Slashdot Mirror
Massive Power Outages In Brazil Caused By Hackers
Hugh Pickens writes "CBS reports on 60 minutes that a massive two-day power outage in Brazil's Espirito Santo State affecting more than three million people in 2007, and another, smaller event in three cities north of Rio de Janeiro in January 2005, were perpetrated by hackers manipulating control systems. Former Chief of US National Intelligence Retired Adm. Mike McConnell says that the 'United States is not prepared for such an attack' and believes it could happen in America. 'If I were an attacker and wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer,' says McConnell, 'I would probably sack electric power on the US East Coast, maybe the West Coast and attempt to cause a cascading effect.' Congressman Jim Langevin says that US power companies need to be forced to deal with the issue after they told Congress they would take steps to defend their operations but did not follow up. 'They admit that they misled Congress. The private sector has different priorities than we do in providing security. Their bottom line is about profits,' says Langevin. 'We need to change their motivation so that when see vulnerability like this, we can require them to fix it.' McConnell adds that a similar attack to the one in Brazil is poised to take place on US soil and that it may take some horrific event to get the country focused on shoring up cyber security. 'If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation. I hope we don't get there.'"
Probably impossible.
As we all should know by now, impenetrable security doesn't exist. What we should probably have is tighter backup power for essential services and places like hospitals, where local redundancy could help in the face of a remote 'hacker' type attack
Places where there is a lot of danger for people without electrical power don't need billions spent on the security of their power systems. They need redundancy, generators in their buildings that could be used to keep people alive, batteries, and common sense.
Oh well, let's spend a bunch of money on fear like we always do.
Long live the BSD license
Who thought it would be a swell idea to to hook the grid's computers to the INTERNET?
Did someone surf some pr0n sites on the Win98 powered control computer down at the power plant?
I have to return some videotapes...
Things like this make me wonder why mission- and life-critical systems are (presumably) set up on Internet-facing systems. Sure, it's cheap, but when the walls come tumbling down like this article implies, cost is a moot point.
I don't see why they can't just buy a phone line for each power station and link to central stations (also with NON-Internet-facing systems) like that.
Most systems here in the US are only secure because they're obscure. Someone who has worked in the industry for more than about a year has enough knowledge to cause some widespread destruction. Up until recently, the emergency broadcast service was only a phone number and modem, with no authentication!
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Yes, of course! The government has already taken over the banking sector, the mortgage sector, the automotive sector, is about to take over the healthcare sector, so fuck it - the government may as well take over the energy sector as well. I can't wait until they take over food distribution - I've always wanted to know what it's like to stand in line for a loaf of bread all day.
I am not a fan of government intervention either, nor do I like what was done with banking and automobiles. Having said that, this isn't what is being proposed here. If the electric utilities must comply with laws mandating that they meet or exceed a minimum standard of security, this would be much more like the way local Board of Health requires that restaurants handle food in ways that prevent food poisoning. The Board of Health does not own the restaurants and it does not choose their management; it just periodically inspects them and can shut them down if there are egregious violations. Something similar could be worked out for the power companies when it comes to security.
It is a miracle that curiosity survives formal education. - Einstein
If they won't integrate safety systems to protect the system properly from hacker attacks, hit them in the wallet, hard. Pass sound regulation to force them to implement safeguards, require inspections/audits that they are done, not just take their BS word for it.
Yes, of course! The government has already taken over the banking sector, the mortgage sector, the automotive sector, is about to take over the healthcare sector, so fuck it - the government may as well take over the energy sector as well. I can't wait until they take over food distribution - I've always wanted to know what it's like to stand in line for a loaf of bread all day.
The great blackout of 2003, which took out the north east united states and a good chunk of ontario, was caused by deregulation (removing the requirement to clear the branches around the power lines).
Quebec, which has state-owned power (Hydro-Quebec) was not hit hard by that blackout, because it keeps its grid out of phase with those dangerously unregulated parts around it.
Learn the lesson: You can't trust the greedy to run critical infrastructure.
You can't take the sky from me...
