Dotnaught writes to tell us InformationWeek is reporting that the CIA admitted today that recent power outages in multiple cities outside the United States are the result of cyberattacks. "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
Am I the only one that thinks thats a really stupid thing to do?
It takes only a single breach. The story mentioned it may be an inside job, which means somebody may have put a single little link between the two systems, breaking the separation.
Citing two Government Accountability Office reports on SCADA security, Paller said that people have been adding wireless and Windows to SCADA systems without really thinking about security. "They're gotten radically unsafe," he said.
Windows + wifi + scada + power_grid = fun_and_games
That's why they invented out-of-band management tools long, long ago. Given the nature of how the internet works, having a dial-up line to a management console (who then requires authentication) is much better for OOB management than using the Internet.
We are into lying, like, you know... BIG TIME! We also have secret wars, illegal financing, blackmail, brainwashing, manipulation of the press, assassination, extra-judicial surveillance, detention and punishment. What'd I leave out? Oh, yeah! "Harsh Interrogation". That's just "torture" between us. But I digress. The mainline business is lying - it's like the life-blood of the other operations.
Now trust us on this one: The Internet is extremely dangerous.
Wardialers are to OOB management as portscanners are to internet-connected management. ...
The same security concerns that apply to network management interfaces apply to OOB management interfaces.
These are excellent points. Given the number of responses, I don't know why you haven't been modded up already.
I've worked with all sorts of organizations who make access to their systems extra slow and tedious by requiring dialin. This is always explained as being for "security" reasons.
I don't think it's terribly different in power. Here, if you have central air, the power company asks you every month if they can install a gadget to let them turn your AC off whenever they feel like it, in "rolling blackout" fashion. They're not installing a dedicated line, which leaves either a signal over the powerline, or radio, either of which is likely to be VERY vulnerable.
It's been a looooong time since companies were interested in the best possible solution, these days when something like only making a 25% profit instead of a 27% profit can cause emotional investors to dump your stock, dropping the price, and causing your company a loss of net worth in the millions, they're mostly interested in just spending the least amount that they can.
mostly they use an out-of-bands, according to Bruce Parens they frequntly use RF signals over the powerlines!
It has historically operated over a primitive form of "BPL", analog or digital control signals transmitted over long-haul power lines, generally using a low-frequency signal. In Northern California, we can hear a RTTY signal around 137.5 KHz that might be SCADA leaking from power lines into the air, and the power companies have opposed the allocation of a ham frequency in that band becuase they claim
I thought the exact same thing. I'm no expert on power grids and how they're managed, but I think there are two possible reasons why their control systems were hooked up to the Internet:
1. There may be situations where the systems need to be remotely administered, and using the Internet is a much, much cheaper way to facilitate this than deploying a completely private network infrastructure just for this purpose, which probably isn't very practical (for both physical and financial reasons).
2. pr0n browsing.
Actually here in Australia, the power generation company (at least in my state) does have it's own control network. It used to be Copper, but a while back they replaced it with fibre. They ended up with so much excess bandwidth that they wholesale it to companies. I assume they have their fibres separated from everyone else's.
Option 2 may cut into their profits a bit though:P
I haven't read TFA yet, but an attack from the Internet should *never* happen to something as important as this.
Where I work, we have an In-Confidence network and some Protected stuff. Each level is ONLY allowed to connect to ONE level lower and then only via approved security mechanisms. So the In-Confidence can access the (Unclassified) Internet, but the Protected stuff can't talk to the Internet at all. Actually in our case we don't bother connecting the Protected stuff even to our In-Confidence network.
I would assume a power control system would be much higher security than In-Confidence (that's pretty low - any decent business should be at least that level in reality), and thus not allowed to talk to the Unclassified Internet.
This of course is for Government networks. The US power companies (as are most in Australia) are privately owned, so they don't have to worry about such trivial things as security rules.
