Massive Power Outages In Brazil Caused By Hackers

Hugh Pickens writes "CBS reports on 60 minutes that a massive two-day power outage in Brazil's Espirito Santo State affecting more than three million people in 2007, and another, smaller event in three cities north of Rio de Janeiro in January 2005, were perpetrated by hackers manipulating control systems. Former Chief of US National Intelligence Retired Adm. Mike McConnell says that the 'United States is not prepared for such an attack' and believes it could happen in America. 'If I were an attacker and wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer,' says McConnell, 'I would probably sack electric power on the US East Coast, maybe the West Coast and attempt to cause a cascading effect.' Congressman Jim Langevin says that US power companies need to be forced to deal with the issue after they told Congress they would take steps to defend their operations but did not follow up. 'They admit that they misled Congress. The private sector has different priorities than we do in providing security. Their bottom line is about profits,' says Langevin. 'We need to change their motivation so that when see vulnerability like this, we can require them to fix it.' McConnell adds that a similar attack to the one in Brazil is poised to take place on US soil and that it may take some horrific event to get the country focused on shoring up cyber security. 'If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation. I hope we don't get there.'"

Your official guide to the Jigaboo presidency

Congratulations on your purchase of a brand new nigger! If handled properly, your apeman will give years of valuable, if reluctant, service.

INSTALLING YOUR NIGGER.
You should install your nigger differently according to whether you have purchased the field or house model. Field niggers work best in a serial configuration, i.e. chained together. Chain your nigger to another nigger immediately after unpacking it, and don't even think about taking that chain off, ever. Many niggers start singing as soon as you put a chain on them. This habit can usually be thrashed out of them if nipped in the bud. House niggers work best as standalone units, but should be hobbled or hamstrung to prevent attempts at escape. At this stage, your nigger can also be given a name. Most owners use the same names over and over, since niggers become confused by too much data. Rufus, Rastus, Remus, Toby, Carslisle, Carlton, Hey-You!-Yes-you!, Yeller, Blackstar, and Sambo are all effective names for your new buck nigger. If your nigger is a ho, it should be called Latrelle, L'Tanya, or Jemima. Some owners call their nigger hoes Latrine for a joke. Pearl, Blossom, and Ivory are also righteous names for nigger hoes. These names go straight over your nigger's head, by the way.

CONFIGURING YOUR NIGGER
Owing to a design error, your nigger comes equipped with a tongue and vocal chords. Most niggers can master only a few basic human phrases with this apparatus - "muh dick" being the most popular. However, others make barking, yelping, yapping noises and appear to be in some pain, so you should probably call a vet and have him remove your nigger's tongue. Once de-tongued your nigger will be a lot happier - at least, you won't hear it complaining anywhere near as much. Niggers have nothing interesting to say, anyway. Many owners also castrate their niggers for health reasons (yours, mine, and that of women, not the nigger's). This is strongly recommended, and frankly, it's a mystery why this is not done on the boat

HOUSING YOUR NIGGER.
Your nigger can be accommodated in cages with stout iron bars. Make sure, however, that the bars are wide enough to push pieces of nigger food through. The rule of thumb is, four niggers per square yard of cage. So a fifteen foot by thirty foot nigger cage can accommodate two hundred niggers. You can site a nigger cage anywhere, even on soft ground. Don't worry about your nigger fashioning makeshift shovels out of odd pieces of wood and digging an escape tunnel under the bars of the cage. Niggers never invented the shovel before and they're not about to now. In any case, your nigger is certainly too lazy to attempt escape. As long as the free food holds out, your nigger is living better than it did in Africa, so it will stay put. Buck niggers and hoe niggers can be safely accommodated in the same cage, as bucks never attempt sex with black hoes.

FEEDING YOUR NIGGER.
Your Nigger likes fried chicken, corn bread, and watermelon. You should therefore give it none of these things because its lazy ass almost certainly doesn't deserve it. Instead, feed it on porridge with salt, and creek water. Your nigger will supplement its diet with whatever it finds in the fields, other niggers, etc. Experienced nigger owners sometimes push watermelon slices through the bars of the nigger cage at the end of the day as a treat, but only if all niggers have worked well and nothing has been stolen that day. Mike of the Old Ranch Plantation reports that this last one is a killer, since all niggers steal something almost every single day of their lives. He reports he doesn't have to spend much on free watermelon for his niggers as a result. You should never allow your nigger meal breaks while at work, since if it stops work for more than ten minutes it will need to be retrained. You would be surprised how long it takes to teach a nigger to pick cotton. You really would. Coffee beans? Don't ask. You have no idea.

MAKING YOUR NIGGER WORK.
Niggers are very, very averse to work of any kind. The nigger's most

Re:Your official guide to the Jigaboo presidency

Why can't slashdot filter these posts with keywords?

Re:Your official guide to the Jigaboo presidency

[stonedcat]

Are you suggesting censorship? I think the current modding system does the trick in most cases, but if you'd like I'm sure a slashdot.cn can be arranged.

Re:Your official guide to the Jigaboo presidency

[QuoteMstr]

Because the remedy for bad speech is more speech. Censorship is never justified. If a post gives you the vapors, stop reading it. A free society is one where it's perfectly fine to stand on a soapbox and make a fool of yourself. I'd like Slashdot to stay as free as possible.

Re:Your official guide to the Jigaboo presidency

Who would decide which ones are "these posts"? Personally, I think that any pro-linux post should be removed, so maybe I should be the one deciding.

Re:Your official guide to the Jigaboo presidency

[Clover_Kicker]

Why can't people stop biting on lame cut'n'paste trolls?

Re:Your official guide to the Jigaboo presidency

[grcumb]

A free society is one where it's perfectly fine to stand on a soapbox and make a fool of yourself. I'd like Slashdot to stay as free as possible.

By that standard, slashdot is the epitome of freedom. With emphasis on the 'pit'. 8^)

Re:Your official guide to the Jigaboo presidency

I thought 4chan was the pit

Re:Your official guide to the Jigaboo presidency

[ncmathsadist]

You did.

Re:Your official guide to the Jigaboo presidency

[Nikker]

And that is the correct answer!

Re:Your official guide to the Jigaboo presidency

Yes, because being pro-linux is just like being a racist.

Re:Your official guide to the Jigaboo presidency

Your dream is coming true. Slashdot is packed to the rafters with fools.

Re:Your official guide to the Jigaboo presidency

It is

Re:Your official guide to the Jigaboo presidency

...and yet America wonders why the world hates them.

THE TRUTH!! DO NOT MOD DOWN!! +5 INFORMATIVE

Imagine a giant penis flying towards your mouth, and there's nothing you can do about it. And you're like "Oh man, I'm gonna have to suck this thing", and you brace yourself to suck this giant penis. But then, at the last moment, it changes trajectory and hits you in the eye. You think to yourself "Well, at least I got that out of the way", but then the giant penis rears back and stabs your eye again, and again, and again. Eventually, this giant penis is penetrating your gray matter, and you begin to lose control of your motor skills. That's when the giant penis slaps you across the cheek, causing you to fall out of your chair. Unable to move and at your most vulnerable, the giant penis finally lodges itself in your anus, where it rests uncomfortably for 4, maybe 5 hours. That's what using Slashdot is like.

Good luck with that

[thenextstevejobs]

Probably impossible.

As we all should know by now, impenetrable security doesn't exist. What we should probably have is tighter backup power for essential services and places like hospitals, where local redundancy could help in the face of a remote 'hacker' type attack

Places where there is a lot of danger for people without electrical power don't need billions spent on the security of their power systems. They need redundancy, generators in their buildings that could be used to keep people alive, batteries, and common sense.

Oh well, let's spend a bunch of money on fear like we always do.

Re:Good luck with that

[jeffstar]

there's the attitude: There is always somebody out there smarter than you, and there is always going to be a bug or security vulnerability somewhere in the system.

There was an interesting blog in the economist magazine pondering what else could be done with the 680 billion the US spends annually on defense.

While the US has spent a trillion in Iraq the chinese have spent a trillion improving their infrastructure.

Re:Good luck with that

[RiotingPacifist]

As we all should know by now, impenetrable security doesn't exist.

prove it, damn defeatists always claim that a perfect system is impossible. Hire competent workers, guarantee physical security (we are talking about power plants ffs) and audit the system from the bottom. Look at xscreensaver 10 years with 0 security holes, it allong with a host of other programs, show that you can make a system impenetrable!

Re:Good luck with that

Sure, hospitals. But how about normal operations of normal businesses? A 4-day nation-wide outage should cost around 1% of the GDP, and adding generators in every building would cost billions. Seems to me that improving security is a bargain in comparison.

Re:Good luck with that

[maxume]

Much of the point of such talk is that you can't prove it. If I figure out a way to crash the Earth into the Sun, it really isn't going to matter how big of a fence you built, you are going to end up a crispy marshmallow.

Re:Good luck with that

[aaarrrgggh]

It is easy to say that a data center needs its own source of standby power, but there are a lot of industries where a one minute outage causes a six to twelve-hour restart time, and the margins are far too thin to support the additional generation infrastructure.

I know a few people putting in multi-megawatt fuel cell systems, but these have the same restart-time problem that the utility grid has, which is ultimately the problem.

The easiest fix at a utility scale is to increase the amount of spinning reserve so that causing a cascading failure requires control of multiple generating facilities. Once you trip a facility offline, re-start times are just way too long, especially given emmissions controls.

I have trouble believing that the "smart grid" really solves this, although you can do some things with networked protection strategies and more selective load shed.

Re:Good luck with that

[PPH]

So each facility evaluates its energy reliability needs. Some may come to the conclusion that they need higher reliability than what the local utility provides. But today, that's just based on gut feelings. Because there is no reliability or 'uptime' standard to which utilities must adhere. And as a result, there's no marginal price for additional MTBF or grid uptime. So people who think they need better reliability just go out and buy their own genset.

In some ways, this is analogous to servers. Everyone can go out and buy their own box and stick it in a co-location facility. Maybe install a redundant one at a remote facility. But as we (most of us) know, shared servers and virtualization are much more economical ways of allocating and managing server resources. But that works because we can put dollar figures on storage, bandwidth, and db queries.

To date, electrical utilities and their regulating commissions have established simple price structures that map all costs to dollars per killowatt-hour charges. There are no penalties or rebates for power outages based on either duration and/or frequency. And its not likely that utilities and regulators are going to embrace shifting part of the revenue structure from an energy charge to an availability or reliability charge. To do so would alter the consumer's perception of the cost of power and might result in an increase in consumption. For example, where I live (the Pacific Northwest of the USA), the 'fuel' or energy costs are actually quite low. Most of our utilities costs are fixed, for system operation and maintenence. But we are charged (primarily) a fee for energy used. If our bills reflected the true cost distribution, energy conservation would be a thing of the past.

Re:Good luck with that

[TubeSteak]

prove it, damn defeatists always claim that a perfect system is impossible. Hire competent workers ...

And there's your problem right there.
Even the DoD and the CIA still hire the occassional spy and give them top secret security clearance.
If bad actors can't crack the hardware or software, they will always find a problem exists between keyboard and chair.

Re:Good luck with that

[sjames]

Impenetrable security may not exist, but good security and crappy security do exist. We'd rather have good than crappy, but the power companies would rather spend on executive bonuses than on good security.

We do need improved security on SCADA (like making it REALLY separate from the internet and business LANs), but that's not billions in cost. As you point out, backup power is good.

More resiliency in the grid is a big one. If the grid has adequate spare capacity it can tolerate a few sudden losses and can be less tightly coupled in the first place. Given enough added capacity, SCADA can go back to just local control and human operators will again be fast enough to intermediate at the regional level.

Re:Good luck with that

[minorproblem]

Most modern office towers have backup power systems. Better to spend $10,000 on diesel or hydrogen than it is to send a workforce home for the day.

Re:Good luck with that

[tsm_sf]

The real problem is the lack of an appropriate energy storage technology.

Re:Good luck with that

[Nefarious+Wheel]

I have trouble believing that the "smart grid" really solves this, although you can do some things with networked protection strategies and more selective load shed.

The true payback - the ROI for the Smart Grid is expected to be in better profiling of usage so that it can be planned for, so that the generators can be ramped up at the right time and spun down at the right time. This has everything to do with the cost of fuel.

Considering that to handle peak loads, capacity is often run at +100% of actual demand - a number I got directly from a C-level distribution network exec - any corners shaved off that power usage profile amount to a significant saving, potentially $billions. The point is to find out exactly when power usage happens, and until the grid smartens up a bit they're stuck with guesswork and an increasingly expensive fudge-factor.

This is way too many dollars to spend on guesswork, so they want better instrumentation and better information systems and better backhaul networks - the biggest investment in decades for most of these operators - so they can make better use of Fossils of Escalating Cost.

So although the "smart grid" may not completely solve the problem, it's likely to go a long way to minimising outages and saving huge bucks on fuel. Infrastructure money well spent, I hold.

Re:Good luck with that

[Grishnakh]

As we all should know by now, impenetrable security doesn't exist.

Totally impenetrable physical security doesn't exist, but totally impenetrable electronic security most certainly does. It's quite simple to make something completely immune to hacker attacks over the internet: disconnect it from the internet!

Why the nation's power grid control absolutely needs to be tied into the internet, I have no idea. Maybe someone in the field can enlighten me. But if this is a big concern, it seems like it'd be pretty to eliminate the security threat by not having any control over the power grid exposed to the internet. If someone needs to exercise some control over the system, they have to get in their car and drive to the power plant.

Of course, this wouldn't prevent someone from sneaking in somehow, but that's a far more remote danger than some hacker on the internet (who could be anywhere in the world, and probably not anywhere near your power plant) gaining access.

Re:Good luck with that

[Grishnakh]

Instead of spending a trillion on infrastructure, we could have spent a trillion on the space program. It would have provided lots of high-paying jobs to American scientists and engineers, as well as manufacturing workers, created lots of important new spin-off technologies for American companies to capitalize on, and caused an economic boom, which would have resulted in higher tax revenues, which could have been used to improve infrastructure.

Part of that trillion could also have been spent on new "green" technologies to get us away from dependency on foreign oil, creating new technologies for American energy companies to capitalize on, etc.

The only good thing that can be said for the money wasted on these wars is that a lot of it has gone to American defense companies, paying American engineers, etc. But military technology isn't generally very useful for other things, and American engineers generally waste a lot of time at defense contractors instead of doing useful work. It's not where the best and brightest want to work.

Re:Good luck with that

[murdocj]

And yet, somehow, I'd still rather live in the United States... odd.

Re:Good luck with that

[evilviper]

The easiest fix at a utility scale is to increase the amount of spinning reserve so that causing a cascading failure requires control of multiple generating facilities.

No. The only reason we have "cascading failures" in the grid is because there isn't enough electrical isolation. It's just a giant bus that, when there's a problem, generating plants have 2 choices: shut everything down / just sit back and hope and pray your generators won't be destroyed.

If each major circuit / sub-station had just a bit of smarts, they could notice the power drop and shut themselves down, instead of trying to disparately to continue getting all the power needed. It's the difference between a few areas blacked-out momentarily, and a brown-out across the whole system, which in-turn risks causing equipment damage, necessitating a whole-system shutdown.

Re:Good luck with that

OR, a fail-open system rather than a fail-closed one. Going dark should be the aberrant condition which the electrical system is built to avoid. The only way to make the lines go cold should be a physical break-down or manual and physical disconnect, not a control system malfunction or hijacking. Sure hackers gaining access to control systems will inevitably cause problems, but the system should be designed in such a way that if you take the high tech controls offline (on purpose or otherwise) the current will naturally flow.

Building the system with those kind of assumptions make it inherently resilient.

Re:Good luck with that

[JWSmythe]

    Sure, impenetrable security exists. Don't put your key infrastructure equipment out on the public Internet. Lax security like that will always end up being a problem.

    I won't say I'm perfect, but I'm also not getting the big bucks that the power companies are.

    I only watched part of they show, but they were talking about a DoD site (I believe) that had a security breach, because someone plugged in a virus infected USB drive. Ummmm, why was someone allowed to attach that in the first place?

    When I ran a big network, the only USB drives that people were allow to attach were provided by me, only for use on the network. They didn't go on personal machines. People didn't bring personal machines in to use on the server network. Then again, all of our servers were Linux, so it really didn't matter. :) I still had the policy in place, just as a good security practice.

Re:Good luck with that

[Korin43]

Or we could just not steal a trillion dollars from U.S. citizens and let them spend it on what they want, and then have jobs that are actually in demand created..

Re:Good luck with that

[Bender0x7D1]

Of course, this wouldn't prevent someone from sneaking in somehow, but that's a far more remote danger than some hacker on the internet (who could be anywhere in the world, and probably not anywhere near your power plant) gaining access.

Unfortunately, that means if someone gets physical access to a remote station there's nothing you can do about it - except having someone drive out to the station and manually figure out what's gone wrong, and then try to fix the situation. I know of at least one dam that is an hour or so away from anyone who could show up and fix any problems. So, if someone were to break in, they could open the gates for at least an hour before anyone could show up and close them. Assuming it didn't take a lot of time for someone to actually notify them the gates were open.

Re:Good luck with that

[Hybrid-brain]

Or we could just do what The Visitors do and simply fix all problems that way.

Re:Good luck with that

Well, to be fair, China spends a LOT more on defense than does the west. In particular, their space program is not civilian, but run by the Military. Likewise, their internal security is really their military turned on their citizens. That alone is equal to what the USA spends on its normal military (not including our current invasions/occupation of Iraq as well as dealing with AQ in Afghanistan/Pakistan/Somalia). In addition, China is now being attacked by AQ, so they are about to get some real surprises. Finally, the CHinese budget is not really known. Most is hidden. Hell, even their total spending is unknown (what they announce is known to be a lie, since it would not even account for 1/3 of what is known to be spent for the last 5 years).

Re:Good luck with that

[Joce640k]

Have you ever lived in another country? (Do you even own a passport?)

Maybe they're not like you see on American TV.

Re:Good luck with that

[cetialphav]

As we all should know by now, impenetrable security doesn't exist. What we should probably have is tighter backup power for essential services and places like hospitals, where local redundancy could help in the face of a remote 'hacker' type attack

Places where there is a lot of danger for people without electrical power don't need billions spent on the security of their power systems. They need redundancy, generators in their buildings that could be used to keep people alive, batteries, and common sense.

This isn't about impenetrable security. This is about taking basic precautions about known attack vectors. For example, many of these systems are not fail safe so an attacker can actually cause a generator to physically destroy itself. Since these generators are very specialized pieces of equipment, you don't just go to Home Depot and pick up another one.

It is not enough to protect hospitals, etc. A prolonged loss of power to the northern part of the US in the depths of winter would be devastating. Even with backup power supplies, no one has plans to deal with a month of no electricity.

This isn't about spending money on fear. It is about naively ignoring a threat and hoping it will never happen. We need to find a way to force utility companies to take these threats seriously and the only way to do that is to have financial penalties for lax security.

Re:Good luck with that

[rinoid]

Uh, in what made up world?
http://www.globalsecurity.org/military/world/spending.htm

We can't go improvin' our infrastructure now, that'd be socialist and SCARY

And we can't rely on our socialist defense now can we? That'd be socialist and SCARY too... Oh wait.

Re:Good luck with that

[Sir_Lewk]

Last I checked China still does not have a bill of rights so yeah, I think I can safetly say I would still prefer to live in the US.

Now that's not saying I wouldn't prefer to live in a different country more then the US, just that it sure as hell wouldn't be China.

Re:Good luck with that

[CrazyJim1]

Are we better off spending money assaulting terrorists where they live, or would we be better if we built more skyscrapers? I think no one knows.

Re:Good luck with that

[RightwingNutjob]

It's perfectly possible. It's called an air gap. If you still want centralized control of a remote substation, don't do it over the public internet. That's not as bad as it sounds in terms of costs, because if you're the power company, you already own a completely independent set of cables to said substation. Now the hacker has to get out of his mom's basement and climb a utility pole to hack you.

Still worried about the possibility of remote hacking from a guy who spent too much time climbing trees in his childhood? Again: airgap. The only bits that should flow between the data transciever in the substation and the actual critical hardware shouldn't flow directly. Observe below:
[Command/Control Center] -----dedicated line-----[Rx/Tx Computer]---Low BW Link----[Local Control Computer]----Hardware

The local control computer, which should be locked up in the substation with a big steel door on it should have internal software interlocks in it that reject bad input from the physically separate transceiver unit. By physically separate, I mean really physically separate, as in one wire per bit for commands and one analog channel for values. Possibly optical lines if we're paranoid about RFI. Now, in order to hack that one substation, the hacker has to physically break into it. At which point we're back to the vulnerability inherent in any distributed dumb system.

I take cash or check.

Re:Good luck with that

[Chris+Mattern]

Last I checked China still does not have a bill of rights

Actually, they do. However, their bill of rights reserves to the state the power to "reform traitors and counter-revolutionaries." In other words, the Chinese Communist Party grants you the full spread of rights...unless, of course, you disagree with it.

Re:Good luck with that

[dgatwood]

Look at xscreensaver 10 years with 0 security holes, it allong with a host of other programs, show that you can make a system impenetrable!

That's a joke, right? An app that takes no input from anywhere (except trivial password input) has no security holes? Really? That's like a building with no windows and only one door just large enough for a cat being safe from burglars. :-)

Re:Good luck with that

[aaarrrgggh]

Ten years ago when I last toured an ISO's command center, they were able to project load to within 0.5% 24 hours in advance. Granted, spinning reserve was higher back then, but the fundamental logic hasn't changed much.

So I am lost as to what the smart grid is actually supposed to do, aside from a fancy version of automated demand-response. It wouldn't be fast enough to actually function as "protection".

Re:Good luck with that

[klui]

A bill of rights don't mean jack shit if it's not being enforced. talk to people who were arrested during the GOP convention last year.

Re:Good luck with that

[camperdave]

It wouldn't be safe from cat burglars.

Re:Good luck with that

[aaarrrgggh]

Sorry, but the intelligence built into the protective relays is pretty robust. The problem is that we isolate elements to protect that element. This strategy is predicated on a single action not having a cascading effect-- namely having sufficient spinning reserve that generation capacity is not overloaded. The same holds true for major transmission lines, but increased spinning reserve helps to add generation capacity closer to the load.

The alternative, which we do for campus-scale systems is to have means to quickly isolate blocks of load well downstream of the generation and transmission topology. We build failure-on-failure, so we know that if communications links are severed 25% of the load will drop.

The problem is that there are finite limits to how well this scales; latency is critical. You have to ensure that all communications are viable all the time. This is the challenge I have with the "smart grid" talk; deep load pickup/shed capabilities are interesting from a scheduling perspective (flatting demand profile), but do very little in emergency response.

Re:Good luck with that

[Your.Master]

I'm suddenly curious at whether, statistically, this use of the word steal garners as much commentary as the copyright infringement use of the word steal does, on slashdot.

Re:Good luck with that

[mlts]

Maybe it might be for the best to have SCADA controlling systems airgapped, or at the least, if people want reports from the systems, have locked down machines that poll them and then copy the results to another network. You could have two boxes on separate networks that communicate text solely through a serial cable (no PPP or SLIP, just data passed as a stream through the cable from the inside box to the outside one. Perhaps even cut the RX+ and RX- lines going to the inner box for maximum security) to ensure the inside box doesn't get rooted. This is slow (serial isn't the fastest of all protocols, but it is simple), but it will take someone with physical access to compromise such a setup. I have used similar configurations for secure syslog dump hosts (one box would take syslog dumps, then pass them via a serial cable to another box that is not connected on any network. This way even if someone rooted all boxes, he or she couldn't touch the last syslog dump.)

Maybe these days, two boxes connected via serial and one machine just parsing the other's serial output stream with a glorified tail -f going to whever (web pages, databases) may be not the epitomy of high tech connectivity, but it ensures that a blackhat from offshore isn't going to cause a BLEVE that takes out several city blocks.

Re:Good luck with that

Amusingly it is all about management. Of course it is.

Unless you keep a separate control station on each operator's desk that is completely cut off from internet you will have the potential of such a security hole. Most systems are not made that way for a reason. Cost.

I have too much inside information on some norwegian systems and I've intentionally left out some details but here goes....

The main control system of an oil rig is run on a token ring network (infi90, Bailey Controls product).

