Slashdot Mirror
CIA Claims Cyber Attackers Blacked Out Cities
Dotnaught writes to tell us InformationWeek is reporting that the CIA admitted today that recent power outages in multiple cities outside the United States are the result of cyberattacks. "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
Am I the only one that thinks thats a really stupid thing to do?
... for US Federal elections. Coincidence?
a thinly-veiled excuse to get all george orwell up in your internets. this is the same CIA that found weapons of mass destruction in iraq...
Is there really any excuse of convenience that justifies connecting the nations major utilities to the internet?
At least if there is a firesale Justin Long and Bruce Willis will be there to save us. Coincidence that Mac Guy would be the one to save us? I think not.
I actually did skim the article, but I didn't see anything pertaining to when these attacks/outages happened or where (other than outside the US). Does anyone have an idea about what power outages they are refering to?
Every time you post an article on Slashdot, I kill a server. Think of the servers!
It sounds like an excuse that some would use to nationalize certain industries.
My Sysadmin Blog
There is no better security than just not being connected, end of story.
Where does this idea that every computer that exists must be plugged into the net come from?
Gone!
Tell that to the guys at Blackwater. 100% private army? No thank you. I've heard all sorts of stories where private soldiers in Iraq murder someone, then are quickly spirited out of the country and never prosecuted. The Army may screw up but at least (in theory...) the president can ultimately be held accountable.
Now add the fact that the US Director of National Intelligence has indicated that he wants to obtain the ability to monitor all Internet traffic data:
Contrast this with a second Ars article from yesterday, where the US Federal Energy Regulation Commission has just approved new security regulations for the organizations (mostly private) that run the US electrical grid. Rather than blaming evil foreign hackers, Ars reports that:
This all just sounds like an excuse to install packet loggers everywhere.
(And it's not just the US authorities who want to lock down and control the Internet; the UK also recently indicated a desire to install censorship devices at the ISP level. Good luck with that.)
If anyone believes anything that the CIA tells you then I fear for the future of the human race. It sounds like another political hobgoblin created to add to the never ending list of hobgoblins that is being created nowadays. I am just waiting for the next opportune announcement that provides the next lame excuse to invade another country and commit another round of genocide. 'Intelligence' Agency? A contradiction in terms.
So a power grid is not going to be isolated from the internet? Come on. This is just so ridiculous it sounds like another story to make people afraid... to get more money and power.
I thought the exact same thing. I'm no expert on power grids and how they're managed, but I think there are two possible reasons why their control systems were hooked up to the Internet:
1. There may be situations where the systems need to be remotely administered, and using the Internet is a much, much cheaper way to facilitate this than deploying a completely private network infrastructure just for this purpose, which probably isn't very practical (for both physical and financial reasons).
2. pr0n browsing.
Quick, somebody call Jack Bauer, he'll know what to do!
You must have clicked the box: "Always trust news from CIA"
I call BS on this one. I was in the US just two weeks ago. The airport was at security level 4 out of 5. I asked an officer what the threat was, and he told me that in the four years that he had been working there, the threat level had not budged from level 4. That means that there are effectively only two levels of threat: 4 and 5. This also means that the officers are authorized to perform 'checks' and other violations of the rights that I know Americans used to hold dear. This is a temporary situation, I understand, however the temporary situation has been in effect for over four years it seems! I believe that the CIA 'admitting' that the power outages are attacks are a way to drum up public support for more 'checks' and ways to survey the public. If they were real attacks then I doubt the CIA would make that public. I also doubt that the CIA would be the agency to do make that public. I don't subscribe to the many conspiracy theories that populate Reddit, but from the little that I did see in the US in the three days that I was there, things have changed since 1999 (last time I was there). People are now scared. People _want_ their government to invade their lives. That is scary. I was thinking of Winston Smith the whole time.
It is dangerous to be right when the government is wrong.
That's ridiculous. Power and services don't just suddenly cu
Table-ized A.I.
That is the governments fault, not the fault of blackwater (as an organization). It's up the government if they should be prosecuted, but instead they spirited out of the country, by the government.
They basically have a free pass. Hold them to the exact same laws that our military personnel are held to. See how fast they shape up.
Aside from that, I do believe that utilities should be privately controlled.
Gone!
Indeed. Nature also produces nasty things like cyanide and strychnine, so the OP's argument is even more insane, even disregarding the smoking bit.
That's why they invented out-of-band management tools long, long ago.
Given the nature of how the internet works, having a dial-up line to a management console (who then requires authentication) is much better for OOB management than using the Internet.
Jeroen Ruigrok/Asmodai
what about eating :P
Individual production with such a backbone in place for backup instead of primary supplier would be far more secure and with renewable electrical generation it would be greener too. Selling excess to the grid distributors however has the potential to bring back the family farm, reduce city costs of dealing with wastes and so on.
IANEE, IANME, nor an English major as you probably already guessed from the weak sentence structure.
I was looking at this in Firehouse. It's interesting. But I wonder are our utilities set up in the same fashion? ie are our utilities hooked to the 'net? I'm fairly certain the answer is yes. as I can recall reading articles years ago which talked about this very thing. But I would like to know for sure, because aside from billing what business does a utility have conntecting critical infrastructure to the internet at large? I mean I understand billing... but that should be wholly separate from critical networks, and as a government granted monopoly they can easily raise the funds needed to run a fully separate network for whatever mission critical needs they may have.