On a side note, I'm constantly amazed at the expectation of vendors and PHBs that we will automatically open up our network so that some stray vendor can remotely debug their dodgy application. Yea sure, we'll let you in from your totally unknown network that has only knows what security holes and stuff going on inside it to access our server(s) with elevated privileges. Especially when everyone working in our IT department has gone through a security clearance, and they have whoever they snagged off the street.
Actually I've just had a look at TFA, and it doesn't have any sort of details on what / where (not USA) / when (well vaguely - recently) / why (profit ???) / how these attacks occurred.
On a side note, I'm constantly amazed at the expectation of vendors and PHBs that we will automatically open up our network so that some stray vendor can remotely debug their dodgy application.
My developers gave up on that a long time ago. Now, whenever the end user asks for live assistance, or in any one of a number of error conditions, we spawn off an ssh tunnel from the customer site to our mothership server, send the error/status report, and leave the thing open for three days.
Damn skippy. When I worked as a SCADA dev, we had one (1) machine connected to the internet, in a locked room. If you wanted to move something from there to a machine on the LAN, you did it by burning CDs, and the culture (rather than just the 'procedures') was genuinely against installing anything that wasn't absolutely necessary. Nobody outside of IT had admin access to their desktops.
That was our dev house procedures though. As you say, it all falls apart on the production systems. Once customers started using commodity Windows boxes, it was all over. We found one production box where the night watchman had hacksawed off the padlock on the back, opened it up and installed a sound card so that he could play games on it, presumably by plugging an optical drive in for the duration. It was pwoned by his warez and needed a brain wipe. Quis custodiet ipsos custodes?
Also, considering what was said at the bottom of the article, I have to say that I doubt the political nature of this announcement, Unless we think Windows is good here...
Paller said that people have been adding wireless and Windows to SCADA systems without really thinking about security. "They're gotten radically unsafe," he said.
Is there really any excuse of convenience that justifies connecting the nations major utilities to the internet?
At least if there is a firesale Justin Long and Bruce Willis will be there to save us. Coincidence that Mac Guy would be the one to save us? I think not.
I'm confused as to what you are asking, but it says in the article:
Paller said that Donahue presented him with a written statement that read, "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at le
I actually did skim the article, but I didn't see anything pertaining to when these attacks/outages happened or where (other than outside the US). Does anyone have an idea about what power outages they are refering to?
We had power outages here in Vancouver, various blocks went out... but it was reported in the media that it was due to the high winds... hmmm, strange that only a few random blocks downtown were affected?
LA has been getting them over the past few weeks pretty regularly. Entire sections of Hollywood down for several hours at a time (maybe a dozen blocks at a time), and then a couple days later it will be a section starting a few blocks away. Seems to have stopped a couple weeks ago (or was it last week?) But of course I can't tell, I haven't been driving up and down LA to check if it's still happening. But it seemed really weird and random, and the cops were not directing traffic right away (which sugges
Why are we hearing about this from the CIA, of all places? I thought counter-intelligence was the purview of the FBI, and signals intelligence the role of the NSA.
"[...] the government must have the ability to read all the information crossing the Internet in the United States in order to protect it from abuse."
Contrast this with a second Ars article from yesterday, where the US Federal Energy Regulation Commission has just approved new security regulations [arstechnica.com] for the organizations (mostly private) that run the US electrical grid. Rather than blaming evil foreign hackers, Ars reports that:
"FERC notes, in its usual bureaucratic style, that "poor vegetation management" has caused most of the problems relating to past regional blackouts."
This all just sounds like an excuse to install packet loggers everywhere.
(And it's not just the US authorities who want to lock down and control the Internet; the UK also recently indicated a desire to install censorship devices at the ISP level [theregister.co.uk]. Good luck with that.)
Why are we hearing about this from the CIA, of all places? I thought counter-intelligence was the purview of the FBI, and signals intelligence the role of the NSA.
The FBI has jurisdiction over intelligence matters inside the U.S. and occasionally involving U.S. citizens and property abroad. The CIA has jurisdiction over intelligence matters outside the U.S. So investigating induced power outages in foreign cities would be a CIA task.
