Smart Grid Computers Susceptible To Worm Attack
narramissic writes "Researchers with security consultancy IOActive have created a worm that could quickly spread among Smart Grid devices, small computers connected to the power grid that give customers and power companies better control over the electricity they use. '[The worm] spread from one meter to another and then it changed the text in the LCD screen to say "pwned,"' said Travis Goodspeed, an independent security consultant who worked with the IOActive team. In the hands of a malicious hacker, this code could be used to cut power to Smart Grid devices that use a feature called 'remote disconnect,' which allows power companies to cut a customer's power via the network. The robustness of US power networks has been a hot-button issue after a technical glitch in 2003 caused a cascading power failure in the eastern United States and Canada that affected 55 million people."
It wasn't a glitch, it was negligence! Cheap cost cutting measures, enabled by foolish deregulation: Trees were not trimmed around critical power lines, the lines were cut by falling branches, and then a cascading failure spread through the grid.
You can't take the sky from me...
Should one of these security bugs be made public, it wouldn't just be dangerous, it would also be expensive, costing utility companies big money as they went back and retrofitted their buggy systems, Pennell said.
Let me get this straight. Pennell wants the bug to be kept undisclosed because it will be too expensive for the utilities to fix. Yet, someone who's clever, maybe those folks who hacked into the grids in other countries, may do it to the utilities here in the US; which will be vulnerable because the bug is "too expensive" to fix. Meaning, that the grid is vulnerable and subject to the damage that everyone is afraid might happen since the bugs exist. I guess if the bugs are kept secret, no one else is capable of discovering them because nobody is as smart as the researchers?
OooooooKaaaaay. Riiiiiiight.
Yeah, I think at this point a hacker going into it is doing a service. Showing the vulnerabilities of a system before it becomes critical to the country in a few years is a good thing.
This is non-news.
There is no single "Smart Grid" device technology. At present there are many proprietary solutions from many different vendors, each using different communication protocols, computer hardware and firmware, and security methods. Each one of these vendors has its products in a very, very small fraction of the utility meters in the nation, most of which, of course, have no Smart technology at all. So the fact that these guys found one architecture vulnerable to a particular stack-overflow attack is bad for the vendor(s) that use it, but not indicative of an approaching nationwide catastrophe.
Smart Grid system standards are under development, however, and those doing the development are exceedingly aware of the need for high security. The IEEE, for example, recently started a Smart Grid standardization effort, P2030, and the IEEE 802.15.4g Smart Utility Neighborhood Task Group effort is already underway. Since the utilities lose revenue -- potentially all revenue, plus destruction of capital assets -- if their equipment is cracked, they are very much a part of these standard development activities, and security is of constant concern. (There will undoubtedly be an industry consortium tasked with reviewing implementations of these standards.)
Another problem that would cause much more harm to the companies than to users is if the worm instructed power meters to register less power consumption. I see a large black-market arising, if someone figures out how to write this exploit.
I miss the days when hackers were just doing things for lulz.
Society would be better off with merry pranksters breaking things because they want a big splash and lots of attention. And usually, the bigger the splash, the sooner the fix.
Organized criminals, exploiting the same flaws, want secrecy and this is bad for society.
Many of these devices are already deployed and it would be too dangerous to make the bugs known.
and:
Should one of these security bugs be made public, it wouldn't just be dangerous, it would also be expensive, costing utility companies big money as they went back and retrofitted their buggy systems, Pennell said.
I love how they think that not releasing this information makes them safe. This is truly scary: Not like some Internet Explorer exploit on a user's desktop - this is the power grid! Someone is telling us that a remote hacker can take over the entire power grid, and the companies are not going to stop everything and fix it? Holy crap that's negligent!!!
It will be a heck of a lot more expensive to NOT fix this, than to fix it.
(Yeah, I know, "preaching to the choir")
Good luck finding a working payphone.
I think you'll find the control problem, whether centralized or distributed, is orders of magnitude more complex than you envision. The hard part isn't the economic part, it's the electrical part: Maintaining a constant amplitude (i.e., voltage), frequency, and phase over a large (both in geographic area and node order) network, with limited ability to transfer power from one point to another, is a very difficult problem -- especially when one has limited control over the applied load, and limited generating capacity. Not to mention all the problems with reactive power due to the uncontrolled nature of the loads (frequently inductive) and the phase delays that occur over distance. Much more information is needed besides "quantity produced vs. consumed."
The "can not get what is not there" option is amusing to utilities. The more common name for this option is a "brownout" or "blackout" and, even if only local, they typically result in nastygrams sent to relevant regulatory bodies, political officials, and the press. They are therefore to be avoided. From an engineering standpoint this is typically achieved by finding someplace where power is available, and making it available where it is not. This requires a network of transmission lines. The second major headache of utilities today (and related to their first headache, lack of generating capacity to meet their growing loads) is that the transmission system frequently is operating near peak capacity and, during the peak times (usually July afternoons in the US), it is getting more and more difficult to get sufficient electricity to the right places to avoid the "can not get what is not there" option.