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
You're absolutely correct. Remote administration is the way to go. Until the power goes out, in which case it's a holiday for the workers.
Am I the only one that thinks thats a really stupid thing to do?
It takes only a single breach. The story mentioned it may be an inside job, which means somebody may have put a single little link between the two systems, breaking the separation.
Table-ized A.I.
Yeah, something like Enron could never happen in the private sector.
Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
You can mismanage FEMA and let a major turn back into a swamp
There fixed that for ye.
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
What is firehouse?
Yes but that does not mean nature has not put in place mechanisms for dealing with particulate inhalation. Granted we probably over doing what our bodies can handle by many times over. The fact of the matter saying smoke inhalation is completely unnatural 'or the opposite of nature' is a little short sighted, yo.
That being said one can always make use of marijuana in other more controlled ways.
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
haha, I knew someone was going to say that..
Do you honestly know anyone that eats it? I know plenty of pot users and none eat it, except for one that swallowed a bit so customs wouldn't catch him. That was a good while ago though.
Gone!
Wardialers are to OOB management as portscanners are to internet-connected management.
Presuming that InformationWeek had their typical lame coverage here, a quick search found a much better article about this at Forbes (they even know to ask Bruce Schneier about it!) where they link to a nice background article about these SCADA systems.
1. There may be situations where the systems need to be remotely administered, and using the Internet is a much, much cheaper way to facilitate this than deploying a completely private network infrastructure just for this purpose, which probably isn't very practical (for both physical and financial reasons).
2. pr0n browsing. Actually here in Australia, the power generation company (at least in my state) does have it's own control network. It used to be Copper, but a while back they replaced it with fibre. They ended up with so much excess bandwidth that they wholesale it to companies. I assume they have their fibres separated from everyone else's.
Option 2 may cut into their profits a bit though
I haven't read TFA yet, but an attack from the Internet should *never* happen to something as important as this.
Where I work, we have an In-Confidence network and some Protected stuff. Each level is ONLY allowed to connect to ONE level lower and then only via approved security mechanisms. So the In-Confidence can access the (Unclassified) Internet, but the Protected stuff can't talk to the Internet at all. Actually in our case we don't bother connecting the Protected stuff even to our In-Confidence network.
I would assume a power control system would be much higher security than In-Confidence (that's pretty low - any decent business should be at least that level in reality), and thus not allowed to talk to the Unclassified Internet.
This of course is for Government networks. The US power companies (as are most in Australia) are privately owned, so they don't have to worry about such trivial things as security rules.
On a side note, I'm constantly amazed at the expectation of vendors and PHBs that we will automatically open up our network so that some stray vendor can remotely debug their dodgy application. Yea sure, we'll let you in from your totally unknown network that has only knows what security holes and stuff going on inside it to access our server(s) with elevated privileges. Especially when everyone working in our IT department has gone through a security clearance, and they have whoever they snagged off the street.
Actually I've just had a look at TFA, and it doesn't have any sort of details on what / where (not USA) / when (well vaguely - recently) / why (profit ???) / how these attacks occurred.
Ever stop to think
I'm not sure which is worse -- the paranoia about the CIA or your seemingly unsarcastic gratitude that the UK government would never pull an intelligence caper.
I'm not saying this is a dupe, but I have the weirdest feeling that I've read this same summary with the same comments, even, a few years ago.
My dad is an engineer working for a power company. Whenever this topic comes up he normally just shrugs and says won't work or that it isn't as green as you think it would be. First of all not every home has the ability to produce power by solar, wind, or other means. Of course in some areas like AZ it would have a good chance of working but then you have to consider the second point. To produce solar panels or wind turbines one must exert energy and also cause pollution. Santa Claus does not deliver them magically. Of course once a framework of solar or wind power is created the energy cost is not longer as much of a factor. The pollution however could very well be. To make solar panels involves complex chemicals and is usually based off of petroleum products. While the pollutants from making solar panels are not necessarily released into the air, they could very well be worse for the environment then that of gas or oil fired plants. Of course I have not made any study into this claim, but I ask people who are very strongly in support of solar power about it. Most of them don't even realize that in order to make the solar panels some factory somehwere has to make pollutants. I guess since they can't see the pollutants at their house it doesn't matter to them. Additionally I would be willing to bet that the pollution control on electrical generating plants is of a much higher degree than that of the solar or wind turbine producing factory. So while I don't know the exact facts I don't just blindly say that hey solar and wind power is green. You got to get that solar panel or wind turbine from somewhere. I hope that solar and wind power can become dominant not because of the environmental side, but because the oil supply will someday run out and I don't like being dependent on foreign nations for oil. As to your schema it would be more effective to have a couple more smaller plants and more redundant wiring. Of course the problem is cost and until it makes financial sense or the government forces them to, the power companies won't be over concerned about rare power outages. And as for the topic, stupid companies that are not secure from external threats over the internet are just that stupid. There are many ways to stop this and it has nothing to do with the structure or the grid, just from lazy management or IT.
everything I said is hearsay and might be wrong from bad memory, but I do know that somebody who knows about this stuff says it isn't all its cracked up to be.