I call BS on this one. I was in the US just two weeks ago. The airport was at security level 4 out of 5. I asked an officer what the threat was, and he told me that in the four years that he had been working there, the threat level had not budged from level 4. That means that there are effectively only two levels of threat: 4 and 5. This also means that the officers are authorized to perform 'checks' and other violations of the rights that I know Americans used to hold dear. This is a temporary situation, I understand, however the temporary situation has been in effect for over four years it seems!
I believe that the CIA 'admitting' that the power outages are attacks are a way to drum up public support for more 'checks' and ways to survey the public. If they were real attacks then I doubt the CIA would make that public. I also doubt that the CIA would be the agency to do make that public. I don't subscribe to the many conspiracy theories that populate Reddit, but from the little that I did see in the US in the three days that I was there, things have changed since 1999 (last time I was there). People are now scared. People _want_ their government to invade their lives. That is scary. I was thinking of Winston Smith the whole time.
This information was released at a major security conference. If they wanted to just scare everyone they would have released this info more directly to the public rather than at a meeting of specialists who could see through a line of BS. And if they were really going for the fear factor they'd leak this on a monday or tuesday morning, not at 6pm on the friday before a long weekend. It sounds to me like they want to diminish any possible panic, not amp it up. Notice they're not blaming terrorists or enemies either; the strong implication is organized crime with some kind of inside connections. I tend to be pretty skeptical of CIA but based on the little info that is here I'm guessing they're not making this up, and they probably are hoping that letting people know who are responsible for computer security at more localized levels will make it more likely for them to trace the perps.
That's ridiculous. Power and services don't just suddenly cu
At least when they do cut out, the residual power left in the system enables you to submit your incomplete slashdot message posting. What an age to be alive!
Presuming that InformationWeek had their typical lame coverage here, a quick search found a much better article about this at Forbes [forbes.com] (they even know to ask Bruce Schneier about it!) where they link to a nice background article [forbes.com] about these SCADA systems.
And it is often caused by the fact that many control systems today depends on operating system from the same vendor as all other machines, namely Microsoft. In one way it's useful to have the machines on the net. This because it's cheap and easy to get a DSL line to the remote unmanned locations. The problem is that even if you do a VPN connection there is still a risk that the firewalls can be penetrated. (misconfiguration etc.)
There is always a balance between cost and protection and it's easy to cut back the costs, since the risks are very hard to weigh. Many companies calculates with a certain amount of downtime caused by "unforseen" events. What's in this category also depends on the amount of money put into the security bag. They are just comparing the agreements with their customers and the cost for protection and are figuring out that "OK, we can allow to have a day or more downtime without violating our customer agreements".
It's all about money, but sometimes you may think that there are people as mean as Marwin Meathead [hermanhedning.com].
The cyber-attacks were the result of cyber-intrusions conducted by cyber-hacker cyber-criminals intent on causing cyber-damage. When caught they will be elligable for cyber-representation by cyber-lawyers for cyber-prosecution. Unfortunately said attorneys will be unable to practice cyberlaw due to the cyber-trademark registered by cyber-lawyer Eric Menhart.
That is the governments fault, not the fault of blackwater (as an organization). It's up the government if they should be prosecuted, but instead they spirited out of the country, by the government.
They basically have a free pass. Hold them to the exact same laws that our military personnel are held to. See how fast they shape up.
Aside from that, I do believe that utilities should be privately controlled.
Republic means that it's not led by a hereditary monarch — as opposed to a monarchy where there is a hereditary monarch.
Democracy means that the people of the country either make the laws and the government decisions, or elect representatives who make the laws and the government decisions — as opposed to a dicta
Why are systems like this hooked onto the internet (Score:5, Insightful)
Re:Why are systems like this hooked onto the inter (Score:4, Insightful)
It takes only a single breach. The story mentioned it may be an inside job, which means somebody may have put a single little link between the two systems, breaking the separation.
