid for the rest of the world, not just
    • Re: (Score:2, Informative)

      by StickyWidget (741415)

      It is possible. First, control systems are connected to a public network because the way electricity is traded among generators, transmission owners, and other members of the electric power community. They use the Internet as the common communications infrastructure for the business side, which gives orders to the production side (the generators). This is the way of the unregulated market, and it's starting to be run a lot like other industries. Because the production side is run by the business side,

      • by TigerNut (718742)
        If electricity is a commodity to be traded then the transactions should be encrypted the way bank transactions are, with all due attention paid to the security of the information and authentication of the originating system for each order. Additionally, the response of an individual generator to a given control input should still not be able to circumvent the safety system such that the power system becomes unstable to the point of overloading the generator.
    • by Phil-14 (1277)
      If the public power system weren't heavily networked, it would not be possible to hook the California power system's consumers (and their electric cars) to hydroelectric plants in Washington State, or Quebec.

      And even if it weren't connected to the public internet, it would still be connected to _an_ internet that could be hacked...

      It's too late for us to just Stop Using The Networks Because They Aren't Secure Enough, without massive expense. We're going to have to make them more secure the hard way.
    • What should not exist is any way for hardware to unintentionally self destruct via the software. That's a bug. Definitely a bug that should be fixed. Yeah, bugs are closely related to insecurity. But they shouldn't always be turned into a security issue. This sort of problem could be triggered by accident, no need to turn it into a witch hunt.

      Of hardware, there was the infamous Therac 25, an x-ray machine. They saved money by removing some failsafe hardware intended to limit the device to safe level

  • Don't connect it up (Score:4, Informative)

    by squoozer (730327) on Thursday September 27, 2007 @07:57AM (#20767165)
    There is a really simple and quick fix for this problem - don't connect the control equipment to a (public) computer network.

    What is more interesting than the fact this was possible is the fact that some numb skull thought it might be a good idea to link critical control systems to a public network. I can see that there is scope for remote control, especially with a nuclear plant, but I hardly think sending the data over the Intertubes is the correct way to do it.
    • Re: (Score:3, Insightful)

      by LehiNephi (695428)
      There's one problem with that: in today's world, data has to flow back to headquarters. Take an oil production facility for example. The plant has to send back a daily report detailing exactly how much gas/oil/water/CO2/H2S/sand/whatever is produced. Gas turbines send data back to the manufacturer for performance evaluation, maintenance scheduling, and troubleshooting. Yes, someone could do it manually, but there are myriad other functions that require network connectivity beyond the control system.
      • by prelelat (201821)
        why on earth could you not run two networks at the plant? I bet a thumb drive would work wonders for transferring data to a terminal in the same room to send data to headquarters. Hell you could have someone do it hourly if you really wanted, but you probably only need it once a day when you say do a backup of that same data. As for running the equipment, I'm sure it's ran all internally anyways, why do you have to have that computer network connected to the outside world?
      • by HaloZero (610207)
        Please. There are ways to do this safely without constant connectivity. You have a router that's connected for a sum total of five minutes - a random five minutes, mind you, but five minutes - not even five minutes, really. As long as it takes to xmit the data to a proxy server on the perimeter, which can then host it for whoever wants to come along and read the report at 3pm that day. Or whatever specified interval.
      • There's one problem with that: in today's world, data has to flow back to headquarters.
        Then use a Data Diode [tenix.com] it is a physically secure link that provides one-way data flow (it's essentially half of a fibre-optic pair, the transmit half is connected up while the receive half has been removed).
    • by theotherbastard (939373) on Thursday September 27, 2007 @09:07AM (#20768041)
      Except that would never work with how the power grid is setup. The plants all communicate with Central Control. (I know because I happen to work for an Electric Company) Central Control is a big room with video walls the likes of which you have never seen! (Our main one happens to be the largest video wall in North America) These control centers are (gues what!) controlling how much power goes out across the lines at any given moment. And it has to be carefully controlled otherwise you get a sag or a spike which does all sorts of damage.

