Staged Hack Causes Generator to Self-Destruct
An anonymous reader writes "It has been revealed that in a U.S. Department of Homeland Security exercise codenamed 'Aurora' conducted in March of this year, researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator. 'Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment. And the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have made the fix. Industry experts also said the experiment shows large electric systems are vulnerable in ways not previously demonstrated.'"
Don't connect it up (Score:4, Informative)
What is more interesting than the fact this was possible is the fact that some numbskull thought it might be a good idea to link critical control systems to a public network. I can see that there is scope for remote control, especially with a nuclear plant, but I hardly think sending the data over the Intertubes is the correct way to do it.
Um, WHY was the generator on the internet?!! (Score:5, Informative)
Yes, I know power plants will require some net access for web, email, etc. But the office worker network and the command and control computers and network for the generators should have nothing to do with each other! Separate systems, no network connectivity, the plant software should be operating in a vacuum bubble. The rest of the world should not exist for it, no way, no how. Oh, need to install a patch for the software? After being thoroughly tested and vetted on a proofing system, the software is then installed the old-fashioned way, off of CD-ROMs. Now if someone can fuck with the CD-ROMs, THAT I can understand. I can buy the plausibility of the NSA printer hack [vmyths.com], even if it was a hoax. (NSA puts a virus on printers heading to Iraq, takes down their network.) The story about the CIA sabotaging software for equipment the Russians were buying to use in their pipelines [damninteresting.com] is true. These are secure systems completely cut off from external contact that were sabotaged by the insertion of compromised components that were not detected. That makes perfect sense.
It always bothers me when I see movies showing hackers getting into some place and gaining access to files on servers that should never have a connection to the outside world. Then again, maybe I'm giving the fictional sysadmins of the target systems too much credit. Who knows, maybe next week we'll read about some Korean hackers who were able to compromise a Minuteman silo and add it to their botnet.
Re:this should not be possible (Score:2, Informative)
Working in dangerous or otherwise critical environments is all about having established procedures mimicking the way public key infrastructures work. Both public (technicians calling each other) and private (supervisors calling each other) keys (commands) should match and be verified on both sides before anything is executed.
Re:this should not be possible (Score:2, Informative)
It is possible. First, control systems are connected to a public network because of the way electricity is traded among generators, transmission owners, and other members of the electric power community. They use the Internet as the common communications infrastructure for the business side, which gives orders to the production side (the generators). This is the way of the unregulated market, and it's starting to be run a lot like other industries. Because the production side is run by the business side, the connections between the two are inevitable, due to various benefits (lowered costs due to increased process intelligence, proactive maintenance, and a host of others).
Second, quick patching on control systems is a no-no. These systems run 24x7, and are running highly customized and tested software. If a patch exists, it likely isn't under warranty from the vendor. This means that if a patch is applied, the vendor is well within their rights not to support the system anymore. Also, these systems typically can't just be rebooted; they are running real-time calculation and monitoring to ensure the process variables stay within controlled range. Shutting them down is often tantamount to shutting down the plant, which costs a metric f%&k-ton of money if it stays down.
Parent comment is not insightful, and certainly not intelligent; how about some corrective action, Mods? Read the Blackout Report, it has perhaps the best explanation of how the power system functions from top to bottom.
~Sticky
Re:this should not be possible (Score:3, Informative)
At least here in the UK, Telemetry and control signals are carried over the National Grid itself, nowadays using an optic fibre that runs alongside the earth wire. Case Study [teligenceuk.com].
I see no reason why all telemetry and control signals should not be carried in narrow- or broadband communications along the power infrastructure itself, and then restricted to a physically separate infrastructure when being processed. Data links to business systems can be provided using a one-way connection (Serial or optical). If you then want to have a real-time billing system, you can join all the business networks up, either along the same fibre-way (atop the pylons), or through the olde-fashioned interweb.
For telemetry, TCP/IP may often be your worst choice, since it has a high latency. If you want to protect your infrastructure from lightning strikes, you need to respond at the speed of light. Literally. Other control signals (demand etc.) may be able to wait a second or two, but you can't afford to risk the kind of packet loss you may receive if the telco or ISP is having a bad day. So all the control stuff will need to be on multiple route redundant circuits anyway. Note I said circuits - you have to have whole circuits to yourself.
TCP/IP may have been well designed for critical communications networks. But it sure as hell ain't designed for critical real-time communications. Ergo you have to have a dedicated infrastructure, so there is no excuse for having any connection, even firewalled from t'internet, to the power station control systems.
If you really must share infrastructure, then for pete's sake, use the time-honoured TDM.
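The one-way serial or optical link suggested in the post above has a consequence the thread does not spell out: the control side can never hear an ACK or a retransmit request, so reliability has to come from redundancy and integrity checks on the receiving (business) side. The following is an added illustration written for this page, not code from the poster or from any real data-diode product; the frame format, the repeat count and the sample telemetry string are all constructed for the example.

```python
"""Data-diode style one-way transfer (constructed example).

The sender only emits frames; it cannot receive anything. Each chunk is
sent `repeat` times, every frame carries a sequence number, total count
and CRC32, and the receiver deduplicates, rejects corrupt frames and
reports which sequence numbers never arrived intact.
"""
import struct
import zlib

MAGIC = b"DD1"          # hypothetical frame marker for this example
HEADER = struct.Struct(">II")   # seq, total (big-endian uint32)
CRC = struct.Struct(">I")


def frame(seq: int, total: int, payload: bytes) -> bytes:
    """Build MAGIC | seq | total | payload | crc32(everything before crc)."""
    body = MAGIC + HEADER.pack(seq, total) + payload
    return body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(raw: bytes):
    """Return (seq, total, payload) or None if the frame is truncated or corrupt."""
    if len(raw) < len(MAGIC) + HEADER.size + CRC.size or not raw.startswith(MAGIC):
        return None
    body, crc = raw[:-CRC.size], CRC.unpack(raw[-CRC.size:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    seq, total = HEADER.unpack(body[len(MAGIC):len(MAGIC) + HEADER.size])
    return seq, total, body[len(MAGIC) + HEADER.size:]


def send(data: bytes, chunk: int = 8, repeat: int = 2):
    """Yield frames for `data`; repetition replaces ACK/NACK, which can never come back."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    total = len(chunks)
    for seq, payload in enumerate(chunks):
        for _ in range(repeat):
            yield frame(seq, total, payload)


class Receiver:
    """Reassembles chunks; duplicates are harmless, gaps are reported, never requested."""

    def __init__(self):
        self.parts = {}
        self.total = None
        self.bad = 0        # frames rejected by the CRC/format check

    def feed(self, raw: bytes) -> None:
        parsed = parse_frame(raw)
        if parsed is None:
            self.bad += 1
            return
        seq, total, payload = parsed
        self.total = total
        self.parts.setdefault(seq, payload)   # first good copy wins

    def missing(self):
        """Sequence numbers for which no intact copy arrived (None before any frame)."""
        if self.total is None:
            return None
        return sorted(set(range(self.total)) - set(self.parts))

    def assemble(self):
        """Reassembled data, or None while any chunk is still missing."""
        if self.total is None or self.missing():
            return None
        return b"".join(self.parts[i] for i in range(self.total))


def simulate(data: bytes, drop=(), corrupt=()) -> Receiver:
    """Push `data` through a lossy one-way channel.

    `drop` and `corrupt` are indices into the emitted frame sequence: dropped
    frames never arrive, corrupted ones arrive with one CRC byte flipped.
    """
    rx = Receiver()
    for i, f in enumerate(send(data)):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-1] + bytes([f[-1] ^ 0xFF])
        rx.feed(f)
    return rx


if __name__ == "__main__":
    # Constructed sample telemetry, not real plant data.
    sample = b"load setpoint 412 MW; bus 7 voltage 132kV"
    rx = simulate(sample, drop={2, 3})
    print("missing chunks:", rx.missing(), "rejected frames:", rx.bad)
```

With the default settings each chunk goes out twice, so losing one copy (or having it corrupted) costs nothing, while losing both copies of a chunk leaves a permanent, visible gap: the receiver can log it and the business side can decide what to do, but nothing flows back across the diode to ask for it again. Raising `repeat`, or replacing plain repetition with forward error correction, is the only lever the control side has.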
Re:Why mention Nuclear? (Score:1, Informative)