Parent
Re:Why are systems like this hooked onto the inter (Score:3, Interesting)
I really liked the last paragraph in the article:
Windows + wifi + scada + power_grid = fun_and_games
Re:Why are systems like this hooked onto the inter (Score:5, Informative)
Given the nature of how the internet works, having a dial-up line to a management console (who then requires authentication) is much better for OOB management than using the Internet.
Parent
Re: (Score:3, Funny)
HI! We are the US's Profesional Lying Team! (Score:3, Interesting)
We also have secret wars, illegal financing, blackmail, brainwashing, manipulation of the press, assassination, extra-judicial surveillance, detention and punishment. What'd I leave out? Oh, yeah! "Harsh Interrogation". That's just "torture" between us. But I digress. The mainline business is lying - it's like the life-blood of the other operations.
Now trust us on this one: The Internet is extremely dangerous.
Really. You'll have to get on board with us o
OOB management isn't a panacea (Score:4, Informative)
Parent
Re: (Score:3, Informative)
The same security concerns that apply to network management interfaces apply to OOB management interfaces.
These are excellent points. Given the number of responses, I don't know why you haven't been modded up already.
I've worked with all sorts of organizations who make access to their systems extra slow and tedious by requiring dialin. This is always explained as being for "security" reasons.
Um, no. All the
Re:OOB management isn't a panacea (Score:4, Interesting)
It's been a looooong time since companies were interested in the best possible solution, these days when something like only making a 25% profit instead of a 27% profit can cause emotional investors to dump your stock, dropping the price, and causing your company a loss of net worth in the millions, they're mostly interested in just spending the least amount that they can.
Parent
Re: (Score:3, Interesting)
Re:Why are systems like this hooked onto the inter (Score:5, Interesting)
1. There may be situations where the systems need to be remotely administered, and using the Internet is a much, much cheaper way to facilitate this than deploying a completely private network infrastructure just for this purpose, which probably isn't very practical (for both physical and financial reasons).
2. pr0n browsing.
Option 2 may cut into their profits a bit though
I haven't read TFA yet, but an attack from the Internet should *never* happen to something as important as this.
Where I work, we have an In-Confidence network and some Protected stuff. Each level is ONLY allowed to connect to ONE level lower and then only via approved security mechanisms. So the In-Confidence can access the (Unclassified) Internet, but the Protected stuff can't talk to the Internet at all. Actually in our case we don't bother connecting the Protected stuff even to our In-Confidence network.
I would assume a power control system would be much higher security than In-Confidence (that's pretty low - any decent business should be at least that level in reality), and thus not allowed to talk to the Unclassified Internet.
This of course is for Government networks. The US power companies (as are most in Australia) are privately owned, so they don't have to worry about such trivial things as security rules.
On a side note, I'm constantly amazed at the expectation of vendors and PHBs that we will automatically open up our network so that some stray vendor can remotely debug their dodgy application. Yea sure, we'll let you in from your totally unknown network that has only knows what security holes and stuff going on inside it to access our server(s) with elevated privileges. Especially when everyone working in our IT department has gone through a security clearance, and they have whoever they snagged off the street.
Actually I've just had a look at TFA, and it doesn't have any sort of details on what / where (not USA) / when (well vaguely - recently) / why (profit ???) / how these attacks occurred.
Parent
Re: (Score:3, Interesting)
My developers gave up on that a long time ago. Now, whenever the end user asks for live assistance, or in any one of a number of error conditions, we spawn off an ssh tunnel from the customer site to our mothership server, send the error/status report, and leave the thing open for three days.
Yeah, we snag custome
willful negligence vs gross negligence (Score:5, Funny)
And if MS Windows is involved, then it escalates to willful negligence.
Parent
Re:Why are systems like this hooked onto the inter (Score:4, Informative)
Damn skippy. When I worked as a SCADA dev, we had one (1) machine connected to the internet, in a locked room. If you wanted to move something from there to a machine on the LAN, you did it by burning CDs, and the culture (rather than just the 'procedures') was genuinely against installing anything that wasn't absolutely necessary. Nobody outside of IT had admin access to their desktops.
