Slashdot Mirror


Massive Power Outages In Brazil Caused By Hackers

Hugh Pickens writes "CBS reports on 60 minutes that a massive two-day power outage in Brazil's Espirito Santo State affecting more than three million people in 2007, and another, smaller event in three cities north of Rio de Janeiro in January 2005, were perpetrated by hackers manipulating control systems. Former Chief of US National Intelligence Retired Adm. Mike McConnell says that the 'United States is not prepared for such an attack' and believes it could happen in America. 'If I were an attacker and wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer,' says McConnell, 'I would probably sack electric power on the US East Coast, maybe the West Coast and attempt to cause a cascading effect.' Congressman Jim Langevin says that US power companies need to be forced to deal with the issue after they told Congress they would take steps to defend their operations but did not follow up. 'They admit that they misled Congress. The private sector has different priorities than we do in providing security. Their bottom line is about profits,' says Langevin. 'We need to change their motivation so that when see vulnerability like this, we can require them to fix it.' McConnell adds that a similar attack to the one in Brazil is poised to take place on US soil and that it may take some horrific event to get the country focused on shoring up cyber security. 'If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation. I hope we don't get there.'"

15 of 462 comments

  1. Good luck with that by thenextstevejobs · · Score: 5, Insightful

    Probably impossible.

    As we all should know by now, impenetrable security doesn't exist. What we should probably have is tighter backup power for essential services and places like hospitals, where local redundancy could help in the face of a remote 'hacker' type attack

    Places where there is a lot of danger for people without electrical power don't need billions spent on the security of their power systems. They need redundancy, generators in their buildings that could be used to keep people alive, batteries, and common sense.

    Oh well, let's spend a bunch of money on fear like we always do.

    --
    Long live the BSD license
    1. Re:Good luck with that by Grishnakh · · Score: 5, Insightful

      As we all should know by now, impenetrable security doesn't exist.

      Totally impenetrable physical security doesn't exist, but totally impenetrable electronic security most certainly does. It's quite simple to make something completely immune to hacker attacks over the internet: disconnect it from the internet!

      Why the nation's power grid control absolutely needs to be tied into the internet, I have no idea. Maybe someone in the field can enlighten me. But if this is a big concern, it seems like it'd be pretty easy to eliminate the security threat by not having any control over the power grid exposed to the internet. If someone needs to exercise some control over the system, they have to get in their car and drive to the power plant.

      Of course, this wouldn't prevent someone from sneaking in somehow, but that's a far more remote danger than some hacker on the internet (who could be anywhere in the world, and probably not anywhere near your power plant) gaining access.

    2. Re:Good luck with that by Korin43 · · Score: 4, Insightful

      Or we could just not steal a trillion dollars from U.S. citizens and let them spend it on what they want, and then have jobs that are actually in demand created..

    3. Re:Good luck with that by cetialphav · · Score: 4, Insightful

      As we all should know by now, impenetrable security doesn't exist. What we should probably have is tighter backup power for essential services and places like hospitals, where local redundancy could help in the face of a remote 'hacker' type attack

      Places where there is a lot of danger for people without electrical power don't need billions spent on the security of their power systems. They need redundancy, generators in their buildings that could be used to keep people alive, batteries, and common sense.

      This isn't about impenetrable security. This is about taking basic precautions about known attack vectors. For example, many of these systems are not fail safe so an attacker can actually cause a generator to physically destroy itself. Since these generators are very specialized pieces of equipment, you don't just go to Home Depot and pick up another one.

      It is not enough to protect hospitals, etc. A prolonged loss of power to the northern part of the US in the depths of winter would be devastating. Even with backup power supplies, no one has plans to deal with a month of no electricity.

      This isn't about spending money on fear. It is about naively ignoring a threat and hoping it will never happen. We need to find a way to force utility companies to take these threats seriously and the only way to do that is to have financial penalties for lax security.

    4. Re:Good luck with that by mcgrew · · Score: 4, Insightful

      Oh well, let's spend a bunch of money on fear like we always do.

      Terrorists are the least of our worries here in the midwest US. In the winter we have ice storms, in the spring and summer we have storms and wind. An outage caused by hackers probably wouldn't last long here, but when a tornado rips through and destroys every utility pole and the equipment hanging from them, it'll take a while to get back on line.

      When the tornados ripped through here in 2006, as I walked through the destruction in search of a hot cup of coffee the next day, the thing I thought most was "If Bin Laden saw this he'd give up. No way could a terrorist do this much damage!"

      The threat is natural events. The danger from terrorists is minimal.

  2. So... by CrAlt · · Score: 5, Insightful

    Who thought it would be a swell idea to hook the grid's computers to the INTERNET?
    Did someone surf some pr0n sites on the Win98 powered control computer down at the power plant?

