Slashdot Mirror


US Electricity Grid Reportedly Penetrated By Spies

phantomfive worries about a report in the Wall Street Journal ("Makes me want to move to the country and dig a well") that in recent years a number of cyber attacks against US infrastructure have been launched over the Internet: "Cyberspies have penetrated the US electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia, and other countries, these officials said, and were believed to be on a mission to navigate the US electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war."

5 of 328 comments

  1. Ya not a real surprise by Sycraft-fu · Score: 4, Interesting

    Everyone wants money for their projects. Part of getting it is knowing what to sell in your given field. Well, as of late with federal government dollars, national security has been the name of the game. Was more narrow to anti-terror but they are kind of losing focus on that. So, it is also no surprise that is what people use to try and get the money, even if what they want really has fuck all to do with it.

    For example Consolidated Edison wants to install a superconducting core for New York's power grid. Reason is the existing grid has load problems and this looks like the best way to handle it, rather than massive amounts of more copper. This is expensive, of course. To the best of my knowledge when this is deployed, it'll be the first superconductor used for commercial power delivery. Means plenty of R&D in addition to the actual costs. Well, sure would be nice if the government would help pay for that... So they got them to.

    How? Well they sold it to DHS as an "anti-terror" deal. No idea how this is supposed to be more terror resistant, but DHS bought it and that's what's important. They gave ConEd something like half the money they need for the project.

    Now you know that ConEd isn't really doing this as an anti-terror measure, they are doing it as a "grid is overloaded" measure. However, they put that spin on it to get government funding, and it worked. I'm betting this is a similar money grab.

  2. Re:Former officials... by Antique+Geekmeister · Score: 4, Interesting

    Not necessarily. I've been in the situation where security issues that I warned about, documented, and was refused resources or permission to secure were in fact used against my employer. The Morris Worm in 1988 was a particularly bad example: I had printouts of the management refusals to permit security updates in a locked cabinet to prevent tampering, and my goodness, was I glad I had those. I keep similar files to this day, as a matter of basic self-defense when layoffs are pending and managers are looking for things to blame on our technical people in order to fire them and avoid paying severance bundles.

  3. Re:Why are they on the internet? by Lumpy · Score: 5, Interesting

    Blowing all my moderation to reply to this.

    Let me make this clear. Putting a critical system on to the internet is pure, stupid, incompetence.

    ALL of your "situations" can be solved with a second $399.95 DELL sitting next to the critical workstation. Anyone saying that that is not practical is a blathering moron. I have seen MANY water filtration plants where the supervisors in charge of the whole operation are so incompetent they put the entire plant's operation system on the corporate or city network. Then we have the low quality SCADA software called WonderWare that is so badly written that the company requests they have direct access to the machines so they can issue fixes faster.

    If any mission critical machines are on anything but a sealed private non-connected network, the person that designed it is an incompetent idiot that should take the fall for any failures. Gitmo time for whoever approved or asked for interconnection.

    I have been appalled at the amount of interconnection I see in really important SCADA systems. I have seen this stupidity in major infrastructure control systems for 14 years now. Typically put there by some asshole manager that wants to "keep an eye" on his guys while he is at home. He gets a workstation (typically the one in his office) set up with a second network card and pcAnywhere or another remote control system to interconnect the secure to the un-secure, and does it with a stupid Windows box. Then the idiot uses it to check email, surf the net, etc. All installed by your friendly company IT slackie after the SCADA installation guys go home.

    Every system I looked at that was "secure" typically had one of these bridging computers on it. The only way to find them is to do a hard audit of every computer, and the rate of finding these security breaches goes up as the age of the installation increases.

    --
    Do not look at laser with remaining good eye.

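The bridging machines described in this comment (a box with a second network card, often also running a remote-control package such as pcAnywhere) are exactly what a hard audit of every host is meant to turn up. As an added example that is not part of the thread or of the commenter's post, the following Python script runs that check over inventory records: it flags any host with interfaces on both the control network and the corporate network, and any control-network host carrying remote-control software. The network ranges, the software list beyond pcAnywhere, and the sample host records are all assumptions constructed for the example.

```python
"""Audit host inventory for machines that bridge an isolated control network
to the corporate/Internet-connected network.

Added example, not from the Slashdot thread. Inputs are assumed to be the
records a per-machine audit would produce: hostname, interface addresses in
CIDR form, and installed software. All ranges and records below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_interface, ip_network
from typing import Iterable

# Address space of the sealed control/SCADA network (assumed for the example).
CONTROL_NETS = [ip_network("10.50.0.0/16")]
# Address space of the corporate/city network that reaches the Internet (assumed).
CORPORATE_NETS = [ip_network("192.168.0.0/16"), ip_network("172.16.0.0/12")]
# Remote-control packages that, on a control-network host, indicate a bridge.
# pcAnywhere is the one named in the thread; the rest are added assumptions.
REMOTE_CONTROL_SOFTWARE = {"pcanywhere", "vnc", "teamviewer", "logmein"}


@dataclass
class Host:
    name: str
    addresses: list[str]                     # interface addresses, CIDR form
    software: list[str] = field(default_factory=list)


@dataclass
class Finding:
    host: str
    reason: str


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def classify_interfaces(host: Host) -> tuple[bool, bool]:
    """Return (on_control, on_corporate): which networks the host's interfaces touch."""
    on_control = on_corporate = False
    for cidr in host.addresses:
        ip = ip_interface(cidr).ip
        if _in_any(ip, CONTROL_NETS):
            on_control = True
        elif _in_any(ip, CORPORATE_NETS):
            on_corporate = True
    return on_control, on_corporate


def audit(hosts: Iterable[Host]) -> list[Finding]:
    """Flag dual-homed hosts and control-network hosts running remote-control software."""
    findings: list[Finding] = []
    for h in hosts:
        on_control, on_corporate = classify_interfaces(h)
        if on_control and on_corporate:
            findings.append(Finding(h.name, "dual-homed: interfaces on both control and corporate networks"))
        if on_control:
            rc = sorted(s for s in h.software if s.lower() in REMOTE_CONTROL_SOFTWARE)
            if rc:
                findings.append(Finding(h.name, "remote-control software on control-network host: " + ", ".join(rc)))
    return findings


# Constructed sample inventory: one manager's office PC with a second NIC on the
# control network, one control-network gateway with VNC, and clean hosts.
SAMPLE_HOSTS = [
    Host("hmi-01", ["10.50.1.10/24"]),
    Host("historian", ["10.50.1.20/24"]),
    Host("mgr-office-pc", ["192.168.4.33/24", "10.50.1.99/24"], ["Outlook", "pcAnywhere"]),
    Host("eng-laptop", ["192.168.4.50/24"], ["VNC"]),
    Host("plc-gateway", ["10.50.2.5/24"], ["VNC"]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS):
        print(f"{f.host}: {f.reason}")
```

The check only sees what the inventory records contain, so it is as good as the per-machine collection behind it; an interface that was never enumerated, or software that was never listed, will not be flagged, which is why the comment's point about auditing every computer stands.
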
  4. Re:Remember, folks... by HangingChad · Score: 4, Interesting

    In this case the parent is quite accurate. The truth is our electrical grid security has been dismal for decades. Hackers infiltrating control systems is only the latest discovery. If a foreign government wanted to sabotage our electrical grid it would be shockingly easy to do. 5 to 10 people working together with a few resources could black out the entire west coast for weeks if not months.

    Okay, so now they can disrupt control systems from the comfort of their data center. Whoopy do. Yes, fix the data security, but spend the money to make the needed improvements to physical security and redundant infrastructure. Our grid is routinely stretched to the breaking point. There's very little extra capacity. I think if people realized how vulnerable our electrical grid really is, they'd be terrified. The fact that electricity is so reliable we take it for granted is testimony to the quality of the people working in the field.

    Imagine living in L.A. or San Francisco with no electricity for a week.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage

  5. Re:Why are they on the internet? by AB3A · Score: 4, Interesting

    I am a control systems engineer, a member of ISA-99, and a contributor to several other standards on industrial control system cyber security.

    The parent post is what SHOULD be done in a recently installed system. I can tell you from experience of dealing with other infrastructure (not the electric grid) that it isn't always that way. There were many systems installed around Y2K that are still in service. And most of you will remember that back then very few people took security seriously. Back then it was all about compatibility. Security wasn't even an issue. The big issue was SHARING the data.

    Control systems and SCADA have long working lives ranging from ten to twenty years. The reason for this is because the field I/O validation cost is significant. It dwarfs the cost of the software, the control center, and all that lovely flashy stuff you're so used to seeing. Updating a configuration is very expensive, not just in validation costs, but also in training costs and miscellaneous costs such as review of operating procedures, control system narratives, and so forth. This is why many are forced to keep their systems isolated in the hope that by doing so, things will somehow stay secure.

    But these days, that's no easy feat. Nearly every company has a contingent of data surfing desk jockeys with enough authority and enough dream-weaving synergy talk to push for interconnections. That's when things get very ugly.

    The problem isn't that they want the data. The problem is that they want the data IN REAL TIME. Most of the time these idiots say the term though they do not understand the implications or even what it means. And that's how the exploits get started.

    There are solutions. There are relatively secure methods for moving data in and out of a SCADA system. But they need careful review by people who know both the industrial side of things (to identify what is at risk) and the IT side of things (to know what the potential vectors could be). And the number of people with that kind of expertise is extremely small. We're talking about hundreds or maybe a thousand such people world-wide.

    There simply aren't enough people to train the trainers who will train the trainers. And so, we're stuck with the status quo until we can build a community of cross trained people who understand industrial processes, control systems, and IT large enough to handle this situation.

    I know many of you probably think you have it bad in the office IT business. And it is. Just know that there is far more truth in the Homer Simpson character than you'd ever dream of...

    --
    Nearly fifty percent of all graduates come from the bottom half of the class!