Staged Hack Causes Generator to Self-Destruct
An anonymous reader writes "It has been revealed that in a U.S. Department of Homeland Security exercise codenamed 'Aurora' conducted in March of this year, researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator. 'Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment. And the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have made the fix. Industry experts also said the experiment shows large electric systems are vulnerable in ways not previously demonstrated.'"
There is a really simple and quick fix for this problem - don't connect the control equipment to a (public) computer network.
What is more interesting than the fact this was possible is the fact that some numbskull thought it might be a good idea to link critical control systems to a public network. I can see that there is scope for remote control, especially with a nuclear plant, but I hardly think sending the data over the Intertubes is the correct way to do it.
I used to have a better sig but it broke.
I'm no computer security expert but I do know of the world's most unhackable firewall -- it's called a one inch air gap. Put that gap between the network cable and the NIC and nobody is gaining access.
Yes, I know power plants will require some net access for web, email, etc. But the office worker network and the command and control computers and network for the generators should have nothing to do with each other! Separate systems, no network connectivity, the plant software should be operating in a vacuum bubble. The rest of the world should not exist for it, no way, no how. Oh, need to install a patch for the software? After being thoroughly tested and vetted on a proofing system, the software is then installed the old-fashioned way, off of CD-ROMs. Now if someone can fuck with the CD-ROMs, THAT I can understand. I can buy the plausibility of the NSA printer hack, even if it was a hoax. (NSA puts a virus on printers heading to Iraq, takes down their network.) The story about the CIA sabotaging software for equipment the Russians were buying to use in their pipelines is true. These are secure systems completely cut off from external contact that were sabotaged by the insertion of compromised components that were not detected. That makes perfect sense.
It always bothers me when I see movies showing hackers getting into some place and gaining access to files on servers that should never have a connection to the outside world. Then again, maybe I'm giving the fictional sysadmins of the target systems too much credit. Who knows, maybe next week we'll read about some Korean hackers who were able to compromise a Minuteman silo and add it to their botnet.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
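The post above describes the "sneakernet" patch path for an air-gapped control network: vet the software on a proofing system, then carry it across on removable media. The weak point it names is the media itself. The example below is added here and is not code from the thread or from any plant operator; it shows how the vetting side can publish a manifest of file hashes plus an authentication tag, and how the air-gapped side can check the media against that manifest before installing anything. The file names, contents and key are all constructed for the demonstration, and the HMAC tag stands in for a proper offline signature (a keyed MAC is used only to keep the example dependency-free).

```python
import hashlib
import hmac

# Constructed sample: the contents of the vetted patch media, as {path: bytes}.
# On a real system these would be read from the CD-ROM; here they are inline.
VETTED_MEDIA = {
    "patch/ctrl_firmware.bin": b"\x7fELF\x00\x01\x02\x03",  # placeholder bytes
    "patch/README.txt": b"control software update 2.1 (constructed sample)\n",
}
# Assumption: a key that lives only on the proofing system and the plant-side
# verifier, never on the business network. A real deployment would use an
# asymmetric signature so the verifier holds no secret at all.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> bytes:
    """Produced on the proofing system: one line per file, sorted so the
    manifest is deterministic and two runs over the same media compare equal."""
    lines = [f"{sha256_hex(content)}  {path}" for path, content in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def sign_manifest(manifest: bytes, key: bytes) -> str:
    """Authentication tag over the manifest, so an attacker who alters both a
    file and its listed hash still cannot produce a valid manifest."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_media(media_files: dict, manifest: bytes, tag: str, key: bytes) -> list:
    """Run on the air-gapped side before installing. Returns a sorted list of
    problems; an empty list means the media matches what was vetted exactly."""
    # Check the tag first: a manifest that fails authentication tells us nothing.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest tag invalid"]
    expected = {}
    for line in manifest.decode().splitlines():
        digest, path = line.split("  ", 1)
        expected[path] = digest
    problems = []
    for path, digest in expected.items():
        if path not in media_files:
            problems.append(f"missing: {path}")
        elif sha256_hex(media_files[path]) != digest:
            problems.append(f"modified: {path}")
    # Files that were never vetted are as suspicious as modified ones.
    for path in media_files:
        if path not in expected:
            problems.append(f"unexpected: {path}")
    return sorted(problems)


def demo() -> dict:
    """Shows the clean case and three tampering cases side by side."""
    manifest = build_manifest(VETTED_MEDIA)
    tag = sign_manifest(manifest, MANIFEST_KEY)
    tampered = dict(VETTED_MEDIA)
    tampered["patch/ctrl_firmware.bin"] = b"\x7fELF\x00\x01\x02\x04"
    extra = dict(VETTED_MEDIA)
    extra["patch/autorun.inf"] = b"[autorun]\n"
    return {
        "clean": verify_media(VETTED_MEDIA, manifest, tag, MANIFEST_KEY),
        "modified": verify_media(tampered, manifest, tag, MANIFEST_KEY),
        "extra_file": verify_media(extra, manifest, tag, MANIFEST_KEY),
        "bad_tag": verify_media(VETTED_MEDIA, manifest, "0" * 64, MANIFEST_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'OK'}")
```

The manifest and tag travel on the same media as the files, which is fine: tampering with the files without the key breaks the hash check, and tampering with the manifest breaks the tag check. What the check cannot catch is a compromised proofing system, which is exactly the "compromised components that were not detected" scenario the post mentions.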
At least here in the UK, Telemetry and control signals are carried over the National Grid itself, nowadays using an optic fibre that runs alongside the earth wire. Case Study.
I see no reason why all telemetry and control signals should not be carried in narrow- or broadband communications along the power infrastructure itself, and then restricted to a physically separate infrastructure when being processed. Data links to business systems can be provided using a one-way connection (Serial or optical). If you then want to have a real-time billing system, you can join all the business networks up, either along the same fibre-way (atop the pylons), or through the olde-fashioned interweb.
For telemetry, TCP/IP may often be your worst choice, since it has a high latency. If you want to protect your infrastructure from lightning strikes, you need to respond at the speed of light. Literally. Other control signals (demand etc.) may be able to wait a second or two, but you can't afford to risk the kind of packet loss you may receive if the telco or ISP is having a bad day. So all the control stuff will need to be on multiple route-redundant circuits anyway. Note I said circuits - you have to have whole circuits to yourself.
TCP/IP may have been well designed for critical communications networks. But it sure as hell ain't designed for critical real-time communications. Ergo, you have to have a dedicated infrastructure, so there is no excuse for having any connection, even firewalled from t'internet, to the power station control systems.
If you really must share infrastructure, then for pete's sake, use the time-honoured TDM.
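The post above suggests feeding business systems from the control side over a one-way (serial or optical) link. The consequence a practitioner has to design for is that a receiver on such a link can never acknowledge or request a resend, so loss and corruption must be detected (and, where possible, tolerated) by the sender repeating frames and the receiver checking sequence numbers and checksums. The example below is added here and is not code from the thread; the frame layout, the magic marker and the sample readings are all constructed for the demonstration, and the "link" is simulated in memory.

```python
import struct
import zlib

# Constructed frame format: marker, 32-bit sequence number, payload length,
# CRC-32 of the payload, then the payload. Nothing in it is a real standard.
MAGIC = b"TLM1"
HEADER = struct.Struct(">4sIHI")  # 14 bytes


def frame(seq: int, payload: bytes) -> bytes:
    """Sender side: wrap one telemetry record so the receiver can check it
    without ever talking back."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return HEADER.pack(MAGIC, seq, len(payload), crc) + payload


def send_telemetry(readings, repeat: int = 2):
    """Emit every record `repeat` times. On a one-way link redundancy is the
    only way to survive a lost frame, since retransmission on request is
    impossible by construction."""
    for seq, payload in enumerate(readings):
        f = frame(seq, payload)
        for _ in range(repeat):
            yield f


class OneWayReceiver:
    """Business-side receiver. It accepts each sequence number once, ignores the
    redundant copies, flags corrupted frames and records any gaps it sees so an
    operator knows a reading never made it across."""

    def __init__(self):
        self.next_seq = None
        self.records = []
        self.gaps = []         # (first_missing, last_missing) ranges
        self.corrupt = 0
        self.duplicates = 0

    def feed(self, data: bytes) -> bool:
        if len(data) < HEADER.size:
            self.corrupt += 1
            return False
        magic, seq, length, crc = HEADER.unpack_from(data)
        payload = data[HEADER.size:]
        if magic != MAGIC or len(payload) != length or (zlib.crc32(payload) & 0xFFFFFFFF) != crc:
            self.corrupt += 1
            return False
        if self.next_seq is not None:
            if seq < self.next_seq:
                self.duplicates += 1   # a repeat of something already accepted
                return False
            if seq > self.next_seq:
                self.gaps.append((self.next_seq, seq - 1))
        self.next_seq = seq + 1
        self.records.append(payload)
        return True


def simulate(readings, drop=(), corrupt=()) -> OneWayReceiver:
    """Push the sender's frames through a simulated lossy/noisy link: frames at
    the indices in `drop` vanish, frames at the indices in `corrupt` get one
    payload byte flipped. Returns the receiver for inspection."""
    rx = OneWayReceiver()
    for i, f in enumerate(send_telemetry(readings)):
        if i in drop:
            continue
        if i in corrupt:
            f = f[:-1] + bytes([f[-1] ^ 0xFF])
        rx.feed(f)
    return rx


# Constructed sample readings; real ones would come from the plant historian.
SAMPLE = [b"gen1 freq=50.01", b"gen1 freq=49.98", b"gen1 freq=50.00"]

if __name__ == "__main__":
    rx = simulate(SAMPLE, drop={2, 3})
    print(len(rx.records), "records, gaps:", rx.gaps, "dups:", rx.duplicates)
```

With `repeat=2` the sender produces six frames for three readings. Losing one copy of a reading costs nothing; losing both copies shows up as a gap in the receiver's log rather than silently missing data, and a bit flip is caught by the CRC rather than being booked as a reading.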