I'm risking getting OT here, and I love to bash Bush as much as the next guy (trust me on that), but you must be more nuts than me (see any of my previous posts to calibrate your nut-meter) to believe that mismanagement of FEMA was in any way related to the levies in New Orleans breaking.
Just callin' it like I see it.
This information was released at a major security conference. If they wanted to just scare everyone they would have released this info more directly to the public rather than at a meeting of specialists who could see through a line of BS. And if they were really going for the fear factor they'd leak this on a monday or tuesday morning, not at 6pm on the friday before a long weekend. It sounds to me like they want to diminish any possible panic, not amp it up. Notice they're not blaming terrorists or enemies either; the strong implication is organized crime with some kind of inside connections. I tend to be pretty skeptical of CIA but based on the little info that is here I'm guessing they're not making this up, and they probably are hoping that letting people know who are responsible for computer security at more localized levels will make it more likely for them to trace the perps.
This ain't Whiz Kids people, everything isn't connected, hackable, and DoS-able - and since when does the CIA say anything, much less in a press release? This is plain old simple psy-ops on dummmy Americans, who will say, "Yes, something must be done...for the children...", and then we'll all have a bunch more bullshit internet 'enhancing', privacy 'upholding', aptly named laws like the JESUS WRAPPED IN A FLAG Act.
Dear CIA, If you're so concerned, go unplug the router, and don't waste your breath and insult the intelligence of 14 year olds with your 'teh Chinas hackin teh Gibson!' line of crap.
Just callin' it like I see it.
LA has been getting them over the past few weeks pretty regularly. Entire sections of Hollywood down for several hours at a time (maybe a dozen blocks at a time), and then a couple days later it will be a section starting a few blocks away. Seems to have stopped a couple weeks ago (or was it last week?) But of course I can't tell, I haven't been driving up and down LA to check if it's still happening. But it seemed really weird and random, and the cops were not directing traffic right away (which suggests they were caught off-guard); after a while there were electrician types in groups at certain corners digging through wiring or whatever and looking confused. I noticed it 2 or three times at night, and then it hit my neighborhood in the afternoon on a weekend.
Hah! I knew it!
People in Zimbabwe are blaming chronic economic mismanagement and a system of rampant cronyism and nepotism whereby Government parastatial utilities and other property, mines and industries are allocated to ruling party supporters.
Fools! It is obviously the work of the former colonial masters using cyber-criminals in there desperate efforts to unseat his Excellency President-for-Life Robert Gabriel Mugabe!
(Power cuts are endemic in Zimbabwe)
"I'm a snake if we disagree"-Jethro Tull, Bungle in the Jungle
Sheesh, evil *and* a jerk. -- Jade
Of course you've nailed it on the head. It so some moron engineer manager can check the status on his laptop at home and then tweak something he doesn't need to tweak remotely. I bet it looks cool, too.
Why not let the status report over the internet but have some kind of private connection standard to tweak in emergency? I guess it just wouldn't do to have to call the plant operators. But come on, man. This could be a 2400 baud completely original modem that you can dial from your cell phone, but only works with its own archaic system. Even that's risky.
There is always a balance between cost and protection and it's easy to cut back the costs, since the risks are very hard to weigh. Many companies calculates with a certain amount of downtime caused by "unforseen" events. What's in this category also depends on the amount of money put into the security bag. They are just comparing the agreements with their customers and the cost for protection and are figuring out that "OK, we can allow to have a day or more downtime without violating our customer agreements".
It's all about money, but sometimes you may think that there are people as mean as Marwin Meathead.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
WHICH bloody cities???
And if MS Windows is involved, then it escalates to willful negligence.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
From some articles it seems that the affected cities are from Central and South America, including some in Mexico.
Neither the public nor the private sector will punish an employee for an act the lead approves of (well, there may be PR firings but nothing serious). A corporation wouldn't fire anyone for killing thousands if that killing was in the intent of the leadership (of course few corps have the power to actually wage war but if you gave it to them you'd see the same or even worse wars). Do you think MS fired anyone over all those antitrust violations they've been racking up lately? Illegal or immoral does not equal unwanted.
Besides, those inaccurate voting machines were made by the private sector and Diebold didn't fire the responsible people either, instead they're continuing with the machines and try to make as many people use them as they can
Justice is the sheep getting arrested while an impartial judge declares the vote void.
You've got it backwards. In a real democracy, there are repercussions for fucking up. Most obvious, you don't get re-elected. In the private industry, there's jack shit people can do. As long as a company makes money, all's good for them - even if they make money at the expense of the public good.
Wars don't get started for political reasons, but for economic reasons.
But then, I think your post was meant to be ironic, anyway.
Does anyone remember the issues the NWS forecasting website was having the other day? I had thought it said something about server problems due to ice.I wish I remembered it the situation more clearly.
This is another brick in the case the feds have been building to justify ballooning budgets for cyber-defense operations. Conveniently, increasing 'cyber defense' also grants the feds more abilities to inspect civilian communications, etc. Meanwhile, they ignore the meatspace threat of people physically attacking power centers. Increasing budgets for staffing people protecting physical power transmission doesn't get the feds anywhere they want to go.