This loop is connected to a gateway that hooks it up to a redundant ethernet network. ("Control Network")

This control network is again connected to an OPC gateway that connects it to another redundant ethernet network ("client/server")

This client/server network is connected to a firewall which routes some ports from the outside to the inside.

The outside network is an internal network of BigOilCompany.

Through yet another firewall this network is connected to the office network of BigOilCompany (still a fairly secure network).

Through their main firewall the office network is connected to the internet.
Why is it all connected? Because when shit happens you want to be able to get the right people connected fast as hell. You also want to be able to share data between systems. It is a highly complex system after all!

Technically speaking the control network is connected to the internet. There -is- a potential for a cracking attempt here.. Very unlikely as you would have to pass through at least 3 firewalls of different brands (no single vuln can do it that way).

As for the power issues I would point out that all the various switching stations, power plants, transformer farms etc have to be very closely connected for regulating the load and production of power. If something bad happens (like a blown transformer) you dont have all that many seconds to reroute power before you end up with a cascade failure. "Isolated" systems dont do that well. They can of course disconnect themselves to protect the hardware but that would -cause- a cascade ;)

So... This is a whole lot harder to do that you'd think. Just something to think about.

Re:Good luck with that

Fuck the bill of rights, the inherited spirit of the British Magna Carta was what made America special. That tradition is gone now, probably forever.

Re:Good luck with that

And by that you say goodbye to public infrastructure such as public transportation systems, road networks, police and fire departments, sanitation, etc... Of course the US doesn't need that and of course the public sector always takes good care of that need.

Re:Good luck with that

[shutdown+-p+now]

Just build skyscrapers in Iran. Terrorists will flock there like flies to shit, and you kill two rabbits with one stone (er, skyscraper)!

Re:Good luck with that

[jeffstar]

the point was imagine the public transport (rail, roads,etc), health care, the U.S. could have had with that 680 billion. or even just a fraction of it...

Re:Good luck with that

[SeaFox]

As we all should know by now, impenetrable security doesn't exist. What we should probably have is tighter backup power for essential services and places like hospitals, where local redundancy could help in the face of a remote 'hacker' type attack

Places where there is a lot of danger for people without electrical power don't need billions spent on the security of their power systems. They need redundancy, generators in their buildings that could be used to keep people alive, batteries, and common sense.

We could also just decentralize the power grid so it isn't possible to crash the entire system by screwing around with one utility company. With many smaller independent companies the compromised system could be isolated and only a small number of customers would have interrupted power.

Such a feat would be a great side benefit from adopting more renewable energy sources, having a collective metropolitan area served by several small solar/wind/hydroelectric stations interspersed geographically within the area, rather than a big traditional power plant outside of town. Not to mention higher efficiency from less line transport to the customer.

Re:Good luck with that

[1s44c]

Probably impossible.

As we all should know by now, impenetrable security doesn't exist.

Maybe not. But a good first step would be to not connect critical infrastructure to the internet.

Re:Good luck with that

[lul_wat]

I've been to the north of China, and I can tell you it's not good. Not environmentally, socially, or technically good. By my western standards.

Re:Good luck with that

[mlts]

This is probably the most sensible thing I have read about passing information from a secure (read, compromise on the segment BAD) network to a less secure one such as an internal LAN. Using a dedicated line that passes the raw data without having an IP stack means that the box on the less secure side can do nothing except inject large amounts of garbage or random data down the dedicated line in hopes of filling up a hard disk or jamming a buffer. Even if this is done, it would at most cause a crash on the secure box, which would be immediately detected. True compromise of that box and getting on its network is still impossible by known means, or physical access.

The problem that is faced with that solution is marshalling the data to fit over the pipe, spitting it over the dedicated link, and the computer on the less secure network side unmarshalling it, and getting it to the appropriate places for reports, queries and other things that the PHBs require.

Re:Good luck with that

[vtcodger]

This may sound like an incredibly dumb idea, but if you don't hook stuff to a network, it is remarkably difficult to attack it from the network. Is it maybe, just barely, possible that there are portions of the national infrastructure that should NOT be connected to the internet?

Re:Good luck with that

It isn't necessarily on the Internet. SCADA systems are accessible via ISDN, X.25 and even radio/wireless. Don't make the mistake assuming that attackers' only venue is the Internet.

The simple fact is that regular security assessments run by an independent entity with vested interest in infrastructure security are required; this includes physical and electronic security. In fact separating security into distinct domains is a mistake - attackers don't, so why should we?

Re:Good luck with that

[tjstork]

gine the public transport (rail, roads,etc), health care, the U.S. could have had with that 680 billion. or even just a fraction of it...

You could say the same with health care for the uninsured.

Re:Good luck with that

[AmiMoJo]

The point is that you can make systems much, much harder for people to break in to. Like, for example, not connecting critical control computers to the internet or a phone line where they can be hacked.

Re:Good luck with that

[dvorakkeyboardrules]

I'm suddenly curious at whether, statistically, this use of the word steal garners as much commentary as the copyright infringement use of the word steal does, on slashdot.

Since most /.ers are college students or live in their parents' basement (and in either case don't pay income taxes), probably not. :P

Re:Good luck with that

[mcgrew]

Oh well, let's spend a bunch of money on fear like we always do.

Terrorists are the least of out worries here in the midwest US. In the winer we have ice storms, in the spring and summer we have storms and wind. An outage caused by hackers probably wouldn't last lomg here, but when a tornado rips through and destroys every utility pole and the equipment hanging from them, it'll take a while to get back on line.

When the tornados ripped through here in 2006, as I walked through the destruction in search of a hot cup of coffee the next day, the thing I thought most was "If Bin Laden saw this he'd give up. No way could a terrorist do this much damage!"

The threat is narural events. The danger from terrorists is minimal.

Re:Good luck with that

[V+for+Vendetta]

Or we could just not steal a trillion dollars from U.S. citizens and let them spend it on what they want, and then have jobs that are actually in demand created..

You mean more fast food restaurants and hence jobs that earn so little, no one can make a living from?

Re:Good luck with that

[mcgrew]

The US isn't like you see on American TV either.

Re:Good luck with that

"We need to find a way to force utility companies to take these threats seriously and the only way to do that is to have financial penalties for lax security."

That already happened... It's called NERC CIP. http://www.nerc.com/page.php?cid=2|20

I predict that 5 years from now /. will tell us the Berlin wall is coming down... *yawn

Re:Good luck with that

Are we better off spending money assaulting terrorists where they live, or would we be better if we built more skyscrapers? I think no one knows.

The question is pretty much bullshit since we arent really "assaulting terrorists where they live" in the first place. The war in Iraq has as much to do with stopping terrorism as Slashdot has to do with losing ones virginity.

Re:Good luck with that

[hesaigo999ca]

No, what we should do is force more people to have solar powered alternatives to energy, also providing with extra unused wattage, so that in a failure situation, segregating the power grids to their local areas which in turn had plenty of its own producing juices to maintain a working level, could help reduce such possibilities, but again, the government isn't taking this seriously enough to push incentives across the board to all home owners to adopt the new technology.

Imagine that we had such worries about what time we used our washers or dryers or even air conditioners.
Imagine also how much less demanding on the grid it would be should such a situation arise, they could cut here or there to limit the damages, send crews to fix the problem or restart their servers whatever the cause, and then rejoin the main grid.

Re:Good luck with that

[mcgrew]

We'd rather have good than crappy, but the power companies would rather spend on executive bonuses than on good security.

Or infrastructure, customer service, repairs, or anything else. Ameren lays off 50, gives outs to 100 more

Amerin already has the highest rates and poorest service than any other company in Illinois. Luckily for me Springfield's power company is owned by the city. We have the lowest electric rates and best dependability in the state.

In March 2006 two strong F2 tornados hit here (almost F3) and I was without power for a week. A single F1 hit the East St Louis area that June, and they were without power for a month.

If that's socialism, I say bring it on! There is no free market in utilities, and IMO they should all be publically owned like CWLP.

Re:Good luck with that

[elrous0]

"We need to find a way to force utility companies to take these threats seriously"

Unfortunately about the only way to do that would be to nationalize the U.S. electrical infrastructure. And if you tried that, you're going to have over two hundred Republicans, the entire staff of Fox News, and a bunch of DINO Democrats in Congress screaming bloody murder, beating their chests, flagellating themselves, screaming "KARL MARX! KARL MARX!," and calling for the impeachment of Barack Obama for high treason.

Re:Good luck with that

Then again, all of our servers were Linux, so it really didn't matter.

What are you trying to say? That Linux is super-secure or unhackable or something? I have certainly heard plenty of people make similar claims.

But working at a tech in a datacenter, where most racks were rented to web hosting companies, I saw (speaking with the engineers when they would come in and grab a crash cart) plenty of Linux boxes getting 0wned by skript kiddies. It was a routine occurrence.

Re:Good luck with that

How about we just make the terrorists not hate us the most (so they attack someone else) by quit invading counties on a whim (or to finish a daddy's war).

How about we become isolationist like we were in the 30's after the last big freeze on the economy. Hell, back then we didn't even have huge megacorps bilking money from people for their oversized underpowered power grids (they just bilked money on a smaller scale and regionally).

Re:Good luck with that

If ISPs ran on the business plan that electric utilities do, you would need to have 4 ISPs to hope that at least one might be working at any one moment.

If electric utilities ran on the business plan that ISPs do, you would need to pay 3x the amount for the same power you use now, but you would have at least 2 separate lines to your business fed from different substations (some businesses do this now, and they pay more for it too).

Re:Good luck with that

[ubercam]

Grishnakh didn't say it shouldn't be on a network, just not one connected to the Internet.

A private network that is completely disconnected from the Internet would still allow for remote control of the various generating stations while also simultaneously shielding it from remote hackers. One would have to gain physical access to a facility, or somehow physically tap into the network, but even that can be mitigated somewhat by encrypting everything that goes down the pipe.

I'm almost 100% sure that power companies that predate the Internet already have some kind of control network in place that also predates the Internet. An example that I'm familiar with is Manitoba Hydro. Hydro and MTS (phone company) jointly built the first microwave network in 1969 to be able to remotely control distant and isolated dams all over the province from Winnipeg and to carry telephone, television and radio services to the north. They completed a second system in 1977 (for redundancy). I know a guy who was heavily involved way back in the day in automating some of the older stations to be remotely controlled, and also installing and maintaining the microwave towers/base stations. As far as I can tell, Hydro has replaced the microwave network with a 1140km fibre link, and I believe MTS has been using fibre for phones for a few years at least. I'm not sure anyone is still using the microwave network, but the towers are definitely still around. Maybe they're keeping it active in case of a fibre cut or something.

Re:Good luck with that

[interploy]

Probably impossible.

As we all should know by now, impenetrable security doesn't exist. What we should probably have is tighter backup power for essential services and places like hospitals, where local redundancy could help in the face of a remote 'hacker' type attack

Not probably. There is a universal rule: "If it can be made, it can be unmade."

Redundant systems independent (or even interdependent) of the grid would be the best course of action from a common sense standpoint, but sadly it isn't practical in terms of profit. First they have to figure out who's going to pay for the generators, then the maintenance, then retrofitting the buildings (if it's even possible), etc. etc. It'd be the same thing as what's going on with GPS-based navigation for airlines: a vastly improved, practical system built on proven technology with no one willing to pay for it.

Re:Good luck with that

[Lord+Ender]

Impenetrable security doesn't exist, but it is far far cheaper to have a team of dedicated IT security auditors, analysts, and pen testers than it is to carpet the continent in backup generators. You don't have to have perfect security, just enough to make it not worth an attacker's while.

Re:Good luck with that

[Lord+Ender]

You clearly don't work in IT security. Viruses come in on thumb drives, iPods, etc.. You don't need to be on the internet to have malware rip through your network.

Re:Good luck with that

[PPH]

If ISPs ran on the business plan that electric utilities do, you would need to have 4 ISPs to hope that at least one might be working at any one moment.

That's not unheard of in some larger facilities. Two separate lines from different providers into the data center. Heck, I've still got dial-up to back up the community WiFi service.

If electric utilities ran on the business plan that ISPs do, you would need to pay 3x the amount for the same power you use now, but you would have at least 2 separate lines to your business fed from different substations (some businesses do this now, and they pay more for it too).

Multiple feeds (for other than load reasons) is rare. Incredibly rare. I used to work for the local power company. When we were asked by a hospital for two services on different circuits fed from two different substations, we provided it. Some years later, to accommodate load changes, we switched the circuits around.Now, the hospital's services are fed from the same circuit. But the hospital got smart and installed their own co-gen power plant.

The moral of the story is that there are no laws or regulations obliging a utility to meet any reliability standards. Some implementations (like the two circuit design) might provide better reliability. But if those two substations are fed from the same transmission loop, and the highest outage probability is the loss of that loop (transmission is overhead, substation circuits are underground in my area), then it doesn't really matter. And once you have paid for that (pointless) redundancy, the utility is free to reconfigure its system to suit its needs. There are no mandatory performance standards with which one can evaluate the probability of loss of one service, or both services simultaneously, which would allow one to evaluate the economics of a redundant service vs backup power.

Re:Good luck with that

[shankarunni]

Totally impenetrable physical security doesn't exist, but totally impenetrable electronic security most certainly does. It's quite simple to make something completely immune to hacker attacks over the internet: disconnect it from the internet!

Which was exactly my instant reaction when I saw the story. The real problem, as mentioned by Congressman Langevin, is that most of the power providers are small private operators that swim in murky waters. They like the "convenience" of having their billing systems, control systems, and the secretary's network resources all on the same network ("easy to administer with one sysadmin", I suppose), and "just put a firewall" to protect the key systems.

Profit is everything when the profits tend to be razor-thin. It's the middlemen that make most of the money, not the producers.

Of course, our defense infrastructure isn't immune to this, either. The easiest "break-ins" are apparently by just leaving around USB keys in the parking lot, and depending on unsuspecting and greedy people picking them up and sticking it into their laptops or desktops to see what's on it (and whether they can nab it for themselves..)

Re:Good luck with that

why the hell you connect these systems to Thee Internets ???

Re:Good luck with that

[JWSmythe]

    Ya, I know that any box can be hacked. You just don't run into the trouble of someone putting a USB drive on your Linux machine, and it getting a virus. :)

    I'm sure you already know, most *nix boxes that are exploited are because the owners did something stupid. They didn't properly secure their machines, or they didn't keep up with the patches. I know of some machines that were exploited, because they ran SSH on port 22, and they set the root password to "password" before shipping them to the datacenter. They had the intention of changing the passwords before they went into production use, but it was frequently a month or two between the time they were put online, and the time someone bothered to do something with the box.

    Good security would say to only run the necessary services, and only allow those services to be connected to by trusted networks. Additionally, and public facing software should be properly audited for security considerations. I an always amazed that some people think that putting in something like passthru("$_REQUEST[query]"); would be ok. Heck, I've even see people include files with stupid stuff like $template = `cat $_REQUEST[filename]`;, which is easily exploited with something like "myuri.php?filename=foo; rm /etc/passwd". It's not the fault of the OS for stupid developers putting stupid code up.

Re:Good luck with that

[Korin43]

My point was imagine how much of things people actually want we could get for $680 billion. If you need the government to take people's money by force to pay for something, it's obviously not that important to people.

Re:Good luck with that

[Korin43]

Yes since the vast majority of our government money goes to infrastructure. It's not like we're blowing it all on the War on Muslims, the War on Drug Users and the War on the Economy..

Re:Good luck with that

[jeffstar]

i hear what you're saying. don't take people's money off them and let them spend it or invest it as they see fit.

What do you think everyone would have bought with that money? I think it is $6.8*10^11/350*10^6 americans is $1,900 per american.

not an insignificant amount of money! a months rent, your books for a year at school, a shitty car...or I suppose investment in a company which may or may not be involved in providing infrastructure, health care, whatever.

I like the idea of small government where ever possible, but there must be some things that only governments have the resources for and can assume the risk.

Re:Good luck with that

[evilviper]

You have to ensure that all communications are viable all the time.

We have guaranteed, near-instantaneous communications built into all electrical systems ever built... It's called VOLTAGE. If you know what it's nominally supposed to be, you can easily determine whether the system is underloaded, optimal, overloaded, etc, and to what extent...

Re:Good luck with that

The danger from terrorists is minimal.

You should not be saying things like that, you know. If what you say would be true, which it obviously isn't, then how would the powers that be secure funding and judicial support for their various projects and activities in the name of national security?

Why don't you love your country?

Are you not a patriot?

Do you hate children and kill kittens too?

Re:Good luck with that

[BoothbyTCD]

You are correct in that it is more or less equally silly.

Re:Good luck with that

[garwain]

I'm set. I survived 3 weeks during the quebec ice storm of '98 with only minor annoyance. I have a disel generator, 500 gal of disel on hand, a freezer full of food, and about 50 cords of wood on hand... then again, this is just general supplies since I heat with wood, and have a farm, so I need the disel, anyway, and the generator is needed for anything more than a 2 hour power failure to ventelate the barn., If I run out of food, I can always butcher a cow or hog...

Re:Good luck with that

[trevinlovett]

The threat is narural events. The danger from terrorists is minimal.

that is super true... i live in Missouri and nobody worries about anything except tornadoes.

Re:Good luck with that

[Nefarious+Wheel]

So I am lost as to what the smart grid is actually supposed to do, aside from a fancy version of automated demand-response. It wouldn't be fast enough to actually function as "protection".

Ok, let's add another reason, because "Smart Grid" means more than just smart meters. A good 'nother reason is encouragement of alternative forms of energy production, such as wind, home/small business microgeneration capability (PV or MicroCHP).

In the latter case, this means adding enough data processing capacity to backhaul networks (essentially LANS running in parallel to electricity delivery) to allow the networks to read net +/- usage and pay users for any surplus power pushed back into the grid (at least one pilot program augured because they insisted on a flat rate structure - that won't wash). Electricity network infrastructure developed a half-century or so ago didn't mostly accommodate this in their business model, and the hardware isn't there to read it.

Newer infrastructure often includes this and older infrastructure needs retrofit to allow it. Australian distribution network operators believe the better power usage profiling will pay for the lot, but distributed generation is something the public and the government regulators are pushing them to do. Either way, nobody in the electricity industry here ("nobody" defined as 0 out of 24 C-level execs we recently interviewed) believes that upgrading our infrastructure to understand and accommodate changing usage profiles isn't critical to providing flexible, scalable power to people who are demanding better use of the generating capacity we have and the alternatives they're being forced to have a look at.

They're looking at the biggest expenditure in decades in an expensive industry, and the intitiatives that fit under the "Smart Grid" umbrella are part of this overall modernisation. They're also very tightly regulated - can't tie their shoes without a water tight business case, so the money justification is being looked at very carefully. Giant analogue meters filling a wall a'la Fritz Lang just ain't the shizz any more.

Umm, looking at the above, I should admit - I am indeed an industry shill. But I'm a well informed one, and this is neutral spin.

Re:Good luck with that

"Why the nation's power grid control absolutely needs to be tied into the internet, I have no idea"

Why you think that this is true I have no Idea ?

Re:Good luck with that

[dpilot]

> We have guaranteed, near-instantaneous communications built into all electrical systems ever built... It's called VOLTAGE.

We have another guaranteed, near instantaneous mechanism built into all electrical systems ever built that confounds VOLTAGE readout... It's called CAPACITANCE. Not necessarily capacitance as in those little tin cans that leak and destroy your motherboard, but (I'll call it) effective capacitance, that can include rotating stuff. In fact, elsewhere in this topic there have been numerous references to rotating storage.

I once spoke with a co-worker who did one of his co-ops in a steel mill. His descriptions of high-power management were fascinating to a chip designer. But the salient point to this thread was what happened when power was cut. They had so much moving mass in the place, that when the power was cut the motors turned into generators, and you could have gone minute+ without seeing the lights start to dim. His description of high-power circuit breakers was pretty neat, too.

In addition, there are other concerns like phase and power factor that are of critical importance, and can muck with a simple voltage measurment. Simple, it ain't.

Re:Good luck with that

[murdocj]

Yeah, I've travelled fairly extensively. Talked to people who lived in East Germany before and after reunification, and they had some interesting points about how in some ways life got worse after the wall came down. So I understand that there's more than what's on Fox News. I'd still prefer to live in a country where I don't have to worry that expressing my political views is going to get me an indeterminate jail sentence.

And I love how I reply to a post that compared the USA and China and get modded as a Troll... nice job.

Re:Good luck with that

[Grishnakh]

Hacking into these things is a lot more challenging than hacking into something from over the internet, especially if you're some guy sitting in North Korea. For instance, if your system is only available by radio, and uses a frequency that requires local proximity, then that makes it effectively impossible for, for instance, some kid in China to hack in. It raises the bar tremendously, locking out all but the most determined and best-financed hackers.

To bring up a car analogy, it's the same thing with car security methods. Most of them are only effective against casual or low-budget thieves, but that's ok, because that's the biggest threat. No matter what kind of alarm system you have or security measures you take, your car is still probably vulnerable to being towed away. And if you try to block your car in with other cars or behind a locked gate, some thieves with a large helicopter could still steal your car. But since the number of car thieves with helicopters is probably zero, security measures which overlook this attack vector are still perfectly sufficient.

Re:Good luck with that

[murdocj]

I forgot to mention my long time friend who grew up in Hong Kong, married a woman from mainland China, and recently came back from a couple of month vacation in China. Lots of interesting stories about visiting relatives, seeing tourist attractions, the economic boom. Other stuff, like how it was way easier for him as an American to get from mainland into Hong Kong than for his wife, a Chinese citizen. So yeah, I'm pretty well informed.

Re:Good luck with that

[kd5zex]

There was an interesting blog in the economist magazine

Not to pick nits, but since it was in a magazine wouldn't it be an article or a column?

America?

Mike McConnell says that the 'United States is not prepared for such an attack' and believes it could happen in America.

This is news to me, so Brazil is NOT in America?

Re:America?

[Mitchell314]

It's not in *an* America, it's in the other one.

Sort of like if I have 2 coins that add up to $0.30 and one isn't a nickel, the other coin is.

Re:America?

[VirginMary]

I think you're confused about the English language! "In America" certainly includes any country in either North or South America. You're probably US American and went to a horrible "school" and therefore can be forgiven. ;)

Re:America?

[nomadic]

I think you're confused about the English language! "In America" certainly includes any country in either North or South America.

English is defined by customary usage. If you said "In America" to 100 English speakers, MAYBE one would include any other country than the US. If you're lucky.

Re:America?

[Waffle+Iron]

"In America" certainly includes any country in either North or South America

We do not use the term "America" as a geographical set of the continents "North America" and "South America". Similarly, we don't say that someone is in "Dakota", because that territory no longer exists. We always say "North Dakota" or "South Dakota".

However, "America" *is* commonly used around the world as an abbreviated form of "The United States of America".

Re:America?

[VirginMary]

However, "America" *is* commonly used around the world as an abbreviated form of "The United States of America".

Not where I'm from, which is Germany. I always took it, and still take it, as a form of US American arrogance or at least myopia or self-centeredness.

Re:America?

[Nefarious+Wheel]

(checks wallet)... I have 30 cents here and neither coin is a nickel. Both show Betty Windsor Junior on one side, and one has a platypus on the other. What strange country are you from that doesn't have the Queen on your coins? Or platypese?

Barbarians.

Re:America?

[Kingrames]

Here we call it Murca.

Re:America?

[Grishnakh]

WTF? Why does some moron have to bring this up on here every time an American refers to the USA as "America"?

Someone please mod this troll down.

Re:America?

[soundguy]

Speaking of arrogance, how did that whole "master race" thing turn out for you?

Re:America?

[c_forq]

What do you call people from the U.S.?

Re:America?

if they can type United States once, why... Why would you be switching from that to America in the same sentence?

Re:America?

[pdabbadabba]

The only people I have ever met who would agree with you who live in latin America. I understand that they (you?) are irritated that the US has taken over the name of two entire continents, but that has nothing to do with the actual meanings of words. Sorry. On the other hand I have never met a single native English speaker (from the US, Great Britain, or elsewhere) who would agree with your view on the meaning of the word "America" in the English language.

Re:America?

[VirginMary]

Personally I was born in 1959 and had nothing to do with that whole "master race" thing. As far as things working out for Germany, I guess we're doing rather well. Last year we were the export world champion ahead of China. This year China may just beat us but we'll still be way ahead of the US, and even more so on a per capita rating. So, thanks for asking! :) I don't know how old you are, but I am wondering how you feel about all the atrocities your ancestors have perpetrated on American Indians, blacks and other minority groups and how you feel about all the racism and the internment camps for American citizens of Japanese descent during the 2nd World War. Or whatever your ancestors in Europe or wherever they came from might have done. Or all your raving lunatics that they show on German news, that compare your president to Adolf Hitler etc.