      In addition to the Central Control there are Regional Dispatch Offices which have information about the grid as well. These mainly coordinate repair and upgrade efforts. But, they need to know which circuits are hot because people's lives are on the line.

      So, simply isolating the plants would not work. Certainly not in our day and age.
  • by brucmack (572780) on Thursday September 27, 2007 @08:03AM (#20767247)
    I don't understand why Nuclear power needed to be singled out. The electrical generators are pretty similar regardless of the fuel source. And if it blows up, it's not going to take the nuclear reactor / coal furnace / (insert steam source here) with it, since they tend to be very well separated from each other.
    • by AndersOSU (873247)
      Because the turbines is where your secondary coolant loop dumps most of its heat. If your heat sink stops functioning, your primary coolant heats up. If your power plant was designed by some guy in Russia in 1952, and you had bypassed the rudimentary safety interlocks, despite the Cyrillic script clearly telling you never to push this button, this could potentially cause a meltdown.
  • "cause a power generator to self-destruct remotely". This seems unlikely.

    What probably happened was that they "remotely caused a power generator to self-destruct."

    /stickler
  • by jollyreaper (513215) on Thursday September 27, 2007 @08:07AM (#20767283)
    I'm no computer security expert but I do know of the world's most unhackable firewall -- it's called a one inch air gap. Put that gap between the network cable and the NIC and nobody is gaining access.

    Yes, I know power plants will require some net access for web, email, etc. But the office worker network and the command and control computers and network for the generators should have nothing to do with each other! Separate systems, no network connectivity, the plant software should be operating in a vacuum bubble. The rest of the world should not exist for it, no way, no how. Oh, need to install a patch for the software? After being thoroughly tested and vetted on a proofing system, the software is then installed the old-fashioned way, off of CD-ROM's. Now if someone can fuck with the CD-ROM's, THAT I can understand. I can buy the plausibility of the NSA printer hack [vmyths.com], even if it was a hoax. (NSA puts a virus on printers heading to Iraq, takes down their network.) The story about the CIA sabotaging software for equipment the Russians were buying to use in their pipelines [damninteresting.com] is true. These are secure systems completely cut off from external contact that were sabotaged by the insertion of compromised components that were not detected. That makes perfect sense.

    It always bothers me when I see movies showing hackers getting in to some place and gaining access to files on servers that should never have a connection to the outside world. Then again, maybe I'm giving the fictional syadmins of the target systems too much credit. Who knows, maybe next week we'll read about some Korean hackers who were able to compromise a Minuteman silo and add it to their botnet.
    • by jamesh (87723)
      I have about 90 inches of air between my computer and the network, and it's not stopping me.

      The "1 inch (or mm) air gap" idea is a good one, but getting harder and harder to implement. If a tech has a laptop connected to the internal network, and has wireless enabled, and its in range of the hacker then you have a problem (in theory - see the recent apple wireless compromise)

      If he has a PC connected to the internal network with no wireless, but has his phone connected to it via USB, then in theory that coul
    • I'm no computer security expert but I do know of the world's most unhackable firewall -- it's called a one inch air gap. Put that gap between the network cable and the NIC and nobody is gaining access.

      Sorry, not enough. Smart hackers up the line voltage in the network cable to 20kV to cross the one inch air gap.
    • by SQLGuru (980662)
      Actually, the connections come in when you start looking at feeding operating data into the business processes.....or when you want to monitor the state of the machine to automatically trigger preventative maintenance.....or automated control.

      Layne
      • Actually, the connections come in when you start looking at feeding operating data into the business processes.....or when you want to monitor the state of the machine to automatically trigger preventative maintenance.....or automated control.

        But still, why aren't they hardening the shit out of these interfaces? Is it because nobody takes software engineering seriously? There are a lot of tricky and subtle problems that knock airplanes out of the sky but aerospace engineers are paid the big bucks to make sure that doesn't happen. Their employers know that faults that do make it past inspection lead to massive class-action suits from the survivors' families.