If some foreign entity wanted to wreak havoc on America's power grid, they could simply deploy agents with
Seth
$5 / month hosted VPS on linux = awesome!
I really liked the last paragraph in the article:
Windows + wifi + scada + power_grid = fun_and_games
Bitter and proud of it.
You a little biased in your rant there. First, no matter what the politician wanted, it took an act of congress to get us into that war. Second, the levies and resulting flood had nothing to do with FEMA. It had more to do with corupt state and local authorities funneling funding for the levies to bonus projects to fund their buddies who got them elected. And even without that, it wasn't FEMA's job to do anything about the flooding, they are supposed to tend to the people afterwards. You can say that was all fucked up and I can show you where it really wasn't their fault either but that point is mute.
Finally, you do realize that there is no standards for voting machines outside a state level right? All machines are entirely up to the states to approve, acquire and do anything with. how and where you vote is outside the scope of the federal government. The reason why no one is being held accountable is because no one knew how insecure they were or believed that they actually posed a threat.
As for the private sector, it really isn't that much different within the same context. You really have to break a law or screw something up so bad that it hits the backbone of the country in order to fear loosing your job over it and seeing a serious punishment. Nothing you have mentioned, when you take the Biased I have that side of politics out of it and look at the facts, would warrant someone getting fired.
You can mismanage FEMA and let a major city turn back into a swamp
The, fixed it for you. Oh the irony.
You just got troll'd!
You advocacy of marijuana puts your sig into an enlightening perspective.
Two words for ya, Hash brownies! Nuff said.
Actually I've just had a look at TFA, and it doesn't have any sort of details on what / where (not USA) / when (well vaguely - recently) / why (profit ???) / how these attacks occurred.
Think psychological engineering – spread some information (valid or not is irrelevant) to raise level of consciousness among the sheeple. Start with those who, on average, are better informed. Wait for diffusion of information, then focus in on homeland security in order to justify this or that.
CC.
TaijiQuan (Huang, 5 loosenings)
Haven't these people heard of uninterruptible power supplies?
Iraq is dying down now. We're NEVER going to find Osama. People have grown used to the middle east kicking the shit out of each other, we're not exactly frightened or interested anymore.
Of COURSE there's a new Ultimate evil in the World, how else is the US government going to control you?
One more thing.
You Americans spend your entire time bitching and moaning about abuses of power, yet how could you fail to see it coming? The new laws were well documented.
You complain non stop about the president, he's a joke worldwide, yet you gave him a second term.
You claim to hate big oil, yet you buy more and more SUVs.
Almost every negative American stereotype that you deny, you perpetuate.
Then you wonder why they talk about Western Hypocrisy.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
It was mismanagement of a bunch of other stuff that led to the infrastructure failure in New Orleans, but it was the screwing up of FEMA by Shrub's (mis)administration that resulted in their inexcusably slow, poor, and totally inadequate response to the emergency caused by that infrastructure failure.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
My developers gave up on that a long time ago. Now, whenever the end user asks for live assistance, or in any one of a number of error conditions, we spawn off an ssh tunnel from the customer site to our mothership server, send the error/status report, and leave the thing open for three days.
Yeah, we snag customer care techs off the street, it's true. But your security-cleared IT personnel install whatever we ship as root if we tell them too in the readme. I'm not trying to scare or insult you or act macho. It's pathetic that we could arrange to expose the networks of dozens of Fortune 500 companies. But realistically, if someone calls up and can't figure out what our software did with their tax information, it's a lot quicker to tunnel in and look at the logs than it is to walk them through the myriad of possibilities on the phone.
Please find a dictionary or online equivalent and look up the words "mute" and "moot".
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Actually, the original post was a clip from a SANS NewsBites email. While it did come out on Friday, the main announcement was probably sometime during the week.
At least, if you believe all the historical documents on video about it.
/See you in Mexico!
The par they always leave out of the historical video documents, is that Skynet as an infant, needs to play to learn like any other sentient being does.
Be worried when it STOPS playing and you don't notice anything for a while.
FUD FUD FUD FUD
Did UPSes and generators just cease to exist? Did physics suddenly change and stop batteries from working?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Are you implying Bush got reelected?
Actually, I think it's true that people in the private sector are more likely to be held responsible for their misdeeds than those in government.
Any time a Senator says "god bless our contractors" a lawyer gets his horns and pitchfork.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The US is a republic, period, end of story. It always has been made QUITE CLEAR.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
What the hell is the control systems like this doing online in the first place?
---- Booth was a patriot ----
No you are not, unfortunately most management at places like that are so incredibly stupid they ignore warnings about that and want it online anyways.
Hell Most water filtration plants are that way. Instead of an inconvenience of power out, those can kill the population. And yes I know what I am talking about I worked as an operator in one for 7 years.
SCADA systems have no reason being connected to any network other than their own secure one. It is gross incompetence on the management of those facilities that cause them to be interconnected to the company network and then the internet.