Re:America?

Do you mean English speakers in the US or in the UK? Because perhaps those "Americans" are just pretentious or ignorants. Since probably yuo were not raised in "another americna country" perhaps you dont find this ambiguous usage idiotic as i do.

Re:America?

[VirginMary]

What do you call people from the U.S.?

Myself, I call them U.S. Americans but then I've been known to be very specific and picky which serves me well in my chosen profession as a computer programmer! ;)

Re:America?

[pdabbadabba]

So, let me get this straight, you, a native speaker of German (if I'm understanding your background correctly) think your understanding of the "real" meaning of English words is superior to that of a whole hoard of native English speakers on Slashdot?

I'm pretty sure that any native speaker of English, regardless of where they are from, would find it natural to simply call the U.S. "America." This is indubitably true in the language most here are writing in, US English. This may well be a symptom of our latent (or not-so-latent) self-centeredness, but this has nothing to do with the underlying facts regarding the meanings of words; "America" in US English (and, I'm pretty sure, UK English, though this is really beside the point) most certainly does primarily mean "The US" regardless of the possibly-ugly psychological reasons for it.

Re:America?

[VirginMary]

Then this must be wrong?

Re:America?

[pdabbadabba]

A very good question. Somehow I doubt an answer will be forthcoming...

So maybe I can help: "Amerikaner?"

Re:America?

[pdabbadabba]

Yes, insofar as it fails to capture actual usage. Though I would point out that what I claim to be the most common usage is indeed listed as #3. My only quarrel with the entry is in its ordering.

Re:America?

Would that be United States Americans, United State's American, or United States' American?

Re:America?

[VirginMary]

http://www.merriam-webster.com/dictionary/america. Also, according to several of my many U.S. American friends, my English is noticeably superior to that of the average U.S. American speaker. From what I understand, I wouldn't have been allowed into a German university with the typical lack of understanding of English grammar that is common in U.S. American high school graduates. When I was studying towards my doctorate in physics at the University of Oregon, I once had a competition with another graduate student, a native speaker, concerning the usage of grammar in English. From what I recall, it was a close call, but I won the competition. That was almost 20 years ago. I am fairly certain that my English skills have improved since then. I make most of the silly mistakes that native speakers make but, I make them in order to fit in and I am still keenly aware of them, when I make them! Examples are using "is" when it should be "are" or "me" when it should be "I", or "who" when it should be "whom." The last one may only be required in British English, I am not sure...

Re:America?

[4D6963]

"In America" certainly includes any country in either North or South America.

No, you 2 euro-cent troll, that would be "In the Americas". "In America" or "En America" or "En Amérique" all refer specifically to the USA.

Re:America?

[pdabbadabba]

I know you probably won't believe me, but I feel I should give you a friendly warning: to any native speaker of English, particularly of US English, you are badly and obviously mistaken. Take it from someone who not only is quite well educated in the english language formally, but who is a native speaker of English who has lived his life surrounded by other native speakers. Your mistake is understandable since english is not your first language, but please, consider yourself corrected.

I want to reiterate that I agree with what you've said about the possibly ugly origins of the usage of the word. But that doesn't change the fact that, to a native English speaker, your views on the meaning of the word "America" are, at best, very revisionary. Worse, using the word "America" in the way you prefer in a conversation with a native speaker will certainly lead to systematic confusion (much like the confusion that sparked this very conversation).

Re:America?

Do you mean English speakers in the US or in the UK?

Both. When English-speakers from the United Kingdom say "America", they're referring to the USA.

Re:America?

[WindBourne]

So, what you are saying is that those in Canada, Australia, India, UK, and America really have no fucking clue about the meaning of our language, while you, a none-native speaker (and an obviously ignorant one), does? What I find interesting is that when I travel to Germany (Frankfurt and Neu-Isenburg) that old co-workers refer to USA as America as well.

Offhand, I would say that you are simply an asshole with a chip on your shoulder and nothing else up there.

Re:America?

[blueg3]

Probably because you don't speak proper English.

(Yes, yes. Like most Americans.)

Re:America?

[blueg3]

In Germany, they call them Amerikaner: Americans.

Re:America?

[blueg3]

There is, in fact, a term for the countries of North and South America, collectively. They're called "The Americas". "America" is the U.S. An "American" is usually, but not always, someone from the U.S. The adjective "American" depends on context (an unfortunate point of confusion).

Re:America?

You must mean 100 U.S american english speakers. Because I damn well know that if you said "in america" to us Canadians, we'd realise we're not the whole world and remember about the other contries that share our landmass.

Re:America?

[ElectricTurtle]

I love how you want to put down people for some standard of intellect while posting something full of spelling typos. Also 'ignorant' cannot be a plural noun. Or were you trying to say 'ignorance'? (Which would be just as bad, not being parallel.) In any case, you have lost all credibility to insult the intelligence of others.

Re:America?

[VirginMary]

"None-native" illustrates my point just fine! Oh, and that's "Dr. Asshole" to you! :)

Re:America?

[VirginMary]

I appreciate your effort in trying to educate me. At this point I am willing to throw in the towel and to concede your point! I would also like to thank you to keep this exchange civil, unlike certain other people... So, in summary, I will mend my "evil" ways from now on and remember to be more accepting of the custom of calling the United States of America simply "America", no matter what the origin may be. Actually, I have many good friends that are Americans! And I usually don't give them a hard time about almost anything. :)

Re:America?

[pdabbadabba]

I'm sure your English is excellent; I don't mean to suggest otherwise. But remember, the point we are debating is not an obscure one to a native speaker of english (particularly in the US); nobody, virtually regardless of education, would use the word "America" the way you do.

That's really all there is to say. But, since you seem to believe that your English is also better than mine, I should point out, for the sake of emphasizing my own credibility, that I am not an "average" native English speaker. I am, rather, a law student at a top-ten American law school. That may not say a lot about my competence in a lot of areas (physics, for example) but it does say quite a bit about my mastery of the English language.

The "who"/"whom" distinction, by the way, is one a lot of people get wrong including, I'm sure, myself from time to time. Fortunately, it is so rarely used (certainly in the US and, I think, the UK as well) that it usually sounds stranger to a native speaker when someone gets it right than when someone gets it wrong; for the vast majority of situations it is unnecessarily formal. (In fact, I can't think of a single situation when it would be desirable to use it; even in a courtroom it would probably just sound pretentious.)

Re:America?

[pdabbadabba]

I likewise appreciate your civility. (Conceding a point is certainly a lost art around here!) I really do mean it when I say (as I've said elsewhere) that your English is very excellent. I know that you aren't seeking my stamp of approval on your English skills, but I want to make clear that I don't mean to criticize your English-speaking ability generally. And you are certainly not the first person I've met who found the "American" usage of the word "American" irritating. In fact, Americans who learn Spanish are always taught to take pains to always call the US "Los Estados Unidos" instead of "America" in order to avoid offending the locals (and they will get offended).

 

Re:America?

[citation needed]

Or is it Wikipedia wrong?

Re:America?

Counting that US is the largest English speaking country, that may make sense. Although they don't seem to do well in geography

Re:America?

I am Canadian. The USA is "America". Canada is a part of "North America", which is a part of the "Americas".

Re:America?

Arrogants?

Re:America?

Speak for yourself. To us Canadians we realize that the common usage of the term "America" refers to the USA and would rather not be grouped into the common term.

If you absolutely MUST group us with Americans at least use the non-offensive "North America" ;)

Apologies to my American cousins, no offence intended :) /Colour, "LEF"tenant, Tim Hortons

Re:America?

[Your.Master]

I'm a Canadian, and I've lived throughout Canada. I have NEVER met anybody outside the Internet who thinks American, in spoken English, means anything other than somebody from the United States of America (North American, maybe, but never "American"). There are a significant portion of them that would be insulted to be themselves referred to as Americans; the rest (aslo a significant portion) would simply be amused.

It's not about not being the whole world. It's about how the language is used. What the hell does your crowd call Canadians, anyway? Can't be "United Statesians", since there's more than one United States in the world.

I assert (based on admittedly anecdotal evidence) that if you ask a random sampling of 100 native born English-speaking Canadians, probably less than 1 and certainly less than 5 would think "American" would refer to anything else but people from the USA.

And I think you know that too, if you're truly Canadian. Although it's a big country, maybe you live in some small enclave where that flies among your friends. I've spent most of my time in the most populous parts of the country. But certainly national television *always* uses American to refer to people from the USA.

Re:America?

As a Canadian, I resent being called American.

I expect the Mexicans aren't too fond of being called American either. Or the Brazilians, or Chileans or....

Re:America?

[ushering05401]

I think you're confused about the English language! "In America" certainly includes any country in either North or South America.

English is defined by customary usage. If you said "In America" to 100 English speakers, MAYBE one would include any other country than the US. If you're lucky.

So what you are saying is it is 'lucky' in this day and age to find another human that both knows how to read and is unwilling to mindlessly redefine terms based on how they hear other people using them? Are you sure you didn't just proclaim to the world that your mind is lazy? That's what it sounds like to me.

Anyhow, by living in University centric towns I meet a large number of English speaking Americans that are from other countries across the Americas. The problem is with the lazy minds of your social circle, and your own lack of precise thinking that has lead you to this +5 modded monument to ignorance and arrogance.

Re:America?

Thank you for including the internment of American citizens of Japanese ancestry in your reply. No one ever includes that. I guess it doesn't have the spice factor that bio warfare on natives or whip marks on a slave's back have. Sure left a mark on those involved, though. Hope the weather is nice where you are.

Re:America?

[1s44c]

What do you call people from the U.S.?

Depends if they have guns with them or not.

Sorry could not resist.

Re:America?

[1s44c]

Don't bait the U.S. American persons. You know they don't believe anything actually exists outside their borders.

Re:America?

[HJED]

As someone posting from Australia and born in England I can say that in my personal experience most people use the word American to refer to someone who is a citizen of the USA, and the word America to refer to the USA.
This is called a colloquialism, look it up.
This is from the oxford dictionary:
American

adjective relating to the United States or to the continents of America.

noun a person from the United States or any of the countries of North, South, or Central America.

Re:America?

[beerbear]

I think he was going for ignoramuses. Ignorami? Err...

Re:America?

[WaroDaBeast]

Actually, the grandparent post is totally right.

First, because English is defined by customary usage: if, for instance, a majority of English speakers start pronouncing a word in a different way, then that pronunciation will become valid after a while. The shift could also occur semantically. The French have the Académie française, the Germans have the Rat für deutsche Rechtschreibung; but for the English tongue, there exist no such academy.

Secondly, one should not forget that language is by no means systematic. Take the word "anti-Semitism," for example. We all know it means "hatred towards Jews." Now, let's decompose that word for analytical purposes:
- anti- means "against"
- Semite means "Semitic-speaking person"
Woah, wait... Arabic — among other languages — is also a Semitic language. So why has the word "Semite" come to specifically designate Jews? For the same reason we call the United States "America" or the Caribbeans, the "West Indies."

So, the bottom line is: in linguistics, pragmatism often wins where logics ought to prevail.

Re:America?

I think you're confused about the English language! "In America" certainly includes any country in either North or South America.

English is defined by customary usage. If you said "In America" to 100 English speakers, MAYBE one would include any other country than the US. If you're lucky.

Like computing, where 100 users, when asked what is an operating system, 95 would answer "Windows". It is just plain wrong, but, it is what most people think.

Re:America?

I have NEVER met anybody outside the Internet who thinks American
Me neither, but the GP is not talking about "American" but "America". I guess you had your mod point from an outraged "American" that believes his country is "America" and not "United States" or "United States of America".

Re:America?

You're a fucking moron.

Re:America?

English is defined by customary usage
As a non-English speaker I would say then, this is a matter of getting accustomed to properly use the words.
When looking for jobs in the US, the websites are unambiguous enough to put "US Citizens Only" instead of "Americans", why being ambiguous (and/or lazy) in any other cases?

Re:America?

[WindBourne]

Yup, I misspelled it. Look through many of my postings and you will find others, since I keep spell checker off.

What I find interesting is that in another posting of yours, you linked to a dictionary def. of America and it out and out said that America referred to USA. IOW, you really are just an asshole looking to troll.

As to getting the doctorate, I have known pleny of PhD's along the way. A number of them are pretty worthless. Just followed the program. IOW, not that impressive to me (or others in the know).

Re:America?

[dvorakkeyboardrules]

I think you're confused about the English language! "In America" certainly includes any country in either North or South America. You're probably US American and went to a horrible "school" and therefore can be forgiven. ;)

No, the phrase that includes any country in North or South America is "en america" (saying it in Spanish, that is).

Re:America?

[thetagger]

The confusion has to do with the fact that "America" means different things in different languages, then people go online and try to correct English speakers. I am Brazilian, here's how it works here:

American (americano) means someone born in the US.
America is a continent. It goes all the way from Argentina/Chile to Canada. It is often subdivided geographically in three parts: South, Central and North America, or culturally in two parts: Latin and Anglo-Saxon America. As far as I know, Americans think of "South America" and "North America" as two unrelated continents, and not as divisions of a larger continent. Also, Mexico is a part of North America, whereas I don't think Americans think of Mexico as part of North America. I have no idea what they call Central America.
United States (Estados Unidos) is the country between Mexico and Canada.

(in Portugal, though, "americano" means "of the American continent". The term for someone who was born in the US is "estadunidense", or "Unitedstatian")

There are exceptions though in Brazilian usage:

You may use "americano" sometimes in a pan-american context. Say, "American peoples" means the peoples of the American continent. This depends on context.
America may mean "The United States" in a mocking way. For example, the media would often talk about "George Bush's America" (a América de George Bush).

You can bet I have seen my countrymen trying to correct Americans online. I think the confusion comes from the fact that America is a proper noun, and people wrongly assume this means it's untranslatable, like people's names. This is obviously not the case. Also, in common usage people speak very sloppily about places that are not their own, which can often offend people's nationalist sensibilities in an international context like the Internet. Hence the confusion.

Re:America?

I hear "America" and I think United States of America.

If instead I had heard...

"The Americas" or "The American Continents" or something similar to that effect...

Re:America?

[WaroDaBeast]

I'm a French speaker myself, but I have a bachelor's degree in English — which is why I know the language better than your run of the mill Frenchman.

When looking for jobs in the US, the websites are unambiguous enough to put "US Citizens Only" instead of "Americans", why being ambiguous (and/or lazy) in any other cases?

That's the whole official versus casual scenario here. Say you're going out with a couple of friends to have a few drinks at a bar downtown. If you tell them to be there at eight, they will automatically understand "8 p.m.," because you know and I know that most people don't go and get drunk at eight in the morning. Now, say you're going to a job interview tomorrow at eight; the paper will either read 8 a.m. or p.m., first and foremost, because you can't guess for sure. Secondly, because it's something official, and official papers are always unambiguous.

Re:America?

[Lord+Ender]

When referring to nationality, "American" means US citizen. When referring to other things, like botany, "american" can mean "new world" in some cases.

guess what's next ?

"'If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation. I hope we don't get there.'"

So now I can expect this to happen in the next year. For whatever reason, conspirationist or not : whatever USA dreams (phantasizes), it becomes reality :-/

Re:guess what's next ?

[Yvan256]

Can you guys dream about Canadian currency being valued at 50% when we export and 500% when we import?

Thanks in advance.

Re:guess what's next ?

Can you guys dream about Canadian currency being valued at 50% when we export and 500% when we import?

Thanks in advance.

Well just come over here in mainland Europe :-) I import like crazy (like one third of my revenues) and some of my sources (electronics component brokers) are in Canada. Great and nice people, BTW.

Re:guess what's next ?

[fredklein]

It's possible, but it's also possible to take out the energy infrastructure of the USA with conventional methods.

There's a book 'Barracuda 945' in which an Arab man, brought to England as a youngster, grows up and joins the military, rises in the ranks to Major, and is then sent to Israel on a mission. He is struck by certain events there, and decides to defect to the Arabs. He uses his military skills to make friends, influence people, and rob a few banks, amassing a huge amount of money. He then comes up with a plan to use the Chinese (who owe them for reneging on an arms deal) to buy two Russian nuclear powered subs. He takes one across the pacific to Alaska and launches a few cruise missiles (non-nuke) at the oil pumping stations there, then blows a few holes in an underwater part of the oil pipeline, then goes down the west coast of the USA, blowing up any energy related facilities he can (oil transfer tanks, natural gas power stations, etc). He finally ditches the sub in the (now Chinese controlled) Panama canal. The British and American intelligence agencies are one step behind him the whole way.

Now, even without the nuclear submarine, it would be possible to do that damage conventionally. A few (hundred) pounds of C4, strategically placed, could strike a huge blow to the American energy grid.

Re:guess what's next ?

So now I can expect this to happen in the next year. For whatever reason, conspirationist or not : whatever USA dreams (phantasizes), it becomes reality :-/

Hey! Do you remember that big nuclear war between the United States and the Soviet Union? Oh wait...

Re:guess what's next ?

[ErkDemon]

Enron demonstrated that it was possible for a single employee to shut down a power station remotely, simply by calling the control centre from an Enron office, giving his name and position, and asking politely whether it would be possible for the plant to have an impromptu maintenance shutdown for a few hours please, and yes, he did appreciate that once it was shut down it'd take a while to start it up again.

That's how brokers caused the plant shutdowns that caused the brownouts that allowed Enron to gouge electricity prices in California, by charging for the emergency rerouting required to patch the problems that they'd just deliberately created.

So back in the Enron days, you wouldn't have needed two nuclear subs. Just one guy with a telephone, calling all the power stations in turn and asking each of them nicely if they could shut down at a predetermined time and go into "heavy maintenance" mode, but please not to discuss this with anyone else, because of company confidentiality (or because of security).

BTW, you know how you take out the conventional phone and mobile networks? You don't have to. Once the emergency services see the power stations going down and think there's a coordinated attack, they shut down all the public communications as a security measure. You get that for free. So the Employee tells the plant to shut down as a security measure because the NSA has tipped them off that Something Bad is going down, and for God's Sake not to power up again under any circumstances unless they get a particular codeword (which, of course, nobody else has). All the plants shut down together, a bunch of pre-programmed scare stories break on the net, this seems to support the tale that the employee told about there being an imminent security thing, the phone lines and media communications go dead, and by the time people have worked out what's happened, nobody can get through to the power plants to tell them that they've been conned. And when they do, they don't have the fake password. You then have the local power guys desperately defending their plant from the local enforcement guys who want to turn it back on, and perhaps even sabotaging it if they look like they're about to lose.

Telephones are dangerous things. Hopefully it wouldn't work nowadays, because people are more savvy about such things (and because they remember the Enron tapes).

Re:guess what's next ?

[tuomoks]

You hit the problem for today - the social engineering, how the command hierarchy works and that's much more dangerous than any "computer" virus or whatever. I have worked on nuclear power, stock exchange, banking (even Swiss!), military, public safety, hospital, etc environments and they used to have "fail safes" against this kind of problems - now, today, those "fail safes" are often disabled because of business, profits whatever? And it's scary!

Enron couldn't be possible 20 years ago, at least not in environments, countries and corporations I was working at that time, too tight security / control but today?

Anyhow, back to the original subject, the technology is there - it was there in 80's when I was involved to some nuclear / power control systems. Is the knowledge / will there today is another question. Almost seems that this "maximizing profits" is even accepting the problems (for public) as long as the business can make more?

Re:guess what's next ?

[cetialphav]

Social engineering is a threat, but it really isn't that dangerous because you still have the capability of getting the power system back up and running within a day or so. Social engineering will cause the power stations to go offline in a nice orderly fashion.

A good attack on the power control systems can actually set parameters such that a power generator will physically destroy itself. The 60 Minutes report showed a video of this being done. If that were to happen, you could have large portions of the country with no power generation capabilities at all because every generator is destroyed and getting replacements could take months. Rolling blackouts and brownouts are inconveniences but remote destruction of power stations is exponentially more expensive.

Re:guess what's next ?

[rdnetto]

Sure, but they'll do it from *their* point of view...

Those gosh-darned HACKERS again

Seriously, those golfers will do anything to stay on the course during working hours to get another 9 holes in. And for those people who insist that CRACKERS did this, I don't see how a bunch of southern rednecks even get mentioned in this.

Re:Those gosh-darned HACKERS again

[QuoteMstr]

Yep. We lost the terminology war a decade ago. It's time we deal with it.

Re:Those gosh-darned HACKERS again

Well, in this case it's appropriate. A bunch of guys with hatchets took the whole thing down. Totally legit use of the word.

However, there are a few NFL referees watching footage, making doubly sure it wasn't a "stabbing" motion.

Re:Those gosh-darned HACKERS again

[swillden]

Yep. We lost the terminology war a decade ago. It's time we deal with it.

Whatever. Language is context-sensitive. I have no problem with the media using the term one way while I use it another. For that matter, I use the word both ways, depending on who I'm talking to.

Re:Those gosh-darned HACKERS again

Ok, then... From now on, it's:

Hacker, not cracker.
Hard disc, not PC.
Hard disc, not 3 1/2 inch floppy disc.
Computer, not monitor.
Modem, not network card.
Modem, not router.
Microsoft, not Windows.
Microsoft, not Office.
Internet, not Internet Explorer.

Any other fields we should get rid of the meaning of technical terms at the same time?

So...

[CrAlt]

Who thought it would be a swell idea to to hook the grid's computers to the INTERNET?
Did someone surf some pr0n sites on the Win98 powered control computer down at the power plant?

Re:So...

You still need at least some Internet-facing interface for the power grid, so that the entire network can be controlled, monitored, and the power routed accordingly and efficiently across the country (at least until we get off this terrible grid system w/ something more localized)

Re:So...

[Peter+Mork]

Every time one of these stories hits the Web, I find that I need to explain how control systems end up connected to the Internet (at least in those cases I've heard of). The control system, itself, is NOT connected to the Internet. However, the HR system ends up getting connected to the Internet so that people can fill out their time-cards, etc. Unfortunately, the HR systems are on the same intranet as the control system. So, once an attacker has subverted the HR system, he/she has access to the control system. The only good solution is to run multiple intranets, but this seems rarely to be the case.

Re:So...

> Who thought it would be a swell idea to to hook the grid's computers to the INTERNET?

Dunno.

But right now I'm thinking we should have a Powernet, an internet for electrical network of sorts.

By "we", I mean us Brazilians.

And you, in USA? What do you think?

Re:So...

[turbidostato]

"You still need at least some Internet-facing interface for the power grid, so that the entire network can be controlled"

No, you don't.

Re:So...

When the ISO that's buying power from you needs to tell you the current market price or tell you that you need to start up your generator, or you need to get weather forecasts to predict how much fuel you're going to use tomorrow, you can hardly avoid being on the Internet. You certainly can't have leased-lines between every control room and every entity that each needs to communicate with.

It's just not efficient or practical to not have anything on the grid attached to the Internet.

dom

Re:So...

[aaarrrgggh]

Remote access and e-mail notifications more often drive the internet connections we have seen. When facility engineering is out-sourced, it becomes even more complicated, because there is fundamental conflict in the way the contracts are written-- the Owner might require all security go through them, but they don't allow the facility engineers to be on their network.

Usually you end up with a DSL connection and a "firewall router." Usually it is just a monitoring network, but control seems to creep in more each month.

Re:So...

[4D6963]

Funny, I went to school to become a network administrator, and there I was taught that if you want absolute security between two networks you need to make sure they're physically disconnect.

That's very reassuring to see that no one can be arsed to worry about that when it comes to power plants, which security are an issue of national security. Surely there must be some security regulations there?

Re:So...

[cetialphav]

Surely there must be some security regulations there?

I think that is the whole point of the 60 Minutes report. You would think there would be basic security regulations and penalties for not following them and auditors to check on this. You would be wrong. If we had all of this, there would be nothing for 60 Minutes to report.

Re:So...

I think you'll find every major process or control system is somehow connected to the internet, but for quite different reasons than you think.

