Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Power United States

US Electricity Grid Reportedly Penetrated By Spies 328

phantomfive worries about a report in the Wall Street Journal ("Makes me want to move to the country and dig a well") that in recent years a number of cyber attacks against US infrastructure have been launched over the Internet: "Cyberspies have penetrated the US electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia, and other countries, these officials said, and were believed to be on a mission to navigate the US electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war."
This discussion has been archived. No new comments can be posted.

US Electricity Grid Reportedly Penetrated By Spies

Comments Filter:
  • Remember, folks... (Score:5, Insightful)

    by Anonymous Coward on Wednesday April 08, 2009 @04:07AM (#27500801)
    ...you must live in perpetual fear. Whenever you're starting to focus on the reality of life, new fear WILL be injected into it to distract you. This is how the natural order sustains itself.
    • by Thanshin ( 1188877 ) on Wednesday April 08, 2009 @05:18AM (#27501141)

      Whenever you're starting to focus on the reality of life, new fear WILL be injected into it to distract you.

      Oh god! I'm so afraid of the fear injecting big brother.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Wednesday April 08, 2009 @05:39AM (#27501237)
      Comment removed based on user account deletion
    • by HangingChad ( 677530 ) on Wednesday April 08, 2009 @07:45AM (#27501809) Homepage

      In this case the parent is quite accurate. The truth is our electrical grid security has been dismal for decades. Hackers infiltrating control systems is only the latest discovery. If a foreign government wanted to sabotage our electrical grid it would be shockingly easy to do. 5 to 10 people working together with a few resources could black out the entire west coast for weeks if not months.

      Okay, so now they can disrupt control systems from the comfort of their data center. Whoopy do. Yes, fix the data security, but spend the money to make the needed improvements to physical security and redundant infrastructure. Our grid is routinely stretched to the breaking point. There's very little extra capacity. I think of people realized how vulnerable our electrical grid really is, they'd be terrified. The fact electricity is so reliable we take it for granted is testimony to the quality of the people working in the field.

      Imagine living in L.A. or San Francisco with no electricity for a week.

    • Re: (Score:3, Interesting)

      by furby076 ( 1461805 )
      You know, it's not fear mongering or paranoia if someone *IS* actually trying to get you. You don't think there are elements in Russia, China, Iraq, Iran, Afghanistan, North Korea and some other choice countries who are attempting to get us? You don't think any of them are in gov't and planning just in case? You don't think someone in China says "hmm we might fight America one day so lets hedge our bets. If we don't fight we don't activate the code, if we do fight BAM we got em".

      So your statement should
  • Big surprise (Score:2, Insightful)

    by cdgeorge ( 775179 )
    I'm sure China and Russia are having the same kind of problem.
    • Re:Big surprise (Score:5, Insightful)

      by AigariusDebian ( 721386 ) <aigarius&debian,org> on Wednesday April 08, 2009 @04:56AM (#27501051) Homepage

      Nope, electrical grid computers in exUSSR region do not even have the theoretical capacity to be connected to the public Internet. I am amazed there is an actual data linkage between the public Internet and the computers even remotely related to the power control functionality.

      • how else is a power station operator on a remote plant supposed to work? You don't expect them to go to the plant if it is hours away from anything. Stay at the plant, away from families? Forget it. operators telecommute too!

        People always say these things aren't connected to the internet and there are supposed to be seperate control and communication and PC networks but I bet few plants actually have that. Maybe super critical ones like nuclear, but your average small hydro or peaking gas plant...

        Time, Bud

        • And don't forget fools with laptops who leave their wi-fi on when they are connected to the internal network, and fools who install 'PCAnywhere' on their desktop hooked to their desktop, and the spread of the littls 3G modems and VPN's so people can work on the train. Couple this with really, really stupid behavior like unlocked SSH keys in NFS shared home directories, or Subversion and CVS storing passwords in clear text in people's home directories on NFS servers, and you have a disaster begging to happen

        • Re:Big surprise (Score:4, Informative)

          by SirGeek ( 120712 ) <sirgeek-slashdot ... inus threevowels> on Wednesday April 08, 2009 @07:08AM (#27501539) Homepage

          how else is a power station operator on a remote plant supposed to work? You don't expect them to go to the plant if it is hours away from anything. Stay at the plant, away from families? Forget it. operators telecommute too!

