GE Fixing Bug in Software After Warning About Power Grid Hacks (reuters.com) 38
General Electric said on Wednesday it is fixing a bug in software used to control the flow of electricity in a utility's power systems after researchers found that hackers could shut down parts of an electric grid. From a report: The vulnerability could enable attackers to gain remote control of GE protection relays, enabling them to "disconnect sectors of the power grid at will," according to an abstract posted late last week on the Black Hat security conference website. Protection relays are circuit breakers that utilities program to open and halt power transmission when dangerous conditions surface.
Re: (Score:1)
it's been done, like, a million times already.
Re:And these breakers are connected to the network (Score:5, Funny)
Re: (Score:1)
that will definitely slow down the hackers. all of a whole 10 seconds or so.
Re: (Score:2)
The managers that run important infrastructure already have air gaps. (between their ears)
Re: (Score:1)
Are you an expert
Re: (Score:1)
Re:And these breakers are connected to the network (Score:4, Insightful)
That simply isn't ideal anymore. When a critical situation happens, say an earthquake, how long does it take to deploy a person to a breaker unit to manually change its state? They NEED to be networked in today's age to have the level of agility needed to handle a situation.
Re: (Score:2)
Re: (Score:2)
Sure if you ignore technical requirements and start sinking a shitload of money into the system that will lead to public outrage as Americans cease to enjoy their ludicrously low electricity prices you can do ANYTHING.
PSTN, modems, SMS, you don't seem to realise just how much data is required by SCADA systems and how quickly they need to respond.
UHF? I take it you've never actually looked at coverage at these frequencies. HF maybe, but then you're into a new world of problems.
As for cables, they did lay the
info on Recloser (Score:2)
the ones on lines need some kind of remote so they can send messages and get turn on commands. They also have local control so there can be a lock out / tag out.
https://en.wikipedia.org/wiki/... [wikipedia.org]
https://www.youtube.com/watch?... [youtube.com]
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
While I am sure S&C have issues as well, they are at least conscious about security.
Re: (Score:3)
Sorry but horseshit. These companies in general know very little about security. Leave security to those people who specialise in it and put every installation behind a proper VPN before it gets a cable plugged in. And then put the crappy security provided by these protocols in anyway.
Not that it matters what these companies build, because the end user will screw it up anyway. I went into a substation at a power plant in Germany the other day. I've never visited this power plant before. The maintenance supe
Re: (Score:2)
Air gaps on important infrastructure, people
Airgaps only make a grid unmanageable which would lead to more power outages. The answer isn't airgapping, it's actually knowing security.
If your idea of security is to simply airgap then you're going to fall victim to many other attack vectors.
Re: (Score:2)
Re: (Score:2)
Just pondering - if they've strung up a set of powerlines, would it be all that impossible to also put up some control-wires, and have that system air-gapped from internet/telecoms/whatever ?
Re: (Score:2)
Yes. These days many utilities also run fibre. They also did run control lines but in the past they were for basic copper allowing remote substation intertrips before centralised control became a thing (e.g. OMG my breaker didn't open, please upstream stop feeding me power signal).
The problem with the cost comes in retrofitting the grid now, rather than when it was first built. Helicopter time isn't cheap.
Re: (Score:2)
Cheers - been 20 years since I took an introductory course to being an electrician, always curious how things are done now :)
Helicopter time isn't cheap.
Nor are fried grids :)
Billions can attack a network target (Score:3, Insightful)
If your asset is attached to the network, literally billions of people could potentially attack it, from anywhere in the world. Not only that, but they can unleash automated attacks upon your asset from other Internet targets they've previously compromised.
If your asset is on its own network, or is non-networked, that cuts down on the number of possible attackers tremendously.
So, critical infrastructure should NOT be on the Internet, or at least not without a correspondingly LARGE investment in security commensurate to the risk.
--PeterM
Re: (Score:3)
If your asset is not on a network, no one will care about attackers because power outages will become incredibly common due to the inability to properly manage the grid.
If your asset is on its own network, just expect to pay the appropriate price for electricity when the providers are forced to build a nationwide network of their own, and let me tell you Americans are currently getting one hell of a bargain on electricity.
The internet is a necessity. But then so are VPN tunnels, firewalls, and proper netw
Where are the technical details? (Score:1)
Cyber Security Issues for Protective Relays [gegridsolutions.com]: 2008
The Northeast blackout of 2003 [wikipedia.org]
Is this in response to blackouts last week? (Score:2)
Different Controllers? (Score:1)
Former insider here. (Score:1)
I am a former employee for GE at exactly this business segment, and I have used the relays in question and was a designer on a related product. This does not surprise me at all. The thing is though, that GE actually tried really hard to get security right. Some employees weren't very good, but for the most part the company did the right things. The problem was customers. Customers _hated_ security features because it made things more difficult for their dummy techs to fix problems quickly. So - typica