US Electricity Grid Reportedly Penetrated By Spies
phantomfive worries about a report in the Wall Street Journal ("Makes me want to move to the country and dig a well") that in recent years a number of cyber attacks against US infrastructure have been launched over the Internet: "Cyberspies have penetrated the US electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia, and other countries, these officials said, and were believed to be on a mission to navigate the US electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war."
The systems I work on are typically airgapped, but there is a constant push from users for some access to the internet. A user might need to access meteorological information, and the simplest way is to go online to get the data. Another user might need to refer to work instructions on the corporate intranet, but the intranet gets you to the internet anyway. Like it or not, the internet is working its way into many types of work and many people are starting to expect it to be available.
http://michaelsmith.id.au
I actually do work with these exact systems. I have yet to install a system in a control room that had net access to the operator consoles or even the operational servers. These computers - yes, running Server 2003/8 or XP Pro - are patched to the latest and greatest before they leave our shop, but once on-site should never, ever, ever interact with the Internet.
That being said, the PI data servers are designed to be a go-between for the internal secure network, and the rest of the world so the data logging can reach those who need it. Not only does the PI server have security protocols built in, but is required to be installed in a DMZ with full firewall protections, and in some cases a dedicated leased hard line to an off-site office.
So, to summarize, no, the Op stations, the Op servers, should NEVER be connected to the Internet, and we do our best to disable any way of the operators even getting to the OS level, but there are times and reasons that you need to hook the internal network (through full security measures) to the outside world.
Close, they're drumming up support for S.773 and S.778. These bills are designed to give the executive the power to control the security of vital parts of the internet. If they can show that these vital parts of the net are compromised, and therefore risking America, they have an easy talking point when lobbying congress members.
The WSJ article was apparently triggered by a letter sent by NERC (North American Electric Reliability Council) to its members. I think it shows a healthy development of security digging down to yet another layer of depth.
Forget the major computers in the major control centers. That's what everyone thinks of first. At that level it is becoming like the Indians and anthropologists in the Grand Canyon. For every utility cyber worker there seems to be 30 government gumshoes and overseers looking over their shoulders. One would expect no aspects of security to be neglected at that level.
The NERC letter refers to devices at a lower level. Primarily, what the industry calls "protective relays" in substations. From 1888 to a few years ago these functions were really done with electromechanical relays. Now, many of them have been replaced by digital equivalents on a one-by-one basis. In a household analogy, it is like the difference between a central electric control computer for the house, as compared to a "smart" digital LED light bulb. One worries about the central computer being hacked, but at first blush, not the light bulb.
The problem is that the engineers who deal with this level of equipment aren't used to thinking of these devices like the light bulb instead of like computers in a network. They have not identified many of these low-level devices as "cyber critical". The NERC letter urges utilities to change that culture.
This is an industry that owns and maintains hundreds of millions of diverse pieces of equipment. Every day, some fraction of them are converted to digital. No single study, no single policy can change this infrastructure overnight. I think they are approaching cybersecurity thoroughly and methodically, but it will take time.
Remember Y2K? Roughly the same collection of hundreds of millions of devices were threatened by a common-mode failure (Y2K). It was very analogous to an external cyber attack. The utility industry tackled Y2K, thoroughly reviewed all those devices, and performed flawlessly on the morning of 1/1/2000.
My point? Sure we should worry about cyber attacks on critical infrastructure, but don't jump to the conclusion that no security exists or that nothing competent is being done about it.