          Do you REALLY think that a "properly" run allows "any" connections to their control units or SCADA systems ? I don't think so. I'm pretty sure that they have people there 24/7 to handle any type of contingencies.

          People always say these things aren't connected to the internet and there are supposed to be seperate control and communication and PC networks but I bet few plants actually have that. Maybe super critical ones like nuclear, but your average small hydro or peaking gas plant...

          They aren't the "power grid", they are power stations. The "power grid" are the master control centers (Like NYISO, CalISO, Midwest ISO, PJM, etc) and the local control centers. There are FERC [ferc.org] requirements for how THEY must be configured/setup (like the control room's network must be separated from the rest of the companies network, etc).

          Time, Budget, the need to get that sensor or remote control connected to something, anything, whatever is near by so we can talk to it *now* and then the temporary fix becomes permanent

          Nope. Not likely. If anything it is a PRIVATE network managed by the local control center.

  • So once a while (Score:5, Insightful)

    by microbee ( 682094 ) on Wednesday April 08, 2009 @04:12AM (#27500835)

    "Some officials" come forward and warn about threats from China, Russia, Iran and North Korea. "Ya know, Sir, we need funding for enhancing national security, so please make sure you get your budget right."

    • Quite so... (Score:3, Interesting)

      by denzacar ( 181829 )

      From TFA:

      But protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week.
      Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget.
      The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more.
      A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage.

      Sounds a lot like someone is making up excuses and drumming up support to ask for more government money.

      • Re:Quite so... (Score:5, Informative)

        by gclef ( 96311 ) on Wednesday April 08, 2009 @05:59AM (#27501281)

        Close, they're drumming up support for S.773 and S.778. These bills are designed to give the executive the power to control the security of vital parts of the internet. If they can show that these vital parts of the net are compromised, and therefore risking America, they have an easy talking point when lobbying congress members.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Don't forget an easy way to shut down the internet when some whistleblower decides it's time to disseminate those files he has before the government removes him... Only instead of in the movies where he gets away with it, because the internet is 'free' and routes around damage. The whole damn thing suddenly goes dark because our glorious and incorruptable administrators decided it's 'better for all involved' this way.

  • Oh no... (Score:3, Funny)

    by Professeur Shadoko ( 230027 ) on Wednesday April 08, 2009 @04:13AM (#27500839)

    They must have the CIP module !

  • by onion2k ( 203094 ) on Wednesday April 08, 2009 @04:14AM (#27500847) Homepage

    former national-security officials

    Aren't these people just admitting that they were incompetent? That's refreshingly honest of them.

    • by Antique Geekmeister ( 740220 ) on Wednesday April 08, 2009 @06:30AM (#27501385)
      Not necessarily. I've been in the situation where security issues that I warned about, documented, and was refused resources or permission to secure were in fact used against my employer. The Morris Worm in 1988 was a particularly bad example: I had printouts of the management refusals to permit security updates in a locked cabinet to prevent tampering, and my goodness, was I glad I had those. I keep similar files to this day, as a matter of basic self-defense when layoffs are pending and managers are looking for things to blame on our technical people in order to fire them and avoid paying severance bundles.
  • Software programs? (Score:5, Insightful)

    by gzipped_tar ( 1151931 ) on Wednesday April 08, 2009 @04:16AM (#27500859) Journal
    I thought mission critical computers should not be reachable from the Internet. So the spies walked to those computers and planted the software there???
    • Re: (Score:3, Insightful)

      Maybe they got a job working on those systems. I have the internals of several major cities traffic signal systems in my head at the moment, and that is just what I was working on up to ten years ago.
      • Re: (Score:2, Interesting)

        Be careful if you live in the UK, this could be classed as material likely to be useful to a terrorist and get you arrested.

    • Duh! How do you outsource managing them to India or Whereverstan if they can't connect from there?

      Remember, today, nothing is as mission critical as it is cost critical...

    • I thought mission critical computers should not be reachable from the Internet. So the spies walked to those computers and planted the software there???

      that happens in the military, where there's a defined physical space between mission critical rigs, unconnected to the internet, and non mission critical rigs, and you must use physical media, "launder" it on a standalone computer, then transfer the data to the mission critical computers.