        The only two explanations I can think of: A) Fight Club car recall theory where the busin

      • by b0s0z0ku (752509)
        Actually, the connections come in when you start looking at feeding operating data into the business processes.....or when you want to monitor the state of the machine to automatically trigger preventative maintenance

        Business processes: they're usually not required to be instantaneous. You could do just as well logging data to a removable HDD or other media of choice and then physically reconnecting it.

        Monitoring: the link doesn't have to be two way -- the monitoring system could just spit data out ove

    • by ScentCone (795499)
      the plant software should be operating in a vacuum bubble

      The problem is that they can't. If you think back to some of the more recent spectacular blackouts, you'll recall that the reason they were so far-reaching was that the networked systems that allow the generation and distribution systems (often run halfway across the continent by different parties/agencies) to talk to each other and properly duck out of the way or isolate themselves from damaging surges and faults... weren't fast enough or well-eno
      • by TheLink (130905)
        Even if you used private networks, determined hackers could still tap into them so you'd have to use encryption, firewalls and all that - which pushes the cost up even more.

        "Big, multi-state/province blackouts can only be prevented when the whole system IS internetworked"

        Not correct. Big multistate blackouts can be prevented if you don't have a big grid in the first place. Each electrical network will be isolated from the others. But apparently it is more expensive to do things this way (assuming a safer en
  • by bracktra (712808) on Thursday September 27, 2007 @08:14AM (#20767355)

    "Fast and resolute mitigating action is needed to avoid a national disaster," the letter said. But five years later, there is no such program. Federal spending on electronic security is projected to increase slightly in the coming fiscal year, but spending in the Department of Homeland Security is projected to decrease to less than $100 million, with only $12 million spent to secure power control systems.
    1. Stage PR stunt about an impending 'emergency!!!'.
    2. Complain about lack of funding to solve desperate hole in our nation's security.
    3. ???
    4. Profit!
  • by Isbjorn (755227) on Thursday September 27, 2007 @08:17AM (#20767375)
    I am the system administrator for a large state government agency. Recently I was essentially forced to connect a Windows XP boiler control system for an electrical generation plant to the Internet, so that the vendor can do remote maintenance. If I hadn't found out about it, it would be connected directly without even a firewall... This system had no anti-virus software, and of course it has a popular remote-control software installed for the vendor's access. The only reason I can sleep at night is that the plant is far away from any populated area, and may be shut down due to other reasons soon. I will be sending this video to a number of people in an email today.
    • You should of said that it will not go on the network with off any anti-virus software and that you must have full control over installing updates. Also you should have a firewall for the full site no just a software fire wall on each pc.
    • by b0s0z0ku (752509)
      Throw OpenVPN on the network gateway and make that subnet only accessable via VPN. OpenVPN is SSL/key based, so it's more secure than passwords (and can be combined with passwords). Plus, it's free, and there's a Windows GUI client that's simple enough for even a developmentally challenged chimp to use. No key file; no access.

      -b.

  • by trelanexiph (605826) on Thursday September 27, 2007 @08:24AM (#20767457) Homepage
    From TFA "researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator"

    You mean they upgraded it to Microsoft Windows Vista?
  • The TV movie Category 6: Day of Destruction [imdb.com] went into details that US power plants are vulnerable to remote attacks, and featured such a guy who managed to make generators self-destruct from his home PC (he died when connectivity was cut off, and realising what he did, he went to the power plant to fix things locally, but too late).

    And there we go, 3 years later the government wakes up to the threat as well.

    Guess my advice to government fellows is: watch more TV, it'll raise your IQ. OMG the irony :(
  • With a staged hack I can launch an ICBM...
  • by ExE122 (954104) * on Thursday September 27, 2007 @08:39AM (#20767661) Homepage Journal
    These post are getting ridiculous. Too many people are saying "why don't they just disconnect it from the network?" and getting modded as "insightful".

    It's NOT that simple! If they are connected to the network, there is probably a very good reason for it, and not just cause some engineer wants to check his email and download pr0n while listening to the generators hum.

    These generators more than likely are controlled by self-optimizing systems based on a variety of data that is collected. If they're providing power to various remote sites, they need the internet for gathering data from those sites.