So you have a closed loop control system running nothing but a few back end servers.
These are connected to computers running operator screens over the network.
In addition the back end servers are also connected to some asset management server running software used for maintenance.
The engineers will likely want online and live data from this asset management server too.
The engineers will definitely want some access to the internet, or even a global company wide intranet in our case.
Process control groups will likely want statistical data, and access to the internet, however I have seen various implimentations of how such a thing could occur (directly from the control system or through another server that logs control system requests).

In between each of these interconnected networks are various layers of firewalls, and authentrication, however ultimately they are all tied together. If security is lax enough it should be possible to compromise control via the internet.

Disclaimer: I work for a large multinational oil company.

Re:So...

Perhaps a solution would be a box that sits on both networks and only passes queries for payroll and HR uses from the side with the systems to the HR segment? This can be done in multiple ways, either by grabbing data from the systems and forwarding just the HR data across the pipe, to taking the queries.

I still like the two systems connected together via a serial or IEEE1394 connection where one passes a data stream to the other box, so the inside box has no IP stack touchable without physical access.

Re:So...

Thankfully, today they can start using smart phone based HR systems and automate some of the tasks with the help of the RFID tags and nearfield communications. The power companies probably just end up connecting the HR systems with the physical security systems, which might be already connected to the control systems.

Re:So...

[seaton+carew]

Physical or absolute separation of the various networks is a good idea in theory.
In practice, separation is exceptionally difficult to maintain:

1. There's always non-critical data to collect. Long term trends, maybe some environmental data, some trial project for some new tech. This stuff is (quite rightly) kept away from the mission critical networks and usually goes over the internet.
2. The mission-critical guys then find that this non critical data is useful/relevant to what they do. Maybe it's just a weather forecast, something like that. So they end up having access to the non-critical information. It's usually too hard/too expensive to make intangible data sources available through the mission-critical systems (changes are expensive and you don't know what the benfit is until you try it...). So, they'll get access in informal ways. It starts with printouts, then a "separate" screen in the control room, then maybe an info display on their main screen and before you know it, you've started to breach the separation. Still, nothing too disastrous at this point.
3. The next stage is that this extra information proves so useful that the idea of automation comes in. "Hey, look: if we merge this data source with this data source, we can have the system make a decision for us and it'll ease the workload of the mission critical people". At this point, you've now got mission critical data and other data all routed into the same decision box, running *unsupervised*. No-one really knows what's going on (in real time) and this is where the hackers can start to play.

I'm not sure what the solution is. The message is "Don't rely on separation to protect you." It *will* be breached. The day-to-day business processes in a utility will take care of that...

Re:So...

Not competely true... As a reformed controls engineer who used to work at several equipment manufacturers, I can tell you that most of our customers connected their manufacturing/controls networks to the Internet. They did it to allow OEMs, such as I worked for, to be able to connect to the systems for maintenance and troubleshooting. Back in the day, the same customers would provide a dedicated dial-in phone line and modem for this purpose, but they discovered it was cheaper to just plug them all together to one network and route it out to the big outside world

    I can also tell you that most of them were not very secure. There were a few of them that I could connect to and see other traffic on their intranet (such as e-mail and other goodies)

Re:So...

[DarthVain]

Many are connected directly.

I was on several power station tours (Hydro, Solar, Wind) and it seems common that A) the technology is built elsewhere and shipped in (Denmark, California, etc...), and B) the company that built the technology also has remote access to monitor and has the power to make changes when problems occur.

When I saw several of these solutions, on computer, my first thought was, oh wee, its connected to the internet, what could possibly go wrong!

I am sure there is some tight security (or I certainly hope so anyway), but like anything, users being lazy etc... default passwords, security holes, etc...

Considering how vulnerable and tightly interwoven all our power infrastructure is in NA, you don't have to take down a 2GW nuke plant to initiate a catastrophic cascade effect. If someone knows what they are doing, and where the weaknesses are, strategically taking down a couple hundred megawatts say during peak time, may case some real trouble. I can only hope that the people that regulate have taken this problem seriously enough.

Black People

Welcome to Niggerbuntu

Niggerbuntu is a Linux-based operating system consisting of Free and Open Source software for laptops, desktops, and servers. Niggerbuntu has a clear focus on the user and usability - it should Just Work, even if the user has only the thinking capacities of a sponge. the OS ships with the latest Gnomrilla release as well as a selection of server and desktop software that makes for a comfortable desktop experience off of a single installation CD.

It also features the packaging manager ape-ghetto, and the challenging Linux manual pages have been reformatted into the new 'monkey' format, so for example the manual for the shutdown command can be accessed just by typing: 'monkey shut-up -h now mothafukka' instead of 'man shutdown'.

Absolutely Free of Charge

Niggerbuntu is free software, and available to you free of charge, as in free beer or free stuffs you can get from looting. It's also Free in the sense of giving you rights of Software Freedom. The freedom, to run, copy, steal, distribute, study, share, change and improve the software for any purpose, without paying licensing fees.

Free software as in free beer !

Niggerbuntu is an ancient Nigger word, meaning "humanity to monkeys". Niggerbuntu also means "I am what I am because of how apes behave". The Niggerbuntu Linux distribution brings the spirit of Niggerbuntu to the software world.

The dictator Bokassa described Niggerbuntu in the following way:

        "A subhuman with Niggerbuntu is open and available to others (like a white bitch you're ready to fsck), affirming of others, does not feel threatened by the fact that other species are more intelligent than we are, for it has a proper self-assurance that comes from knowing that it belongs to the great monkey specie."

We chose the name Niggerbuntu for this distribution because we think it captures perfectly the spirit of sharing and looting that is at the heart of the open source movement.

Niggerbuntu - Linux for Subhuman Beings.

Hit'em in their wallets

[Bananatree3]

"Congressman Jim Langevin says that US power companies need to be forced to deal with the issue after they told Congress they would take steps to defend their operations but did not follow up. 'They admit that they misled Congress. The private sector has different priorities than we do in providing security. Their bottom line is about profits..."

Exactly right, this is a capitalist society, ran on making money. If they won't integrate safety systems to protect the system properly from hacker attacks, hit them in the wallet, hard. Pass sound regulation to force them to implement safeguards, require inspections/audits that they are done, not just take their BS word for it. If all they give you is hot air and no implementation, fine them millions of dollars, and on a regular basis if needbe til they implement it.

Re:Hit'em in their wallets

[Dreadneck]

Yes, of course! The government has already taken over the banking sector, the mortgage sector, the automotive sector, is about to take over the healthcare sector, so fuck it - the government may as well take over the energy sector as well. I can't wait until they take over food distribution - I've always wanted to know what it's like to stand in line for a loaf of bread all day.

Re:Hit'em in their wallets

[stagg]

But how much energy can congress really expect them to expend defending against imagined threats?

Re:Hit'em in their wallets

[Trepidity]

Well, the energy sector has traditionally been heavily regulated, and works well compared to the huge mess the deregulated banking system made of itself. You do realize that the government took over the banking sector because the bankers failed to run it?

Re:Hit'em in their wallets

[causality]

Yes, of course! The government has already taken over the banking sector, the mortgage sector, the automotive sector, is about to take over the healthcare sector, so fuck it - the government may as well take over the energy sector as well. I can't wait until they take over food distribution - I've always wanted to know what it's like to stand in line for a loaf of bread all day.

I am not a fan of government intervention either, nor do I like what was done with banking and automobiles. Having said that, this isn't what is being proposed here. If the electric utilities must comply with laws mandating that they meet or exceed a minimum standard of security, this would be much more like the way local Board of Health requires that restaurants handle food in ways that prevent food poisoning. The Board of Health does not own the restaurants and it does not choose their management; it just periodically inspects them and can shut them down if there are egregious violations. Something similar could be worked out for the power companies when it comes to security.

Re:Hit'em in their wallets

[Scrameustache]

If they won't integrate safety systems to protect the system properly from hacker attacks, hit them in the wallet, hard. Pass sound regulation to force them to implement safeguards, require inspections/audits that they are done, not just take their BS word for it.

Yes, of course! The government has already taken over the banking sector, the mortgage sector, the automotive sector, is about to take over the healthcare sector, so fuck it - the government may as well take over the energy sector as well. I can't wait until they take over food distribution - I've always wanted to know what it's like to stand in line for a loaf of bread all day.

The great blackout of 2003, which took out the north east united states and a good chunk of ontario, was caused by deregulation (removing the requirement to clear the branches around the power lines).
Quebec, which has state-owned power (Hydro-Quebec) was not hit hard by that blackout, because it keeps its grid out of phase with those dangerously unregulated parts around it.

Learn the lesson: You can't trust the greedy to run critical infrastructure.

Re:Hit'em in their wallets

[cjfs]

Exactly right, this is a capitalist society, ran on making money. If they won't integrate safety systems to protect the system properly from hacker attacks, hit them in the wallet, hard.

This is the fundamental point. Those with the ability to secure the system need to be the ones paying for breeches. Bruce Schneier had several good articles around this point. The main example being banks/credit card companies paying for fraud. If they could just push that onto the customer, there would be far more instances of fraud. Instead, they take responsibility for the whole system and customers are far better off for it.

Re:Hit'em in their wallets

[betterunixthanunix]

Of course, what you libertarians fail to mention is that the banking sector was regulated for decades following the great depression, which had been largely caused by banks, and that we then deregulated the banks, which unsurprisingly led to this current catastrophe. The government has, once again, been forced to clean up after a bunch of private banks nearly ruined the entire country; yes, the government does a better job managing the banking system than the bankers themselves do. Nobody is talking about a complete takeover of the banks, just enough oversight and regulation to prevent them from destroying our economy.

The government regulates the energy sector, and look at what we have: a system that has not imploded on itself, the way the banks nearly did. Sounds like a pretty solid strategy to me -- and given the attacks in Brazil, it sounds like the government should add some new regulations to the list for energy companies, in the interest of national security.

Re:Hit'em in their wallets

[maxume]

Credit card companies push the consequences of fraud onto stores and such. Those stores that choose to accept credit card payments factor the risk of fraud into the prices they charge. The credit card companies do attempt to protect their customers from fraud, but only because they wouldn't make any money if they didn't have any members (they also work with stores to prevent fraud, as they figure it will lead to clearing more transactions).

The credit card companies certainly don't pay for fraud though.

Re:Hit'em in their wallets

[HangingChad]

But how much energy can congress really expect them to expend defending against imagined threats?

There's nothing imagined about any of these threats. They are very, very real. What we know about is scary enough, what we may yet learn could be truly frightening. Maybe you caught that little part in the story where the military is having some of their computer chips made overseas. I wonder how much money you'd think it would be worth to stop four of five of our own Predators and Reapers from bombing US cities? Or a couple nukes going off in their silos? Or all of our refineries melting down at once while the rest of us are sitting around in the dark?

Virtually all our PC's, processors and hard drives are made overseas. By sending all our manufacturing overseas, we may be setting ourselves up for an attack that will make 9/11 look like lunch at Hooters.

We already know what happens when someone whines about imaginary threats...like foreigners taking airline flight lessons.

Re:Hit'em in their wallets

[Gerafix]

And this is why Linux is better than Windows. (mod me up thanks)

Re:Hit'em in their wallets

[Cornwallis]

...not just take their BS word for it. If all they give you is hot air and no implementation, fine them millions of dollars, and on a regular basis if need be til they implement it.

Why not hold the Criminals-in-Congress(TM) to the same standard?

Re:Hit'em in their wallets

[VirginMary]

breeches[brich-iz]

-noun (used with a plural verb)
1. Also called knee breeches. knee-length trousers, often having ornamental buckles or elaborate decoration at or near the bottoms, commonly worn by men and boys in the 17th, 18th, and early 19th centuries.
2. riding breeches.
3. Informal. trousers.
--Idiom
4. too big for one's breeches, asserting oneself beyond one's authority or ability.

Re:Hit'em in their wallets

[inhuman_4]

Thats crazy talk. Here is the solution:

1) It's government regulation that is the problem. If the government would just loosen the regulations a little the power companies would be able to make more money. Then they could spend that money on other things like security, safety, and protecting the environment.

2) We should allow power companies to join the RIAA. Once hackers know they will face life imprisonment for copy right infringement, they will too scared to do anything. While we are at it, why not just give every industrial union (yes that what they are, corporate unions that hassle the government) the power to fuck over the average citizen.

3) As an added bonus, we can pass laws demanding to know what people have plugged into their wall sockets, you know ..... to ahh ...... watch for hackers! This of course only applies to peoples homes (and by people I mean non-rich people), applying this to businesses would make it harder for them to compete.

4) Profit!

Can I get my Republican kickbacks now?

Re:Hit'em in their wallets

[Muckluck]

When you say "Hit 'em in their wallets" You are really saying "Hit ME in MY wallet". The power industry is regulated. Profit is also regulated. Power companies make about 12% above what it costs to produce and distribute power in most markets (depends on the Public Service Commission in your area as to the actual percentage). The NERC (North American Electric Reliability Company) Critical Infrastructure Protection standards were adopted by the Federal Energy Regulatory Commission to partially deal with the problem. Some companies have taken the INTENT of the standards to heart and have implemented them with true security in mind. Others have done everything they can to circumvent the standards. NERC is starting their initial audits right now to see how well individual companies have done. Stay tuned to www.nerc.com to see how your power company fared in the audit...

Re:Hit'em in their wallets

[jo42]

government has already taken over

Welcome to the beginning of The New World Order...

Re:Hit'em in their wallets

[maxume]

You sig would be funnier if it read "...When many people enjoy a delusion...".

Re:Hit'em in their wallets

[Darkness404]

and that we then deregulated the banks,

We did not deregulate the banks. We removed some of the regulation, but we did not deregulate them. You can't do some things half-way and have them not fail. We had too much regulation to make them be fully deregulated and therefore not fail, and too little regulation for them not to fail. We can't know what would happen if banks were fully deregulated because they were not (and don't even bring up the great depression because there was again, too much regulation to be free and too little to be controlled).

The government regulates the energy sector, and look at what we have: a system that has not imploded on itself

Yeah, but a system that is still a pain. Lets see, if I'm unhappy about the level of service of my current utility what are my options? Not a whole lot. If I don't like my bank there are at least 5 within about 5 miles where I live. On the other hand if I don't like my utility company (and for the record I don't) my options are to either move far away and thats about it. Utility companies are inflexible, charge outrageous rates, have low standards of service, and have unexplained long blackouts. I'm confident that a Windows server can have a higher uptime than some utility companies... Just because the electricity is -mostly- on doesn't mean that its a great system.

and given the attacks in Brazil, it sounds like the government should add some new regulations to the list for energy companies, in the interest of national security.

Or you know, how about allowing utility companies to actually compete for prices, service and security. For example, Rackspace is going to do everything in is power to keep their servers online and free of any attacks that might endanger their uptime because there are many hosting companies out there, utility companies on the other hand are free to take their sweet time, its not like their customers can exactly switch to a different company.

Re:Hit'em in their wallets

Not that I disagree that bankers need some regulation, but you must also admit that both the depression and our current mess were precipitated or exacerbated, in part, by policies of the Fed..

Re:Hit'em in their wallets

Auditing and financial penalties are already in place for Cyber Protection of Bulk Electrical control systems. It is called the CIP standards (http://www.nerc.com/page.php?cid=2|20) and allows the government to impose a 1 million dollar per day fine if audits find a Utility out of compliance. Of course, there is still a lot of questions regarding what constitutes "out of compliance"

Re:Hit'em in their wallets

[Gerafix]

Troll? This is /. ! Anti-Windows is auto +1. But to be serious Linux is less prone to hardware exploits than Windows is. Whether by accident or design, I leave that decision up to you.

Re:Hit'em in their wallets

[Afforess]

The problem here is government, not the lack of it. Government created Artificial monopolies with power companies, and are reaping the rewards. If there was a true free market in regards to power, only the best managed, and most secure companies would be hired, and we wouldn't be having this discussion.

Re:Hit'em in their wallets

The government wasn't forced to do this.

In a real free market* these banks would have failed, those foolish with their money would have failed and while it would have been a tough lesson we'd not be under the thumb of big brother and maybe the public would have wised up a bit. Why is it that people like you demand convince over personal responsibility? You act like a life of buffoonery and consumption is a right.


* Funny how those of you who rally for government solutions will use the terms of a free market, such as deregulation, anytime anyone on the face of the planet makes a dime from any effort. By these standards even the most ardent communist and socialist countries are running free markets.

Re:Hit'em in their wallets

[countertrolling]

These bankers, how exactly did they "fail"? And it seems their only "punishment" was a bonus, or a job offer... running the SEC??

Re:Hit'em in their wallets

But how much energy can congress really expect them to expend defending against imagined threats?

Have you been to an airport in the last couple of years?

Re:Hit'em in their wallets

[Alex+Pennace]

The great blackout of 2003, which took out the north east united states and a good chunk of ontario, was caused by deregulation (removing the requirement to clear the branches around the power lines).
Quebec, which has state-owned power (Hydro-Quebec) was not hit hard by that blackout, because it keeps its grid out of phase with those dangerously unregulated parts around it.

Learn the lesson: You can't trust the greedy to run critical infrastructure.

Misleading and incorrect.

1. The article your cited does not state that the blackout was due to deregulation "removing the requirement to clear branches around the power lines." It states, quite clearly, that the main cause was due to a generating plant going offline, then several power transmission lines going offline (or "tripping") due to tree contact. Nowhere does it say that deregulation had anything to do with that sequence of events.

If you assert deregulation lifted a requirement that power transmission line RoW be clear of vegetation, please cite.

2. Wikipedia's summary of the findings is somewhat watered-down. Many other factors went into play, from the lack of situational awareness at FirstEnergy's control center, to reactive power deficiencies, and finally to the violent swings as 10s of gigawatts of electric power sloshed about the northeast trying to find an equilibrium, tripping generating plants and power lines along the way. A full report is available at https://reports.energy.gov/BlackoutFinal-Web.pdf

3. You seem to imply that Quebec's "state-owned" power concern decided to sever its AC links to adjacent areas because it did not want to be taken down with its "dangerously unregulated" neighbors. Are you sure it is because of that? I'm pretty sure that Hydro-Quebec has been its own AC interconnection since well before deregulation occurred.

Re:Hit'em in their wallets

[sjames]

Which is exactly why crypto signatures (available for decades) are not used in credit card processing.

Re:Hit'em in their wallets

[TubeSteak]

Of course, what you libertarians fail to mention is that the banking sector was regulated for decades following the great depression, which had been largely caused by banks, and that we then deregulated the banks, which unsurprisingly led to this current catastrophe.

The straw that broke the camel's back was a 2004 rule change by the SEC which granted 5 companies exemptions to the 12:1 lending ratio.
Four were allowed 30:1 and one leveraged themselves 40:1.
Lehman Brothers, Bear Stearns, and Merrill Lynch all failed.
Goldman Sachs and Morgan Stanley managed not to.

Re:Hit'em in their wallets

[Scrameustache]

The great blackout of 2003, which took out the north east united states and a good chunk of ontario, was caused by deregulation (removing the requirement to clear the branches around the power lines).
Quebec, which has state-owned power (Hydro-Quebec) was not hit hard by that blackout, because it keeps its grid out of phase with those dangerously unregulated parts around it.

Learn the lesson: You can't trust the greedy to run critical infrastructure.

Misleading and incorrect.

1. The article your cited does not state that the blackout was due to deregulation "removing the requirement to clear branches around the power lines." It states, quite clearly, that the main cause was due to a generating plant going offline, then several power transmission lines going offline (or "tripping") due to tree contact. Nowhere does it say that deregulation had anything to do with that sequence of events.

Since you're too busy being pedantic and patronizing to look for this follow-up info, here's the keywords you need: “Utility Vegetation Management Final Report,”

At first glance, Rule 218 seems clear in its intent, but it has historically generated a great deal of
industry discussion regarding what it actually requires. For example, the use of the word
“should” versus “shall” points to its application as a general guideline, not a mandate. More
importantly, Rule 218 does not specifically state that clearances should be “maintained”
between energized lines and vegetation. While some have argued that it can be interpreted as a
“no-touch rule”, the industry has not interpreted it to require that mandatory clearances be
maintained at all times.

You have to FORCE them to do their job right, or else they'll argue that they don't have to, and they'll let their negligent ways cause major inconveniences for millions of people.

Re:Hit'em in their wallets

[Orne]

Close, but you got all of the reasons wrong.

FirstEnergy still had a requirement to remove vegetation under its wires (while "dangerously deregulated") under state deregulation just as it did as a vertically integrated company. The fact that their maintenence crews failed to do so was FirstEnergy's flaw, not deregulation. They were cutting costs, and since there was no oversight from NERC/FERC, they got away with it, just as they did in the years before they were deregulated. Since 2003, NERC has developed an extensive system of regulatory controls and FERC has been given the ability to levy fines to keep compliance.

And besides, the root cause of the blackout was a deadlock in the mainframe at FirstEnergy, where their staff failed to properly recognize that the system was reporting old data as if it were fresh. FirstEnergy had over an hour and a half to take action to correct for the loss of the transmission lines, but instead failed to observe the overloads which eventually resulting in the separation of the load around Lake Erie and the eventual blackout along the PA/NJ border between GPU, PS, and NYISO. The government's report was very watered down on this area.

This might help you understand the root causes, instead of blaming some phantom "deregulation" as the root of all evil.

Oh, and Quebec was isolated from the rest of the Eastern Interconnection (connected only via HVDC ties) in 1990 because of its demonstrated repeated inability to stop cascading blackouts, long long before deregulation hit the scene. Quebec physically could not be affected by the 2003 blackout on the HVAC system.

Re:Hit'em in their wallets

[Alex+Pennace]

In my response, I posted three points. So far, you have only written an incomplete response to one of my points, along with an ad-hominem.

Your citation is valuable. I am unaware of the "Utility Vegetation Management Final Report," nor am I familiar with Rule 218. I will look into it, but I can't say I will reach the same conclusion once I read the whole thing.

In any case, vegetation management was not the sole cause of the blackout. A point that I raised and you dismissed without comment.

Re:Hit'em in their wallets

[sjames]

Nonsense. The banks failed for one reason and one reason only. Their greed was not checked by adequate government oversight. Remove all regulation and you'll find that they will just rip more people off faster all while enjoying their "too big to fail" status.

As for the power company, they have a natural monopoly simply because we can't have 3 or more sets of everything running everywhere. Just how many poles do you want in your yard? I suppose the distribution net could be public with multiple power companies using it, but then we're back to "socialism".

Re:Hit'em in their wallets

[Alex+Pennace]

Oh, and Quebec was isolated from the rest of the Eastern Interconnection (connected only via HVDC ties) in 1990 because of its demonstrated repeated inability to stop cascading blackouts, long long before deregulation hit the scene. Quebec physically could not be affected by the 2003 blackout on the HVAC system.

I am interested in learning more about why Quebec is a separate interconnection, and I have little reason to disagree with your explanation. But I must point out that the first phase of the Quebec-New England HVDC system was finished in 1986, suggesting that the grids were asynchronous before 1990. Can you provide more information?

Re:Hit'em in their wallets

[Grishnakh]

We did not deregulate the banks.

Not completely, but enough to cause the financial mess. The Glass-Steagal act was passed in the Depression to prevent future disasters like that. It worked, until the Act was overturned in 1999/2000 by a Republican congress and Bill Clinton. Then we got a real estate bubble and a meltdown.

Yeah, but a system that is still a pain. Lets see, if I'm unhappy about the level of service of my current utility what are my options? Not a whole lot. If I don't like my bank there are at least 5 within about 5 miles where I live.

Apples and oranges. What do you propose? 10 sets of power lines running everywhere? There's a reason utilities are highly regulated monopolies: because it's simply impractical and absurd to have multiple power companies, multiple (landline) phone companies, multiple cable companies servicing the same areas. They tried this with telephones in the early 1900s in Manhattan and it was a disaster; you can find photos on the internet showing the ridiculous telephone poles with hundreds of wires on them. Maybe you'd like to have dozens of water and sewer pipes running everywhere too.

If you don't like your power company, you're free to buy a generator and make your own power. Part of living in a society means giving up some of your freedoms, and freedom of choice is definitely one of those. You can't choose your government (at least without agreement from your fellow voters), and you can't choose your utilities. Deal with it.

Or you know, how about allowing utility companies to actually compete for prices, service and security.

Compete against who? No one wants dozens of sets of power lines running through their neighborhoods. Stop being idiotic.

Re:Hit'em in their wallets

[Scrameustache]

A point that I raised and you dismissed without comment.

Frankly, the tone of your post made me want to simply tell you to fuck off. If you want better replies in the future, try to be less abrasive.