      I do think, tough, that in any event physical security built into the systems would block major damage; no sane engineer would avoid building that into the infrastructure. After all we do have circuit breakers at home, w

    • Re: (Score:2, Insightful)

      USB Keys in car parks used by personel?
  • While arpanet/the internet was originally designed for just these sorts of things, the modern reality is that critical infrastructure shouldn't really be attached to the internet. Shouldn't there be a private network entirely isolated from the public internet for these things?

    Yes it'd be more expensive and it make it less easy for private contractors to work on stuff from their offices, but the word 'critical' is a bit of a clue here.

    Not that even this would guarantee security, but it makes it a heap load h

    • by MichaelSmith ( 789609 ) on Wednesday April 08, 2009 @04:23AM (#27500895) Homepage Journal
      The systems I work on are typically airgapped, but there is a constant push from users for some access to the internet. A user might need to access meteorological information, and the simplest way is to go online to get the data. Another user might need to refer to work instructions on the corporate intranet, but the intranet gets you to the internet anyway. Like it or not, the internet is working its way into many types of work and many people are starting to expect it to be available.
      • by jolyonr ( 560227 ) on Wednesday April 08, 2009 @04:28AM (#27500905) Homepage

        Then I'd suggest they need two PCs.

        • by Anonymous Coward on Wednesday April 08, 2009 @05:01AM (#27501075)

          I actually do work with these exact systems. I have yet to install a system in a control room that had net access to the operator consoles or even the operational servers. These computers - yes, running Server 2003/8 or XP Pro - are patched to the latest and greatest before they leave our shop, but once on-site should never, ever, ever interact with the Internet.

          That being said, the PI data servers are designed to be a go-between for the internal secure network, and the rest of the world so the data logging can reach those who need it. Not only does the PI server have security protocols built in, but is required to be installed in a DMZ with full firewall protections, and in some cases a dedicated leased hard line to an off-site office.

          So, to summarize, no, the Op stations, the Op servers, should NEVER be connected to the Internet, and we do out best to disable any way of the operators even getting to the OS level, but there are times and reasons that you need to hook the internal network (through full security measures) to the outside world.

          • by AB3A ( 192265 ) on Wednesday April 08, 2009 @09:44AM (#27503427) Homepage Journal

            I am a control systems engineer, a member of ISA-99, and a contributor to several other standards on industrial control system cyber security.

            The parent post is what SHOULD be done in a recently installed system. I can tell you from experience of dealing with other infrastructure (not the electric grid) that it isn't always that way. There were many systems installed around Y2k that are still in service. And most of you will remember that back then very few people took security seriously. Back then it was all about compatibility. Security wasn't even an issue. The big issue was SHARING the data.

            Control systems and SCADA have long working lives ranging from ten to twenty years. The reason for this is because the field I/O validation cost is significant. It dwarfs the cost of the software, the control center, and all that lovely flashy stuff you're so used to seeing. Updating a configuration is very expensive, not just in validation costs, but also training costs, for miscellaneous costs such as review of operating procedures, control system narratives, and so forth. This is why many are forced to keep their systems isolated in the hope that by doing so, things will somehow stay secure.

            But these days, that's no easy feat. Nearly every company has a contingent of data surfing desk jockeys with enough authority and enough dream-weaving synergy talk to push for interconnections. That's when things get very ugly.

            The problem isn't that they want the data. The problem is that they want the data IN REAL TIME. Most of the time these idiots say the term though they do not understand the implications or even what it means. And that's how the exploits get started.

            There are solutions. There are relatively secure methods for moving data in and out of a SCADA system. But they need careful review by people who know both the industrial side of things (to identify what is at risk) and the IT side of things (to know what the potential vectors could be). And the number of people with that kind of expertise is extremely small. We're talking about hundreds or maybe a thousand such people world-wide.

            There simply aren't enough people to train the trainers who will train the trainers. And so, we're stuck with the status quo until we can build a community of cross trained people who understand industrial processes, control systems, and IT large enough to handle this situation.

            I know many of you probably think you have it bad in the office IT business. And it is. Just know that there is far more truth in the Homer Simpson character than you'd ever dream of...

        • Then I'd suggest they need two PCs.

          Then you have a badly integrated UI. What if a user confused one with the other at a critical moment?

        • they need two PCs.