Because the remedy for bad speech is more speech. Censorship is never justified. If a post gives you the vapors, stop reading it. A free society is one where it's perfectly fine to stand on a soapbox and make a fool of yourself. I'd like Slashdot to stay as free as possible.
Up until recently, the emergency broadcast service was only a phone number and modem, with no authentication!
The CATV company I work for had a crazy insecure ebs system. It was these ancient boxes in the head ends that just watched for a carrier on a certain freq in the return path. Once it saw any carrier it would flip over the EBS system and all the audio on our analog channels would go down. This carrier came from another dumb box that was in the main head end. That box was triggered by a unsecured phone line and all you needed to do was know the number to it. All anyone needed to spam 250K customers was a telephone.
The whole system looked like it was built by some ham radio op with parts from RadioShack in the 1980's.
We only got rid of this system LAST YEAR after some prankster with a signal generator figgered out how to trigger one of the dumb boxes. We now have a new system with scrolling text across the screen and clear audio... though I wouldn't be surprised if it was just as half assed as the old system.
Im posting this AC because coworkers know my /. nick :)
Enron demonstrated that it was possible for a single employee to shut down a power station remotely, simply by calling the control centre from an Enron office, giving his name and position, and asking politely whether it would be possible for the plant to have an impromptu maintenance shutdown for a few hours please, and yes, he did appreciate that once it was shut down it'd take a while to start it up again.
That's how brokers caused the plant shutdowns that caused the brownouts that allowed Enron to gouge electricity prices in California, by charging for the emergency rerouting required to patch the problems that they'd just deliberately created.
So back in the Enron days, you wouldn't have needed two nuclear subs. Just one guy with a telephone, calling all the power stations in turn and asking each of them nicely if they could shut down at a predetermined time and go into "heavy maintenance" mode, but please not to discuss this with anyone else, because of company confidentiality (or because of security).
BTW, you know how you take out the conventional phone and mobile networks? You don't have to. Once the emergency services see the power stations going down and think there's a coordinated attack, they shut down all the public communications as a security measure. You get that for free. So the Employee tells the plant to shut down as a security measure because the NSA has tipped them off that Something Bad is going down, and for God's Sake not to power up again under any circumstances unless they get a particular codeword (which, of course, nobody else has). All the plants shut down together, a bunch of pre-programmed scare stories break on the net, this seems to support the tale that the employee told about there being an imminent security thing, the phone lines and media communications go dead, and by the time people have worked out what's happened, nobody can get through to the power plants to tell them that they've been conned. And when they do, they don't have the fake password. You then have the local power guys desperately defending their plant from the local enforcement guys who want to turn it back on, and perhaps even sabotaging it if they look like they're about to lose.
Telephones are dangerous things. Hopefully it wouldn't work nowadays, because people are more savvy about such things (and because they remember the Enron tapes).
Eric Baird
just because the hacker didn't have an UPS...
You hit the problem for today - the social engineering, how the command hierarchy works and that's much more dangerous than any "computer" virus or whatever. I have worked on nuclear power, stock exchange, banking (even Swiss!), military, public safety, hospital, etc environments and they used to have "fail safes" against this kind of problems - now, today, those "fail safes" are often disabled because of business, profits whatever? And it's scary!
Enron couldn't be possible 20 years ago, at least not in environments, countries and corporations I was working at that time, too tight security / control but today?
Anyhow, back to the original subject, the technology is there - it was there in 80's when I was involved to some nuclear / power control systems. Is the knowledge / will there today is another question. Almost seems that this "maximizing profits" is even accepting the problems (for public) as long as the business can make more?
The blackout in 2005 was a human failure. One transmission line went down, the team recovering that line made a mistake and instead of activating the repaired line disabled the backup line. Result: 3 states withou electric power.
The blackout in 2007 was due a circuit breaker shutting down one line, the same happening after in the backup line, that could manage the excess load (this happened during peak hours, 5 p.m. during a working day).
Ok, these are official explanations and the blackouts may have been caused by evil hackers but, in this case, the brazilian government made an excelent job holding that information for years, leaking now thanks to an american former military that may have some vested interest spreading fear.
2 cents..