CIA Claims Cyber Attackers Blacked Out Cities

Dotnaught writes to tell us InformationWeek is reporting that the CIA admitted today that recent power outages in multiple cities outside the United States are the result of cyberattacks. "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

Just in time...

[subl33t]

... for US Federal elections. Coincidence?

Re:Why are systems like this hooked onto the inter

[Asmodai]

That's why they invented out-of-band management tools long, long ago.
Given the nature of how the internet works, having a dial-up line to a management console (who then requires authentication) is much better for OOB management than using the Internet.

OOB management isn't a panacea

[sshore]

Wardialers are to OOB management as portscanners are to internet-connected management.

Better news report

[greg1104]

Presuming that InformationWeek had their typical lame coverage here, a quick search found a much better article about this at Forbes [forbes.com] (they even know to ask Bruce Schneier about it!) where they link to a nice background article [forbes.com] about these SCADA systems.

Re:TFA is leaving out the most important informati

[Wolfier]

From some articles it seems that the affected cities are from Central and South America, including some in Mexico.

Re:Something smells.

[Solandri]

Why are we hearing about this from the CIA, of all places? I thought counter-intelligence was the purview of the FBI, and signals intelligence the role of the NSA.

The FBI has jurisdiction over intelligence matters inside the U.S. and occasionally involving U.S. citizens and property abroad. The CIA has jurisdiction over intelligence matters outside the U.S. So investigating induced power outages in foreign cities would be a CIA task.

Re:New cyber baddies!

[jimrob]

I hope you realize that we didn't actually vote in Bush, ever. Period, end of story. Both elections were stolen. Thanks.

Gore and Kerry lost. Get over it. Typical Democrat whining - don't take fault for your shortcomings (i.e., poor choices in presidential candidates), but rather scream "UNFAIR!" and try to change the system to your advantage.

I'm not saying Bush is a great guy (I'm not fond of him at all), but he won. Get used to it. Quit making up excuses, and get over your egotistical Democrat mindset of "if we don't win, the other side cheated."

The people aren't even being allowed to know what they want. Freed of mandates (let's not forget Bush's tax cut of up to $100,000 for buying a SUV... if you're a qualifying business owner) the auto company is free to market whatever they like. People pretty much buy what they're sold, it's sad but true.

The whole reason the American auto industry is failing is because they CAN'T market what they want. They're forced to manufacture anemic go-karts with expensive technology out the tailpipe that total out in the most minor of accidents. Americans don't want cars like that, but environmentalists keep cramming them down our throats.

I know exactly what kind of car I want. Something simple, easy to work on, and devoid of computer control. I can't get that because of GOVERNMENT IMPOSED ENVIRONMENTAL REGULATIONS enacted by DEMOCRATS that REQUIRE extremely complex (compared to prior technology) design and technology.

More Democrat egotism. "The people would agree with us and buy hybrids if only those damned Republicans and big businesses didn't get in their way! It's not at all possible that they don't want them. We know they do, it's what we want!"

So if you want to blame us for something, blame us for being placid and/or stupid. But honestly, Bush wasn't our fault (not Jr. anyway) and we want to buy vehicles which are more environmentally conscious. Some of us would even like to give them up entirely in favor of golf carts and public transportation, but I admit we're in the minority.

We, we, we. You guys just have your finger on the pulse of everything, don't you? Nobody disagrees with you, nobody has differing opinions.

I wouldn't give up my car for a golf cart. I wouldn't take a bus somewhere if you held a gun to my head. (Sit next to a bum soaked in urine while I wonder what that sticky stuff on the seat is? No thanks!) I don't want to fly down the interstate in a souped-up Rascal [rascalscooters.com].

Bush was our fault. He won because of two reasons. First, people didn't like Al Gore. Second, people really didn't like John Kerry. But, being a Democrat, you can't believe your choices in candidates were inferior. Therefore, Bush cheated.

Re:Why are systems like this hooked onto the inter

[Rogerborg]

Damn skippy. When I worked as a SCADA dev, we had one (1) machine connected to the internet, in a locked room. If you wanted to move something from there to a machine on the LAN, you did it by burning CDs, and the culture (rather than just the 'procedures') was genuinely against installing anything that wasn't absolutely necessary. Nobody outside of IT had admin access to their desktops.

That was our dev house procedures though. As you say, it all falls apart on the production systems. Once customers started using commodity Windows boxes, it was all over. We found one production box where the night watchman had hacksawed off the padlock on the back, opened it up and installed a sound card so that he could play games on it, presumably by plugging an optical drive in for the duration. It was pwoned by his warez and needed a brain wipe. Quis custodiet ipsos custodes?

Re:15% solution

[QuickFox]

Sure it's a republic [wikipedia.org], as opposed to a monarchy [wikipedia.org].

But it's also a democracy [wikipedia.org], as opposed to a dictatorship [wikipedia.org].

More precisely, it's a representative democracy [wikipedia.org], as opposed to a direct democracy [wikipedia.org].

Republic means that it's not led by a hereditary monarch — as opposed to a monarchy where there is a hereditary monarch.

Democracy means that the people of the country either make the laws and the government decisions, or elect representatives who make the laws and the government decisions — as opposed to a dictatorship where the people have no say (or have practically no say).

Representative democracy means that you vote for representatives who make the laws and govern — as opposed to direct democracy where the people make the laws and/or govern.

It's abundantly clear that the US is a republic and a representative democracy.

It's a weak democracy, since it's a two-party system where it's mathematically extremely difficult for any but the two ruling parties to come to power, but that only makes it weak, it's still a democracy.

Why do some people get this weird illusion that republics are not democracies? Are you under the impression that Britain having a queen makes it more democratic than the US? Or do you give these words completely different meanings?

I find it unsettling and worrying that some people are so badly informed about something so very important. The school system must be terribly bad in your country.

DHS CyberWarfare table-top exercise

[Anonymous Coward]

This past week I participated in a CyberWarfare table-top exercise being run by DHS and the state government. Our state currently has no policies in place (nor do most other states) and this exercise was a starting point. I found the timing of this particular news item quite fascinating, in that respect.

I'll have to say, I came out with a lot more respect for our utilities after the exercise than when I went in. The utility sysadmin was sitting at the table with me, and his comments gave me every impression that he was quite competent. At least in our state, the SCADA systems are not hanging directly on the internet on upatched Win95 boxes, or anything even close. Nearly all of the SCADA is on private network, and the rest is on leased lines. All of their ICCP (The protocol different utilities use to trade information with each other - really the glue that holds the grid together.) is behind firewalls, and the guy appears to have a basic understanding of the security of all the guys he has to connect to with ICCP, as well as the inherent security aspects of ICCP, itself.

He did speak of visiting another utility, some time back. That utility had been advised to run their ICCP connections through a firewall, so they did. The ethernet cable came into a hole on one side of the firewall box, and that same cable came out through a hole on another side. There! The connection went through a firewall!

As for the table-top exercise, it was quite an interesting thing to participate in. I hope to see what results from having done it.

Re:OOB management isn't a panacea

[starfishsystems]

Wardialers are to OOB management as portscanners are to internet-connected management.
...
The same security concerns that apply to network management interfaces apply to OOB management interfaces.

These are excellent points. Given the number of responses, I don't know why you haven't been modded up already.

I've worked with all sorts of organizations who make access to their systems extra slow and tedious by requiring dialin. This is always explained as being for "security" reasons.

Um, no. All they're doing is substituting one physical layer of the network stack for another, neither of which have meaningfully secure access controls. Security, to the degree that it's addressed at all, would have to be done further up the stack. And that being the case, why again do we have to dial in?