          What? No copy paste? You're talking crazy now.

      • Re: (Score:3, Insightful)

        by drsmithy ( 35869 )

        The systems I work on are typically airgapped, but there is a constant push from users for some access to the internet. A user might need to access meteorological information, and the simplest way is to go online to get the data. Another user might need to refer to work instructions on the corporate intranet, but the intranet gets you to the internet anyway. Like it or not, the internet is working its way into many types of work and many people are starting to expect it to be available.

        Then your users nee

        • by pjt33 ( 739471 )

          I've worked at a games company which had precisely that setup, so it's mind-boggling that major infrastructure companies wouldn't do it.

        • Re: (Score:3, Interesting)

          There are some situations where security MUST override convenience.

          Tell that to the union. Remember power industry operational environments are blue collar work places. I have seen people in similar environments go to any length to get a system they don't want to see shut down. They will play totally dumb, like not noticing they are using the wrong keyboard for hours at a time. Assume that your users are hostile to you. Then design a solution.

      • by Lumpy ( 12016 ) on Wednesday April 08, 2009 @07:11AM (#27501563) Homepage

        Blowing all my moderation to reply to this.

        Let me make this clear. Putting a critical system on to the internet is pure, stupid, incompetence.

        ALL of your "situations" can be solved with a second $399.95 DELL sitting next to the critical workstation. Anyone saying that that is not practical is a blathering moron. I have seen MANY water filtration plants that the Supervisors in charge of the whole operation are so incompetent they put the entire plant's operation system on the corporate or city network. Then we have the low quality SCADA software called WonderWare that is so badly written that the company requests they have direct access to the machines so they can issue fixes faster.

        If any mission critical machines are on anything but a sealed private non connected network, the person that designed it is a incompetent idiot that should take the fall for any failures. Gitmo time for whoever approved or asked for interconnection.

        I have been appalled at the amount of interconnection I see in really important SCADA systems. I have seen this stupidity in major infrastructure control systems for 14 years now. Typically put here by some asshole manager that wants to "keep an eye" on his guys while he is at home. he get's a workstation (typically the one in his office) set up with a second network card and Pc anywhere or another Remote control system to interconnect the secure to the un-secure. and does it with a stupid windows box. Then the idiot uses it to check email, surf the net,etc... All installed by your friendly company IT slackie After the SCADA installation guys go home.

        Every system I looked at that was "secure" typically had one of these bridging computers on it the only way to find the is to do a hard audit of every computer, the rate of finding these security breaches goes up as the age of the installation increases.

        • Re: (Score:3, Interesting)

          ALL of your "situations" can be solved with a second $399.95 DELL sitting next to the critical workstation. Anyone saying that that is not practical is a blathering moron.

          In all the control room environments I have worked in this approach is just not acceptable. The users expect to get a single, integrated UI environment.

          • Re: (Score:3, Informative)

            by Lumpy ( 12016 )

            If you were the designer, then you did not do your job educating them as to why they are not supposed to do that, and the repercussions for not following them

            It is the SCADA system designers job to inform the customer as to the incredible danger of their desire to be convenient.

            If you were a employee that worked at one of those stations, why did you never voice your concern about it? One word to the regulators and your bosses would have been screamed at and fined heavily for having an integrated UI for in

          • Re: (Score:3, Interesting)

            by Rich0 ( 548339 )

            The solution is oversight. Congress passes a law noting that major pieces of infrastructure are critical to national security. An oversight body is created to set policies for administration of such intrastructure. Violation of these policies carries criminal penalties.

            Then you have the Feds start busting control rooms. Manager in charge gets sent to prison.

            Let's see how fast those managers can arrange to have competent people on-duty 24x7 and not need to use pcAnywhere or whatever to get in.

            As much as

        • Re: (Score:3, Interesting)

          by sjames ( 1099 )

          Color codes can help a lot. Blue network is scada, green is public. Scada network has blue ports, blue cables and blue stripes on the devices. Public internet has same deal but in green.

          Plugging anything in the wrong color is a firing offense. Specially designated and signed off gateway machines might have a blue port and a green port and special markings that it is OK. Otherwise, any color mis-match or mixing is to be reported immediately.

