Staged Hack Causes Generator to Self-Destruct

An anonymous reader writes "It has been revealed that in a U.S. Department of Homeland Security exercise codenamed 'Aurora' conducted in March of this year, researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator. 'Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment. And the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have made the fix. Industry experts also said the experiment shows large electric systems are vulnerable in ways not previously demonstrated.'"
  • by arabagast ( 462679 ) on Thursday September 27, 2007 @08:50AM (#20767091) Homepage
    because the automation system controlling the infrastructure is not connected to a public network, like say, the internet - right ?
    If it is, then someone should probably do some quick patching asap.
  • by drgonzo59 ( 747139 ) on Thursday September 27, 2007 @08:56AM (#20767155)
    You see they want remote control and monitoring but they also don't want to be on the Internet. They would have to build their own network, unless they are NSA, FBI or AT&T they cannot do that easily. Even then, once there is any remote control, the attacker doesn't have to jump over the fence of the power station, they have a choice to break one window of the building where the point of remote control is.
  • by brucmack ( 572780 ) on Thursday September 27, 2007 @09:03AM (#20767247)
    I don't understand why Nuclear power needed to be singled out. The electrical generators are pretty similar regardless of the fuel source. And if it blows up, it's not going to take the nuclear reactor / coal furnace / (insert steam source here) with it, since they tend to be very well separated from each other.
  • by Rosco P. Coltrane ( 209368 ) on Thursday September 27, 2007 @09:07AM (#20767285)
    because the automation system controlling the infrastructure is not connected to a public network, like say, the internet - right ?

    You know, the internet isn't the only network out there. The telephone system is another, with wetware acting as clients and servers. For example:

    JOE (technician): *rrring*.. hello?
    JACK (mischievous social engineer): Hey Joe, this is Terry at central control
    JOE: Hi Terry, what can I do for you?
    JACK: I need you to offset the timing on the third generator coil by 20% please.
    JOE: Uh? 20%? That sounds dangerous.
    JACK: It's urgent! the power-grid is not stable, if you don't do this, we'll have New York in the dark!
    JOE: erh.. I really need to talk to my supervisor for this. Who did you say you were?
    JACK: I've already talked to your supervisor. John's gonna be really pissed off if you don't do this!
    JOE: Well ok then. Here goes...
    **KABOOM**

    See? no need for any internet, wetware can be hacked too.
  • by LehiNephi ( 695428 ) on Thursday September 27, 2007 @09:14AM (#20767353) Journal
    There's one problem with that: in today's world, data has to flow back to headquarters. Take an oil production facility for example. The plant has to send back a daily report detailing exactly how much gas/oil/water/CO2/H2S/sand/whatever is produced. Gas turbines send data back to the manufacturer for performance evaluation, maintenance scheduling, and troubleshooting. Yes, someone could do it manually, but there are myriad other functions that require network connectivity beyond the control system.
  • by bracktra ( 712808 ) on Thursday September 27, 2007 @09:14AM (#20767355)

    "Fast and resolute mitigating action is needed to avoid a national disaster," the letter said. But five years later, there is no such program. Federal spending on electronic security is projected to increase slightly in the coming fiscal year, but spending in the Department of Homeland Security is projected to decrease to less than $100 million, with only $12 million spent to secure power control systems.
    1. Stage PR stunt about an impending 'emergency!!!'.
    2. Complain about lack of funding to solve desperate hole in our nation's security.
    3. ???
    4. Profit!
  • by ExE122 ( 954104 ) * on Thursday September 27, 2007 @09:39AM (#20767661) Homepage Journal
    These posts are getting ridiculous. Too many people are saying "why don't they just disconnect it from the network?" and getting modded as "insightful".

    It's NOT that simple! If they are connected to the network, there is probably a very good reason for it, and not just cause some engineer wants to check his email and download pr0n while listening to the generators hum.

    These generators more than likely are controlled by self-optimizing systems based on a variety of data that is collected. If they're providing power to various remote sites, they need the internet for gathering data from those sites.

    The internet is more than just a public free-for-all, it is the communication medium for many business/mission-critical systems (see LehiNephi's response above). They really just need to have the right security in place to keep it safe.

  • by xfmr_expert ( 853170 ) on Thursday September 27, 2007 @09:42AM (#20767701)
    There are easier ways to damage the bulk power grid (or local transmission). Pick up a rifle at your nearest sporting goods store. Go to your nearest transmission substation (or even large generating plant). Take a shot at the porcelain on one of the transformer bushings. Kablam! You just removed a few hundred MW (or perhaps more) of generating capacity or transfer capability and caused millions of dollars in damage. If it's a generating station, the cost of lost revenue could drive the total to 70 or 80 million. Actually, I have seen bushings with bullet holes. Obviously not that common, or something would be done about it, but it does happen. It won't always cause an immediate and catastrophic failure, but it certainly can. Especially if one keeps trying... The bigger danger to this nation's power grid is lack of investment and a severe brain drain in engineering personnel.
  • by Anonymous Coward on Thursday September 27, 2007 @09:47AM (#20767747)
    The parent post is profoundly ignorant of how a modern nuclear reactor works.
  • by trybywrench ( 584843 ) on Thursday September 27, 2007 @10:07AM (#20768047)
    Looks like a thrown rod, maybe they somehow cut off the supply of oil? I don't think the oil pump is usually under any kind of computer control though. ...maybe they over-revved the engine and blew a piston that way. Keep the tach red-lined long enough and something bad will happen. I don't know about a backfire, wouldn't a backfire cause a stall in the worst case? It looks like something mechanical broke inside the engine (that shudder) and then it slowly ground to a halt.
  • by makapuf ( 412290 ) * on Thursday September 27, 2007 @10:13AM (#20768141)
    s/the internet/a private wan

    why do you need internet (the public one, with no QoS) to have remote access from one point (data collecting / stat computer) to the power plant ?

    Yes, the data have to be collected from somewhere, but why not make a private WAN (or a VPN if best-effort QoS is OK for you) for this ? It's not about playing WoW with your neighbour, it's about remote controlling a nuclear core, so maybe it would make sense.

  • by nels_tomlinson ( 106413 ) on Thursday September 27, 2007 @10:24AM (#20768321) Homepage
    If they are connected to the network, there is probably a very good reason for it...

    Laziness? Insanely stupid cost cutting?

    Yes, the components of the system need to get data back to the dispatcher, and receive instructions in return. No, that doesn't require the internet. You can use a modem on a leased line. Yes, it really is possible to send and receive data without the intarweb.

    The internet is a cheap, insecure way to accomplish what should be done on an expensive, secure, private network.

  • Money (Score:3, Insightful)

    by Detritus ( 11846 ) on Thursday September 27, 2007 @10:27AM (#20768365) Homepage
    As I've said before, it's all about money. There are almost irresistible forces that lead organizations to connect control systems to the Internet. An isolated private internet is extremely expensive and difficult to maintain. It's so much easier, cheaper, and tempting, to plug that cable into the public internet, perhaps with a crappy firewall to provide an illusion of security. Even if an engineer is willing to stick his neck out and say that it's an unacceptable security risk, he isn't being a team player and will be overruled by someone higher up the food chain.
  • by lluBdeR ( 466879 ) on Thursday September 27, 2007 @10:40AM (#20768515) Homepage
    True, but after thinking about how a reactor works, he might have an unintended point: You could have some fun dropping all the control rods. It only takes a few seconds for a modern reactor to scram, but they take hours to get going again. Not destructive, but certainly a nuisance.
  • by arminw ( 717974 ) on Thursday September 27, 2007 @10:46AM (#20768589)
    .....has to communicate .....

    Really, has to? Electric systems have been around since the days of Edison and worked just fine without networks, specifically the Internet. Sacrificing security for convenience is a bad idea that Microsoft has amply demonstrated. Why can a power plant not be controlled locally, by a human operator, like they were in the past. Remote reading is a lot different than remote control. Much of this remote control pressure comes from bean counters in management. They want to eliminate the cost of hiring workers wherever possible.

    Normally, each generator, transformer and other equipment has safety devices that shut the machine down BEFORE any damage happens. Whatever happened to those? Do they depend on computers for that safety function now, that a simple relay or circuit breaker used to provide? If the setup in that experiment corresponds to the way power systems are run today, perhaps it's time to take a step into the past.
  • by Hatta ( 162192 ) on Thursday September 27, 2007 @11:25AM (#20769141) Journal
    The control system has to communicate with the "business" network (for record-keeping, among other reasons)

    Use Sneakernet, not Ethernet.
  • by Anonymous Coward on Thursday September 27, 2007 @11:30AM (#20769207)

    ...there is probably a very good reason for it...

    ...more than likely are controlled by self-optimizing systems...

    ...they need the internet for gathering data...
    [Citation Needed]

    I can't believe that was modded insightful.
  • It is mostly bunk (Score:5, Insightful)

    by anorlunda ( 311253 ) on Thursday September 27, 2007 @11:49AM (#20769497) Homepage
    There is no such thing as an "operating cycle" to change for a generator.

    The generator pictured in the video is not the kind used in large power plants. It appears to be a diesel generator similar to the kind that is used for backup power in many buildings. Backup generators are typically 1 MW or less, whereas big power plant generators are 1000 MW or more. It is like comparing an RC-controlled model airplane with a 747. Besides being bigger, the 747 and the power plant will have much more elaborate systems to protect things from damage and destruction caused by malfunctioning equipment and/or misbehaving control systems. When there are billions of dollars and/or human lives at stake, one invests more in safeguards such as electromechanical relays, breakers and other non-digital gadgets.

    The thing that could cause the generator to jump and destroy itself like in the video is to attempt to synchronize it with the grid out of phase or at the wrong speed. Another post in this thread, "This has happened before computer controls" by Maximum Prophet hit on the correct answer. In small, unattended, backup generators synchronization may be automated by computer, but in large power plants nobody trusts the computer enough to allow this critical operation to be automated. It is still typically done by hand with the aid of old fashioned non-digital equipment. Even if one did mis-synchronize a generator (and it does happen) other protective devices shut things down quickly to limit the scope of damage. And yes, mis-synchronization does happen in real life every once in a while, usually in a brand new installation and usually because the instruments are wired up wrong. The result can be damage sometimes, but I never heard of it destroying a whole plant.

    That is not to say that cyberwar is not a threat, nor to say that it is not good policy to isolate all critical control computers from the net. Again, it's a matter of money. If you are running a $5 billion power plant, your budget is big enough to hire real people to come and maintain systems rather than using remote diagnostics. Or, if you do want remote diagnostics, you can afford to use leased private lines rather than the internet. Power plants and the power grid can afford gold standard security and they should be required to do it. I don't oppose the security thrust, but I do oppose the hyped up scare tactics designed to panic us into unwise government spending.

    I spent most of my life modeling power plants and their control systems to build operator training simulators. As part of training, we inject myriads of simulated malfunctions. As part of debugging of the models, we get to see just about every detail of the plant and its control and its safeguards working incorrectly before we debug them and make them correct. That gave me and others experiences up to our chinny chin chins about what can go wrong and what the consequences might be.

    I'm afraid that what this is about is another naked grab for government money and using scare tactics to get it. Mr. Joe Weiss in the video works for EPRI. He, and the government committee on critical infrastructure protection, were both singing the song in 1999 that no matter what Y2K bugs might exist, they couldn't do any real harm. Get it? Not that the Y2K bugs didn't exist or would be fixed (as proved to be the case) but that they couldn't do any substantial harm no matter what. Now these same people are saying that a few hacks can cause widespread and catastrophic damage. One cannot argue both sides of this issue and keep credibility. If a control system misbehaves, it matters not whether the problem is inadvertent or malevolent. Yet these people pooh-pooh the risk of inadvertent bugs while hyping the danger of malevolent ones. It's bunk.

    EPRI wants $100 billion to automate everything in the power grid as a massive research project. Next they'll want another $250 billion to secure it from cyberwar threats. DOE wants a national DOE control center for the
  • by maz2331 ( 1104901 ) on Thursday September 27, 2007 @11:54AM (#20769561)
    Whatever the reasons given for connecting any critical infrastructure to the public Internet, it is far too risky of a proposition to seriously consider it. They absolutely should be using private WANs, preferably encrypted eight ways to Sunday.

    There is absolutely no excuse whatsoever for making this equipment accessible from the public Internet. None. Zero. Zilch.

    Frame Relay T1 lines are cheap nowadays, and they should be using them.
  • by evilviper ( 135110 ) on Thursday September 27, 2007 @12:31PM (#20770153) Journal

    They would have to build their own network, unless they are NSA, FBI or AT&T they cannot do that easily.

    What the hell is happening to /.? Has NOBODY here ever heard of a LEASED LINE?

    Call up Verizon or AT&T, tell them you want a T1 from point A to point B. You pay them a few dollars every month, and you have a direct, and fully-private connection from A to B.

    Public networks aren't the only way to communicate.
  • by Anonymous Coward on Thursday September 27, 2007 @01:59PM (#20771423)
    Industry insider here. Here's a little something that'll make your day, slashbot #513215:

    The "fight club" theory is exactly right.
    Industry and utilities are more or less entirely Windows based, and normally use whatever programming skills their existing engineers possess.

    The reason you don't see a lot of "accident x caused by Windows update" or "loss y caused by buggy VB program" is that:
    a) Most everything "critical" to human or machine safety and security is protected by "dumb" failsafes and interlocks close to the hardware (ie. overflow valves, motion stops, fuses).
    b) That's the cost of doing business "in the real world" to most people. They feel comfortable about a computer that only works 99.9% of the time; that's a nice mesoscopic reliability figure that isn't that much worse than many human or hardware factors.
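anorlunda's point that out-of-phase or off-speed synchronization is what can actually wreck a generator, and the insider's point that "dumb" interlocks close to the hardware are what keep control-system misbehaviour from becoming an accident, both come down to a permissive wired in series with the breaker close command. The model below is an added example and not code from any poster on this page; the voltage, slip and angle limits are illustrative assumptions, not values taken from any standard or from the thread.

```python
"""Sync-check permissive model (added example, not from the thread).

A breaker 'close' from the control system, however it was issued, only
reaches the breaker if the generator and the bus agree on voltage,
frequency and phase angle. Limits are illustrative assumptions.
"""
import math
from dataclasses import dataclass
from typing import List

# Assumed permissive limits (illustrative only, not from any standard).
MAX_VOLTAGE_DIFF_PU = 0.05   # per-unit voltage mismatch
MAX_SLIP_HZ = 0.10           # generator vs. bus frequency difference
MAX_PHASE_ANGLE_DEG = 10.0   # generator angle relative to bus


@dataclass
class Measurement:
    gen_voltage_pu: float
    bus_voltage_pu: float
    gen_freq_hz: float
    bus_freq_hz: float
    phase_angle_deg: float   # any range; wrapped before comparison


def phase_error_deg(angle_deg: float) -> float:
    """Smallest absolute angular separation, wrapped into [0, 180].

    Without the wrap, an angle reported as 350 degrees (really 10 degrees
    ahead of the bus) would block a perfectly good close, and -170 would
    look smaller than it is.
    """
    a = math.fmod(angle_deg, 360.0)
    if a < 0:
        a += 360.0
    return min(a, 360.0 - a)


def sync_check(m: Measurement) -> List[str]:
    """Return the violated conditions; an empty list permits the close."""
    blocked = []
    if abs(m.gen_voltage_pu - m.bus_voltage_pu) > MAX_VOLTAGE_DIFF_PU:
        blocked.append("voltage")
    if abs(m.gen_freq_hz - m.bus_freq_hz) > MAX_SLIP_HZ:
        blocked.append("slip")
    if phase_error_deg(m.phase_angle_deg) > MAX_PHASE_ANGLE_DEG:
        blocked.append("angle")
    return blocked


def breaker_close(m: Measurement, requested: bool) -> bool:
    """The permissive is in series with the command, not advisory to it."""
    return requested and not sync_check(m)
```

Feeding it a constructed request to close 120 degrees out of phase shows the point: the command is asserted, the permissive reports "angle", and the breaker stays open regardless of what the control system wanted.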