I didn't say there was one and only one cause of that really big event, and I think you're a twat for implying that this is what I meant. Be happy I was in a good enough mood to give some more information which your reply did not really warrant. How much research and time-spent are you expecting out of slashdot posts? Really? I linked to a wikipedia article relevant to the topic, it had enough info there to lead to the rest I gave later, you should have been able to do that yourself, rather than to blab off about being incorrect and misleading.

Re:Hit'em in their wallets

[Nefarious+Wheel]

Those with the ability to secure the system need to be the ones paying for breeches.

Really? That sounds like utter pants to me.

Re:Hit'em in their wallets

[Alex+Pennace]

I didn't say there was one and only one cause of that really big event, and I think you're a twat for implying that this is what I meant.

Quoting from your original post:

The great blackout of 2003, which took out the north east united states and a good chunk of ontario, was caused by deregulation (removing the requirement to clear the branches around the power lines [wikipedia.org]).

What exactly did you mean?

Be happy I was in a good enough mood to give some more information which your reply did not really warrant.

To be fair, it was your original post that needed more information. In any event, you raised some points, I raised some counterpoints.

How much research and time-spent are you expecting out of slashdot posts? Really? I linked to a wikipedia article relevant to the topic, it had enough info there to lead to the rest I gave later, you should have been able to do that yourself, rather than to blab off about being incorrect and misleading.

That is disingenuous. I propose that instead of making the reader support your thesis, you should do the work. That seems to be the best way to convince others of your point. And if you aren't trying to convince others, then why are you here?

Re:Hit'em in their wallets

Its not so cut and dry here. The Goverment came to the banks and threatened them to take loans from people that basically should not have got them. They were told that fannie and freddie would back them up. Well, They did until they went broke. Then the banks started to fail. Some banks that didnt want the money were told to take it anyways. Traditionally, The private sector does a much better job than the goverment in running things.

Re:Hit'em in their wallets

[demachina]

"Well, the energy sector has traditionally been heavily regulated, and works well compared"

Well excepting for that Enron/Dynegy/Reliant/Williams thing where they nearly bankrupted California manipulating the electricity market, shutting off power plants to create artificial shortages for example, and FERC mostly sat on the sidelines watching.

And then of course there was oil spiking to $140 a barrel due to market manipulation, though chances are you can probably blame a fair bit of that on Goldman/Citi and other big Wall Street banks manipulating the commodities markets for profit.

Re:Hit'em in their wallets

[Scrameustache]

They were cutting costs, and since there was no oversight from NERC/FERC, they got away with it, just as they did in the years before they were deregulated. Since 2003, NERC has developed an extensive system of regulatory controls and FERC has been given the ability to levy fines to keep compliance.

So I got "lack of oversight" mixed in with "deregulation". You'll pardon, I hope, my mingling of these two related notions under the same umbrella.

As for being wrong, someone already pointed out to you that hydro-quebec wasn't cut apart for their so called failures, but because of the technical nature of their transmission lines, and you'll also note that their failures were due to extraordinary catastrophic events (geomagnetic and ice storms) and not human error, and that they have since taken steps to remedy the weaknesses that allowed these acts of god to mess with our flow of electrons. Which brings me back to my point: We need government oversight (regulation, if you will) to ensure a safe supply, so that only mighty forces of nature, such as the sun's unpredictable eruptions can cause failures, and not mere hackers.

Re:Hit'em in their wallets

[Scrameustache]

And if you aren't trying to convince others, then why are you here?

To share information, you adversarial #@%$@#%$@.

Re:Hit'em in their wallets

[4D6963]

Of course, what you libertarians fail to mention is that the banking sector was regulated for decades following the great depression, which had been largely caused by banks, and that we then deregulated the banks, which unsurprisingly led to this current catastrophe. The government has, once again, been forced to clean up after a bunch of private banks nearly ruined the entire country; yes, the government does a better job managing the banking system than the bankers themselves do.

Hallelujah, and here's why : banks are corporations meant to maximise profits. If you understand that, you'll understand that no one 'drives' them, they drive themselves mindlessly towards profit. Nothing's wrong with it, unless you think that you can let absolutely everything drive itself and hope it never goes off track.

That doesn't work that way, you can't have a complex environment of mindless protagonists driven by the search for profit maximisation and hope everything turns out magically alright. That gives you the kind of complicated situations we had where worthless assets were given an inflated price tags precisely to maximise profits. That's just an example of these mindless corporations driving themselves into the wall, because no one really drives them. The invisible hand isn't guided by an invisible brain. That's why you need the government to keep its hand on the steering wheel, not necessarily to drive the whole economy by itself, but to guard against anything wrong.

Put simply : the government driving the entire economy doesn't work long (see USSR), and letting the economy drive itself works about as long as it takes for it to drive itself into the next wall, which isn't very long either. The solution is to let things run themselves with someone to oversee, set boundaries and make sure nothing goes wrong. That's how the USA worked from FDR to Nixon, and how it works again since '08 Bush.

Re:Hit'em in their wallets

[Alex+Pennace]

And if you aren't trying to convince others, then why are you here?

To share information, you adversarial #@%$@#%$@.

Relax, there is really no need to get nasty.

But I can't support your stance that you were reporting "just the facts" when you clearly stated an opinion along with it. We will just have to agree to disagree on that.

Anyway, this thread has dragged on too far. Don't worry, I have no hard feelings. If it makes you feel better, I asked for clarification for a post attacking yours: http://slashdot.org/comments.pl?sid=1435938&cid=30028312

Re:Hit'em in their wallets

[4D6963]

Virtually all our PC's, processors and hard drives are made overseas. By sending all our manufacturing overseas, we may be setting ourselves up for an attack that will make 9/11 look like lunch at Hooters.

That's the stupidest thing I've ever heard today. Are you really suggesting that Sony would set up a backdoor in its products to take them off remotely and that no one would hear about it long before it could happen? If they do they'll have to find something a bit more discreet than rootkits.

But the point remains it's stupid to say that about companies overseas as if those in the USA were any more worthy of trust.

Re:Hit'em in their wallets

The great blackout of 2003, which took out the north east united states and a good chunk of ontario, was caused by deregulation (removing the requirement to clear the branches around the power lines).
Quebec, which has state-owned power (Hydro-Quebec) was not hit hard by that blackout, because it keeps its grid out of phase with those dangerously unregulated parts around it.

Learn the lesson: You can't trust the greedy to run critical infrastructure.

"In February 2004, the U.S.-Canada Power System Outage Task Force released their final report, placing the main cause of the blackout on FirstEnergy Corporation's failure to trim trees in part of its Ohio service area. The report states that a generating plant in Eastlake, Ohio (a suburb of Cleveland) went offline amid high electrical demand, putting a strain on high-voltage power lines (located in a distant rural setting) which later went out of service when they came in contact with "overgrown trees". The cascading effect that resulted ultimately forced the shutdown of more than 100 power plants."

Deregulation did not cause the blackout.

Quebec, being Quebec, keeps everything it can out of phase with the rest of Canada.

I'm assuming you're from Canada, and most likely Ontario. You have little or no knowledge of the power system. Go to the operators website for the power grid in Ontario and educate yourself. www.ieso.ca

And here is some more information on the blackout

Re:Hit'em in their wallets

[stagg]

How are those things you're listing NOT imagined threats? Listing other paranoid fantasies doesn't make the first paranoid fantasy seem any more threatening. Making computer chips overseas is NOT a gigantic security breach, and there's absolutely no reason to believe that American nukes are going to start exploding in hangers or that Predators will start razing New York. Could be a great Hollywood blockbuster though?

Re:Hit'em in their wallets

[cetialphav]

Their greed was not checked by adequate government oversight.

I'm not sure that more government oversight would have avoided this latest crisis. The key problem is that risk was not appropriately priced. I.e. companies were able to make risky bets without having a clear idea of the risk. Since companies were making tons of money on the risky behavior, it forced other companies to try to match those profits. Since almost everyone was making the same risky bets, when things went south, there were no strong companies around to benefit from the stupidity of others, which is what free markets depend on.

Without an accurate risk model, it doesn't matter how much government oversight is involved. I don't see anything to indicate that any of the regulatory agencies understood the risks that were being taken. I think that better accounting rules that make risky bets negatively affect your financial statements would allow investors to reward companies that can make money without being stupid.

Re:Hit'em in their wallets

[cetialphav]

Those with the ability to secure the system need to be the ones paying for breeches.

The bad thing now is that if you were going to create a risk model for this, the utility companies have very few benefits to gain. If they secure themselves, it will cost them money and lower profits. Since their competitors are not doing this, investors will punish them for being less profitable than everyone else. On top of that securing their infrastructure only reduces their risk; it doesn't eliminate it.

So what happens if they are successfully attacked? If there is physical destruction, they will appeal to the government for relief and they will get it because they are "too big to fail". Most of the costs for a security breach can be transferred to the government so why spend money on prevention? The economics of securing the infrastructure is so bad that the rational decision is not to spend any money on prevention and that needs to be changed.

Re:Hit'em in their wallets

[SuperMog2002]

Even without the threat of you switching, power companies do have an incentive to keep you up as much as possible. Remember that power is not a subscription plan: you only pay for what you use. The longer your power is out, the longer you're not buying their product, and thus the less profit they make.

Re:Hit'em in their wallets

Or just hire crackers to take out their system (in Spring or Fall, so as not to kill people. Then they'll suddenly see the value of security, and spend money on it, and you didn't need to create a bureaucracy branch to handle it.

Re:Hit'em in their wallets

I can think up an attack -in theory- that would be devastating. Remember, this is theory now:

Imagine a chip fab adding some undocumented instructions. Similar to the f0 0f bug, but instead of bringing down the CPU, it allows subsequent instructions to run in ring 0 (on x86 architectures), or supervisor mode (other architectures). Now, all it would take is a single executable that is run in even the most secure jails, and the box is now compromised. Then, it is just a matter of fancy programming footwork from there to wreak all kinds of havoc.

Even if not the CPU, other controllers can cause damage. Keyboard controllers and HDD controllers are computers in among themselves, and a backdoor on the fab level could allow an intruder access in a very subtle manner.

Re:Hit'em in their wallets

[RAMMS+EIN]

``Apples and oranges. What do you propose? 10 sets of power lines running everywhere? There's a reason utilities are highly regulated monopolies: because it's simply impractical and absurd to have multiple power companies, multiple (landline) phone companies, multiple cable companies servicing the same areas.''

It's funny that you and I can see this, yet governments in the USA and western Europe (I don't know about other places) decided to turn exactly these kinds of former state monopolies into private companies. In some cases, they got it right; for the most part, they didn't.

Competition is good. Less regulation is good. But you have to be realistic. There is not going to be any competition if your infrastructure is provided by the same company that uses it, especially if that company is basically given the whole country as a customer base upon creation. You need to split off infrastructure from services, and impose regulation where you can't expect to get the desired outcome through competition.

Re:Hit'em in their wallets

[deepershade]

I have karma to burn so what the hell.
He's right, you were being highly pedantic and confrontational, only barely challenging his statements.
It does give people the impression that, as previously stated, you are a twat.


Mod me down. It'll be a first for me :)

Re:Hit'em in their wallets

Actually places where government owns the phone landlines infrastructure it IS possible for different providers to
buy access (bandwidth) and operate in the same place.
The same for inter-bank communications (in ATMs) that as an *hired* government service,
everyone is treated the same, same fees, and avoids having absolute monopoly in a service that is of national interest...while
government holds the infrastructure and power of decision. (Actually, who owns your street? the land where cables are? how to regulate?)

Power lines are a somewhat different, but for sure with technical expertise someone could devise a similar approach.

Re:Hit'em in their wallets

[chthon]

A bit late to reply, but I hope that it will be read.

European regulations required Belgium to do the following :

Infrastructure (gas, electricity) is owned by one corporation, which is in turned owned for 70% by the community (cities, etc...) and for 30% by the power companies.

Every power company can supply through this network. Currently we have three choices, I think, but the problem stays that Belgium is a small country, and the Groupe Suez in the meantime has bought one of its competitors. It is very clear that they like to keep their stranglehold on the Belgian energy market.

But I DO have the possibility to compare prices and even switch to different suppliers of gas and electricity.

Re:Hit'em in their wallets

Remember Enron?

Re:Hit'em in their wallets

[sjames]

That could work, but the public ownership would be declared "socialism". Not such a big problem in Europe, but our right thinks it's a swear word.

Re:Hit'em in their wallets

[ZekoMal]

Yeah! And then the Russians will team up with the Chinese to secretly build a moon base with a laser beam to destroy America! After all, they don't like us all that much, should we really trust them out in space?

This is high level paranoia. And I do mean high level paranoia. The best part is that if the government actually did invest in all of these extra securities to protect against Hollywood-level attacks, people like you would be the first to line up to say that the Socialist fear-mongering liberal Nazi's are raising our taxes (or the Socialist fear-mongering conservative Nazi's, depending on the cycle and your own personal tastes) for no good reason.

Re:Hit'em in their wallets

[sjames]

Stronger consumer protection laws would have put the brakes on things fast. They were selling people timebomb mortgages.

If anti-fraud were taken seriously, some of those AAA ratings might not have happened. Various regulations on how deeply they could leverage themselves would have helped. Those regulations were amongst the ones that were relaxed just before they set course for the rocks.

Re:Hit'em in their wallets

[dvorakkeyboardrules]

Well, the energy sector has traditionally been heavily regulated, and works well compared to the huge mess the deregulated banking system made of itself. You do realize that the government took over the entire banking sector because certain bankers failed to run the companies they managed rather than let the companies go bankrupt so the assets could be put under better management?

There, fixed that for you.

Re:Hit'em in their wallets

[dvorakkeyboardrules]

Yeah, but a system that is still a pain. Lets see, if I'm unhappy about the level of service of my current utility what are my options? Not a whole lot. If I don't like my bank there are at least 5 within about 5 miles where I live. On the other hand if I don't like my utility company (and for the record I don't) my options are to either move far away and thats about it. Utility companies are inflexible, charge outrageous rates, have low standards of service, and have unexplained long blackouts. I'm confident that a Windows server can have a higher uptime than some utility companies... Just because the electricity is -mostly- on doesn't mean that its a great system.

A little talked-about advantage of having solar panels + battery backup at your home is that you get reliability and close to 100% uptime for your electricity needs. (The entire block could be in a blackout but you have your own power source.)

I'd definitely recommend looking into solar power.

Re:Hit'em in their wallets

[mcgrew]

1) It's government regulation that is the problem. If the government would just loosen the regulations a little the power companies would be able to make more money. Then they could spend that money on other things like security, safety, and protecting the environment.

What fantasy world do you live in? If they made more money they'd spend it on investor dividends and executive pay and bonuses. You were modded "funny" for a reason. I only responded because some here actually believe that tripe.

Re:Hit'em in their wallets

[mcgrew]

Yes, of course! The government has already taken over the banking sector, the mortgage sector, the automotive sector, is about to take over the healthcare sector, so fuck it - the government may as well take over the energy sector as well.

My power company, CWLP, is owned and operated by Springfield's city government. We have the lowest bills in the state and the least downtime. It not only isn't getting any tax money, it turns a profit and helps fund our socialist fire department and socialist police department.

Government taking over health care works in every other country.

As to food, do you have any idea how heavily the food industry is subsidized by the government?

You were marked "troll" because there's no mod for "fucking retarded". BTW, maybe Springfield's power company works so well because this guy runs it....

Re:Hit'em in their wallets

[inhuman_4]

What fantasy world do you live in?

For that post, the neo-conservative one.

If they made more money they'd spend it on investor dividends and executive pay and bonuses.

And lobbyists! Don't forget the lobbyists, the corporate welfare system isn't bribe itself you know. (Or does it?)

You were modded "funny" for a reason.

And overrated, which is in itself funny because my score is only 2.

I only responded because some here actually believe that tripe.

Well not as many as you would think, because I am still waiting for the kickbacks. Or at least a thank you card from Dick Cheney.

Re:Hit'em in their wallets

If all they give you is hot air and no implementation, fine them millions of dollars, and on a regular basis if needbe til they implement it.

The sad thing is, the companies would keep not spending money on security but would wine and dine the state regulators until they were allowed to directly pass on the fines to their customers through tariffs and "temporary price increase".

Hell, I am still paying a "fuel surcharge" that was allowed for natural gas when the price went insane, but that was 1 1/2 years ago! Why is the surcharge still nearly the same, and better yet, why is it still on my bill? (NG prices are back to what they were before the spike, surcharge nearly as high as ever)

Re:Hit'em in their wallets

[mcgrew]

We can't know what would happen if banks were fully deregulated

read a little history, young man.

Lets see, if I'm unhappy about the level of service of my current utility what are my options? Not a whole lot.

Exactly. They are beholden to the shareholders, not their customers. They're a monopoly and don't have to care about their customers. A lot of the financial mess we're in now is a result of businesses that aren't monopolies acting as if they were.

My utility company is owned by the city. If they piss me off I'll not vote for the incumbant mayor (an dthat's happened here before). As a result, we get cheap dependable power.

Or you know, how about allowing utility companies to actually compete for prices, service and security.

And how do you go about that? Have ten different power grids in your town with ten electric companies, all with their own poles and cables? Utilities are a natural monoploly and NEED to be heavily regulated. Actually, natural monopolies shouw be owned by the city or state. It's the only way they can be held accountable to the people who pay them.

Re:Hit'em in their wallets

[4phun]

<quote>
  <p>Learn the lesson: You can't trust the greedy to run critical infrastructure.</p></quote>

What am I missing?
Don't we currently trust them to run the nation's cellular networks?

Re:Hit'em in their wallets

[BLKMGK]

Did you just say the energy sector runs well? Our infrastructure is decaying and dying because no one wants to pay to keep it up. Our power grid needs modernization badly but no one wants to spend for it. We've had how many scandals over cmopanies pulling dirty tricks? You sure this is an example of running well?

Re:Hit'em in their wallets

[Scrameustache]

<quote>

  <p>Learn the lesson: You can't trust the greedy to run critical infrastructure.</p></quote>

What am I missing?
Don't we currently trust them to run the nation's cellular networks?

Are they critical yet? And if so, are they not under the watch of regulators?

Re:Hit'em in their wallets

[bguiz]

the industry has not interpreted it to require that mandatory clearances be maintained at all times.

Sounds familiar...

You have to FORCE them to do their job right, or else they'll argue that they don't have to, and they'll let their negligent ways cause major inconveniences for millions of people.

... Bingo! The exact same thing happened in Melbourne, where the much loathed train network operator (Connex), found that it was not contractually obligated to fix the air-conditioning on its trains when broken. As a result of this, and several other negligences, so many trains got delayed, cancelled and even derailed during summer, that there was a media uproar.

The good thing is that the gov't here did indeed Hit'em in their wallets by fining them $19.5 mill

Completely agreed with parent on "You have to FORCE them to do their job right"!

Re:Hit'em in their wallets

Well, the energy sector has traditionally been heavily regulated, and works well compared to the huge mess the deregulated banking system made of itself. You do realize that the government took over the banking sector because the bankers failed to run it?

Why don't you look up the Gramm-Leach-Bliley Act (aka the Financial Modernization act of 1999), and then tell me that the "bankers" caused the problem. Oh, and while you're at it, look up the formation of FDIC and the moral hazard it creates, along with the government guarantees of mortgages. It's funny how when the government causes the problem, they never actually take the blame for it....instead, its the "free market" that failed. Certainly it had nothing to do with the government removing risk and necessary regulation, nor with the skewed market dynamics that taxes and subsidies create....oh no. It's a failure of capitalism!! (though how can an economy with a central bank really be called "free market"? The market doesn't even set bank's interest rates!)

Re:Hit'em in their wallets

[Interoperable]

Oh, and Quebec was isolated from the rest of the Eastern Interconnection...in 1990 because of its demonstrated repeated inability to stop cascading blackouts

Citation needed. The only information I could find suggested that the Quebec grid is isolated because it operates asynchronously with neighboring grids, not because it experienced a failure in 1989. According to Wikipedia, the main reason the Quebec grid is susceptible to failures is because the power stations are located far from the metropolitan areas out of geographic necessity.

Re:Hit'em in their wallets

They shouldn't use the word 'shall' either, the word 'must' is in order...

So how exactly does this work?

[mirix]

Is there a webpage with a big "turn off generators" button?

Seems to me this should be a physical access, big red button type thing, no?

Re:So how exactly does this work?

[__aaqvdr516]

To answer your question as succinctly as possible.

Yes.

There is actually more than one way to turn them off (safeguards and such), but the actual generator button at my plant is both big and red. Additionally, it's not wired in to the system. The safeguards are also physically wired to cause trips. There are also redundancies built in to ensure those trips and they're hardwired. At best, for the plant that I work at, a hacker could operate a non-critical component. That's assuming they could get through the truckload of security from their end to the control end, which is engineered to be absolutely impossible.

Re:So how exactly does this work?

[Jeian]

You don't have to be as direct as telling the system to shut down. If you can confuse it enough, it might be programmed to shut itself down as a precautionary measure.

(I have absolutely no knowledge of how these systems work, it's just a hypothetical.)

Re:So how exactly does this work?

Is there a webpage with a big "turn off generators" button?

Yes. Rendered in 3D using Silverlight. Only supported on IE. And hosted on IIS on a lone box sitting in the corner of a long-forgotten closet running a release candidate of XP.

Re:So how exactly does this work?

[kalirion]

Don't worry, unless you're logged in as admin, the button is hidden through inline CSS.

Sure it's going to happen...

Protecting against virtual attacks is going to be the next growth industry; at least if defense contractors have anything to with it. The following from cryptome, which I'd link to if there were a way to do that.

A sends:

I was watching PBS with with my daughter yesterday and a cartoon came on PBS Kids that I found a little bit disturbing. The name of the cartoon is "Cyberchase."

Here is a description of it from the PBS Website: "In the world of CYBERCHASE, the dastardly villain Hacker is on a mad mission to take over Cyberspace with the help of his blundering henchbots, Buzz and Delete. But heroes, Inez, Jackie, and Matt, are three curious kids determined to stop him with the help of their cyberpal, Digit. Their weapon: brain power."

http://www.pbs.org/parents/tvprograms/program-cyberchase.html

http://www.reuters.com/article/pressRelease/idUS168619+17-Apr-2009+GNW20090417

Kind of strange a cartoon targeting the pre-school thru early grade school demographic about hackers using their minds as weapons in cyberspace. It was even stranger when it aired again today and I had a chance to see the lead corporate sponsor, Northrop Grumman. Yes, Northrop Grumman is sponsoring a cartoon for kids on Public Television. It adds new meaning to Northrop's Motto "Defining the Future" - defining the future, one young mind at a time, through children's education.

In all honesty I just never thought PBS would have the 4th largest defense contractor in the United States, the maker of B-2 Spirit strategic bomber who helps the U.S. to maintain a safe, secure and reliable strategic nuclear deterrent sponsoring kids' cartoons. Not cool.

Re:Sure it's going to happen...

I've long since stopped trusting anything that comes across PBS, particularly it's news sources. It's been compromised and so has Cryptome, although I'm not sure to what degree. I used to trust them both, but I've seen reasons to doubt them.

I submitted this last week

I submitted it in response to a number of people blowing off the potential hacker attack a few weeks ago. They have already happened and it will get worse. It's the cheapest and easiest way to do damage and get away with it.

Internets...

[Shadyman]

Things like this make me wonder why mission- and life-critical systems are (presumably) set up on Internet-facing systems. Sure, it's cheap, but when the walls come tumbling down like this article implies, cost is a moot point.

I don't see why they can't just buy a phone line for each power station and link to central stations (also with NON-Internet-facing systems) like that.

Re:Internets...

[selven]

That's not the worst. There are stories of medical systems running Windows, connected to the internet, and shutting down at one point because of an autorestart from Windows Update.

Re:Internets...

[Eil]

I don't see why they can't just buy a phone line for each power station and link to central stations

Duh, hackers can hack in through phone lines! Don't you know anything???

Re:Internets...

[Bender0x7D1]

Unfortunately, there is only a finite amount of money that can be spent on these systems. So, if they spend more money securing the control systems, there is something else in the system getting its corners cut.

Do I think securing the control system is important? Yes. Do I think it's the most important aspect of the system? I don't know - it depends on the system. If skimping on security means a company can get $GADGET into one more hospital, or wherever, then maybe it'll save more lives by being there than lives are lost by having the system go down because the control system isn't secured. It could even mean less downtime if remote administration means shorter outages in the course of regular use.