          For extra paranoia, all blue network devices get the high octet set

    • by Yvanhoe ( 564877 )
      I am not sure that it would really help. It is just a matter of plugging on the good wire. If the protocols used aren't secure, it doesn't make much of a difference whether or not they are connected on the net. As soon as a network is necessary, internet is as good as any...
  • by krou ( 1027572 ) on Wednesday April 08, 2009 @04:19AM (#27500875)
    From the article:

    Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more.

    So, the week before a review is due looking into whether or not they should increase the flow from the money pump, "current and former national-security officials" have come forward to draw attention to a network of spies in the power grid.

    Look, I'm not saying that cyber-attacks don't happen, or that there isn't a risk, but bloody hell, this article reads like a well-crafted piece of BS, designed to put the N back into FUDing.

    • While I was reading it (well I didn't really, but pretend you believed me RTFA), I had a hunch that these officials really got all the threat ideas from certain hot anti-terrorism show. Power grid attack? That sounds too familiar. What's next, I guess a bunch of armed terrorists are just going to break into the white house?

    • Re: (Score:3, Funny)

      by Thanshin ( 1188877 )

      this article reads like a well-crafted piece of BS, designed to put the N back into FUDing.

      Nuding?

    • by Sycraft-fu ( 314770 ) on Wednesday April 08, 2009 @05:01AM (#27501077)

      Everyone wants money for their projects. Part of getting it is knowing what to sell in your given field. Well, as of late with federal government dollars, national security has been the name of the game. Was more narrow to anti-terror but they are kind losing focus on that. So, it is also no surprise that is what people use to try and get the money, even if what they want really has fuck all to do with it.

      For example Consolidated Edison wants to install a super conducting core in for New York's power grid. Reason is the existing grid has load problems and this looks like the best way to handle it, rather than massive amounts of more copper. This is expensive, of course. To the best of my knowledge when this is deployed, it'll be the first super conductor used for commercial power delivery. Means plenty of R&D in addition to the actual costs. Well, sure would be nice if the government would help pay for that... So they got them to.

      How? Well they sold it to DHS as an "anti-terror" deal. No idea how this is supposed to be more terror resistant, but DHS bought it and that's what's important. They gave ConEd something like half the money they need for the project.

      Now you know that ConEd isn't really doing this as an anti-terror measure, they are doing it as a "grid is overloaded" measure. However, they put that spin on it to get government funding, and it worked. I'm betting this is a similar money grab.

  • by Thanshin ( 1188877 ) on Wednesday April 08, 2009 @04:25AM (#27500897)

    China, Russia, and other countries,

    So you mean there are people capable of hacking the US energy grid but who can't start the attacks from a hacked box in Madagascar?

    "Who's attacking us?"
    "Sir, the attacks come from half a million infected machines all around the world."
    "From all coutries?"
    "Yes, sir."
    "So China and Russia too?"
    "Hmm, Yes, of course, sir"
    "Damn commies... We should've nuked them a long time ago."

    • Re: (Score:3, Interesting)

      by Zocalo ( 252965 )

      So you mean there are people capable of hacking the US energy grid but who can't start the attacks from a hacked box in Madagascar?

      Maybe the attackers did start the attacks from the box in Madagascar or wherever, but if that box could be hacked by the attackers then I suppose it's possible that it was also hacked by those tracking these attacks who found evidence pointing back to the usual suspects. That becomes all the more likely if at least some of the hacked systems are parts of a honey net or monitoring of compromised systems in the US shows an abnormally high level of communication back to some countries and not others.

      What I

  • by palegray.net ( 1195047 ) <philip.paradisNO@SPAMpalegray.net> on Wednesday April 08, 2009 @04:28AM (#27500907) Homepage Journal
    Trust me folks, it's coming. It won't be pretty, either. The power to disrupt a nation's economy via information warfare measures represents a much clearer threat than people trying to get something through airport security.

    There's a reason the military is starting to get mighty interested in nerdy types, although most programs designed to leverage these skills are in their infancy. We need to get serious about this fast; other nations certainly are.
    • The power to disrupt a nation's economy via information warfare measures represents a much clearer threat than people trying to get something through airport security.

      Unless... They're bringing the virus by plane!

      From now on, all computers will have to be formatted to pass security.

      Don't worry, the stewardesses will give you a Windows CD to reinstall the internet in your portable during flight.