That was our dev house procedures though. As you say, it all falls apart on the production systems. Once customers started using commodity Windows boxes, it was all over. We found one production box where the night watchman had hacksawed off the padlock on the back, opened it up and installed a sound card so that he could play games on it, presumably by plugging an optical drive in for the duration. It was pwoned by his warez and needed a brain wipe. Quis custodiet ipsos custodes?
Parent
Just in time... (Score:3, Informative)
Re:Just in time... not how you think (Score:3, Interesting)
Re: (Score:2)
i smell... (Score:2, Insightful)
Die Hard 4.0 (Score:4, Funny)
At least if there is a firesale Justin Long and Bruce Willis will be there to save us. Coincidence that Mac Guy would be the one to save us? I think not.
Re: (Score:2)
Re: (Score:2)
Where and When? (Score:4, Interesting)
Re: (Score:3, Interesting)
Los Angeles (Score:3, Insightful)
Re:Where and When? (Score:4, Funny)
Parent
Why not use air-gap firewalls? (Score:3, Insightful)
Where does this idea that every computer that exists must be plugged into the net come from?
Re: (Score:3, Interesting)
Microsoft, Linksys, Google, Yahoo
Something smells. (Score:5, Interesting)
Now add the fact that the US Director of National Intelligence has indicated that he wants to obtain the ability to monitor all Internet traffic data [arstechnica.com]:
Contrast this with a second Ars article from yesterday, where the US Federal Energy Regulation Commission has just approved new security regulations [arstechnica.com] for the organizations (mostly private) that run the US electrical grid. Rather than blaming evil foreign hackers, Ars reports that:
This all just sounds like an excuse to install packet loggers everywhere.
(And it's not just the US authorities who want to lock down and control the Internet; the UK also recently indicated a desire to install censorship devices at the ISP level [theregister.co.uk]. Good luck with that.)
Re: (Score:3, Informative)
We don't have TIME!!! (Score:4, Funny)
Re:We don't have TIME!!! (Score:4, Funny)
Parent
This is really serious! (Score:3, Insightful)
BS (Score:4, Interesting)
I don't think so (Score:5, Interesting)
Parent
Re: (Score:3, Funny)
Thinking of unpersons is doubleplusungood.
Pfffft (Score:5, Funny)
Re:Pfffft (Score:4, Funny)
At least when they do cut out, the residual power left in the system enables you to submit your incomplete slashdot message posting. What an age to be alive!
Parent
errrr (Score:2)
Better news report (Score:5, Informative)
This is a real risk (Score:3, Interesting)
There is always a balance between cost and protection and it's easy to cut back the costs, since the risks are very hard to weigh. Many companies calculates with a certain amount of downtime caused by "unforseen" events. What's in this category also depends on the amount of money put into the security bag. They are just comparing the agreements with their customers and the cost for protection and are figuring out that "OK, we can allow to have a day or more downtime without violating our customer agreements".
It's all about money, but sometimes you may think that there are people as mean as Marwin Meathead [hermanhedning.com].
What really happened: (Score:3, Funny)
Cyber-lame.
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2)
They basically have a free pass. Hold them to the exact same laws that our military personnel are held to. See how fast they shape up.
Aside from that, I do believe that utilities should be privately controlled.
Re:15% solution (Score:5, Insightful)
Parent
Re: (Score:3, Informative)
But it's also a democracy [wikipedia.org], as opposed to a dictatorship [wikipedia.org].
More precisely, it's a representative democracy [wikipedia.org], as opposed to a direct democracy [wikipedia.org].
Republic means that it's not led by a hereditary monarch — as opposed to a monarchy where there is a hereditary monarch.
Democracy means that the people of the country either make the laws and the government decisions, or elect representatives who make the laws and the government decisions — as opposed to a dicta
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Re:TFA is leaving out the most important informati (Score:5, Informative)
Parent