Finally SCADA control systems are incredibly poorly written as well, Most use a simple scripting language and are incredibly hokey. They spend most of their time and resources on makeing sure you cant copy it and run it than real security and stability. Most operation stations need rebooting on a regular basis. Thank GOD the controllers can usually run on their own (Allen Bradley PLC's with some proper programming in them.) and keep things working fine during the reboots. Oh and every single SCADA setup I have found has a major security hole in them. ONE of the workstations will be running the developer version with the developer key installed. Changes on that station propagate to the other stations, so access that one and make a control system change and you get them all to change. It's because the companies that install SCADA systems are trying to save you money by letting you operate on the developer key. Save $1600.00 and lose a giant chunk of what little security the system had.
Do not look at laser with remaining good eye.
Its a power station, lol. If the power goes down they send someone to fix it. immediately.
------
beware he who would deny you access to information, for in his mind he dreams himself your master
I didn't mean that, I mean in the case of blackwater, the government is the one responsible for prosecuting them since they are operating under contract with them.
Gone!
"We have information", "We suspect, but cannot confirm", "We do not know who executed these attacks or why", "other information related to the attack was not mentioned and is unlikely to be forthcoming". WTF? I suspect but cannot confirm that this is complete bullshit. I do not know who invented this bullshit or why. I will not mention other information related to this bullshit and it is unlikely to be forthcoming.
I remember that once just as I was about to click submit on one of my slashdot posts, the power went out, not just in my house but the whole North-East power-grid went down and for 3 days. Most of the last-mile sides of the internet fell flat on their faces, no cable modem from Comcast! The only thing that stayed up was the telephone.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Am I the only one who assumes that parent thinks that as a result of such attack cyberterrorist will lose his access to the internet or won't be able to complete the attack because the target will lose its internet connection?
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
Not always. If the system's not on the internet until the bad actor deliberately makes a link for the purpose of sabotage, it is then only sabotage.
why?
They should be on their own darknet. Perhaps through POWERLINES?
These industries are stupid. And why should we believe anything the CIA says?
They're using their grammar skills there.
Last time I had a cable modem and a power outage at the same time, the cable stayed on for about two hours and then went out. Of course, DSL is still up at times like these! And so is satellite, so is cellular. The telco has enough batteries to run the POTS network for a good long time, and probably enough generator to run it at full capacity in most cases.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The, fixed it for you. Oh the irony.
There, fixed it for you. Oh the irony.
irony++
Damn skippy. When I worked as a SCADA dev, we had one (1) machine connected to the internet, in a locked room. If you wanted to move something from there to a machine on the LAN, you did it by burning CDs, and the culture (rather than just the 'procedures') was genuinely against installing anything that wasn't absolutely necessary. Nobody outside of IT had admin access to their desktops.
That was our dev house procedures though. As you say, it all falls apart on the production systems. Once customers started using commodity Windows boxes, it was all over. We found one production box where the night watchman had hacksawed off the padlock on the back, opened it up and installed a sound card so that he could play games on it, presumably by plugging an optical drive in for the duration. It was pwoned by his warez and needed a brain wipe. Quis custodiet ipsos custodes?
If you were blocking sigs, you wouldn't have to read this.
And there were weapons of mass destruction in Iraq.
If the system's not on the internet until the bad actor deliberately makes a link for the purpose of sabotage, it is then only sabotage.
It it was that trivial for someone to hook it up to the Internet then the system design was probably bad in the first place.
They're not all hooked into the Internet. However, the command and control centers for a lot of these
utilities ARE all pretty much hooked into the Internet- and if the substations and plants aren't on
the Internet, with the poor security planning and even poorer design of the SCADA systems as a whole,
they might as well be all on it hot without even a firewall to hope to protect them.
But, you're definitely not alone in your thinking. Not by a longshot.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Isn't it, though?
But who's having the fun and games at WHOSE expense, hm?
The CIA wasn't kidding when they released the info. I'm surprised it's come out this soon
because there's no good answers in sight for at least 6-12 or more months. It's much worse
than the Y2K story- and it only became a fizzle because of some serious efforts on the
parts of people to catch most of the issues.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Am I the only one who stops reading a post as soon as there's an egregious grammatical error like that? It really undermines the credibility of someone trying to sound intelligent.
Do not fold, spindle or mutilate.
Sure it's a republic, as opposed to a monarchy.
But it's also a democracy, as opposed to a dictatorship.
More precisely, it's a representative democracy, as opposed to a direct democracy.
Republic means that it's not led by a hereditary monarch — as opposed to a monarchy where there is a hereditary monarch.
Democracy means that the people of the country either make the laws and the government decisions, or elect representatives who make the laws and the government decisions — as opposed to a dictatorship where the people have no say (or have practically no say).
Representative democracy means that you vote for representatives who make the laws and govern — as opposed to direct democracy where the people make the laws and/or govern.
It's abundantly clear that the US is a republic and a representative democracy.
It's a weak democracy, since it's a two-party system where it's mathematically extremely difficult for any but the two ruling parties to come to power, but that only makes it weak, it's still a democracy.
Why do some people get this weird illusion that republics are not democracies? Are you under the impression that Britain having a queen makes it more democratic than the US? Or do you give these words completely different meanings?
I find it unsettling and worrying that some people are so badly informed about something so very important. The school system must be terribly bad in your country.
Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
Sure. But once the Internet gets its claws into a system, it's impossible to make it let go. The system users are infected by the Internet, and no matter how much the admins do to disconnect the system, the users will find a way to reconnect. The Department of Defense has spent years trying to separate their secure networks from the Internet, but there are still people emailing secure documents to their Hotmail account so they can work on it at home.
Les Miserables Volume 1 now up with my reading of
Are you implying he didn't?
Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
Making it difficult for a trusted saboteur to do so is quite difficult. To keep costs and reliability reasonable, you have to use standard equipment and protocols, which means it can be connected to the Internet. Even if you aren't supposed to have an Internet connection in the same building, a saboteur could arrange one -- or even just a dialup connection.
Even in a facility designed to be secure, a saboteur could do it. Sure, he's going to have to run cables through a wall to do it, but assuming he's in IT, that's not too hard.
Lol actually yeah I do (people who are adamantly against smoking but still use weed) but I was also just saying it jokingly :) Also some people who just want to mix it up. Pot cookies for example, and the person who doesn't smoke makes pot quiche O_O I agree with you though, smoking is bad. Plus there's vaporization as well. That's not cheap or natural, but it's not unhealthy either.
and what cities are they talking about?
I tried looking for those cities, but found nothing.
Don't fight for your country, if your country does not fight for you.
Let's go one stage further and call it what it most likely is: another CIA false flag operation.
...and why no thinkofthechildren tag?
I come here for the love
I'm not sure if you're joking there - if you are, well done, you got me.
Otherwise, do you your customers know about this, if not I imagine you could be sued for penetrating their network without permission. How hard is it to provide the option to open a tunnel for you, if the customer asks you to, and until they ask you to stop. I'd be furious if I found out the developers of some random application are connecting my network to some random server on the Internet, which may or may not be secured.
If you're spending hundreds of millions of dollars for a spiffy new power plant, you can afford to hook up all the plants in your region with a private network. It'd actually be pretty cheap if you did it with frame relay.
I'd go so far as to have two separate networks in the plant and block any unknown MAC that plugs into the control network.
One blackout, and you've probably paid for the whole setup for quite some time.
It's mystifying to me that people who plan these things don't think that way. I having a kind of optimistic blindness to potential disasters makes playing around with hundreds of millions of dollars of investment a bit less nerve wracking.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
We are into lying, like, you know... BIG TIME!
We also have secret wars, illegal financing, blackmail, brainwashing, manipulation of the press, assassination, extra-judicial surveillance, detention and punishment. What'd I leave out? Oh, yeah! "Harsh Interrogation". That's just "torture" between us. But I digress. The mainline business is lying - it's like the life-blood of the other operations.
Now trust us on this one: The Internet is extremely dangerous.
Really. You'll have to get on board with us over this one, as we begin to curtail the Internet. I know it's a useful tool for communication. But we'll all have to live with censorship, spying and blockage, to stop an Internet 9/11.
It is most important that you associate political speech and action on the Internet with suspicious motive - even with predilection for terror. We will develop this theme over the next few years, so stay tuned - and stay safe.
Trust us. Would we lie to you?
"Flyin' in just a sweet place,
Never been known to fail..."
I took Econ with a couple guys from DTE's Belle River Power Plant and they told me that 2 out of 3 shifts normally there are only two or three people on site, everything is automated; so there may not be anybody to call.
Apocalypse Cancelled, Sorry, No Ticket Refunds
so if your PHB clicked the button as instructed and entered in the password as given by the help-desk and the application tunneled out instead would that be OK?
Apocalypse Cancelled, Sorry, No Ticket Refunds
The predictable response class, however else you may think of it, actually categorizes as "believing the information out of hand".
The other response is watched more closely for various reasons: to see who's missing screws or needs to be portrayed as such; to see who has anti-U.S. agendas or needs to be accused of such; conversely, to see whether any Americans are intelligent enough to "get it" (the intelligence game or information commodities manipulation), or, to see whether they've made any internal errors of estimation or accuracy.
That's just how the statements are analysed. As for motivation, sometimes these statements are provided to sort of "poke" the public and instigate certain beliefs to become more widely held (or more widely dismissed), and sometimes these statements are released as a form of "noise", or what some people mistakenly refer to as "smokescreening". In an actual smokescreen, some information is used to either obliterate the immediate availability of some other information or draw attention away from it. In the use of "noise", some information is important enough to covert yet valuable enough to keep on the information market, so instead of the information being occluded, it's obscured instead by means of flooding the market with information that's similarly themed (or even just similarly spelled).
So if you, say, go on about the public statement as if it's truthful, or possessed of a genuine concern for the American public's mental and emotional well-being, then you are definitely missing half the truth but might be missing all of it (depending on the motivation).
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Sometimes the hardest part of being the Mayor is recognizing when the village idiot has his flash of genius.
Apocalypse Cancelled, Sorry, No Ticket Refunds
You'll probably be modded down for being so angry but this is as good a spot as any to talk about 9-11 related movies:
"loose change"
http://www.youtube.com/watch?v=7E3oIbO0AWE
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Yeah, the naming of the cities is really interesting;
...