      • As amusing as your post may be, the scary thing is how you might be right on some ways. I'd love to belief Homeland Security couldn't possibly be that idiotic, but they've pulled some pretty dumb crap in the past.

        That said, I'm delighted to know that Microsoft is finally giving up on further Windows development and just putting the Internet right onto XP discs. I've always wanted my very own copy of the Internet.
    • Re: (Score:3, Insightful)

      by Opportunist ( 166417 )

      The threat is actually in consumer PCs, insecure and filled with malware. My fear is that, if we do not get those boxes secure soon, the Powers That Be will see them as a threat and, instead of requiring you, the user, to take responsibility for your box, demand that all boxes have to be made "secure", i.e. have some kind of mandatory surveillance available to them, or that you may only install whatever is approved and seen as ok by whatever entity your country may put in that place. All in the name of nati

  • by aepervius ( 535155 ) on Wednesday April 08, 2009 @04:32AM (#27500933)
    AFAIK the whole remotely controlled stuff is not on internet or anything but on modem and similar box (can't remember their name) to which you have to directly dial in (non routable), and is separately powered from the power grid. If not I would fire the ass of the guy in responsibility: who in their right mind would put the control structure for a power grid, on something which can only be accessed when the same power grid is functioning. Also there are local control which override any possible remote control anyway.
    • by fluch ( 126140 )

      Now somewehere in the depths of the US power grid somebody reads the above comment and thinks silently ... "d'oh!"

      • Now somewehere in the depths of the US power grid somebody reads the above comment and thinks silently ... "d'oh!"

        Finally an appropriate Simpsons reference.

    • Thanks, I was looking for someone with a clue.

      Re your sig; I first learnt the philosophy of science not from HS (which I dropped out of in '76) but from reading a book by Randi ~30yrs ago so I checked out your amazon link and lo and behold it's Sagan's masterpiece.

      Seriously, genuine skeptcisim is a SKILL that needs constant practice but will serve you well in all aspects of daily life, I highly recommend the authors in aepervius' sig.
  • I always thought that nation states would be much more careful than to leave anything behind and would also limit their activities very much in order not to be detected and possibly embarrass their government (diplomacy and all). Also this kind of actitvity could be considered as an act of war.
    But since this kind of activity could very well be conducted by other entities than nation states. And they are. All the time. They are also very hard to trace.
    Given those facts maybe nation states use this excuse and

  • by TechnoFrood ( 1292478 ) on Wednesday April 08, 2009 @05:24AM (#27501175)
    Spy sappin' my generator.
  • The time that power goes out most frequently where I live (New York City, Hudson Valley, Syracuse all year round) is during the summer on the hottest days. What is straining the electrical grid so much? Air conditioners. On the hottest days of the summer you will always experience brownouts, and sometimes, the days get to hot that a large section of our part of the country loses power.

    Millions of New Yorkers depend on electricity in their daily lives. Prolonged power outages are not only a nuisance -- they are also potentially life-threatening and can cause major economic losses.

    Power outages occur most often during the summer months, when residents run air conditioners and power usage is at its peak.

    http://www.nyc.gov/html/oem/html/hazards/utilities_power.shtml [nyc.gov]
    - - -
    http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003# [wikipedia.org]

  • I'd better stick to a gasoline powered vehicle, those damn foreign Cyberspies with be monkeying around which the electricity switch

    . . . and wow, does the Internet need electricity to run? I hope those foreign Cyberspies now what they will be starting, when they cut off the US supply of porn.

    It ain't gonna be pretty. Maybe we can convert the Internet to run on gasoline?

  • Cause they hold all our debt and killing our economy means we can't pay them back....

    • Then I hope they don't get the idea that we couldn't (or wouldn't) anyway.

      If I couldn't get my money back, at least I'd like a bit of entertainment.

  • I'm doubting the veracity of these claims. We lack the technology to send spies down mains wires.
  • It sounds to me like someone needs to try and grab more control over that Internet thing. First pedophiles, then terrorists, it seems that you can start whole revolutions [slashdot.org] (linked in case anyone missed yesterday's news) using it and now THIS? The government must find a way to control it or we're all doomed! AAAaaaaaaaaaaaaaaaa!!!!!!!!!!
  • From time to time they have conducted mock attacks and it has been demonstrated more than once that an external agent could destroy various pieces of equipment by ordering them to perform out of spec. And there are other weak points as well - hack into the railroads and instruct the train to deliver the coal to the wrong place, for example. But here's a story from August 13 2001 in the LA Times [jammed.com]

    For two weeks last spring, hackers wormed their way inside a computer system that plays a key role in moving elec

  • I don't get it.

