Forgot your password?
typodupeerror
Security IT

Smart-Grid Control Software Maker Hacked 96

Posted by timothy
from the 21-scadoo dept.
tsu doh nimh writes "Telvent, a multinational company whose software and services are used to remotely administer and monitor large sections of the energy and gas industries, began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Brian Krebs reports that the attacker(s) installed malicious software and stole project files related to one of Telvent's core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced 'smart grid' technologies. A follow-up story from Wired.com got confirmation from Telvent, and includes speculation from experts that the 'project files' could be used to sabotage systems. 'Some project files contain the "recipe" for the operations of a customer, describing calculations and frequencies at which systems run or when they should be turned on or off. If you're going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation. Then you modify the project file and load it, and they're not running what they think they're running.'"
This discussion has been archived. No new comments can be posted.

Smart-Grid Control Software Maker Hacked

Comments Filter:
  • by Anonymous Coward on Thursday September 27, 2012 @05:03PM (#41483083)
    The attackers will produce a cascading failure in the electrical grid that brings down the entire North American power grid. A few additional well timed physical attacks, and we're back to the bronze age for the foreseeable future. Food stocks will quickly run down, as will supplies of petrol. The government will attempt to exert control, but without food and as the situation deteriorates, most of the soldiers will go AWOL to try to get home to help family. Soon, the dying begins. Roving bands of robbers gradually coalesce into gangs ruled by small time warlords, and eventually regional rulers who hoard the remaining food, fuel, and ammo. The few isolated people who planned ahead and who have escaped into their countryside shelters are systematically hunted down, plundered, and given the option to swear fealty to the new regime or be dispatched. Huge fires sweep through most large cities and pollute the atmosphere with soot. Winter soon sets in early due to the reduced sunlight penetrating the atmosphere, and is the harshest one in generations. Eventually, as the winter ends and spring sets in, over 75% of the population is either dead or close to it. Suddenly, armies of foreign soldiers appear at our shores, and before long all of the remaining Americans are conscripted and forced to farm the still fertile fields of America's breadbasket for meager rations, which is still better than starvation and death.
    • by localman57 (1340533) on Thursday September 27, 2012 @05:20PM (#41483227)

      The attackers will produce a cascading failure in the electrical grid that brings down the entire North American power grid.

      Frankly, I'm surprised we haven't had this happen already. It always blows my mind when there's some massive cascading power failure across mulitple states, and people are somehow relieved that it wasn't terrorism. Just a normal failure. How the fuck is a system that just collapses all by itself better than one that has to be pushed to collapse?

      It seems to me that instead of fucking around with underware bombs and shit, our enemies might get a lot better cost return with some iron spikes, aluminum wire, and some helium filled weather balloons. Giant transmission lines in the middle of the desert are virtually impossible to defend, and are already stressed to the breaking point when it's hot across the nation. All they need is a little push...no complicated cyber-hacker-shit required.

      • Have to be hydrogen. We have a helium shortage, remember?
      • "Frankly, I'm surprised we haven't had this happen already"

        It hasn't happened yet because believe it or not it is not that easy to do. The U.S. power grid is segmented into three zones with safeguards that prevent an outage in one zone from tripping a blackout in another zone and this makes causing a nation wide blackout extremely unlikely.

    • Dude - you should totally make that into a short story; 'twould be a good one.
    • by Columcille (88542) on Thursday September 27, 2012 @05:49PM (#41483445) Homepage
      And someone will make some lame tv show about the whole thing.
    • by Anonymous Coward

      I really have only two questions.

      1. Will raiding parties sent out by the regional rulers be stuck with muzzleloaders (except badass officers; badass officers always get teashades and autopistols)?

      2. Will cute-but-surprisingly-asskicking-and-unsurprisingly-obnoxious girls cut the buttstocks off crossbows to make one-handed, but implausibly imbalanced, weapons? And maybe lose the stirrup, too; that serves no useful purpose...

    • by chill (34294)

      Dan Brown, is that you?