    The internet is more than just a public free-for-all, it is the communication medium for many business/mission-critical systems (see LehiNephi's response above). They really just need to have the right security in place to keep it safe.

    • by makapuf (412290) * on Thursday September 27, 2007 @09:13AM (#20768141)
      s/the internet/a private wan

      why do you need internet (the public one, with no QoS) to have remote access from one point (data collecting / stat computer) to the power plant ?

      Yes, the data have to be collected from somewhere, but why not make a private WAN (or a VPN if best-effort QoS is OK for you) for this ? It's not about playing WoW with your neighbour, it's about remote controlling a nuclear core, so maybe it would make sense.

    • by nels_tomlinson (106413) on Thursday September 27, 2007 @09:24AM (#20768321) Homepage
      If they are connected to the network, there is probably a very good reason for it...

      Lazyness? Insanely stupid cost cutting?

      Yes, the components of the system need to get data back to the dispatcher, and receive instructions in return. No, that doesn't require the internet. You can use a modem on a leased line. Yes, it really is possible to send and receive data without the intarweb.

      The internet is a cheap, insecure way to accomplish what should be done on an expensive, secure, private network.

      • Yea, modems were never hacked either... Guess you were still in diapers before the 90's.
        • by hcdejong (561314)
          You can (could?) get private phone lines, that aren't connected to the public phone network at all ('direct line'). The telephone company can connect incoming lines directly to each other, bypassing the exchange entirely. To hack such a line, you'd need physical access to the exchange building.

  • We also need to look out for homer Simpson's in the control room to mess things up like the one time he spilled some food on the control panel killing the power at the new york albany power plan and he got off by blaming it on Max Power.
  • by xfmr_expert (853170) on Thursday September 27, 2007 @08:42AM (#20767701)
    There are easier ways to damage the bulk power grid (or local transmission). Pick up a rifle at your nearest sporting goods store. Go to your nearest transmission substation (or even large generating plant). Take a shot at the porcelain on one of the transformer bushings. Kablam! You just removed a few hundred MW (or perhaps more) or generating capacity or transfer capability and caused millions of dollars in damage. If it's a generating station, the cost of lost revenue could drive the total to 70 or 80 million. Actually, I have seen bushings with bullet holes. Obviously not that common, or something would be done about it, but it does happen. It won't always cause an immediate and catastrophic failure, but it certainly can. Especially if one keeps trying... The bigger danger to this nations power grid is lack of investment and a severe brain drain in engineering personnel.
  • Jumping Generators (Score:4, Interesting)

    by torkus (1133985) on Thursday September 27, 2007 @08:53AM (#20767835)
    What a bunch of sad geeks we've become. Instead of crying about how it was connected to the 'net i watched the video.

    I'd like to know what they did to make a multi-ton generator JUMP like that thing did. After a few jumps there were a couple chunks of black stuff flying around. If you watch the "full" video it's clear they cut it at least once if not more. I'm guessing it took them quite a long while to get the generator to "blow up".

    Anyone have thoughts as to how they did it? I'm going to guess they messed with the fuel/air mix or delivery and caused a massive backfire while under/overloading the alternator side. I'd guess for kicks they also forcibly turned off the cooling fans creating an over-temp in the engine. Assuming i'm right and they cut out 95% of the video length that explains it a bit better. The failure seemed two-fold: A failed main-crankshaft seal spewed out white "smoke" (read over-temp coolant) and something up by the valves making black smoke.

    This is probably something you could do to a regular car if you were poking around in the engine management computer.
    • Re: (Score:3, Insightful)

      by trybywrench (584843)
      looks like a thrown rod, maybe they somehow cut off the supply of oil? I don't think the oil pump is usually under any kind of computer control though. ..maybe they over revved the engine and blew a piston that way. Keep the tach red lined long enough and something bad will happen. I don't know about a backfire, wouldn't a backfire cause a stall in the worst case? It looks like something mechanical broke inside the engine (that shudder) and then it slowly ground to a hault.
    • More likely they forced it out of phase, which basically turns the general coils into a motor, working against the engine.
    • by russotto (537200)
      All they'd have to do is connect the generator to the grid out-of-phase. The grid tries to drive it one way (remembering that a generator and a motor are pretty much the same), it's being mechanically driven the other way... something's gotta give, and it won't be the grid.
  • by Anonymous Coward
    I don't usually post anonymously, but I will this time.