    Why is this stuff connected to the Internet?

    Who decided to connect it to the Internet?

    When did they start connecting it to the Internet? They always used to tell us not to worry, because it wasn't.

    Can't these guys afford a few leased lines?

  • It's okay (Score:4, Funny)

    by psnyder ( 1326089 ) on Wednesday April 08, 2009 @07:17AM (#27501613)
    The module that allows outsiders to do this is called the CIP device. I hacks into the governments firewall. Who knew they had just one layer of protection over every bit of US infrastructure, that it's all linked together, and that it could be so easily circumvented by a genius hostage in a matter of hours?

    But it's okay. A man by the name of Jack Bauer has been alerted to the situation. And knowing his previous record I'm confident that he will deal with the crisis, because all of the bad people operate within driving distance to him.
  • Wolf! (Score:3, Interesting)

    by jandersen ( 462034 ) on Wednesday April 08, 2009 @07:19AM (#27501623)

    It is rather stupid to keep crying wolf, when there is little to nothing to raise the alarm about. Or, alternatively, it is very clever, if you want people to not take security warnings seriously; only, I can't see why anybody in America would wan't to achieve that.

    Don't we hear these allegations all too often? It's "the Chinese and Russians" they say, and apparently it comes from the CIA or something, so we can't get to see any documentation. Perhaps some would like to think they can poison China's or Russia's reputations with this kind of stories, but as I point out, all they achieve is to weaken America's defence by undermining public trust in the agencies that are supposed to help protect them - it seems idiotic to me.

    And objectively, why should China or Russia want to harm America? Like it or not, they are no longer likely to be enemies of America in a future, global conflict, which will probably be between the industrialised and developing nations. To my mind it seems more believable that the culprits are international criminal gangs; multinational companies have grown to almost nation-like power, and it seems almost unthinkable that international gangs haven't grown proportionally, especially since the introduction of the internet. They would certainly have an interest in staking out as much of the public infrastructure as they can. And, of course they might also see an interest in people not believing public security warnings.

  • by anorlunda ( 311253 ) on Wednesday April 08, 2009 @08:11AM (#27502107) Homepage
    The WSJ article was apparently triggered by a letter [wsj.com] sent by NERC (North American Electric Reliability Council) to its members. I think it shows a healthy development of security digging down to yet another layer of depth.

    Forget the major computers in the major control centers. That's what everyone thinks of first. At that level it is becoming like the Indians and athropologists in the Grand Canyon. For every utility cyber worker there seems to be 30 government gumshoes and overseers looking over their shoulders. One would expect no aspects of security to be neglected at that level.

    The NERC letter refers to devices at a lower level. Primarily, what the industry calls "protective relays" in substations. From 1888 to a few years ago these functions were really done with electromechanical relays. Now, many of them have been replaced by digital equivalents on a one-by-one basis. In a household analogy, it is like the difference between a central electric control computer for the house, as compared to a "smart" digital LED light bulb. One worries about the central computer being hacked, but at first blush, not the light bulb.

    The problem is that the engineers who deal with this level of equipment aren't used to thinking of these devices like the light bulb instead of like computers in a network. They have not identified many of these low-level devices as "cyber critical". The NERC letter urges utilities to change that culture.

    This is an industry that owns and maintains hundreds of millions of diverse pieces of equipment. Every day, some fraction of them are converted to digital. No single study, no single policy can change this infrastructure overnight. I think they are approaching cybersecurity thoroughly and methodically, but it will take time.

    Remember Y2K? Roughly the same collection of hundreds of millions of devices were threatened by a common-mode failure (Y2K). It was very analogous to an external cyber attack. The utility industry tackled Y2K, thoroughly reviewed all those devices, and performed flawlessly on the morning of 1/1/2000.

    My point? Sure we should worry about cyber attacks on critical infrastructure, but don't jump to the conclusion that no security exists or that nothing competent is being done about it.

Some people only open up to tell you that they're closed.

Working...