    • Soon, the dying begins. Roving bands of robbers gradually coalesce into gangs ruled by small time warlords, and eventually regional rulers who hoard the remaining food, fuel, and ammo.

      Given a large enough and complete enough failure, 'soon' = 48-72 hours.
    • I know how this ends. Chunky (tm) soup warms you up and fills you up. and then Weatherbreak.

    • by Dr Max (1696200)
      That's a great story i really enjoyed it. If you want to know the scary truth, a couple of guys with rifles could take the major power stations offline a lot longer than hackers, by simply shooting the insulators on the phases coming out of power stations.
  • Sure hope not. I mean, does every goddamn thing need to be computerized?

    • by brianhaddock (2740749) on Thursday September 27, 2012 @05:12PM (#41483159)
      Lots of utilities are rolling them out right now and big companies who want to keep an eye on their usage patterns demand them. Remember when they used to hand read meters? The guy would open the gate, dodge your barking dog, and write down the meter reading in his little book. Then they moved some to radio transmitting meters where a utility truck simply drove down your street and recorded the readings that were transmitted from each meter. Now they have meters that communicate wirelessly and send the readings to the utility company in at intervals.
      • Smart meters are a lot less safety critical than the SCADA control systems. Networking smart meters makes a lot of sense. It's desirable to do it right, but if the billing is messed up, it can be corrected. The ability to change the operation of the system needs to very secure in comparison.
    • by Spy Handler (822350) on Thursday September 27, 2012 @05:13PM (#41483169) Homepage Journal

      Yes because computerizing stuff increases efficiency. Look under the hood of your car, all those chips and sensors are helping your engine make a lot more horsepower for the same amount of fuel than engines from 30 years ago. (Or, same amount of power for less fuel consumption)

      What we should really be asking is, does everything need to connect to the internet? And is enabling USB ports on critical systems so that workers can bring infected USB stick from home to bridge an air gap a good idea?

      • by Dunbal (464142) * on Thursday September 27, 2012 @05:23PM (#41483247)
        Tell me how efficient they are when the whole grid goes down.
    • Sure hope not. I mean, does every goddamn thing need to be computerized?

      Computers make things more efficient. Which means you can consume more for the same price. If it weren't for the computers, people would have to get by on less. And if there's one thing people hate more than computers, it's getting by on less. So you get what we got right here. Which is the way we want it. Well, we get it. And I don't like it any more than you men.

      • by TWX (665546) on Thursday September 27, 2012 @05:35PM (#41483329)
        Computers only make things more efficient when the systems architects know how to do their jobs effectively and don't rely on vendors and consultants to do it for them. It's not in the interests of vendors or consultants to save their customer money. It's in their interests to make as much money from the customer as practical, and that can mean everything from selling them equipment that's overspec to selling far more equipment than necessary to excessive costs for setup and configuration that are difficult to determine at the outset of the project.

        As problematic as our telephone system has been at times, at least from a bureaucracy standpoint, that Bell did basic research and development in-house and for a long time owned almost everything internally, advances were made and the system functioned very well. The Baby Bells have inherited this legacy, and the biggest cracks have only manifested as they've each independently implemented technologies post-Ma-Bell, like DSL.

        If you've had to work with vendors extensively you'd realize what a bane it can be to actually achieving, especially when non-technical persons have the ultimate decision in your organization.
        • X only make things more Y when the Z know how to do their jobs effectively

          That tend to be true for just about any professional combination of X,Y, and Z. Don't you think?

          I worked in the power industry while our state was in the throws of deregulation. I know what you're talking about. But this thread isn't about that. And Ma-Bell suffered from the same flaws that the power companies do. Security is not a primary issue to them. During the glory days you're talking about, you could phreak the phone system with a Captin Crunch whistle. That was the state of their security.

      • by Anonymous Coward

        There's a downside to smart meters though. It's known that old power meters tend to get increased drag as they age. So say you use 1200kw this month, the meter may read as if you had only used 1125kw or so (that might be a bit of a large gap for a lower power use, but you get the idea).