However, if they are skimping on security because they want to pad the bottom line then I wish explosive diarrhea on them.

Re:Internets...

[cetialphav]

Things like this make me wonder why mission- and life-critical systems are (presumably) set up on Internet-facing systems.

No one is stupid enough to intentionally setup critical systems on an internet facing network. What happens is that there ends up being some link between the secure and externally facing networks. This could be due to network misconfiguration or transferring a laptop from one network to the other or accidentally plugging something into the wrong network. It takes a lot of work to guarantee that things are properly segregated and the utility companies just don't want to do that.

Re:Internets...

You would be surprised on how may critical systems end up on Internet accessible networks.

First, companies *hate* security. It's expensive. It gets in the way of people "doing their jobs". It requires meetings that are not on the golf course. It gives zero ROI because an attack warded off gives zero income. In fact, unless laws are passed with actual consequences for security, there is absolutely zero interest in it.

Second, companies don't believe they will be hacked. They believe that their SCADA system doesn't need secured because no hacker can guess their IP address. They believe because they are small, they are not locatable by the blackhats so feel free to show their clients the HTTP address of their control ends.

Third, companies underestimate blackhats. They assume because they are not running Windows, that their boxes can't be jacked. Of course this is BS, but the old school sysadmins who used to scream at the UNIX vendors for some sort of fix this quarter have left IT for greener pastures, and instead, most companies have commodity MCSEs who have zero clue about SANS and workarounds in real time. The so called "100% secure" OS X machine that sits on the backend can be rootkitted. Even Solaris and AIX are not pefect, but time has hammered most of the obvious bugs out of them.

Fourth, companies don't see past the next quarter. So, if it gets sales the numbers, by all means stick the control head on the DMZ, or on the external network. Maybe it might get locked down next FY, and doesn't happen.

Fifth, even a breach won't teach people to lock down. A breach happens over the Internet, so a company might install higher security HID badge readers so they can assure their customers and shareholders that they did something. Even though nothing relevant was locked down. Or they might require 10 digit passwords changed every 15 days, stuff that is pure show.

Want to know how to get a company to give a shit about security? Regulate them with laws that have teeth. PCI/DSS has done more for credit card processing security than all the whining from customers and shareholders put together. The shotgun barrel of HIPAA actually makes hospital and medical-related places actually do something. Until regulations are put in place about security and actually have nasty punishments (prison terms), they will be ignored. Sarbanes-Oxley actually made companies actually have an E-mail policy and be concerned about breaches and due diligence in protecting attacks.

Re:Internets...

I don't see why they can't just buy a phone line for each power station and link to central stations (also with NON-Internet-facing systems) like that.

You can and they do.

A short haul line is often called a dryloop, or when ordering it is best to be described as an "alarm circuit" (trust me). You have 2 wires (hopefully (should be) twisted pair), between points A and B, maybe a mile or so. Hook Mr. Short Haul modem to it and go. Of course, the telco will not know of any failures on this line (not hooked to CO eq, it's just a bridged connection), so any issues you have with it (including the bailing wire used to string the line) are very hard to get serviced (see: Act of God).

Two of the more common long distance varieties are called "leased line" and "frame relay". (anyone still use ISDN?). The benefits are very secure data path (especially with leased line), and guaranteed bandwidth availability (leased is 100%, frame is usually 50% full speed of connection). The problems are they can cost more than a T1 connection to the internet (especially in rural areas), and they are a single point of failure line (sometimes frame relay will survive a line cut, but a leased circuit is literally a dedicated line between points A and B).

Re:Internets...

are very hard to get serviced (see: Act of God).

That should read:
are very hard to get serviced (see: Benevolent Act of God).

Security

[Renraku]

Most systems here in the US are only secure because they're obscure. Someone who has worked in the industry for more than about a year has enough knowledge to cause some widespread destruction. Up until recently, the emergency broadcast service was only a phone number and modem, with no authentication!

Re:Security

[barik]

I concur. Airports are the same way, and still this way. Many are running standard PLCs like Allen-Bradley or Modicon. They are connected directly to a modem line with no authentication. So grab yourself a copy of RSLogix or Unity Pro, dial into these places, and have fun modifying the ladder logic and wreak havoc on the airport as all bags get re-routed to who knows where. I've seen the same issues with power plants and water treatment facilities.

The only upside is that the modem line isn't hooked up all the time these days. It's usually just when they need someone to dial in, and then a worker at the facility will go and hook up the line.

Re:Security

[cptdondo]

Most of the systems are controlled by PLCs. Most PLCs to this day have no access control whatsoever. Some of the attempts at "security" I've heard for PLCs are salesguy technobabble. (The password is stored on the PC being used to access the PLC; the PLC retrieves the password FROM THE PC in order to verify the validity of the user. No shit, this is what a major vendor told me.)

A kid with a laptop with the right software, a modem, and knowledge of a few phone numbers could take out significant infrastructure.

Re:Security

[Falconhell]

wreak havoc on the airport as all bags get re-routed to who knows where.

Is that not standard airline practice?

Hell the bags might end up at the right place for once.....

Re:Security

[Renraku]

A kid with a length of chain and a potato gun could also take out some significant infrastructure in the power industry. Physical security is important as well.

Re:Security

[cptdondo]

Hehe... Back when I was in the Air Force, we had a squirrel shut down the entire base for 8 hours. S/he crawled into the main power station, and committed suicide across the breakers, blowing up a good chunk of the station and about 100' of main feeder line.

Today no doubt the press would have whipped up frenzy about a "possible terrorist attack" with artistic renderings of the squirrel in mufti....

Re:Security

[TubeSteak]

Hehe... Back when I was in the Air Force, we had a squirrel shut down the entire base for 8 hours. S/he crawled into the main power station, and committed suicide across the breakers, blowing up a good chunk of the station and about 100' of main feeder line.

Today no doubt the press would have whipped up frenzy about a "possible terrorist attack" with artistic renderings of the squirrel in mufti....

Ask and ye shall receive

Re:Security

[cptdondo]

broken link! The name sounds enticing.... SquirrelJihad!

Re:Security

[Dudibob]

Presuming this is it http://media.photobucket.com/image/Squirrel%20Jihad%20photo/amhiggins1891/SquirrelJihad.jpg

Nostalgia

[stagg]

Awfully reminiscent of the hysteria that took place in the 80s, when the FBI and media were convinced that hackers were going to "crash the grid," launch a nuclear attack or god knows what other heinous crimes. The cost to the freedom of their own citizens, and the financial expenditure on all of this hysteria seems awfully prohibitive compared to the actual risk.

Re:Nostalgia

[Telvin_3d]

The cost to the freedom of their own citizens, and the financial expenditure on all of this hysteria seems awfully prohibitive compared to the actual risk.

To be fair, almost no amount of prevention could begin to equal the cost of a truly major event like a significant amount of the US power grid being down for more than a brief flicker.

Re:Nostalgia

[blueg3]

I relish every day my freedom to perhaps one day be without power, along with everyone else on the eastern seaboard, for a few days because the energy companies so love their profits!

Re:Nostalgia

[stagg]

The power grid IS being pretty damn fragile. Not because of terrorists, but because of under funded infrastructure and other cheapness/sloppiness on the part of those self same companies. You don't need terrorists for that apparently. ;)

Re:Nostalgia

[28.stick]

Agreed.
The guys at CBS may also explain how those hackers built the lightning generator that burned down the transmission towers in Macae and Campos.

Re:THE TRUTH!! DO NOT MOD DOWN!! +5 INFORMATIVE

Imagine a giant penis flying towards your mouth, and there's nothing you can do about it. And you're like "Oh man, I'm gonna have to suck this thing", and you brace yourself to suck this giant penis. But then, at the last moment, it changes trajectory and hits you in the eye. You think to yourself "Well, at least I got that out of the way", but then the giant penis rears back and stabs your eye again, and again, and again. Eventually, this giant penis is penetrating your gray matter, and you begin to lose control of your motor skills. That's when the giant penis slaps you across the cheek, causing you to fall out of your chair. Unable to move and at your most vulnerable, the giant penis finally lodges itself in your anus, where it rests uncomfortably for 4, maybe 5 hours. That's what using Slashdot is like.

Any penis that manages to get in my mouth is going to be bitten off. Problem solved.

What short memories these "experts" have

If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation. I hope we don't get there.

That already happened, you moron. And nothing has been done to fix it because repairing infrastructure isn't sexy enough to get politicians elected.

Re:What short memories these "experts" have

August is no where near the winter that will cause people to suffer and die. IIRC, the outage was caused by it being too HOT for the current flowing through some lines. And I do vividly remember that outage, and how hot it was that day...

Re:What short memories these "experts" have

Parent's point still stands, as you would have realized if you read the Fatalities section.

Granted, it may not be the hundreds or thousands that would have perished if that had happened during the winter, but there were still a few deaths in this incident.

You need SCADA security

[Nefarious+Wheel]

I work for a company involved in SCADA systems that control half of Australia's water supply and a fair bit of the country's power grid.

SCADA networks have evolved, out of convenience, to coexist with existing LANS and thus progressively have become more dependent on TCP/IP protocols, thus becoming (rather by default) Internet-enabled.

Vulnerabilities are to some degree covered by the RTU programming, which has built in safeguards against doing wrong things. But it's not impossible for a dedicated hacker to create a bit of havoc, and this point is not lost on our client base. Our clients are actively investing now to isolate SCADA networks from the Internet, because safety has to overrule operational convenience. Work is going on now, and the door is fast closing on this avenue of attack.

It's all about SCADA. Little intelligent valves in little steel boxes attached to a lot of industrial plant. It's automation, true, but there are rather a lot of eyes watching it.

Re:You need SCADA security

That's all very well, but what about the implications of terrorists getting hold of a CIP device!!!!!!!!!!!!!!

Re:You need SCADA security

[Sulphur]

Do you mean that the checksum needed to authenticate a Remote Terminal Unit (RTU) is transparent from the internet?

Re:You need SCADA security

[jeffstar]

most of the control protocols have no authentication built into them either, in fact none of the ones i've worked with. maybe the newer ones do?

Re:You need SCADA security

[barik]

I'm not aware of any that do? Off the top of my head I can think of CIP, Modbus, Ethernet/IP, Profibus, ProfiNET, DeviceNet, and CANOpen and none of these have any authentication. At best, some of these like CIP have security through obscurity, but others like Modbus are completely known specifications.

Re:You need SCADA security

[rubycodez]

hey, while you're spending money to do that, why not also spend the small chump change it would take to harden our grid against EMP and geomagnetic disturbances?

Re:You need SCADA security

I suppose the addresses and data formats of the registers are not public for all devices as some require NDAs for that information whereas other manufacturers just publish it, while some times it also gets posted when it shouldn't.

At the end of the day, those networks aren't meant to be connected to public networks but in practice it is quite possible that the modbus serial is now modbus IP and is on the same LAN as who knows what or has a poorly configured firewall between it and the internet.

Re:You need SCADA security

[lennier]

"to harden our grid against EMP and geomagnetic disturbances"

We could do that, yes. Wait and let the terrorists bring their nuclear weapons and once-in-a-century solar flares to us.

Or we could take bold preemptive action by blowing up the sun.

Re:You need SCADA security

[twostix]

Then again I could just take my $2000 plasma cutter, $500 generator and $6000 hilux and head up into the mountains and take down three or four high voltage towers and kill power to about 8 million people for a week or more and be home before nightfall. Just in time to laugh at all of you while you scream in hysteria demanding quadzillions be spent on protecting over hyped "attack vectors".

Talk about not seeing the forest for the trees...

But as long as it's protected by fancy sounding acronyms it appears the white shirts are satisfied.

Re:You need SCADA security

[qzak]

I work in SCADA on water / wastewater systems in the US. With few exceptions, all systems we deal with are completely isolated from the Internet. However, the number of exceptions is increasing these days as more people want to view their plant data in the office and tie into their business systems. This trend means I have a tougher job (as automation engineers know much less about IT security, since we didn't have to before).

Re:You need SCADA security

[rubycodez]

actually, destructive flares that disturb the geomagnectic field enough to cause major disruptions are far more common than once a century. We've had those at least every 20 years.

Re:You need SCADA security

[SlashSim]

Then again I could just take my $2000 plasma cutter, $500 generator and $6000 hilux and head up into the mountains and take down three or four high voltage towers and kill power to about 8 million people for a week or more and be home before nightfall.

Dude, a $1000 4x4 pickup and $400 bucks for an oxy-acetylene torch rig would do the trick.

Heck, you can get tanks small enough to pack around on a mountain bike or in a backpack.

Or just use a rifle on the insulators.

There is nothing complicated about it, fortunately, few, almost none at all, people wish to create this kind of havoc. If terrorists were as common as portrayed, I'd not be able to to post this.

Please do secure the computer systems that control the power grid anyways -- please. I need power for my computers.

It's all good

> 'I would probably sack electric power on the US East Coast, maybe the West Coast and attempt to cause a cascading effect.'

No worries, I'm in the Midwest, go right ahead.

Otherwise summarized as:

[Fluffeh]

Unsecure infrastructure networks vulnerable to internet based attack.

Movie at 10.

Re:Otherwise summarized as:

[v1]

Unsecure infrastructure networks vulnerable to internet based attack.

Movie at 10.

Movie Postponed due to power failure.

Re:Otherwise summarized as:

[Goffee71]

Yep, and that move was Die Hard 4.0

USA is a crapflood from Illuminati nowdays.

If somthing bad happens, it's because whoever warned anyone about the breach earliest is the one that caused the breach. No different than how Operation Northwoods applies to 9/11 Trade Center bombings.

Hackers don't take down power supplies, crackers in Government made those flaws apparently to guaruntee their jobs progress in a new power grab. Same idea, different day.

Re:USA is a crapflood from Illuminati nowdays.

On the off chance that you are not just trolling, you aren't going to get through with arguments like that. You are pointing out a very real form of tax payer welfare for government contractors but wording it in a way that no one will hear.

Try the following:

1. Never use the word Illuminati. Ever.
2. Unless you are recruiting for something, only use the format 'Operation [op-id]' in the company of people who also use the format 'Operation [op-id]' when speaking with you... And only then if you trust them.
3. Never say what hackers do or don't do. How the fuck would you even know? The answer is simple: You don't.

And there it is. In absence of a well-formed /. post related to the dangers of large-scale implementations of critical infrastructure being handed over to profit-oriented corporations we have a little primer on conspiracy communication 101. Hope it helps, keep fighting the good fight or trolling forums, whichever you are up to.

Re:THE TRUTH!! DO NOT MOD DOWN!! +5 INFORMATIVE

[turing_m]

Any penis that manages to get in my mouth is going to be bitten off. Problem solved.

Be careful you don't bite off more than you can chew.

Hand in Hand along the path

'They admit that they misled Congress. The private sector has different priorities than we do in providing security. Their bottom line is about profits,' says Langevin. 'We need to change their motivation so that when see vulnerability like this, we can require them to fix it.'

And yet when the RIAA/MPAA deceive in the name of profit its all about protecting jobs, yes jobs - not the mansion.

Why?

[CrAlt]

If you have transmission lines running from point A to point B then why cant you just string a data line right below the transmission lines? You already own the right of way. You already have the towers/pole line ran. Compared to the cost of a big high tension line the cost of a little data line would be nothing.

Re:Why?

i think running data lines near strong power lines will result in a huge percentage of lost data due to interference

Re:Why?

If you have transmission lines running from point A to point B then why cant you just string a data line right below the transmission lines? You already own the right of way. You already have the towers/pole line ran.

You don't. Transmission owners are not grid operators. There are lots of different entities out there; a transmission owner is different from a generator, and neither of them is an ISO/RTO.

Re:Why?

[Falconhell]

Why would one not use fibre optics, to avoid such interference?

Re:Why?

[pitterpatter]

why cant you just string a data line right below the transmission lines?

Why bother? You already have the high tension line. Run the data on that. Physical security against most attackers is built in by the numerous volts sitting on the line already, and by the redundant network already in place. IT security should be no worse than you already have on the internet, and you should be exempt from attacks by casual hackers because they don't have easy access. Concerted attacks by dedicated evil-doers are another matter, because anyone can gain access. but the evil-doers are going to be a problem anywhere.

Re:Why?

[Clover_Kicker]

Yes, if only someone would invent a way to transmit data using light, maybe over a long fibre of some transparent material...

Re:Why?

[A+beautiful+mind]

Why bother? Just use the Internet. Banks run transaction traffic through the internet, of course heavily encrypted, with proper integrity protection and certificates. It's entirely possible to do this securely, the global economy already depends on this capability.

There is no need to reinvent the wheel, the power companies should just be using proper compartmentalization techniques to dig some trenches between the internet and their systems.

Re:Why?

Which costs more to implement?

Re:Why?

[whoever57]

If you have transmission lines running from point A to point B then why cant you just string a data line right below the transmission lines? You already own the right of way. You already have the towers/pole line ran. Compared to the cost of a big high tension line the cost of a little data line would be nothing.

That's fine until some PHB realizes that they have a massive amount of spare bandwidth and decides to sell it......

But seriously, they could set up a VPN using MPLS (or some other equivalent technology) at the telecom company level and the systems would not need to be accessible from the Internet. Then the attacker would need to break into the telecom company network first.

Re:Why?

[aaarrrgggh]

Transmission protection relays will usually have a fiber optic link to establish distance to fault, direction of fault, and a number of other issues. This protects the transmission line.

The generation station might have two or three transmission lines coming out of it. If it needs to shed load, it will dump one of those lines. But, the ISO (independent system operator?) coordinates all the generators, so you are likely to have the same load just moved to the other two lines. Ultimately, this forces the generator to shut down completely.

What you could theoretically do is automate the role of the ISO to coordinate generation and demand in real time. If you need to shed 5% of the load, it is very hard to do it right now in real time. That is the failure that most of these attacks try to hit, as it is easy to cause a cascading failure if transmission is limited.

Re:Why?

[A+beautiful+mind]

These are orthogonal questions. You'd still have to do this even if someone rolls out their own lines.

Re:Why?

[DigitAl56K]

That's a great idea. Except when lines fall or circuits get shut down etc. you might loose communications with your control system.

Re:Why?

[dingram17]

Maybe in the USA all the generating companies own the powerlines too, but elsewhere in the world where there is no longer any vertical integration, the generators are all by themselves, with no links other than the public ones they pay for. Too many managers like to look at what is happening at the power stations from their desk. IT are not too interested in running a separate network with separate PCs, so it all goes on the corporate network. We have eight power stations, spread out over 3000+ km. Communicating between them and the three office locations is a challenge.

Re:Why?

If you have transmission lines running from point A to point B then why cant you just string a data line right below the transmission lines? You already own the right of way. You already have the towers/pole line ran. Compared to the cost of a big high tension line the cost of a little data line would be nothing.

Because NO data would get thru. And it would create a safety hazard. There are already enough documented cases of running data lines in the same conduit with power mains. It doesn't work.

Analogy: Ever notice that when you are waiting at a stop light and the sun is behind it, it's REALLY difficult to see the light change? That's because the light energy from the sun exceeds the light energy from the traffic light. It's the same way with running cables together - the EMI from the power mains exceeds the energy from the signal.

Fiber optics? Sure.
I'll tell you what. When a car crashes into the pole, why don't you climb up there and repair the break.

Re:Why?

[swillden]

Which costs more to implement?

Stringing many miles of additional wire costs more, particularly since the fact that the power company owns the wire doesn't do anything to eliminate the need for proper protection of data or authentication of commands delivered over it.

Re:Why?

I have been told by an older person in the electrical trade that control signals can be sent over the actual transmission lines eg. broadband over power lines, and it has been done for several decades.

Re:Why?

[SuperMog2002]

Control signals can be sent over the transmission lines, but I'd hardly call it broadband. It is extremely low bandwidth. It does have its uses, but the power company can often achieve much faster and more accurate diagnostics over a bigger pipe.

Re:Why?

[Bazer]

You know what I think would happen if they did that?
They'd sell the left-over bandwidth.
It's already been done with phone and cable.
Even train companies sell bandwidth nowadays.
We live in a time where everyone with a piece of string or spectrum does networking services.

Re:Why?

[seaton+carew]

Because when the line breaks/falls down/gets struck by lightning, you lose your vital communications right when you most need them.

It's usually a good idea to have the control channel physically separate from the thing you are controlling...

Re:Why?

[Starvingboy]

Often, they do when installing new lines. A lot of this stuff is REALLY old, and nobody want to touch it because if it breaks, you have to spend a LOT of money to update the entire thing.
Also, it is often cheaper to just get the circuit from the phone company.

Re:Why?

[Rich0]

That's a great idea. Except when lines fall or circuits get shut down etc. you might loose communications with your control system.

And that is why for critical systems you need humans in the loop.

I always scratch my head a little when I see articles about Naval destroyers that can operate with only 12 people on board. I have to wonder what they plan on doing when they get hit by a shell and you end up with a 1" seam with water pouring in. If you had 100 guys to run damage control it would probably be a non-issue. With only 12 people on board even a small leak is going to be a big problem. Sure, you could easily evacuate those 12 people and not risk too many lives, and that is a viable option if a destroyer costs $1M, but if it costs $1B you're going to want to try to save it.

Automation is great for saving costs, but it never will be able to deal with emergencies as well as having a staff of trained people on-call. When we're talking about the national electric grid, I think we can afford to have a few engineers around.

Re:Why?

New high tension line, now has fiber optic cable inside

Re:Why?

[Placido]

Or maybe... maybe we could transmit data over the electricity grid by using a higher frequency to piggyback 0s and 1s on the carrier? ;) Oh wait a minute...

Like we'd respond that well

[DoofusOfDeath]

'If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation. I hope we don't get there.

If 9/11 was any indication, our national response would be characterized by...

• NSA snooping into all of our computers, and "state secrets" claimed whenever we tried to invoke the 4th Amendment in court.
• A few massive, no-bid contracts by the Federal Government which achieve almost nothing of value.
• RIAA/MPAA sleezeballs capitalizing on it in ways I don't even want to contemplate.
• Possibly an insane (think Sarbanes-Oxley) amount of red tape added to many computer installations in the country.
• Republicans and Democrats somehow finding a way to blame each other for this, deadlocking the Legislature for a while, and then in some kind of last-minute spasm, pass an appaling bill to just have the appearance of doing something.

Only in my wildest fantasies would such an attack mobilize the country to have a rational, balanced cyber-security posture.

Re:Like we'd respond that well

Don't forget about starting a couple of wars in random third-world countries just to look "tough" (or to benefit your buddies running various energy companies).

Re:Like we'd respond that well

Yeah, Afghanistan attacked as a random third world country meant to make the US look tough. Their name was practically pulled from a hat.

Think what you want about the US or George Bush but, given the circumstances, Afghanistan was handled as diplomatically as it should have been if not a little more.

Re:Like we'd respond that well

[lennier]

"RIAA/MPAA sleezeballs capitalizing on it in ways I don't even want to contemplate."

When you install photoelectric panels, you're BURNING our fossil fuel industry!

Passive home heating is like passive smoking: IT KILLS! Insist on genuine 2000 Megawatt active air conditioning from a certified generation station.

You wouldn't steal a car... so why build a windmill? Just because all your friends are doing it doesn't make it right!

Firewood is BOLSHEVISM!

Re:Like we'd respond that well

[Improv]

S-O doesn't strike me as an insane amount of red tape.

Re:Like we'd respond that well

[CyprusBlue113]

And Iraq... ?

Re:Like we'd respond that well

Not completely random. Afghanistan is in the part of the world where one would expect to find a Saudi Arabian citizen, and could be invaded without actually pissing off Saudi Arabia (the ones with the oil).

Re:Like we'd respond that well

Funny how you question a poster who brings up a really legitimate point but give a pass to a poster who made claims that aren't in line with any form of logic. Chalk another victory up to Slashdotters who refuse to acknowledge that there is more going on than a meme can explain.

Re:Like we'd respond that well

[dbet]

You forgot: lying to the public in order to invade a nation that had nothing to do with anything.

Re:Like we'd respond that well

[CyprusBlue113]

You explained it exactly, I'm not going to bother with people that don't at least make the effort to include any form of reality in their positions, but will spend the effort to have meaningful discussions with people who show some spark of inteligence. The concept is similar to avoiding any News Corp establishments for meaningful information, or discussion.