    I used to be a developer for a SCADA/HMI software vendor. That stands for Supervisory Control And Data Acquisition [wikipedia.org] / Human Machine Interface.

    It is quite common for such software to be used in places where its failure could cause injury or death.

    Many of our customers put their SCADA systems on the Internet, so that our support staff could work with their systems, as well as to allow our consultant engineers to remotely upload new releases.

    One da

    • by b0s0z0ku (752509)
      ne day my boss told me that a lot of our customers didn't use SSL encryption, either because they couldn't be bothered with it, or because they couldn't figure out how to install the server software or certificate correctly.

      Maybe there's a market for a prepackaged OpenVPN appliance/router that'll spit out a self-installing .exe file with appropriate client certificates, the OpenVPN program, and the GUI client, so even a newb at a remote site can install it if given to him on a USB key.

      -b.

  • "researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator"

    My dad used to make hard drive cabinets walk across the room by doing a slow read in one direction and a fast read in the other. (Sorry if I'm sketchy on the details, but it was something like that. The story was told long ago and the events happened even longer before that. This was back when hard disk platters were 12" across, copper-colored, and held a few MB each.)
  • The threat is real (Score:4, Interesting)

    by Maximum Prophet (716608) on Thursday September 27, 2007 @09:19AM (#20768235)
    We know that, because *we* did it to the Soviets. http://www.msnbc.msn.com/id/4394002 [msn.com]

    And their machines weren't even connected to the internet. So all the people who are saying, "Just disconnect it", well, that's not good enough. We have to engineer systems that are hardened and handle failure gracefully. And don't use stolen software.
  • Money (Score:3, Insightful)

    by Detritus (11846) on Thursday September 27, 2007 @09:27AM (#20768365) Homepage
    As I've said before, it's all about money. There are almost irresistible forces that lead organizations to connect control systems to the Internet. An isolated private internet is extremely expensive and difficult to maintain. It's so much easier, cheaper, and tempting, to plug that cable into the public internet, perhaps with a crappy firewall to provide an illusion of security. Even if an engineer is willing to stick his neck out and say that it's an unacceptable security risk, he isn't being a team player and will be overruled by someone higher up the food chain.
  • Back when I was working on the Trident sub program (early 1980's), one of the veteran submariners told me about an incident on a sub. Subs have multiple generators, and the Navy was attached to manual controls. So, the procedure for brining a 2nd generator online, is to spin it up, watch the phase angle meter, and switch it in when there's 0 phase difference. What happened, was a new guy followed the procedure, but threw the switch when the two generators where 180 degress out of phase. The generator j
  • ... distinctiveness to our own.

    FTFA:
    "It's equivalent to 40 to 50 large hurricanes striking all at once," Borg said, "resistance is futile."
  • Of all the stupid things the government classifies as secret, here they publicise an attack vector and a specific vulnerability? Maybe they should have kept the particulars of this excercise a secret and just pushed for better security measures on networks controlling our physical infrastructre. Hmm
  • It is mostly bunk (Score:5, Insightful)

    by anorlunda (311253) on Thursday September 27, 2007 @10:49AM (#20769497) Homepage
    There is no such thing as an "operating cycle" to change for a generator.

    The generator pictured in the video is not the kind used in large power plants. It appears to be a diesel generator similar to the kind that is used for backup power in many buildings. Backup generators are typically 1 MW or lesss, whereas big power plant generators are 1000 MW or more. It is like comparing a RC controlled model airplane with a 747. Besides being bigger, the 747 and the power plant will have much more elaborate systems to protect things from damage and destruction caused by malfunctioning equipment and/or misbehaving control systems. When there are billions of dollars and /or human lives at stake, one invests more in safeguards such as electromechanical relays, breakers and other non digital gadgets.