    --
    I have to return some videotapes...
  3. Internets... by Shadyman · · Score: 5, Insightful

    Things like this make me wonder why mission- and life-critical systems are (presumably) set up on Internet-facing systems. Sure, it's cheap, but when the walls come tumbling down like this article implies, cost is a moot point.

    I don't see why they can't just buy a phone line for each power station and link to central stations (also with NON-Internet-facing systems) like that.

  4. Re:Hit'em in their wallets by causality · · Score: 5, Insightful

    Yes, of course! The government has already taken over the banking sector, the mortgage sector, the automotive sector, is about to take over the healthcare sector, so fuck it - the government may as well take over the energy sector as well. I can't wait until they take over food distribution - I've always wanted to know what it's like to stand in line for a loaf of bread all day.

    I am not a fan of government intervention either, nor do I like what was done with banking and automobiles. Having said that, this isn't what is being proposed here. If the electric utilities must comply with laws mandating that they meet or exceed a minimum standard of security, this would be much more like the way local Board of Health requires that restaurants handle food in ways that prevent food poisoning. The Board of Health does not own the restaurants and it does not choose their management; it just periodically inspects them and can shut them down if there are egregious violations. Something similar could be worked out for the power companies when it comes to security.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  5. Re:Hit'em in their wallets by Scrameustache · · Score: 5, Insightful

    If they won't integrate safety systems to protect the system properly from hacker attacks, hit them in the wallet, hard. Pass sound regulation to force them to implement safeguards, require inspections/audits that they are done, not just take their BS word for it.

    Yes, of course! The government has already taken over the banking sector, the mortgage sector, the automotive sector, is about to take over the healthcare sector, so fuck it - the government may as well take over the energy sector as well. I can't wait until they take over food distribution - I've always wanted to know what it's like to stand in line for a loaf of bread all day.

    The great blackout of 2003, which took out the northeast United States and a good chunk of Ontario, was caused by deregulation (removing the requirement to clear the branches around the power lines).
    Quebec, which has state-owned power (Hydro-Quebec), was not hit hard by that blackout, because it keeps its grid out of phase with those dangerously unregulated parts around it.

    Learn the lesson: You can't trust the greedy to run critical infrastructure.

    --
    You can't take the sky from me...

  6. Re:Those gosh-darned HACKERS again by QuoteMstr · · Score: 4, Insightful

    Yep. We lost the terminology war a decade ago. It's time we deal with it.

  7. Re:Your official guide to the Jigaboo presidency by QuoteMstr · · Score: 5, Insightful

    Because the remedy for bad speech is more speech. Censorship is never justified. If a post gives you the vapors, stop reading it. A free society is one where it's perfectly fine to stand on a soapbox and make a fool of yourself. I'd like Slashdot to stay as free as possible.

  8. Why? by CrAlt · · Score: 4, Insightful

    If you have transmission lines running from point A to point B then why can't you just string a data line right below the transmission lines? You already own the right of way. You already have the towers/pole line ran. Compared to the cost of a big high tension line the cost of a little data line would be nothing.

    --
    I have to return some videotapes...
  9. Like we'd respond that well by DoofusOfDeath · · Score: 4, Insightful

    'If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation. I hope we don't get there.'

    If 9/11 was any indication, our national response would be characterized by...

    • NSA snooping into all of our computers, and "state secrets" claimed whenever we tried to invoke the 4th Amendment in court.
    • A few massive, no-bid contracts by the Federal Government which achieve almost nothing of value.
    • RIAA/MPAA sleazeballs capitalizing on it in ways I don't even want to contemplate.
    • Possibly an insane (think Sarbanes-Oxley) amount of red tape added to many computer installations in the country.
    • Republicans and Democrats somehow finding a way to blame each other for this, deadlocking the Legislature for a while, and then in some kind of last-minute spasm, passing an appalling bill to just have the appearance of doing something.

    Only in my wildest fantasies would such an attack mobilize the country to have a rational, balanced cyber-security posture.

  10. Re:America? by nomadic · · Score: 4, Insightful

    I think you're confused about the English language! "In America" certainly includes any country in either North or South America.

    English is defined by customary usage. If you said "In America" to 100 English speakers, MAYBE one would include any other country than the US. If you're lucky.

  11. I disagree with the military... I am Brazilian... by jorlando · · Score: 5, Insightful

    The blackout in 2005 was a human failure. One transmission line went down, the team recovering that line made a mistake and instead of activating the repaired line disabled the backup line. Result: 3 states without electric power.

    The blackout in 2007 was due to a circuit breaker shutting down one line, the same happening after in the backup line, that could manage the excess load (this happened during peak hours, 5 p.m. during a working day).

    Ok, these are official explanations and the blackouts may have been caused by evil hackers but, in this case, the Brazilian government did an excellent job holding that information for years, leaking now thanks to an American former military that may have some vested interest spreading fear.

    2 cents..