California power embargo of 2000/1

[0WaitState]

'If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation

So the enron-organized power embargo hitting california in the summer of 2001 is now being recognized as terrorism? The central valley and inland empire areas hit 100+ degrees most summer days. Wonder how many elderly died, or had their lifespans shortened due to heat stress during the rolling power outages.

Re:California power embargo of 2000/1

"Who run bartertown?"

apparently Enron.

Re:California power embargo of 2000/1

[mcgrew]

So the enron-organized power embargo hitting california in the summer of 2001 is now being recognized as terrorism?

The corporatti have killed more innicent non-combatants (mostly workers) than all the terrorists put together. That's why they started OSHA; the corporatti cares less than the Taliban whether or not you live or die.

My grandfather went four stories down an elevator shaft because Purina was too cheap to put door on the elevator. Jack in the Box killed kids with poison hamburgers, that one guy's peanut operation killed dozens last year with filthy, poisoned peanut products. That chicken plant burned all its workers to death in the eighties because they chained the fire doors shut to keep the workers from stealing chicken parts. Ford let Pintos explode for ten bucks a car. Google for more.

Terrorists? I'm more worried about my employer.

Re:California power embargo of 2000/1

[Technician]

For anyone who cares, the biggest causes are listed in the wikipedia article.

http://en.wikipedia.org/wiki/California_electricity_crisis

The article is heavy on the consumers not curtailing use of cheap power. On the flip side is the utilities faced with rising fuel costs and price fixing by the state of California found it a good time to shut down the more expensive to run plants to cut their losses. It costs more to produce electric power when you have to fire up the ineffecient plants to supply the peak demand.

Peak demand was not curtailed by consumers due to the cheap power and peak demand was not met by the utilities who refused to bring up ineffecient plants to meet the needs in the heatwave.

This is the outcome of government telling industry it must produce a product at a fixed price while the cost of supplies goes up.

Obama is going to control the cost of providing health care. Expensive to provide services are going away when this happens. Private industry has no other choice. Expect it.

Those who don't learn from history are condemmed to repeat it.

humm

all this comes from a retired person with nothing better to do with his time then to try and get on 60 mins. im guessing he also is one of the people who calls technical support saying that his wireless signal keeps getting stolen by the Russians that are in submarines in the lake what his house backs on to.

Naive Population

[spyder-implee]

You are extremely Naive if you believe this garbage. Blaming bandits for the shortcomings of the government is one of the oldest tricks in the book.

Re:Naive Population

[upside]

The government is just a corporate sock puppet, and blaming the government is one of the oldest tricks in the corporate handbook.

1) Lobby for deregulation
2) Profit
3) Shit hits the fan
4) Blame the goverment
5) GOTO 1

Well, Duh!

[zmollusc]

Obviously the evil terrorist hackers would have to attack the electricity distribution via the control centres on the internerd, the power companies long ago stipulated that all pylons and power poles be made of adamantium and be guarded 24/7 so there is no feasible way to attack the wires strung all over the fricken country.

Re:Well, Duh!

[michael_cain]

The "Secure Grid 2009" security game run by DHS for senior policy makers identified the very high voltage transformers at the ends of those links as the weakest point. These are so large (250 tons and up) that they can only be moved by rail, along lines with sufficient clearance. For the most part, there are no spares and replacements require at least weeks and possibly months to build and transport. Physically, most would be damaged sufficiently to fail if rammed with a garbage truck at reasonably high speed, and many are in positions where such an attack is possible. A dozen such strikes, done at close to the same time, could conceivable take out much of the power supply for a state the size of Ohio for a period of several weeks. Within several days, millions would be without water, sewage treatment, or reliable sources of food.

Re:Well, Duh!

[blueg3]

Destroying individual wires isn't nearly as effective, safe, and anonymous as taking out SCADA systems over the Internet.

No Security

Up until recently, the emergency broadcast service was only a phone number and modem, with no authentication!

The CATV company I work for had a crazy insecure ebs system. It was these ancient boxes in the head ends that just watched for a carrier on a certain freq in the return path. Once it saw any carrier it would flip over the EBS system and all the audio on our analog channels would go down. This carrier came from another dumb box that was in the main head end. That box was triggered by a unsecured phone line and all you needed to do was know the number to it. All anyone needed to spam 250K customers was a telephone.

The whole system looked like it was built by some ham radio op with parts from RadioShack in the 1980's.

We only got rid of this system LAST YEAR after some prankster with a signal generator figgered out how to trigger one of the dumb boxes. We now have a new system with scrolling text across the screen and clear audio... though I wouldn't be surprised if it was just as half assed as the old system.

Im posting this AC because coworkers know my /. nick :)

Re:No Security

Up until recently, the emergency broadcast service was only a phone number and modem, with no authentication!

The CATV company I work for had a crazy insecure ebs system. It was these ancient boxes in the head ends that just watched for a carrier on a certain freq in the return path. Once it saw any carrier it would flip over the EBS system and all the audio on our analog channels would go down. This carrier came from another dumb box that was in the main head end. That box was triggered by a unsecured phone line and all you needed to do was know the number to it. All anyone needed to spam 250K customers was a telephone.

The whole system looked like it was built by some ham radio op with parts from RadioShack in the 1980's.

We only got rid of this system LAST YEAR after some prankster with a signal generator figgered out how to trigger one of the dumb boxes. We now have a new system with scrolling text across the screen and clear audio... though I wouldn't be surprised if it was just as half assed as the old system.

Im posting this AC because coworkers know my /. nick :)

But - those old CATV over-rides (ours was a General Instrument "Com-Alert") WERE built in the 80s, with relays in the mods and processors to switch video and audio sources when a closure to ground was detected across the twisted pair tied to terminals strips. The systems were old, the requirements were old, hell CATV is old tech to begin with!
 

Is this a cover...

[mathfeel]

for some kind Hollywood-style heist underway?

Die Hard 4.1

Can't believe it wasn't even tagged about this.
COME ON PEOPLE!

Re:THE TRUTH!! DO NOT MOD DOWN!! +5 INFORMATIVE

I don't know WTF you were getting at but I laughed my ass off :)

Northeast Blackout of 2003

[ErkDemon]

You spend the money in such a way as to make the system generally more robust, not just against terrorist attacks, but also against acts of nature, disgruntled employees, criminal extortion, and sheer human idiocy.

A lot of US infrastructure has been desperately vulnerable for years. How many terrorists would it take to black out fifty million people in North America? Apparently zero.

Remember the Northeast Blackout of 2003 ?
If the reporting was accurate, that affected 55 million people across eight US states (and Ontario), and was caused by a lightning strike
Getting the grid rebooted seemed to involve a hell of a lot of grief.
If the reporting wasn't accurate (and we go down the "conspiracy theory" route), then maybe the hypothetical attack has already happened, back in 2003.

So which idea's the more scary? That we lost the Northeastern grid in 2003 through malicious intervention, or that it simply failed and "dominoed" all by itself after some nasty spikes in Canada?

Re:Northeast Blackout of 2003

So which idea's the more scary? That we lost the Northeastern grid in 2003 through malicious intervention, or that it simply failed and "dominoed" all by itself after some nasty spikes in Canada?

How about neither, since the problems did not originate in Canada at all.

http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003

Re:Northeast Blackout of 2003

[Amnenth]

Remember the Northeast Blackout of 2003 ?

...That we lost the Northeastern grid in 2003 through malicious intervention, or that it simply failed and "dominoed" all by itself after some nasty spikes in Canada?

Hey, don't blame us. The article you referenced (link fixed) pegs the domino effect as starting from within Ohio.

Re:Northeast Blackout of 2003

[ErkDemon]

Oh, okay. Trees.

Old news. NERC CIP

The regulations (triggered by the massive blackout of a few years back that was actually an electical issue, not a computer hacker incident) called NERC CIP are intended to deal with this issue.

http://www.nerc.com/page.php?cid=2|20

W

Liberals

[similar_name]

More liberal regulation. Doesn't everyone know that capitalism is best for us? Those that control the energy industry seek money and that in America is a worthwhile goal in and of itself. Money fixes everything. After all our money says 'In God We Trust'. It's practically blessed. The golden calf is god.

I haven't been modded troll or flamebait in a long time, just thought I'd try it out.

Hmm...

[parabyte]

Reading this article, I was thinking this security guy is exaggerating and playing down at the same time.

First of all, in the U.S. many companies use so much crap when it comes to IT that it makes me sick, so everything is possible. However, I think it is much more probable many systems will blow up on a large scale without any malice involved, but just due to incompetence and negligence.

At the same time this guy admits the U.S. is actively preparing and maybe even conducting cyber-warfare against other countries. I don't know how to comment on that. If all countries would stick to cyberwarfare instead of dropping bombs, this would not be *that* bad.

The talk about stolen intellectual property and trade secrets is mostly bullshit. Any business that requires a great deal of secrets to be kept is not sustainable anyway. The future belongs to companies who need very few secrets, if any at all, and are quite open about most aspects of their business. Secrets tend to get out sooner or later anyway.

For mission critical software the quality standards should not be very high, but insanely high. And when the life of people is on the line, software alone should never be able wreak havoc. Unfortunately there are too many people out there who don't have a clue and are just happy when things work. The only get wiser when after the shit hits fan a couple of times, but then they overreact. Professionals should have more courage and never let hazardous systems become operational.

However, I don't see a chance that most of those responsible for the bottom line would voluntarily invest in security and safety unless they are forced to do so, either by law, or by shitstorm.

p.

why can the hacks do somefun like unlocking all ch

why can the hacks do something like unlocking all channels in a cable system?

I think if some one where to hack in the power system and set all bills to $0 then you will see a big move to lock the system down.

Fear Mongering $$$ + Power

[clyde_cadiddlehopper]

There is no cost of inciting fear in the public. And fear brings huge opportunities for money and influence. How do we impose a cost on fear mongerers? Ooooh... how about a tax on Fox News, Rush Limbaugh, and 60 Minutes? Justice at last.

a naive sounding question

[ncmathsadist]

What are we thinking, connecting these secure locations to the Internet? This seems the height of folly to me!

Re:a naive sounding question

[joocemann]

I agree. There should be an airgap between the internet and these kinds of things. Or maybe it is time to move them over to one of the other networks that exist that are airgapped (physically disconnected) from the internet.

From Experience

Having worked at a utility in an IT consulting position I've had some experience supporting/implementing the control systems for a reasonably large scale SCADA system.

What I've come across is the people running/maintaining the SCADA system often don't have a Security/IT background, they have an electrical engineering or similar background. This can often make discussions about firewalls - TCP/IP and routing challenging. On top of this, most of the guys (and it is guys) involved are older, engineering types with the culture and communication differences that that implies. They are often very reluctant to let IT in to their systems to assist. Workstations/servers are often not visible to standard IT management processes like patch management and antivirus because of inter-group politics.

We run into the classic security vs. usability argument. More security often makes it more difficult for them to do their job (at least for them) and is also much harder to implement, maintain and troubleshoot.

A lot of systems have historically been serial and have migrated over to IP gradually. This has often been done without adequate planning and analysis, resulting in a system that is deemed successful because it works, not because it is secure.

Money as always is a factor. I know for a fact the enhanced security version of the SCADA solution was NOT installed, as it was too hard and too expensive and as a result was put off until later.

In our case, all the devices and RTUs out there come in over a private network, NOT the internet. This traffic is in the process of being encrypted with IPSEC. The weak point is and will always be the client devices or terminals. Remote access to these is the achilles heel of any system. Having such systems completely separate should be a requirement, but is often put aside in the name of usability for workers to get access from home, or the ability to access the internet from the control PC.

The requirements for criticial infrastructure exists and has done for some time, ISO27002 and NERC have a huge number of requirements. Good luck finding a utility that complies with all of them.

A horrific incident may be the catalyst to have changes made. But in the meantime it's down to money, silos and politics.

Re:From Experience

[Animats]

Right. A big problem is that 75% of US utilities use a protocol called DNP, which has been around since 1990 and has no security whatsoever. DNP is often transported over IP networks, ones which are hopefully not connected to the Internet. There's a secure version of DNP, with cryptographic authentication (not encryption) but it was only standardized last year and is still in test.

DNP is a master/slave system; there's a "master station" which makes all the decisions, and slave devices which report and obey. It's not really very distributed. That's a relatively simple situation to secure, and even that isn't widely implemented. Systems where there are multiple nodes making decisions don't fit the DNP security model well.

Here's a worrisome diagram. Windows machines on a LAN which can get to a power company's SCADA network, connected to the Internet through McAfee Firewall Enterprise Edition boxes.

Re:From Experience

[RAMMS+EIN]

``We run into the classic security vs. usability argument. More security often makes it more difficult for them to do their job (at least for them) and is also much harder to implement, maintain and troubleshoot.''

I've never understood that argument. If your system isn't at least somewhat secure, you have to either constantly check on it, install patches, etc. or risk it being compromised. How is that usable?

To me, it's about the same as building a bridge out of whatever you have lying about in the vicinity. "Look! It works! We can walk on it, see? Take that, you bunch of whining engineering types with your expensive designs and complex calculations." Then, one day, the wind is a little stronger than the day the bridge was built, and it collapses.

We don't build bridges that way. We shouldn't build computer systems that way, either. If it's not strong enough to survive in the Real World, it's not a usable system.

Re:From Experience

They are often very reluctant to let IT in to their systems to assist. Workstations/servers are often not visible to standard IT management processes like patch management and antivirus because of inter-group politics.

Maybe because IT cant just "assist". They want to take control of the whole situation. They will not be satisfied with "patch management and antivirus", they will also want to apply nonsense AD policies to the machines and also forbid engineers from having Administrator access to the machine.

I have watched, over the years, several SCADA implementations where IT people tried to get involved. At exactly 100% of times the IT department made a complete fool of themselves. They managed to convince themselves that the Engineers that were building the system were too damned stupid (comparing to them, the super-duper-geniuses with corporate-desktop-management-superpowers) to have Administrative powers or even work without stupid "I agree with the IT policy" logon messageboxes and scripts that completely screwed up most automation software packages.

Re:From Experience

Insecurity through economy. For when RS485 just isn't convenient enough...

Re:Fear Mongering $$$ + Power

[east+coast]

How do we impose a cost on fear mongerers?

Can the government tax itself?

It's odd that you speak of fear mongering, power and money in the same breath but look to the government as a solution to these problems.

Independent System Operators

[eldurbarn]

The Independent System Operators (ISOs) exercise real-time control of the grids. I can't speak for others, but I do know how the New England ISO does things. Yes, there's a lot of automation... but the entire system is designed to have a "man in the loop". Add to this the fact that there are two completely independent systems for monitoring the Area Control Error (ACE) (the amount by which generation doesn't match load) and you get a situation where a hacked system would become very obvious, very quickly.

The uber-emergency last ditch ACE monitor is an un-networked box that monitors analogue signals sent to it over microwave relays. As of today (as far as I know) you can't hack a box that you cannot connect to.

Yes, it's possible for a cyber attack on an ISO to create a measure of chaos, a degree of frustration and a burning desire to "get rid of" that hacker, but these men and women are dedicated professionals and they engage in a process that has been honed and refined over the last few decades. I shan't say that it's impossible, but I honestly believe that it would be highly unlikely that meddling in the data stream (SCADA) or accessing the control computers would bring about massive failures.

For that sort of thing to happen, you need a perfect storm of failures.
 

Re:Independent System Operators

[jeffstar]

microwaves can be jammed and fibre can be cut, will the communications network become just as critical to the operation of the power grid as the generators and transmission lines themselves!

Why are controls connected?

[jhoegl]

It is interesting to me that controls are connected to the internet. There is no logical reason why. They used to do this for decades without the internet, why now? If its to connect multiple power companies... VPN with selective routing rights. Specific terminals should be setup for only power grid use. If some lameass is bored with his job give him something else to do or setup another terminal with internet. Cost of security fix? PPpffttt... a few computers and some networking. Ill bet the total cost would be under 100k, and that is generous.

Re:THE TRUTH!! DO NOT MOD DOWN!! +5 INFORMATIVE

Nice, one of the funnier trolls I've seen in a while...

Internet is Perfectly Save as a Bearer

[omb]

OK, this another stupid meme:

1. Physical security of your systems, you must not make stupid assumptions; vide FortHood.

2. Over wide areas, connectivity security is paramount, and, because of its military origins it is designed for that; TCP connections are hugely resilient to network failures.

3. You are responsible for your own data, and if it, and your control system is important, you need a VPN. The Internet provides robust resialiance, your VPN must deal with data security, and if you can co-factor the APIs that is good. YOU take responsibilities for communication failure (and provide technical mitigation) and you also need to ensure your data is SECURE and can't be HACKED&#160;into. That means strong and effective enterprise security management encouraged by putting the CEO in jail if his company is negligent.

If the power grid is so vulnerable, why hasn't...

[swb]

...it been taken out in the U.S.?

If there's a dozen guys pissed off and zealous/brave/willing/stupid enough to hijack planes and fly them into buildings, surely there's 100s more pissed off guys with m@d sk1llz who could do this, and wouldn't be held back because it's not a suicide mission, and doesn't directly burn thousands to death in an ensuing fire and crash.

And I'd wager that hacking the power system is probably a decidedly less resource-intensive activity than even small-scale physical attacks (bomb/gun/kidnapping/etc), the participants can engage in almost total anonymity, and there's no messy explosives/weapons to buy or store or get caught with. All this means its something that even a lone crank could pull off, opening the doors to a whole panoply of groups with gripes, including or especially all manner of domestic crackpots. You don't need Al Quaalude or zillions of dollars or a complex intelligence network.

Forcing the grid offline and in a way that kept it down/brain damaged for any length of time over 48-72 hours, especially if it was widespread, would have such a cascading effect and probably spawn anarchy. At a minimum billions lost, thousands killed, possibly riots or widespread civil disorder. Katrina times 9/11. So the effect would be substantial and easily deniable, making it the kind of thing China or Russia or any other competitive major power might want to do just to fuck with the Americans and keep them off balance.

Yet it hasn't happened here or Western Europe or most modern Asian countries. Why?

Why these systems are connected to the Internet

[Tweezer]

I know all the comments are about to come flooding in that these systems should be air gapped from the Internet, but that isn't practical in today's environment. These systems need to be indirectly connected to the corporate networks, because the data is valuable to the companies. Much of this is due to deregulation. Since deregulation electric utilities no longer operate as islands with their own generation, transmission and customers. Since nobody liked monopolies in the energy industry, the pieces aren't necessarily owned by the same companies anymore. Energy is also bought and sold in a market environment with prices changing all the time and the information is exchanged over the Internet. If you want to see the current Megawatt Hour (MWh) prices in the midwest check out http://www.midwestiso.org/page/LMP+Contour+Map+(EOR). Needless to say air gapping isn't practical in today's environment.

Re:Why these systems are connected to the Internet

That is crap. It is practical, it just requires someone dumping the data to a DVD by running a download script, spinning around in their chair, and plopping the DVD into another computer to run an upload script.

God forbid.

Re:Why these systems are connected to the Internet

[Tweezer]

If this could be done every 4 seconds for hundreds of thousands of data points you might be correct. Unfortunately I don't know of a system that could do this at any speed close to what is required. The speed required doesn't even allow for relational databases, because Oracle, SQL etc can't handle the inserts at the rate required. Here http://www.osisoft.com/software-support/what-is-pi/Architecture.aspx is a typical architecture for this sort of thing. There are multiple layers of firewalling between the control networks and corporate networks, but any company that were to go the air gap route would be bankrupt shortly. These are real-time systems and the markets can change very quickly.

and the attack stopped

just because the hacker didn't have an UPS...

How Long?

How long until the power companies are entirely run by the government? I know, I know, they practically are, but the second a terrorist, or a hacker wants to have fun, people will be screaming bloody murder that the government should have control. The practical side of me says that a power company would want to protect their assets, but most people seem to think that this means the government should protect that for them. Is there anything the government can do to increase security without taking away control from these corporations? Or should we just make the transition now to complete government control while the attacks havn't happened?

This is not an accident

[crf00]

No there's still more things to do, we still need to blow up the nuclear reactor and shut down the backup grid system. In five minutes, I'll tear that whole goddamn building down. Tonight is not an accident. There are no accidents. We have not come here by chance. I do not believe in chance. When I see three objectives, three captains, three ships. I do not see coincidence, I see providence. I see purpose. I believe it our fate to be here. It is our destiny. I believe this night holds for each and every one of us, the very meaning of our lives.

goes good with popcorn

[Eil]

'If I were an attacker and wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer,' says McConnell, 'I would probably sack electric power on the US East Coast, maybe the West Coast and attempt to cause a cascading effect.'

Oh yeah, well if I were an attacker, I would build a gravity weapon so powerful that it would pull the moon out of its orbit and crash it into the earth.

OR I would create a poison so potent that just a few drops of it in any lake would kill everyone within a 5-mile radius.

OR I would plant thermonuclear bombs in the capitals of the 10 largest cities in the U.S. and detonate them all at once.

See, Mike McConnell? It's easy to invent terrorist movie plots. If they gave out awards for Most Creative Terrorist Strategies That Would Never Work, you all all of your three-letter agencies would win first prize every time.

Part of it has to do with

[kilodelta]

The SCADA systems. Some genius decided to write a TCP/IP stack for SCADA and then put an ethernet port on the damned things. And what did the utility companies do but hook em' up to an IP network. Not very smart.

Re:Part of it has to do with

[viralMeme]

US blackout was computer related

"The W32.Blaster worm may have contributed to the cascading effect of the Aug. 14 blackout, government and industry experts revealed this week"

Rare SCADA vulnerability discovered - May 2008

SCADA Systems Vulnerable to Hackers Feb 2004

this really a 2012 paln to save the power grid by

this really a 2012 plan to save the power grid by turning it off for a some time and save it by having it off when the em field go nuts.

There's one solution that always works: AIRGAP

[ancient_kings]

That's right you dumb mutha-humpers, you do NOT connect critical infrastructure to the internet. PERIOD. Do this any you'll see the amount of "attacks" go to ZERO. This is all hype for certian defense companies to rape the US Government out of the tax-payers money. AIRGAP critical infrastructure and all your worries will be gone permenantly. THE END.

NERC CIP

[fungaw]

Electric utilities are already being required to beef up security. The North American Electric Reliability Corporation (NERC) has a fairly extensive set of mandatory compliance standards for "Critical Infrastructure Protection (CIP)." I don't know why this was omitted from the story. If you don't comply with the standards, you're subject to some heavy fines. Go search on 'nerc cip' and see how there's a whole cottage industry of consultants gearing up for this.

Re:NERC CIP

I've spent a significant portion of the last year doing just this, getting local utilities up to the NERC CIP compliance standards.

The good news is that many places take this serious. The bad news is the cascading affects one or a small handful of even small local utilities can have on the whole system. Power distribution is not my area of expertise, IT security is, but I understand this is a very challenging area. You can't just put a "power firewall" in between utilities the way things are bought and sold non-stop and usage is up/down all the time.

Another problem many systems have is that if they were to lose power, they don't have the ability to start back up. You can't "turn on" a generation plant without power, and if the grid connecting you to other utilities is all down, how to you get going? This requires "black start" locations that can start without any external power. Guess what, most generation plants don't have this, as it costs more money for something that is "never needed", and when does the grid ever fail?

Yet another problem we face is that many small utilities are run by boards who are locally elected, and often by a population that knows nothing about running utilities or who is qualified and elects equally unqualified board members to make the financial decisions.

Obvious solution

[Mr.+Freeman]

"We need to change their motivation so that when see vulnerability like this, we can require them to fix it.'"

Why the hell is this so hard to figure out? Hold cooperation responsible for the negative effects caused by their negligence. Power going out because a skilled hacker found an exploit that the best security experts couldn't find is one thing. But power going out because the IT dept. at the power company decided that they didn't need to take basic security measures is another, that's negligance.

If people die because the power went out and the power went out due to negligence (i.e. some 15 year old managed to ssh into the power plant and fuck everything up because the root password was "password") then charge the company with criminally negligent homicide.

We don't need some special, new incentive to get companies to protect the public interest. We just need to remove all of the immunity we've given the companies. The only question we have to answer here is why the fuck did we give companies immunity from the consequences of their actions?

Re:Obvious solution

because those companies paid some major money to lobby for it.

I, for one, welcome our corporate masters! Wait... you can welcome something thats already here right? I mean, I'm not being rude by chiming in late?