    The thing that could cause the generator to jump and destroy itself like in the video is to attempt to synchronize it with the grid out of phase or at the wrong speed. Another post in this thread, "This has happened before computer controls" by Maximum Prophet hit on the correct answer. In small, unattended, backup generators synchronization may be automated by computer, but in large power plants nobody trusts the computer enough to allow this critical operation to be automated. It is still typically done by hand with the aid of old fashioned non-digital equipment. Even if one did mis-synchronize a generator (and it does happen) other protective devices shut things down quickly to limit the scope of damage. And yes, mis-synchronization does happen in real life every once in a while, usually in a brand new installation and usually because the instruments are wired up wrong. The result can be damage sometimes, but I never heard of it destroying a whole plant.

    That is not to say that cyberwar is not a threat, nor to say that it is not good policy to isolate all critical control computer from the net. Again its a matter of money. If you are running a $5 billion power plant, your budget is big enough to hire real people to come and maintain systems rather than using remote diagnostics. Or, if you do want remote diagnostics, you can afford to use leased private lines rather than the internet. Power plants and the power grid can afford gold standard security and they should be required to do it. I don't oppose the security thrust, but I do oppose the hyped up scare tactics designed to panic us into unwise government spending.

    I spent most of my life modeling power plants and their control systems to build operator training simulators. As part of training, we inject myriads of simulated malfunctions. As part of debugging of the models, we get to see just about every detail of the plant and its control and its safeguards working incorrectly before we debug them and make them correct. That gave me and others experiences up to our chinny chin chins about what can go wrong and what the consequences might be.

    I'm afraid that what this is about is another naked grab for government money and using scare tactics to get it. Mr. Joe Weiss in the video works for EPRI. He, and the government committee on critical infrastructure protection, were both singing the song in 1999 that no matter what Y2K bugs might exist, they couldn't do any real harm. Get it? Not that the Y2K bugs didn't exist or would be fixed (at proved to be the case) but that they couldn't do any substantial harm no matter what. Now these same people are saying that a few hacks can cause widespread and catastrophic damage. One can not argue both sides of this issue and keep credibility. If a control system misbehaves, it matters not whether the problem is inadvertent or malevolent. Yet these people pooh pooh the risk of inadvertent bugs yet hype the danger of malevolent ones. It's bunk.

    EPRI wants $100 billion to automate everything in the power grid as a massive research project. Next they'll want another $250 billion to secure it from cyberwar threats. DOE wants a national DOE control center for the
    • by wawannem (591061) on Thursday September 27, 2007 @12:15PM (#20770837) Homepage

      whereas big power plant generators are 1000 MW or more.


      Heh... that's it? I once heard of a professor somewhere that was able to build a portable generator, small enough to fit in the rear half of a small car, capable of outputting 1,210 MW...
      • Re: (Score:3, Funny)

        by cdrguru (88047)
        Nonsense. Do you understand what the output of such a generator would be?

        I believe it is very high voltage with not-so-much current. Well over 100,000 volts.

        The separation between the output terminals would be larger than the space occupied by the car.

        OK, what if I'm wrong and it is lots and lots of current. At 1200MW the output current would require something that isn't going to fit in a car to connect to the output terminals.

        Either way, it isn't fitting in the space of a car. Not even an Excursion.
  • by maz2331 (1104901) on Thursday September 27, 2007 @10:54AM (#20769561)
    Whatever the reason's given for connecting any critical infrastructure to the public Internet, it is far too risky of a proposition to seriously consider it. They absolutely should be using private WANs, preferably encrypted eight ways to Sunday.

    There is absolutely no excuse whatsoever for making this equipment accessable from the public Internet. None. Zero. Zilch.

    Frame Relay T1 lines are cheap nowadays, and they should be using them.

The ideal voice for radio may be defined as showing no substance, no sex, no owner, and a message of importance for every housewife. -- Harry V. Wade

Working...