        So here's the trade off. Our power bill, three months ago was an actual reading, which was around 900kw or so (guessing). Two months ago was an Estimate, and it was listed as 1600kw. Then last month was another actual reading

        • by sumdumass (711423)

          On demand gas or propane is the best solution for a water heater. The smart grid turning your water heater off is problematic if you are not a 9-5er or had a couple of kids. I can easily run out of hot water on certain days because the damn thing is off and need to take a shower in the cold to save making the kids do the same. God forbid someone starts a load of laundry at the wrong time either.

          Well, when I say can, I meant before I change the heater out. Put in an on demand gas system and never run out of

        • by tlhIngan (30335)

          There's a downside to smart meters though. It's known that old power meters tend to get increased drag as they age. So say you use 1200kw this month, the meter may read as if you had only used 1125kw or so (that might be a bit of a large gap for a lower power use, but you get the idea).

          True, because it's mechanical and subject ot all sorts of enviornmental conditions of cold and heat, so they do read slower as they lose calibratoin. Though the power company does swap out meters on a regular basis - usually

    • by Mashiki (184564)

      They're mandatory in Ontario and as far as I know, the entire province has them installed, so this could get very interesting to say the least. Or until the meters are all updated, well I was always against them to begin with. Our hydro rates have done nothing but increase since they've been installed. Right on track for 22c/KWH by 2016 baby! [financialpost.com] Gotta love it.

    • by PPH (736903)

      One of the major overhead costs of your residential service is (was) reading your meter by having someone drive around in a car, jump out at every few houses and write down the readings.

      I guess utilities could offer an option to people who think they'll get hacked or the meters will make their junk fall off: Pay for a meter reader and they'll leave the old analog one on your house.

  • Smart GRID not METER (Score:1, Informative)

    by Anonymous Coward

    stop spamming the thread with crying about your smart meters, this is much much bigger than you

  • The main problem is that only the hackers that have not tried to hack their system, did not hack their systems. And the more terrifying truth is that there is not even one vendor with secure solution out-there. I am just amazed of how they even put the word "secure" in there product!!!!
  • by chill (34294) on Thursday September 27, 2012 @05:49PM (#41483447) Journal

    This is a good example of why the gov't is worried about cyber security for critical infrastructure. Just like there are minimum standards for building and fire safety there needs to be minimum standards for IT infrastructure security.

    • by kiwimate (458274)

      Err, not saying that I agree or disagree, but wasn't there a story on these hallowed pages [slashdot.org] yesterday saying exactly the opposite?

      • by chill (34294)

        Sort of. They were saying this isn't enough, claiming an "offensive" component is also needed.

        Keep in mind, it was penned by an ex-military guy who just joined a cyber security consulting firm. He's saying we need to change the laws to allow something like a digital version of Blackwater.

        It is like he read his first cyberpunk novels and thinks Shadowrun was a good idea for real life.

  • by guttentag (313541) on Thursday September 27, 2012 @05:49PM (#41483453) Journal

    ...investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain... and they're not running what they think they're running.

    Sounds like they need a modern-day Inigo Montoya to do their security: <SPANISH ACCENT>"You keep using that software, I do not think you're running what you think you are running."</SPANISH ACCENT> And if the worst happens, he can exact revenge: "Hello. My name is Inigo Montoya. You killed my power grid during a level 85 raid. Prepare to die."

  • That's right, keep banging on that war drum. While the leaders are making all the big noise and keeping everyone distracted, the governments and their military are already engaged in full-on, no-holds-barred combat.

    We took out 50% of Iran's nuclear capacity with nothing more than a USB stick loaded with Lady Gaga albums and porn.

    But at least Iran was smart enough to put an AIR GAP between their critical systems and the rest of the world. We had to rely on a human to use the Sneakernet to infect those cent

There is no opinion so absurd that some philosopher will not express it. -- Marcus Tullius Cicero, "Ad familiares"

Working...