Since I was at the SANS Scada conference in NewOrleans and heard the Analyst's presentation.
He did not give out any information on what cities were hit, hell even what continent they were on.
When asked a question about verifying the data he replied
" What ? don't you trust the CIA ? "
The cyber-attacks were the result of cyber-intrusions conducted by cyber-hacker cyber-criminals intent on causing cyber-damage. When caught they will be elligable for cyber-representation by cyber-lawyers for cyber-prosecution. Unfortunately said attorneys will be unable to practice cyberlaw due to the cyber-trademark registered by cyber-lawyer Eric Menhart.
Cyber-lame.
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
This past week I participated in a CyberWarfare table-top exercise being run by DHS and the state government. Our state currently has no policies in place (nor do most other states) and this exercise was a starting point. I found the timing of this particular news item quite fascinating, in that respect.
I'll have to say, I came out with a lot more respect for our utilities after the exercise than when I went in. The utility sysadmin was sitting at the table with me, and his comments gave me every impression that he was quite competent. At least in our state, the SCADA systems are not hanging directly on the internet on upatched Win95 boxes, or anything even close. Nearly all of the SCADA is on private network, and the rest is on leased lines. All of their ICCP (The protocol different utilities use to trade information with each other - really the glue that holds the grid together.) is behind firewalls, and the guy appears to have a basic understanding of the security of all the guys he has to connect to with ICCP, as well as the inherent security aspects of ICCP, itself.
He did speak of visiting another utility, some time back. That utility had been advised to run their ICCP connections through a firewall, so they did. The ethernet cable came into a hole on one side of the firewall box, and that same cable came out through a hole on another side. There! The connection went through a firewall!
As for the table-top exercise, it was quite an interesting thing to participate in. I hope to see what results from having done it.
Though you were modded down for flaimbait, probably because you came across as overly aggressive, you hit the nail on the head. The CIA has often made claims that turn out to be false, but at least they just trade in disinformation; the FBI actually harms Americans directly and confrontationally.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
I don't know where the hell you got that from, but, dammit, that's my new sig.
Do not fold, spindle or mutilate.
Uh... what was that recent story about the phone companies and their having to replace 17,000+ batteries. Maybe they won't have the batteries around when the lights go out.
CUR ALLOC 20195.....5804M
Suki! It's bedtime, turn off the lights!
Yes mommy!......*CLACK*
That story was about the AT&T U-verse product, AT&Ts version of TV and high speed Internet. The batteries are located in cabinets outdoors usually close to roads. This isn't a traditional switching office backup system. The would also fail if a vehicle accident took it out.
http://www.informationweek.com/news/showArticle.jhtml?articleID=205801087
He may not even have to run cables through walls:
http://images.google.com/images?hl=en&q=external+USB+wireless+modem">External USB wireless modems that use the cell-phone network
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
One doesn't have to believe in extreme conspiracy theories to smell fear mongering.
Non specific stories like these are not credible. Pity so many people just accept them with no critical thought.
Yep. Hackers will be completely foiled by the obscure method of having to dial up a modem. Only RFC 1149 would provide better security.
I have the logs here to prove it. Still, I seem to have it under control.
That's a funny conception of sovereignty you've got there. Simply, these mercenaries that commit crime in Iraqs jurisdiction should face their laws, their courts unless they say otherwise.
between not wanting to give the "T3RR0R K1DD13Z" any ideas if they haven't already got them, and feeling a need to dope-slap the unimaginative slobs who vote. Fact is, there are so many cheap and easy ways to damage the electrical grid that we can't possibly protect it from sabotage in a remotely cost-effective way.
Thats a good point actually.
Either way, they shouldn't get immunity.
Gone!
I've also gotten the impression that this is something that the CIA themselves may have done on other occasions.
Apocalypse Cancelled, Sorry, No Ticket Refunds
I could see maybe having a website that reported the plant status, or a java applet that displayed in real time, so he could call them on the phone for a talk but I don't think any plant operator would stand for someone off-site changing the operating parameters of a multi-billion dollar power-station he was legally responsible for.
Apocalypse Cancelled, Sorry, No Ticket Refunds
You misspelled "elected".
I don't know either, but it's not original; it does tend to cause one to be a little less likely to engage ad hominem attacks.
Apocalypse Cancelled, Sorry, No Ticket Refunds
I think your wrong, I think the CIA didn't do it, and they know the KGB and the Brits and the Israelis didn't do it and they are a little freaked out about it. If they could point a finger at the Russian Mafia, or the Arab Terrorists, or any of the other usual unfriendly operators, they'd be signing it from the roof tops. They don't have a clue and are worried.
Apocalypse Cancelled, Sorry, No Ticket Refunds
The distinction between how the head of state is chosen and who wields ultimate political power seems to be beyond a lot of people. As does the distinction between an economic systems and political systems.
For example, in certain countries it seems to be widely believed that socialism implies a dictatorship.
"This of course is for Government networks. The US power companies (as are most in Australia) are privately owned, so they don't have to worry about such trivial things as security rules." WRONG! Ever heard of FERC? or NERC? I work as an engineer for a utility and can say, actually about the only thing I will say, is we have very strict guidelines we have to follow. Page after page of them. This goes for anyone putting andthing on the grid... be it generation or transmission/distribution.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
'One power outage' (not necessarily a city wide blackout).
