'How 30 Lines of Code Blew Up a 27-Ton Generator' (wired.com)
After the U.S. unveiled charges against six members of the Sandworm unit in Russia's military intelligence agency, Wired revisited "a secret experiment in 2007 proved that hackers could devastate power grid equipment beyond repair — with a file no bigger than a gif."
It's an excerpt from the new book SANDWORM: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers which also remembers the late industrial control systems security pioneer Mike Assante:
Among [Sandworm's] acts of cyberwar was an unprecedented attack on Ukraine's power grid in 2016, one that appeared designed to not merely cause a blackout, but to inflict physical damage on electric equipment. And when one cybersecurity researcher named Mike Assante dug into the details of that attack, he recognized a grid-hacking idea invented not by Russian hackers, but by the United States government, and tested a decade earlier...
[S]creens showed live footage from several angles of a massive diesel generator. The machine was the size of a school bus, a mint green, gargantuan mass of steel weighing 27 tons, about as much as an M3 Bradley tank. It sat a mile away from its audience in an electrical substation, producing enough electricity to power a hospital or a navy ship and emitting a steady roar. Waves of heat coming off its surface rippled the horizon in the video feed's image. Assante and his fellow Idaho National Laboratory researchers had bought the generator for $300,000 from an oil field in Alaska. They'd shipped it thousands of miles to the Idaho test site, an 890-square-mile piece of land where the national lab maintained a sizable power grid for testing purposes, complete with 61 miles of transmission lines and seven electrical substations. Now, if Assante had done his job properly, they were going to destroy it. And the assembled researchers planned to kill that very expensive and resilient piece of machinery not with any physical tool or weapon but with about 140 kilobytes of data, a file smaller than the average cat GIF shared today on Twitter....
Protective relays are designed to function as a safety mechanism to guard against dangerous physical conditions in electric systems. If lines overheat or a generator goes out of sync, it's those protective relays that detect the anomaly and open a circuit breaker, disconnecting the trouble spot, saving precious hardware, even preventing fires... But what if that protective relay could be paralyzed — or worse, corrupted so that it became the vehicle for an attacker's payload...?
Black chunks began to fly out of an access panel on the generator, which the researchers had left open to watch its internals. Inside, the black rubber grommet that linked the two halves of the generator's shaft was tearing itself apart. A few seconds later, the machine shook again as the protective relay code repeated its sabotage cycle, disconnecting the machine and reconnecting it out of sync. This time a cloud of gray smoke began to spill out of the generator, perhaps the result of the rubber debris burning inside it... The engineers had just proven without a doubt that hackers who attacked an electric utility could go beyond a temporary disruption of the victim's operations: They could damage its most critical equipment beyond repair...
Assante also remembers feeling something weightier in the moments after the Aurora experiment. It was a sense that, like Robert Oppenheimer watching the first atomic bomb test at another U.S. national lab six decades earlier, he was witnessing the birth of something historic and immensely powerful.
"I had a very real pit in my stomach," Assante says. "It was like a glimpse of the future."
Is the lesson not to make generators connected? (Score:5, Insightful)
How often do such devices really need connectivity for firmware updates? Really, this is a lesson in isolation and access. Admittedly, shortsighted customers will probably ignore the lesson in favor of lower costs and convenience.
Re: (Score:1)
Admittedly, shortsighted customers will probably ignore the lesson in favor of lower costs and convenience.
I'm not disagreeing with you, however, manufacturers will release hardware with buggy software making this necessary. Or in some cases companies make it necessary for hardware to be able to phone home in order to stay functional.
Re:Is the lesson not to make generators connected? (Score:5, Insightful)
companies make it necessary for hardware to be able to phone home in order to check software license status.
FTFY.
Re: (Score:1)
Newest fluff, at least in Building Automation, is to also have them connected to the "cloud" to siphon off the data centrally... And most of those networks are still tightly controlled vlans because they communicate openly without encryption.
Re: Is the lesson not to make generators connected (Score:2)
Re: (Score:3)
The real problem here is that nobody wants to accept the cost of having an isolated system.
The manufacturer wants remote access and easy firmware update capability to keep their costs down. If it goes wrong, blame the owner for not securing their network.
The owner wants the manufacturer to have remote access and easy firmware update capability so they can resolve problems quickly and don't have to train someone to do those things locally. They also don't want to pay more than the bare minimum for network se
Re: (Score:2)
Look, snide comment about crappy consumerism aside, no, industrial equipment does not phone home. Hell many manufacturers simply tie the software license to the hardware itself. And you buy a software license whether you want one or not.
Re: (Score:2)
industrial equipment does not phone home
I imagine that most of it does by now.
And you buy a software license whether you want one or not.
Periodically. And if you forget to renew it, it quits working when the license expiration date rolls around. And the more we rely on software as a service, it phones home every time you log in, just to make sure your account is still paid up.
Re: (Score:1)
Re: (Score:2)
Such devices should be connected for monitoring but not for control (i.e. read-only).
Re:Is the lesson not to make generators connected? (Score:5, Insightful)
We've been able to do read-only, one-way communications in hardware for decades. It's like all the new generation of engineers can't use the "old stuff" because they think their "new hotness" designs have to be better than the old stuff that's been working for decades before they were even born.
IMHO the solution could be a main CPU/uC that controls the hardware and sends status information to a secondary CPU/uC which is only in charge of external communications and has read-only firmware. You can't reach the main CPU from the outside and you can't change what the com CPU is doing.
Re:Is the lesson not to make generators connected? (Score:5, Interesting)
read-only firmware
Do they even MAKE true ROMs anymore? I thought those were old hat, after the PROMs, the UV-erasable ROMs, the EROMs, and then the EEROMs. After all, it's so inconvenient to physically insert a socketed chip. (Do they even make SOCKETS anymore?)
For that matter, I heard about "data diodes" more than a decade ago. And if nothing else, have a display with all of the interesting internals on it and a flashing light for warnings and point an internet-accessible camera at it. You (anyone) can LOOK at the data all day long, but you literally can't touch it. (Well, hack the camera and hop it over to the keyboard. But some Duck Tape fixes that.)
And is it "the new generation of engineers", or their teachers, or their managers who want / demand the newest stuff?
Re: (Score:2)
Do they even MAKE true ROMs anymore?
Isolated chips? Not sure, probably. They certainly make microcontrollers with all in one baked in ROM. It's cheaper than flash in sufficient bulk. Look up "mask ROM", still alive and kicking.
For that matter, I heard about "data diodes" more than a decade ago.
An RS-232 link with Rx disconnected will do a fine job.
Re: (Score:2)
For that matter, I heard about "data diodes" more than a decade ago.
An RS-232 link with Rx disconnected will do a fine job.
It can also be done with 100BASE-TX with one pair disconnected. In the past I have done this as a form of hardware port mirroring with each pair of a single 100BASE-TX link also feeding a pair of 100BASE-TX ports used for monitoring.
Re: (Score:3)
Yes, they do. In practice, they are EEPROMs that have one or more internal fuses that can be blown by the programmer. After the fuses are blown, the only way to modify the chip is to open up the package and break out the microprobes.
Re: (Score:2)
Just don't connect the Write Enable pin to anything. No matter how hacked the system gets it can't change the EEPROM if it doesn't have a Write Enable signal.
Re: (Score:2)
Do they even MAKE true ROMs anymore? I thought those were old hat, after the PROMs, the UV-erasable ROMs, the EROMs, and then the EEROMs. After all, it's so inconvenient to physically insert a socketed chip. (Do they even make SOCKETS anymore?)
You missed OTP EPROMs which replaced PROMs and are still made. An OTP EPROM (one time programmable) is a UV-erasable EPROM without the window in a plastic package. The same thing can be made with a Flash EPROM by disconnecting the programming voltage, which was done in early PCs which supported Flash updating of their BIOS.
Some modern parts support hardware write protection. ISSI makes some.
The largest DIP and PLCC parts which could be used in a socket are 2 Mbytes. If you want a larger removable memory,
Re: (Score:2)
You can't reach the main CPU from the outside and you can't change what the com CPU is doing.
So how do you control it remotely?
You're very focused on security but unfortunately are giving up some necessary functionality in the process. We don't run grid infrastructure the way we did in the 50s and 60s.
Re: (Score:2)
It's not engineers that are the problem, it's the management who think they are helping when they fire the old guys that learned how to do it correctly the hard way, and want a lot of billable hours from lower-paid "coders". A proper FSM analysis and implementation would have made this hard to impossible, even if the system could accept certain external commands and still enforce strict safety conditions on the state transition. Additional fail-safes and hardware interlocks may even be called for.
Re: Is the lesson not to make generators connected (Score:1)
Re: (Score:3)
And you're going to guarantee that the device is read-only how, exactly? A firewall? An unhackable firewall that somehow only lets data out and not in?
Never mind that being able to remotely control the equipment is a necessary feature. What you're suggesting is simply another layer to hack.
Now, before you suggest something else fucking stupid, think.
Let's see... how about... code that can't be altered outside of safe parameters without a physical hardware switch being thrown, and the device can't operate in "normal" mode while that switch is thrown?
Right.
Concluding a thing can't be done because you can't think of how disregards the several billion other people on the planet, some of which might be smarter than you.
Get a clue before being a jackass (Score:5, Informative)
Before acting like a total jackass and calling people stupid, it's helpful to have SOME idea wtf you're talking about.
> And you're going to guarantee that the device is read-only how, exactly?
The 1970s method of making sure a communications link is one-way was by simply cutting the receive wire. A device can only send data (be read-only) when the wire to receive updates is fucking removed. Dumbass.
In the 1980s, we used data diodes.
https://en.m.wikipedia.org/wik... [wikipedia.org]
In the 1990s, the US Navy (our oldest signals intelligence service) developed The Pump and the Network Pump, which allow full-speed acked communication while preventing any covert channels in the reverse direction. The full-speed thing was important because earlier designs delayed the acks until a semi-set interval, thereby slowing communication in the allowed direction. See Myong H. Kang, Ira S. Moskowitz, and Stanley Chincheck for further details.
As a stupid asshole once said:
"Now, before you say something else fucking stupid, think."
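The Pump described in the post above, as an added teaching model (not the commenter's code and not the NRL reference design): the Pump acks Low with a delay drawn around a moving average of recent High ack delays, so High's per-message timing is not visible to Low. Class and function names, the 1.0 s default and the buffer sizes are constructed assumptions.

```python
"""Simplified model of the NRL Pump's acknowledgement timing.

Low sends messages to the Pump, which buffers and forwards them to High.
High acks each message to the Pump.  The Pump acks Low separately, with a
delay drawn at random around a moving average of recent High ack delays,
so High cannot use per-message ack timing to signal bits back to Low.
Constructed teaching model, not the published reference design.
"""
import random
from collections import deque


class Pump:
    def __init__(self, buffer_size=8, window=16, jitter=0.5, seed=1):
        self.buffer_size = buffer_size
        self.buffer = deque()                     # messages awaiting High
        self.high_delays = deque(maxlen=window)   # recent High ack delays (s)
        self.jitter = jitter                      # relative std-dev of Low acks
        self.rng = random.Random(seed)            # seeded so runs are repeatable

    def mean_high_delay(self):
        """Moving average of High's ack delays; 1.0 s before any are seen."""
        if not self.high_delays:
            return 1.0
        return sum(self.high_delays) / len(self.high_delays)

    def low_send(self, msg):
        """Low offers a message.  Returns the ack delay Low will observe,
        or None when the buffer is full and Low must retry (the one
        remaining, rate-limited, High-to-Low channel)."""
        if len(self.buffer) >= self.buffer_size:
            return None
        self.buffer.append(msg)
        mean = self.mean_high_delay()
        # Ack timing depends on the average of *past* High acks plus noise,
        # never on how High treats this particular message.
        return max(0.05, self.rng.gauss(mean, self.jitter * mean))

    def high_receive(self, ack_delay):
        """High takes the oldest buffered message and acks it after ack_delay."""
        msg = self.buffer.popleft()
        self.high_delays.append(ack_delay)
        return msg


def leak_attempt(bits, pump, fast=0.2, slow=2.0):
    """High tries to signal `bits` by acking fast (0) or slow (1).
    Returns the ack delays Low actually observes, one per message."""
    observed = []
    for bit in bits:
        observed.append(pump.low_send(b"payload"))
        pump.high_receive(slow if bit else fast)
    return observed


def correlation(xs, ys):
    """Pearson correlation, used to score how much of High's bit pattern
    survives in the timings Low sees."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


if __name__ == "__main__":
    bits = [int(c) for c in "0101100111001010" * 4]
    seen = leak_attempt(bits, Pump())
    print("correlation(bits, Low-side delays) =", round(correlation(bits, seen), 3))
```

Running the script compares High's bit pattern against the delays Low sees; the only signal that survives is the slow drift of the moving average and the buffer-full stalls, which is the bounded channel the design accepts.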
Re: (Score:2)
The 1970s method of making sure a communications link is one-way was by simply cutting the receive wire. A device can only send data (be read-only) when the wire to receive updates is fucking removed. Dumbass.
If that were a viable option it would be done. Unfortunately the world is too complicated to limit communications to infrastructure in one direction. Especially electrical grid connected infrastructure.
As a stupid asshole once said:
"Now, before you say something else fucking stupid, think."
Now that's an appropriate statement.
Re:Is the lesson not to make generators connected? (Score:4, Informative)
We used to control it very easily in hardware. A pin on a serial port on the industrial equipment needs to be high in order to write to its memory. It's a straight hardware path, no software is checking the pin and deciding whether to write. The serial port pin connects to a pin on the memory interface, and without voltage on that pin, you can't write to memory. The monitoring system is connected to the industrial equipment using a serial cable from which that pin has been removed. It is not physically possible to raise voltage on the write pin with this cable, even with malicious software. If you need to reprogram the equipment, you bring in a serial cable that has a write pin, plug it in, do your update, and then remove it. Serial cables in this context are controlled and clearly labeled with a large tag that easily identifies them and their purpose. It is part of your security protocol to keep write cables secured, control access, record checkouts and checkins, and audit the cables on the floor and in storage.
Yes, of course there are ultimately ways around this. But you're not getting sabotaged industrial equipment in this situation because the monitoring computer is on the wrong subnet, or because someone plugged in an unknown USB device, or whatever. It's going to require intentionally bypassing protocols.
Re: (Score:2)
Re: (Score:2)
Read only should never ever be done in software because no one can visually check it. It should be done in hardware, be clearly visible and be secured. With a hardwired and locked switch, you have a read-only data path and a switch to unlock it into a read-write data path.
In that hardware, where was the internal protection, it does not make any sense, for that to ever change. You can have external controls but they should never over ride internal limits. Once the internal fault was detected in operation, w
Re: (Score:2)
Re: (Score:2)
"...firewall that somehow only lets data out and not in?" Surely you could have an LED transmitting from the internal (machine) side to a photovoltaic cell receiver on the external side. A high school kid could make that in shop class.
It saves money on employee wages (Score:3)
Think of it this way, if you have 10 employees and you save 1% on labor costs it's probably not worth the risk. If you have 100,000 it starts to look mighty attractive.
There's all sorts of crap like this. A buddy of mine drives a school bus
Re: (Score:2)
"Basically we're all being squeezed by efficiency experts..." Guess it's time for some security experts to squeeze the efficiency experts, eh?
Re: (Score:3)
There's only so much convenience you can have. A smart grid requires connectivity. It's one thing to berate a company with a co-located maintenance and control room for not isolating something, it's quite another for widely dispersed infrastructure which effectively necessitates connectivity in the modern world.
I mean you could take this to a logical extreme, the air separation station which used to supply us with pure oxygen was not run locally. There was only one field operator there to hit a red button ev
Re: (Score:2)
Re: (Score:3)
Connectivity is usually provided for support, the companies that buy industrial equipment want to buy it as a service that includes the maintenance and often operation. The manufacturer either needs remote access, periodic visits or someone permanently on-site. The latter two are far more expensive and inflexible options.
Ideally the kit would be reporting only, but often that means "our intention is that it does reporting only" and a lot of the time that's just decided after it was developed.
One of my old c
Re: Is the lesson not to make generators connected (Score:1)
No bigger than a GIF? (Score:5, Funny)
Is "GIF" the new unit of file size? What happened to "Libraries of Congress"?
Re: (Score:2)
Right. It's just like saying "it was no longer than a piece of string".
a line of code is just a string. (Score:2)
Right. It's just like saying "it was no longer than a piece of string".
It's right there in the heading !!
It's as long as 30 pieces of string...
Re: (Score:1)
You both are right. They took that string and cut it into 30 pieces to make it easier to read. Or to make it easier to write?
Re:No bigger than a GIF? (Score:4, Insightful)
Not only that, but you can have hand-drawn GIF files under 1KB and converted-from-video GIF files above 10MB.
I'm not sure why people keep making over-simplified comparisons as if all readers are pre-school children. Let them learn what "140 kilobytes" means - after all it should be part of basic knowledge in today's society, just like kilograms and kilometres.
Re: (Score:3)
Let them learn what "140 kilobytes" means - after all it should be part of basic knowledge in today's society
Yeah, but even if everyone knows it's 143360 bytes, some marketing drone at a shady disk maker invents a novel way to cheat and says it's only 140000. Which is not that novel -- like, US 2x4 lumber is really 1.5x3.5, etc.
Re:No bigger than a GIF? (Score:4, Funny)
Remember that 14KiB != 14KB.
K has always meant 1000, it doesn't matter if the computer industry twisted it to mean 1024 or that your operating system reported the wrong values for four or five decades, K has always equaled 1000 this whole time.
Re: (Score:2)
Indeed, my mistake. Thank you for the correction.
I just want to point out that it's kB (1000) and KiB (1024), though.
Re:No bigger than a GIF? (Score:5, Informative)
The International System of Units (SI) [wikipedia.org] defines the prefix kilo as 1000 (10 exp3); per this definition, one kilobyte is 1000 bytes. The internationally recommended unit symbol for the kilobyte is kB.
In some areas of information technology, particularly in reference to digital memory capacity, kilobyte instead denotes 1024 (2 exp10) bytes. This arises from the prevalence of powers of two in memory circuit design.
So basically, your username literally means "1000 bytes". If you wanted it to mean "1024 bytes" it should have been "Kibibyte".
Re:No bigger than a GIF? (Score:4, Insightful)
So basically, your username literally means "1000 bytes". If you wanted it to mean "1024 bytes" it should have been "Kibibyte".
My username predates that "1000 bytes" lawsuit and efforts to redefine the unit.
Re:No bigger than a GIF? (Score:4, Funny)
"1000 bytes lawsuit and efforts to redefine the unit."
You have it backward. The whole computer industry tried to redefine the unit for decades. It failed, get over it.
Re: (Score:2)
That's retarded. The SI unit of information should be the bit, not byte. Same stupidity as using kilograms as the base unit.
Re: (Score:2)
There are multiple kilos.
Your mental inflexibility isn't proof someone else is wrong. A kilobyte is 1024 bytes. It isn't kK, which would be 1000. It's kB, which isn't a metric measurement, so, obviously, doesn't conform to metric standards.
Re: (Score:2)
And 2x4s are two inches by four inches (in the US). Not.
Re: (Score:3)
Re: (Score:2)
Yeah, that's another debate entirely. I'm on the GIF side, though. GIF stands for Graphics Interchange Format and I don't care what the creator of the format says. Acronyms are not words, they don't follow syntactic or linguistic rules. "It's GIF but it's pronounced JIF" is just plain idiotic bullshit.
Re: (Score:3)
Actually you know what? Someone at Apple, Google or Microsoft should create a .JIF format just to block the "GIF is pronounced JIF" idiocy, once and for all.
Re: (Score:2)
They found that mentioning that the 30 lines of code averaged almost 5 kilobytes per line made real software people roll their eyes in disbelief. So they bury the fact that they needed 140 kB of code to do this, and headline fitting that into 30 lines.
Re: (Score:2)
Or maybe it's just modern software, the 30 lines of code needed 139kB of libraries.
Re: (Score:2)
that was my immediate reaction, as well.
Or maybe that's to trigger the buffer overflows . . .
hawk
Re: (Score:1)
They were all zipped :(
I wonder... (Score:2)
Breaking machines by using them in ways they were not designed for. That's a new one... An Oppenheimer moment rightfully so.
Porn blew up a pipeline (Score:4, Informative)
It is theorized that operators watching porn resulted in a pipeline rupture and fire [wikipedia.org] which killed three people. Nothing was ever proven as the operators (having admin privileges) wiped the logs and pled the 5th Amendment during the investigation.
Why these things need to be connected to the Internet I'll never understand.
Re:Porn blew up a pipeline (Score:4, Insightful)
Why these things need to be connected to the Internet I'll never understand.
You're right, they don't need to be; you can always instead physically send somebody out to (middle-of-nowhere, Alaska) with a laptop to diagnose/adjust/reprogram them in person, whenever something goes wrong.
As to why they often are connected to the Internet, it's because nobody wants to be sent out to (middle-of-nowhere, Alaska) with a laptop to diagnose them in person -- particularly if the equipment in question is balky and has to be re-serviced several times a week.
Re: (Score:3)
it's because nobody wants to be sent out to (middle-of-nowhere, Alaska) with a laptop to diagnose them in person
It's worse than that. Nobody wants to wait at home with the lights off until someone at some company sends a tech out to the middle of nowhere either. This connectivity is as much driven by customer and regulatory demands as it is cost savings.
Re: (Score:3)
nobody wants to be sent out to (middle-of-nowhere, Alaska) with a laptop
If your only tool is a laptop ....
Having worked in the utility biz: odds are very good that what needs fixing is hardware. So you head out with a toolbox, spare fuses and other consumables. And a laptop. Even if the software can tell you which subsystem is in trouble, it can't tell you which part or parts have failed. You go up with some test equipment and chase down the fault in the circuit.
Re: (Score:2)
There are efficiency advantages too. If you're getting a data feed from the devices constantly then you can do condition monitoring and fix things proactively when they need doing, rather than based on manufacturers' service intervals or just when it breaks; it's big business these days.
It also works the other way, as it can reduce maintenance by only doing it when necessary; for things like power stations that have huge outage windows this can make a big difference.
Re: (Score:2)
That's a false dichotomy. "able to connect remotely" is not the same as "reachable over the public internet".
It weighs about as much as a what? (Score:1)
There is no such thing as an M3 Bradley tank. There is an M3 Bradley Cavalry Fighting Vehicle. It is also not a tank; the point I care more about. A tank is something the infantry in the M3 Bradley will go over to at 4am and ask if the tank can be started so they can get warmed up.
Re:It weighs about as much as a what? (Score:4, Funny)
Besides, M3 is a little small for military purposes. For comparison, to install a 60" TV on the wall you need to use M8.
Re: (Score:2)
The M8 also has a lot more armor than the M3...
Re: (Score:2)
You're splitting hairs. The M3 is a light tank intended for recon and fast movement over rough terrain. It's not a main battle tank, but it is a type of tank and if you pointed at it and said "look at that tank" no one would reply "Where? Is it behind that tracked armoured fighting vehicle with the turret-mounted gun?"
Sensationalist BULLSHIT (Score:5, Interesting)
Re: (Score:1)
Sensationalist bullshit is far easier to produce than something actually accurate. And, you know, when you try to find out how things actually work, you may find that the engineers doing the design for these are not completely incompetent and have some non-software safety mechanisms in there...
Re: (Score:2)
Effective? Sure, in the short term. But a small team of technicians can repair and replace this in less than a few hours with the proper equipment.
Right. So if you organise a mass attack on 3000 of these things, how many teams are there to go around?
Re: (Score:1)
Re: (Score:2)
OK. Interesting. Thanks.
Re: (Score:3)
But you can't prove that, can you? You may replace grommets, but I bet that you can't tell me that the representative governor settings are enough to prevent the love joint from failing or shaft and/or generator damage after the love joint is destroyed. So it takes 60 resets instead of 3. Given the cycle time here, that's not a lot of time to react.
Re:Sensationalist BULLSHIT (Score:4, Insightful)
Dude, RTFA. I did. You've moved beyond wrong.
"The test director ended the experiment and disconnected the ruined generator from the grid one final time, leaving it deathly still. In the forensic analysis that followed, the lab's researchers would find that the engine shaft had collided with the engine's internal wall, leaving deep gouges in both and filling the inside of the machine with metal shavings. On the other side of the generator, its wiring and insulation had melted and burned. The machine was totaled."
Re: (Score:1)
Re: (Score:1)
What the article described was the generator being burned out, even without the mechanical damage it would have been scrap. In my lessons at university, I learned that a generator like this has to be in sync with the network before connecting. That means that the voltage from the generator has to match the voltage in the grid in frequency and phase.
If it is connected when not in sync, extremely large currents will flow through the generator, and those will create huge forces as well. Large currents heat thi
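The out-of-sync reconnection this comment describes, modelled as an added example (not the commenter's code and not the lab's): a synchronism-check permissive evaluated independently of the relay that requests the close, so a corrupted relay cannot reclose the breaker into an out-of-phase machine. The class and function names, the tolerance limits and the 13.8 kV / 60 Hz figures are constructed assumptions.

```python
"""Synchronism-check (ANSI 25) permissive as an independent interlock.

Models the failure the thread describes: a relay opening the generator
breaker and reclosing it while the machine has drifted out of phase with
the grid.  A separate sync-check compares voltage, frequency and phase
angle across the open breaker and only permits a close when all three
are within tolerance, regardless of what the relay's own logic requests.
Constructed teaching model; values are illustrative, not a real setting file.
"""
import cmath
import math
from dataclasses import dataclass


@dataclass
class Source:
    """An AC source seen on one side of an open breaker."""
    voltage_kv: float   # RMS voltage
    freq_hz: float      # electrical frequency
    phase_deg: float    # phase angle at t = 0


@dataclass
class SyncLimits:
    """Illustrative permissive settings (constructed)."""
    max_voltage_pct: float = 5.0    # |Vgen - Vgrid| as % of grid voltage
    max_slip_hz: float = 0.1        # |fgen - fgrid|
    max_angle_deg: float = 10.0     # phase angle across the breaker


def phase_at(src: Source, t: float) -> float:
    """Phase angle of `src` at time t, in degrees within [0, 360)."""
    return (src.phase_deg + 360.0 * src.freq_hz * t) % 360.0


def angle_diff(a_deg: float, b_deg: float) -> float:
    """Signed smallest difference a - b, wrapped into [-180, 180)."""
    return (a_deg - b_deg + 180.0) % 360.0 - 180.0


def closing_voltage_kv(gen: Source, grid: Source, t: float) -> float:
    """Magnitude of the phasor difference across the open breaker.

    Zero when perfectly synchronised, about twice rated voltage when the
    two sides are 180 degrees apart.  The current that flows on closing
    scales with this value, which is what produces the torque pulse and
    heating that an out-of-phase reconnection inflicts on the machine.
    """
    vg = cmath.rect(gen.voltage_kv, math.radians(phase_at(gen, t)))
    vs = cmath.rect(grid.voltage_kv, math.radians(phase_at(grid, t)))
    return abs(vg - vs)


def sync_check(gen: Source, grid: Source, t: float,
               limits: SyncLimits = SyncLimits()) -> tuple[bool, list[str]]:
    """Return (permitted, reasons).  Empty reasons means the close is allowed."""
    reasons = []
    dv_pct = abs(gen.voltage_kv - grid.voltage_kv) / grid.voltage_kv * 100.0
    if dv_pct > limits.max_voltage_pct:
        reasons.append(f"voltage mismatch {dv_pct:.1f}%")
    slip = abs(gen.freq_hz - grid.freq_hz)
    if slip > limits.max_slip_hz:
        reasons.append(f"slip {slip:.2f} Hz")
    angle = abs(angle_diff(phase_at(gen, t), phase_at(grid, t)))
    if angle > limits.max_angle_deg:
        reasons.append(f"angle {angle:.1f} deg")
    return (not reasons, reasons)


def reclose_attempts(gen: Source, grid: Source, open_at: float,
                     period: float, count: int,
                     limits: SyncLimits = SyncLimits()) -> list[tuple]:
    """A relay that opens at `open_at` and requests a close every `period`
    seconds.  Each entry is (t, permitted, closing_voltage_kv): the interlock
    answers the request; the relay's own logic does not get a vote."""
    out = []
    for i in range(1, count + 1):
        t = open_at + i * period
        permitted, _ = sync_check(gen, grid, t, limits)
        out.append((round(t, 3), permitted,
                    round(closing_voltage_kv(gen, grid, t), 2)))
    return out


if __name__ == "__main__":
    grid = Source(voltage_kv=13.8, freq_hz=60.0, phase_deg=0.0)
    # Once disconnected, the unloaded engine speeds up slightly: 60.5 Hz,
    # so the phase angle across the open breaker drifts 180 degrees per second.
    drifting = Source(voltage_kv=13.8, freq_hz=60.5, phase_deg=0.0)
    for t, ok, dv in reclose_attempts(drifting, grid, 0.0, 0.25, 8):
        print(f"t={t:5.2f}s  close permitted={ok!s:5}  "
              f"voltage across breaker={dv:5.1f} kV")
```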
Re: (Score:2)
Its called a love joint
Lovejoy? As in the brand name that has become one of the standard coupling designs?
Re: (Score:2)
Made the account just to discredit this absolute idiocy.
What did you discredit? The power went out. A team of technicians will take more than "a few hours" just to reach most generators in service. I see your comment about "every single plant has an on call team". LOL mate you worked in a very sheltered and very lucky industry if you think that is the case. Now back in the wider industrial reality there are whole industries where said electricians could be a whole charter flight away.
It is an IS design problem (Score:2)
Bad Design, Bad Security Implementation and Shoddy IT Work overall. I wonder if this was in the real world.
Re: (Score:3)
All of this is done in most cases, though you'll obviously find someone who cut some wrong corners.
But in most cases, payload delivery is not "over the internet" but by a subverted local agent inserting media that will deliver the payload into the network directly. Subversion is done by methods of the kind Snowden described from his time with CIA: arrange an accident where target person is the guilty party, have a recruiter "save" target person from responsibility to create deep sense of debt. Proceed from
Re: (Score:2)
The subnet should have been isolated and encrypted.
Yep. Firewalls and network gear are impenetrable. There have never been many reported cases of isolated networks being reconfigured and traversed by attackers over the years, no sirree.
Defense in depth my friend. Just isolating and being done with it is sloppy. Even the best isolations can be broken (yes, including physical ones).
Re: (Score:2)
A couple serious design faults with the generator (Score:2)
What a waste (Score:2)
This is like having a good old-fashioned beheading to make sure a knife can take off someone's head. You know, because we need to be 100% certain. The coders and engineers at the company who built the generator know that without proper limits and electronic controls, the thing will definitely burn up/blow up. If asked nicely, I'm sure they could have told the US government the thing would fail.
The fact that large industrial equipment will fail when run improperly is hardly a fact that needs proving. Thi
Re: (Score:2)
So IOW (Score:3)
640Kbyte IS enough for everyone!
I don't understand (Score:2)
I don't understand, the safety relays of an industrial machine would be connected and writable? Are there really designs like that in the wild? I understand monitoring being connected, but surely safety relays would need something like a ROM chip replacement to ever get updated. Otherwise it was just a horrible design.
As for the "Oppenheimer" moment? I can't even respond to so much cringe...
Slashdotters have a duty here (Score:3)
It's our duty, as people [most of us, anyway] who understand how computers and networks actually work, to tell the people around us who do not, the following things:
1. Stories like this are sensational garbage; they're aimed at those ignorant in the tech, and designed to make sales, attract clicks, and/or manipulate public opinion to pave the way for some regulation/legislation that SOMEBODY wants.
2. Anybody who hooks critical infrastructure to the internet is a MORON.
3. Anybody who designs a critical system into which ANY foreign code can get loaded is a MORON.
4. The Movie "Independence Day" is total fantasy - there's no such thing as a virus that can be run on all architectures (including unknown architectures) and certainly no way for such an imaginary-virus to narrowly target a piece of unknown mystery hardware and control it to the point of its own destruction.
Let's face it: we all know too many programmers who, having been educated to see computers as abstract black boxes, cannot write code to properly control a bit of hardware, even when they have access to all the documentation for a system, including schematics and component data sheets. The idea that a properly designed bit of hardware is vulnerable to destruction at the hands of code written by somebody without access to, and without detailed documentation for, that hardware is pure bunk. The imaginary killer virus would need to be written to execute on the particular processor architecture, know which bits to manipulate in which registers/ports/peripherals, which ways to manipulate them, including any timing, masking, inversion, enabling etc., and in some cases which peripherals or buses to go through to get at the ports/registers that need to be manipulated, and so on. There's simply no way to do this without detailed knowledge of the targeted system. Furthermore, any safety-critical system is constantly checking its own code and will shut down safely if anything attempts to corrupt that code - good luck getting a virus in there in the first place. Incidentally, this is all a good reason to not use COTS stuff in critical infrastructure...
Every time somebody claims to have proven this stuff (without being a total fraud) there is always a disclaimer or some other fine print that should be examined, in which there is an admission of the ways things had to be rigged or manipulated to make the so-called demonstration "work".
Re: (Score:1)
Re: (Score:2)
1. Stories like this are sensational garbage; they're aimed at those ignorant in the tech, and designed to make sales, attract clicks, and/or manipulate public opinion to pave the way for some regulation/legislation that SOMEBODY wants.
2. Anybody who hooks critical infrastructure to the internet is ...
Okay you had me at number 1. The story is sensational garbage so I'll just connect my critical stuff to the internet. Thanks for the consult.
I really hope it's not your job to explain stuff like this to other people. You start by dismissing the problem. Then proceed with dismissing end user requirements while calling them a moron. Then you made assumptions about the nature and origin or protection of code. And proceeded to downplay the idea of a virus attacking multiple machines, despite that being exactly
"..unprecedented attack on Ukraine's power grid... (Score:2)
...in 2016" Which would be the second attack on Ukraine's power grid after the Soviet Union forced their dangerous reactor design on Chernobyl and other sites.
VPN (Score:2)
Why don't power stations simply use a VPN connection? They offer total internet privacy and security using military-grade encryption!
New book? (Score:2)
Re: (Score:2)
Who wrote this? (Score:2)
Zero Days (Score:1)
https://www.imdb.com/title/tt5446858/
So much drama (Score:2)
Or have the safety systems standalone and disconnected from the network. Problem solved. If only nukes were so easy to stop.
Re: (Score:1)
Fuses? (Score:1)
In electronics and electrical engineering, a fuse is an electrical safety device that operates to provide overcurrent protection of an electrical circuit.
It is a sacrificial device; once a fuse has operated it is an open circuit, it must be replaced or rewired, depending on type.
I have seen equipment fail and not the fuses. It's rare. Technicians jokingly might blame it on Murphy's Law. The circuit will fail to protect the fuse.
I believe that a few good engineers out there try to design to prevent a
Windows (Score:2)
Friends don't let friends use Windows. Not on critical equipment or anything you care about.