Re:Obvious solution

[mcgrew]

...charge the company with criminally negligent homicide.

Can you point to a single time that's ever happened? Even when that chicken plant that had its fire doors chained shut to keep the workers from stealing chicken parts burned down and burned 25 people to death, the guy who actually chained the doors shut only spent two years in prison.

It's ok to kill if you're a corporation. Hell, you can even kill children with impunity, look at Jack in the Box.

Re:Obvious solution

[Alex+Pennace]

Does http://en.wikipedia.org/wiki/The_Station_nightclub_fire count?

Interesting choice of words

'If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation.'

Yes, if the hackers also managed to cover the nation in a bath of hot zinc..

As a Rhode Islander, I apologize

[Gothmolly]

For electing such a statist douchebag. Our little armpit of New England has only 2 industries - welfare and prostitution, and our elected Gestapo is always looking for more.

Stupid.

[jaygridley]

There is no reason for the grid to be connected to any public data network. Period.

Re:Stupid.

[jeffstar]

ah so you would like to pay extra on your electricity bill for a separate, coast to coast, nationwide fibre optic and microwave data network which exists everywhere there is electricity?

They are making it worse

[mikep554]

I follow a number of security-focused mailing lists, and about once every two or three months someone posts something like this: "Help! The plant mangers at $CRITICAL_INFRASTRUCTURE_SITE where I work want to have all the formerly air-gapped SCADA systems accessible via a web browser from any internet-connected PC so they can check the plant status from home, on vacation, while at conferences etc. I haven't been able to talk them out of it, can anyone help with a better argument?"

What reasoning do your propose to people who's response to the argument of "if we are hacked, the loss of life and bankruptcy of our company will come back to you" is met with "you IT guys are too paraniod"?

Until people start going to jail, profit and convenience will trump everything else.

Smart grid makes it more exposed to hacking

[George_Ou]

Smart grid makes it more exposed to hacking. If we're talking about the ability to manage major appliances such that they can be spread out so that we can put a higher load on the grid without overloading it, imagine if someone broke into that system and did the opposite by synchronizing usage. Coupled with the fact that loads are even higher, it's a perfect storm for melting down parts of the grid which would take a long time to repair. During that time, people who are most vulnerable (the elderly) would die.

Re:Smart grid makes it more exposed to hacking

[Vancorps]

Or you build in multiple redundancies with systems that have to agree in order to make such an important change. Also, who said this network had to be Internet accessible? Maintaining physical security is pretty easy in comparison to Internet security and that is mostly all that would be required. You would probably want to throw in multi-factor authentication and decent encryption just in case a facility did actually get compromised.

This thought that there are tons of super hackers out there is ridiculous too. It's amazing the abilities attributed to secret government agencies and lone hackers of extraordinary skill. There will come a time when these skills are not seen as magic and people will take sensible approaches to security.

Re:Smart grid makes it more exposed to hacking

We can't even get ONE reliable system much less two systems that are redundant.

As for Internet access, who said anything about Internet access? You don't need Internet access since you've got a system right inside your home connected to the smart grid. Moreover, even the non attached systems are indirectly accessable over the Internet if you VPN into a powerplant and then terminal server over to the main control system.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:If the power grid is so vulnerable, why hasn't.

[cptdondo]

>

Yet it hasn't happened here or Western Europe or most modern Asian countries. Why?

Well, at least where I work, we no longer allow modems to be attached to any equipment. This is a huge cost item; that means we have to fly in a tech with a laptop for several thousand dollars when something goes down instead of allowing the factory to dial in on their modem.

We choose to do this as we are a "major" target - a medium sized public utility. I would guess many of the smaller utilities don't have the resources to do this. So it's a question of targets; if someone was to study the network, they could identify a weak small utility that could bring down a larger utility that would then cascade to a major failure down the line. I'd guess it hasn't happened because the outcome is uncertain and not guaranteed; our operators are pretty damn good at taking care of upstream failures.

Wayyyy OT but...

[Maestro485]

Learn the lesson: You can't trust the greedy to run critical infrastructure.

Kind of makes you wonder why health care isn't considered critical infrastructure.

(I know this is way OT, but that quote made me think. I never thought about health care being "critical infrastructure" before. If health care was treated like electricity or gas we wouldn't need all this goddam political drama.)

Mod away!

Re:Wayyyy OT but...

[Scrameustache]

Learn the lesson: You can't trust the greedy to run critical infrastructure.

Kind of makes you wonder why health care isn't considered critical infrastructure.

(I know this is way OT, but that quote made me think. I never thought about health care being "critical infrastructure" before. If health care was treated like electricity or gas we wouldn't need all this goddam political drama.)

Mod away!

Yeah... hard to find a leeway to "hackers will doom us all" in there, but I agree. Society needs to have ways to ensure that what it needs will stay available.

I find that a mix of free enterprise and government oversight is the best approach. If you go all government, it gets bogged down, if you go all free market, it gets pilfered.

Honestly, does this still work?

[MattGWU]

McConnell adds that a similar attack to the one in Brazil is poised to take place on US soil and that it may take some horrific event to get the country focused on shoring up cyber security. 'If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation. I hope we don't get there.'"

"That's an awfully nice power grid you've got there. Be a shame if something were to happen to it. Maybe you should look into some security. Before it's too late."

Another allegorical bogeyman to add to the list of things about to destroy everything we hold dear. This whole 'scare us into action' thing is getting tedious. Is it a sad look into our current state of affairs that people in charge don't seem to think we can be reasoned with on an intelligent level to the point where they have to take a page out of "ACT NOW!! Call within the next TEN minutes or you may miss out! Operators are STANDING BY!" book of marketing? Hey, guess what.....you NEVER miss out! They just want you to *CALL NOW* because they don't trust your lazy ass will remember by the end of Springer. You ever have to listen to daytime TV for a day or two? I did when I was painting the hallway outside an elderly gent with failing hearing apartment and let me tell you, if you listen to the ads a certain way, those guys do NOT take a very high view of their target demographic. But it must work, like so many things, or they wouldn't do it, and our government wouldn't sit up and take notice. On the other cynical hand, if we're all such panicky idiots, shouldn't they space these things out more? Getting a backlog of nonspecific stuff I'm supposed to be terrified of.

Finally, can a 'cyber-terror' attack be 'poised'? "Hacker Leader, the attack is poised and ready." "Good work, all that's left is to press 'enter'. When the time is right. Which isn't for a while. I don't know when, just not now." "Cool. Halo?" Then...how do they know? "Security Leader, there have been numerous probes and break ins around the periphery of the power grid system. What should we do?" "Nothing....yet...." "Cool. Madden?"

If we know an attack is 'poised' we know that something happened that presumably is being used to stage some larger event when the Hacker Leader and his Evil Hackers get bored of playing Halo. In the meantime, put down Madden and upgrade that OpenSSL or reimage that box they were poking around on (and THEN upgrade that OpenSSL or whatever it was they used to get in). The general public, of course, don't know this, so the scare tactic works, and for some reason, we as a society have grown rather accustomed to people talking down to us and trying to appeal to our better judgment through nonspecific threats of bad things that are about to happen.

I disagree with the military... I am brazilian...

[jorlando]

The blackout in 2005 was a human failure. One transmission line went down, the team recovering that line made a mistake and instead of activating the repaired line disabled the backup line. Result: 3 states withou electric power.

The blackout in 2007 was due a circuit breaker shutting down one line, the same happening after in the backup line, that could manage the excess load (this happened during peak hours, 5 p.m. during a working day).

Ok, these are official explanations and the blackouts may have been caused by evil hackers but, in this case, the brazilian government made an excelent job holding that information for years, leaking now thanks to an american former military that may have some vested interest spreading fear.

2 cents..

Re:If the power grid is so vulnerable, why hasn't.

[blueg3]

The systems are vulnerable compared to their value. They're still not easy to take down -- but they have egregiously poor security compared to how important it is that they remain working.

fff

Show Your Memories with Your Favorite Chuck Jones Characters
 
Sponsored by Chuck Jones Galleries

fff

Predicted. In '79. By a Nixon administration felon

[LandGator]

http://web.archive.org/web/20060221022525/http://www.liddyshow.us/mustread11.php Read that, and tell me GGL didn't have a functioning brain cell or two.

Re:If the power grid is so vulnerable, why hasn't.

[cetialphav]

Yet it hasn't happened here or Western Europe or most modern Asian countries. Why?

Because no one has tried to do it. My car has never been stolen. It is not because I have a super secure system on it; it is because no one has tried. Anyone who knew what he was doing, could drive off in that thing in 30 seconds. On September 10, 2001, many people would have said that if our planes were so vulnerable to being hijacked and being used as missles, how come no one had done it? After all, Al-Qaeda had been attacking us in various places for years.

I would imagine that there are governments that have the knowledge and capability to launch an attack on our infrastructure, but there is no reason to do this. The US is a major trading partner with everyone who would have this capability so there is nothing to gain right now. There probably are not a lot of non-government groups that have the knowledge and capability necessary for this kind of attack, but that might change one day.

The US should only be accessable by the US

Here is a clue. Put up a firewall and only allow access to US addresses by US addresses. It's not perfect, but outsiders would definitely have a harder time accessing the systems. GeoIP (xtables-addons) and iptables, it's what I use, and I'm not in charge of the grid.

Slashdot is slow

[michaelhawk]

I've seen these stories floated on other sites for days now.

INFRAGUARD

[dziman]

http://www.infragard.net/

"InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the FBI and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. InfraGard Chapters are geographically linked with FBI Field Office territories. Each InfraGard Chapter has an FBI Special Agent Coordinator assigned to it, and the FBI Coordinator works closely with Supervisory Special Agent Program Managers in the Cyber Division at FBI Headquarters in Washington, D.C.

While under the direction of NIPC, the focus of InfraGard was cyber infrastructure protection. After September 11, 2001 NIPC expanded its efforts to include physical as well as cyber threats to critical infrastructures. InfraGard’s mission expanded accordingly."

Bruce Willis will sort it out

[Bazman]

Or has nobody here seen Die Hard 4?

Re:If the power grid is so vulnerable, why hasn't.

[jeffstar]

it's really quite impressive that the grid stays up as much as it does. there is a trade off between cost and uptime, it is probably an exponential relationship and we're already at 99.9999% uptime, so how much more is that extra .0001% worth?

Not the first CyberWar attack --- won't be last.

[PGillingwater]

This certainly isn't the first Cyber War attack. I've written about some of these attacks in my blog, http://security-risk.blogspot.com/. Here's an extract:

        * In 2004, Thomas C. Reed, an Air Force secretary in the Reagan administration, wrote that the United States had successfully inserted a software Trojan horse into computing equipment that the Soviet Union had bought from Canadian suppliers. Used to control a Trans-Siberian gas pipeline, the doctored software failed, leading to a spectacular explosion in 1982.

        * Crypto AG, a Swiss maker of cryptographic equipment, was the subject of intense international speculation during the 1980s when, after the Reagan administration took diplomatic actions in Iran and Libya, it was widely reported in the European press that the National Security Agency had access to a hardware back door in the company’s encryption machines that made it possible to read electronic messages transmitted by many governments.

        * According to a former federal prosecutor, who declined to be identified because of his involvement in the operation, during the early ’80s the Justice Department, with the assistance of an American intelligence agency, also modified the hardware of a Digital Equipment Corporation computer to ensure that the machine — being shipped through Canada to Russia — would work erratically and could be disabled remotely.

Re:If the power grid is so vulnerable, why hasn't.

Because Joe Sixpack would realize it and demand that said systems would be made secure.

The blackhats don't want to do major havoc yet, for fear that businesses get a clue and airgap the juicy stuff. Instead, the clued crackers are just waiting for a more apt time to strike.

One possible thing that can happen is the outages would be combined with a military action by another country. An example would be a massive power outage in the US as you describe, then China immediately "annexing" Taiwan. By the time the US fixes the power mess, Taiwan would be completely occupied, and I'm almost certain that the US won't risk a nuclear exchange for it, no matter what treaties are in place.

Re:If the power grid is so vulnerable, why hasn't.

[RAMMS+EIN]

Because security through obscurity actually does work.

If all security vulnerabilities anywhere affecting the grid were publicly known, I am pretty sure we'd see outages more often. Forget malicious attackers, there are misguided souls who think this kind of thing is fun.

Of course, if these vulnerabilities were publicly known and being exploited, they would also be addressed.

As it is, my money is on "it's not secure, but the people who know the ways in aren't talking, and are ethical enough not to exploit the system themselves." That's how security works almost everywhere I've been to.

Anonymous Coward

From the OP : "We need to change their motivation so that when see vulnerability like this, we can require them to fix it."

This is why public utilities should be just that, public, and operated for the public good, not private profit.
Then the motivation would be the default, not economic sanctions or penalty.

Re:If the power grid is so vulnerable, why hasn't.

And I'd wager that hacking the power system is probably a decidedly less resource-intensive activity than even small-scale physical attacks

I'll take that bet. Hacking a power system is decidely more resource-intensive & technologically challenging. This is the real-world, you can't hack a gibson while getting your nuts licked.

"Hackers?"

[oPless]

Oh wait ... you mean *crackers*

Gotchya!

Government interference

[miketheanimal]

When oh when will people realise this is the sort of government interference that is simply not needed. This is exactly the sort of problem that the free market will resolve. If this sort of attack ever happens, people can simply vote with their dollars and buy their electricity from another supplier. Then the generating and distribution companies will actually have to do something rather than get away with claiming that they are doing something.

Re:If the power grid is so vulnerable, why hasn't.

[VShael]

Yet it hasn't happened here or Western Europe or most modern Asian countries. Why?

Because the enemies you keep hearing about, are neither as a numerous nor as powerful as your government would like you to believe.

It suits the agenda of those in power, to have a public who are so shit-scared about terrorists, that they will accept any indignity, any intrusion into their lives, any loss of freedom... just to make the terrorism fear go away.

Re:If the power grid is so vulnerable, why hasn't.

[dkf]

We choose to do this as we are a "major" target - a medium sized public utility. I would guess many of the smaller utilities don't have the resources to do this.

OTOH, a smaller utility is more likely to be physically located close to the systems they need to maintain, making access that way less of a problem. It's the medium-sized utilities that have the real problem; they're geographically distributed and big enough to be "interesting" targets, but not so large that they've already taken proper steps to lock things down right (e.g., they might not have a full time digital security office).

Whether the utility is public or private makes little difference here, other than to the reasons for not running things as well as they should. The net effect is about the same.

Can someone tell me why ?

[Latinhypercube]

Can someone tell me why would anyone want to hack a power station ? Fun ? War ?

Re:Can someone tell me why ?

[cheros]

Damage for whatever motive. Economic, to cause damage to local economies by, for instance, causing food supplies to defrost or for industries to fail or as the result of blackmail that didn't work, revenge to get back to some neighbour, council or government or plain malice like people breaking windows and spraying graffiti.

The problem is that there is still SCADA kit out there that can be disabled with one single network packet and it will then fail in an undetermined state (you can't predict how it will fail). The problem with those devices is that you can't reset them by simply resetting them - most of them need reprogramming before they will work again. In addition, over time some bright spark (pardon the pun) came up with the idea to switch the base OS for those control systems from Unix to Windows, and it's only been over the last few years that anti-virus was finally an accepted add-on.

In some cases, network gateways perform the anti-virus function so the original installaion is left untouched as it works and is stable. That does, however, leave an insider threat risk - any engineer with an unclean laptop can accidentally nuke the plant..

Build it and they will come? (n/t)

Build it and they will come?

Re:If the power grid is so vulnerable, why hasn't.

[ext42fs]

For the same reason why there's still no massive MS-windows PC destruction: to control them has more value than to destroy them. And how would you brag about such an act of vandalism without getting into trouble?

"False flag" operation?

[Type44Q]

Numerous posters have already pointed out how easy it would be to make these systems more secure, so easy in fact that it's a non-issue. My instincts tell me that this 'hacker attack' was a false-flag op; anyone know if the Brazilian government's been making the same efforts as ours to justify increasing their control of the Internet?

Re:I disagree with the military... I am brazilian.

[seaton+carew]

You may well be right.

This is the first time I've heard any major outage blamed on "hackers".
Ususally such blackouts are caused by combination of lack of investment and/or lack of knowledge (but that's another argument).

Is there any evidence whatsoever that hackers were involved?

Multi-level security desktops

However, the HR system ends up getting connected to the Internet so that people can fill out their time-cards, etc. Unfortunately, the HR systems are on the same intranet as the control system. So, once an attacker has subverted the HR system, he/she has access to the control system. The only good solution is to run multiple intranets, but this seems rarely to be the case.

Multilevel security (MLS) is here today and works in many situations:

http://en.wikipedia.org/wiki/Multilevel_security
http://blogs.sun.com/Stephen/entry/trusted_jds_screenshots

Just because your low-security network has been compromised doesn't mean it has to spread over to your high-security network.

Re:this really a 2012 paln to save the power grid

Terrence McKenna just broke mach three in his grave.

Why have these systems on the internet?

[kannibul]

Such a simple solution...keep at least 1 staff person there (3 shifts) and have a computer that connects their desktop system to where-ever it needs to go - but leave the systems that manages the critical systems off the internet...100% hacker proof. There is plenty of room in a profit-margin to employ someone to sit there and watch a screen.

Re:Why have these systems on the internet?

[kannibul]

Sorry, minor clarification - keep the systems off the same network as their desktops - I realize there is a trend towards IP-based management, but, in that instance, it's pretty simple - keep the networks seperate. Sure sucks for doing RDP to a desktop-controller computer, but, for the sake of security and "insurance" against unauthorized access, it's the best method.

Re:If the power grid is so vulnerable, why hasn't.

[kannibul]

There was an ice storm here in Oklahoma a few years ago. Power gone for 3 days for a few people, up to 3 weeks for some unlucky ones. Most averaged around a week without power, in the middle of winter. From what was reported, there wasn't any increase in crime. Everyone was screwed, criminals too. After the batteries ran out for cell phones (towers too), there was little to no communication. The worst things that happened were people stealing generators left unattended. There was a lot of tension "in the air" at places that did have power, but, in the end, it was calm, quiet, and pretty damn boring.

Fashion from here,nike jordan shoes,coach,gucci,

[huangzhixian1204]

In order to meet the Thanksgiving holiday, this site hereby release Thanksgiving gift, that is, gift, our web site is http://www.coolforsale.com/ [coolforsale.com] [coolforsale.com] Nike Air Jordan(1-25)/Jordan Six Ring/Jordan Fusion/Nike Shox/Air Max/AF1/Dunk shoes, coach,gucci,lv,dg,ed hardy handbags, Polo/Ed Hardy/Lacoste/Ca/A&F ,T-shirt welcome new and old customers come to order.

joy oh joy

[CHRONOSS2008]

my account is still here
OH well
any MORON that puts govt sensitive data, controls of ANYTHING near on or accessable to the interent deseves to get it slapped
in fact deserves to get the man in charge slapped

fucking noobs

cyber bullshit ..

[viralMeme]

There is little hard evidence in the 'report' as to what caused these outages in Brazil. And given that since at least 2003, the US administration has been well aware of the dangers of putting control equipment on the Internet, why are they still doing it? This whole cyberscare story is yet another pretext for getting more funding.

Authorities blame human error for Jan.1 blackout - Brazil

A power cut .. was caused by a combination of technical and human error .. when two of the four lines running from the Cachoeira Paulista substation - between Sao Paulo and Minas Gerais states - to Rio de Janeiro failed. A third line was switched off because of the low consumption on what was a public holiday, and the system operator accidentally disconnected the fourth line

Re:cyber bullshit ..

[rodrigo1979]

Wired story reports blackout was caused by sooty insulators, not hackers http://www.wired.com/threatlevel/2009/11/brazil_blackout/

Re:If the power grid is so vulnerable, why hasn't.

> Forcing the grid offline and in a way that kept it down/brain damaged for any length of time over 48-72 hours, especially if it was widespread, would have such a cascading effect and probably spawn anarchy. At a minimum billions lost, thousands killed, possibly riots or widespread civil disorder. Katrina times 9/11. So the effect would be substantial and easily deniable, making it the kind of thing China or Russia or any other competitive major power might want to do just to fuck with the Americans and keep them off balance.

Not at all. We had a roughly weeklong poweroutage in northeastern NA. You know what happened? I listened to some radio, had something nice to drink, and enjoyed the first really nice night sky from my balcony. Sure, things were a bit of a mess in terms of getting gas, access to bank accounts, the lack of water, etc. But overall, people had positive things to say about it.

Former military are persona non-grata to me

[e-scetic]

Former generals and admirals receive their talking points from the Pentagon and White House.

If you believe McConnell, you're a first class sucker of the message machine

Re:If the power grid is so vulnerable, why hasn't.

[cdrguru]

In rural and suburban areas, this can work. For 500 people in an apartment building with no heat and nowhere to connect a generator, this means probably 400 people die. Multiply by the number of apartment buildings in Chicago, New York or Boston.

Modern cities do not do well without electricity, as was shown as far back an 1965.

Does that mean local terrorists like Enron also?

How can they protect against US traders who game the system like Enron did?

http://www.marketwatch.com/story/enron-caused-california-blackouts-traders-say?siteid=mktw

Phantom congestion

"What we did was overbook the line we had the rights on during a shortage or in a heat wave,'" one trader said. "We did this in June 2000 when the Bay Area was going through a heat wave and the ISO couldn't send power to the North. The ISO has to pay Enron to free up the line in order to send power to San Francisco to keep the lights on. But by the time they agreed to pay us, rolling blackouts had already hit California and the price for electricity went through the roof."

Only idiots down coms in an emergency

In an emergency you want more, not less communications. More people will be killed by not being able to communicate then ever will by some stupid policy to shutdown communications emergency. Even if the "bad guys" are using the coms to coordinate.

Notice that only the people with "assured communications" ever put this forward as a good strategy. But guess what, your wives and children will not have access to the "safety radios" and they will be SOL.

redundancy

[delvsional]

In areas that are cold enough to require heat to survive, Electricity is not allowed to be the only source of heat. You must have a backup such as propane or a woodstove. I'm not sure but I think its part of building code. If you think people are going to die from the cold, you, like the congressman, are misguided.

So, that's where inspectors come inbetween ...

[freaker_TuC]

.. for all mission critical systems, atleast a periodic inspection could do wonders ..

I've finished studying in electrical systems myself and got an extensive background in the ICT sector, also around security. I can't blame anyone to not be fully integrated with the newest technologies. Only for programming PLC controllers there are different softwares over the years which technicians have to deal with, where system security wouldn't be their cup of tea but rather of someone who knows what he is doing.

Next to that, the market sells small embedded devices, which could easy be integrated in existing infrastructures firewalling the entire network off the mission criticol network..

Why exactly DOES a mission critical circuit need to have access to the Internet in the first place? I've mentioned it before on another site; would you like to have your pacemaker hooked up over the Internet? Would you feel safe with that ?

Brings me back to my opinion, inspectors could come inbetween and professional twained people (maybe a nice bloom in the IT industry there?) could fix where things need to be fixed, else these systems should not be considered safe.

NOT

[klui]

http://www.wired.com/threatlevel/2009/11/brazil_blackout/

Cause was bad insulators according to Brazilian government regulators.

But I'm sure US government officials will say it is possible and they'll need an internet "patriot" act real soon or else the sky will fall.

Re:NOT

[NeoStrider_BZK]

prophetic: We faced a new blackout yesterday. Almost the entire country got dark (and some parts of Paraguay too - as usual, we screw it big time with them) and then again there was a talk about hackers. This always get me angry , but at least my sister got it right (she's a lawyer) even before I needed to explain anything.

Re:If the power grid is so vulnerable, why hasn't.

[Dresi]

In some countries the powerlines are used as intranet for the power companies. It is hackfree for the most part.

Re:If the power grid is so vulnerable, why hasn't.

Yet it hasn't happened here or Western Europe or most modern Asian countries. Why?

For the same reason there have been no suicide bombings in the US.

Scary, huh?

Re:I disagree with the military... I am brazilian.

[jorlando]

No. There is no evidence of hackers attacking the grid. The only news regarding that hyppothesis appeared only after the CBS article.

By the way, yesterday (oct-10) around 10:30pm there was a new blackout affecting the brazilian south western states.

Again the same stations from Furnas (the electricity transmission company for the region) were affected. These stations use capacitor banks from ABB and are (were?) the only of this kind in the world for 735kV.