'Cyber intrusions into utilities' (not necessarily control systems, just typical desktops).
'Cyberattacks have been used to disrupt power equipment. (not power stations, just some remote administered generators somewhere).
'The disruption caused a power outage affecting multiple cities (a single power outage affecting two cities in what way?)
So I read that to mean, that an ISPs electrical supply and back up generators (remote administered) were attacked and people from many cities were not able to use the ISP's services, and not that remote control was gained over an unnamed power station and many large unnamed cities suffered a blackout as a result.
So, yeah, internet evil, everybody guilty, must be watched, must be probed, need more money and power(sic) now.
Unless of course they are talking about the ineptitude of the US military and their inability to manage the Iraqi electrical supply (oh yeah, that's somebody else's fault).
Chaos - everything, everywhere, everywhen
Yup, you have to admit that there has been a whole lot of bullshit thrown around regarding terrorism and security. I have to wonder what this red herring is meant to distract us from noticing.
What with ReadID being rammed down our throats, it's just a matter of time before we all get chipped.
I have mod points. The reign of terror begins now.
It is no coincidence that Tom Donahue released this information during a SANS security conference in New Orleans. Demonstrating the legitimacy of SANS relationship with the CIA.
Do I remember something about the screw-ups at a few major banks and brokerages getting some very nice severance packages for their mis-deeds? Seems like either way we have been had!
For checking status, there's no need to be connected directly to the internet. Have the internal computer network pipe status signals via an omni-directional serial cable to an Internet-connected server that outputs status and pretty graphs. Hell, if you wanted to eliminate the physical connections altogether you could do it via radio or short-range infrared signals. If your Internet server gets compromised, the worst that can happen is a hacker seeing the vitals of your plant. A security risk still, but certainly mitigated versus a full connection.
Since the goal of a power system is to be up, the creation of a control to bring it down seems counter-productive. Then to take that control and make is available over the Internet is extreme. While a need to shut down might exists, it should be a local phenomenon, and not a remote control. The problem is a situation where one person can control a system with such huge impact. Perhaps it should take several people with adequate authentication to perform the deed.
I'm not a big fan of all this, but customer care is a huge money sink, and this has proven to have saved at least $20,000 per year to the department. I admit, the ethics do bother me, but anything that reduces the number of hand-held walk-throughs is okay.
Actually, I knew Mute was the wrong spelling but it was the only thing that the spell checker I have would allow. Strangely it allows "th" instead of "the" and several other issues. But it is the only one I have so I'm stuck with it.
State of California Auto Dismantlers' Association? I don't see the connection to this story...
www.scada1.com
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
The article just states: "power and utility industry, a CIA analyst last week said cyberattackers have hacked into the computer systems of utility companies outside the United States and made demands, in at least one case causing a power outage that affected multiple cities." http://seattletimes.nwsource.com/html/nationworld/2004135058_hackers20.html>Seattle Times Article Anyone have any better sources?
Of course...
Dial-up is no more secure then internet. I know quite a few people who used to run war-dialers to find modems. One of them discovered a mysterious computer that behaved unlike anything ever seen before. A couple of days after he experimented with the reset command, he learned that he shut down an entire airport for an afternoon!
No, I will not work for your startup
Actually I was being pretty grim by saying "fun_and_games". I find it pretty disturbing. This is the sort of thing that should be top priority of those responsible: regional, state and national leaders everywhere.
Bitter and proud of it.
no kidding, no kidding. What could the dude at home know that the dude in the plant doesn't? This remote control is just the next level in dumb micromanagment.
but if they had this website control the plant remotely, I guess a phonecall is less responsible... a bit
frankly, the way the world tends to work, some employees will definitely take these orders from some bosses. There are some real fools and real clowns running around out there, taking and giving orders for no reason at all.
I call bullshit. You have a line powered cable modem, or a line powered DSL modem? Meaning it gets power from the cable from the provider and not from an AC adapter plugged into the socket that just lost power? Maybe you omitted something, maybe you are trying to sell DSL. Something smells...
Someone, somewhere, did something that caused power outages. I'm glad the CIA is on top of this and providing useful information.
This article could apply to Northern California a few weeks ago. This tree haxored my local power grid by using the extremely clever, falling on top of the lines DOS exploit. I'm just left wondering how it tried to extort money.
The software is supposed to work for you and not the other way around. Isn't there an option to turn off the spellchecker?
I see even classic Slashdot is now pretty much unusable on dial up anymore.
I imagine there is but, I'm afraid MY spelling would be worse yet without it. I'll admit that I need the spell checker.
A few years ago, I screwed the spell check up and somehow crossed a German language dictionary into it. It took the better part of 2 months to figure out how to remove it. Since then, I just take what they give me and hope it is enough. Evidently it wasn't.
It was probably the Pi symbol in the corner of the screen that gave it away.
...and somehow crossed a German language dictionary into it. It took the better part of 2 months to figure out how to remove it.Well, at least that's not as long as it took to get them out of Paris. :-)
I see even classic Slashdot is now pretty much unusable on dial up anymore.