Slashdot Mirror
How Vulnerable Is Our Power Grid?
coreboarder writes "Recently it was divulged that the Brazilian power infrastructure was compromised by hackers. Then it was announced that it was apparently faulty equipment. A downplay to the global public or an honest clarification? Either way, it raises the question: how vulnerable are we, really? With winter and all its icy glory hurtling towards those of us in the northern hemisphere, how open are we to everything from terrorist threats to simple 'pay me or else' schemes?"
I have always believed that if something is networked, it can be subject to unauthorized access. I hope I am wrong.
"I'm just here to regulate funkiness."
Hijacking the power grid and forcing entire states to pay ransom or suffer brownouts? Such a thing has never happened before!
http://en.wikipedia.org/wiki/Death_Star_(Business)
Suppose someone holds the nation's power grid hostage and then wants payment? So, why doesn't the government simply pay them, then track them down for assassination and release photos of their bullet ridden corpses? Would certainly discourage any copy-cat crimes. Somali pirates too.
Just a thought...
Speaking of Brazilian power failures, Brazil had another major power failure yesterday. Power from the Itaipu dam was cut off, which apparently put millions of people in the dark as it generates something like 14GW. Itaipu blames the Brazilian grid, meanwhile Brazilian officials aren't sure what it was, but are protesting any idea that it was sabotage/hacking. Paraguay and Uruguay also get power from Itaipu and were similarly affected.
http://www.cnn.com/2009/WORLD/americas/11/11/brazil.blackout/index.html
Please let me know from what nationality a poster to Slashdot actually believes his is the only one represented on this website..
A bigger threat than terrorists is arbitrary government restriction on competition in the electric grid, which is what led to the rolling blackouts in California.
In any case, this winter could be bad - probably a good time to get a generator.
than the current local power monopolies? We are already in a "pay me or else" scheme which threatens lives and leaves us with this vulnerable infrastructure in the first place. And, unlike the "terrorists", the power companies have the cojones to stand before Congress and admit the control systems are vulnerable, the transmission grid is old and failing, the expected load in the next 15 years can't be handled and then claim its not their problem, its too expensive and the government needs to pay for it. As if they aren't taking enough on the front end from the consumer, they want more off the back end too.
Sickening.
I don't know about the connectivity of power stations/substations, but I've seen quite a few that appear very vulnerable to physical damage by virtue of location (eg. Not enough space between fence and components, or down an embankment from a quiet unlit street. Seems like it wouldn't take much more than a steel bar and a good arm to cause some pretty spectacular fireworks and a whole lot of repairs.
http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003
If we can't get a reliable grid even without thinking about terrorists and hackers, then how secure do you think it could be? If one link in the chain can cause a widespread blackout, not very secure at all.
I've been living in São Paulo for over 9 years. I was without electrical power for a few hours last night.
The timeline on this is pretty entertaining. On the 7th, there were a bunch of stories saying the 2007 blackouts in Brazil were caused by crackers (the articles say "hackers"). On the 9th, there were strong denials all around, accompanied by stories saying that no, the 2007 blackouts were caused by "sooty insulators." On the 10th, Brazil suffered a blackout much worse than the ones in 2007. That looks to me like crackers saying "sooty insulators? We'll show you sooty insulators!"
By the way, power failures are normally abrupt, but the one last night was not. I usually go from lights to no lights almost instantaneously, but last night, the lights were flickering for a while. After a few minutes, I thought it was going to stabilize, because my compact fluorescents stayed on while my UPS beeped a lot to tell me it wasn't getting enough juice. The larger fluorescents in the kitchen couldn't start, but the compact fluorescents gave me some light in the living room.
"It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
I'm writing from the UK, so no matter what happens to *your* power grid, it won't affect *our* power grid.
Before you can get a sensible answer, you need to learn to ask a sensible question.
In any event, *your* power grid has already proven to be incredibly vulnerable to everything from single points of failure to social engineering for profit (Enron) so, quite frankly, worrying about the vulnerability of *your* power grid to hacking is like wondering about the vulnerability of a shiny new laptop left unattended on a car front seat to hacking... you have other issues to need to address first.
It is like wondering how vulnerable *your* road bridges and infrastructure are to hacking, while completely ignoring the fact that they are falling down by themselves due to lack of maintenance.
http://slashdot.org/~GuyFawkes/journal
we need justification to nationalize the power company's.
Sure they could just impose standards like they do with handling waste material and safety. But the government just simply knows better. hence they must seize them so they can run them better then the evil private sector that just wants to expose the public to avoidable hacker attacks and black outs.. which will cause pandemic size deaths in the heat of summer.....
please take note i have a hint of sarcasm in here
...I would also be very worried about the fact that you use suspended power wires even inside many of your larger cities (check out Miami, f.e. - sheesh!), as opposed to dug-down cabling. In the particular country I live in (one of the scandinavian ones), there isn't a single suspended wire in any city, outside the fenced high-voltage transformer station areas. Havoc can wrought inside city limits, without an arsenal, in ways easier than hacking your grid.
Most countries in South America [leaving more advanced countries like Brazil and Uruguay outside the group] are plagued by inneficient mantenaince and/or corruption so inspectors turn a blind eye at problems. In Argentina, in any warmer-than-usual day the power fails in highly populated cities. Or someone steals some kilometers of high-voltage copper cable trasmitting enegy to those places. It is almost normal.
If you believe in gun rights then you support terrorism in the US
Could someone please mod down this flamebait moron?
The lower 48 CONUS actually has 3 power grids, not just a singular grid. They are the:
Yes, Texas *is* like a "whole 'nuther country", it even has its own separate power grid.
Who are you talking to? Even if slashdot is physically hosted in the US, its the middle of the night there. We're all over here right now:
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=europe&sll=37.0625,-95.677068&sspn=22.094127,56.513672&ie=UTF8&hq=&hnear=Europe&z=2
Global village etc. Get with the times.
It's easy to secure everything. Put security checkpoints on every bridge, tunnel, road, port, airpot, intersection, everywhere. Have bio-id issued and tagged to everyone and everything who is circulating or communicating with any national device, entity or person. Require this bio-id of all interchanges of all kinds. It worked fairly well in the USSR, and they had only papers and radios. If that's not in your script for the future, well, otherwise, the other best option is to invest in education.
Build your own energy sources from scratch. http://otherpower.com/
Speaking as a controls engineer for a major utility contractor, the control systems for power plants are completely isolated from the internet... it's common sense. There are security consultants out there feeding FUD to the public about the vulnerability of these control systems to viruses planted (either knowingly or unknowingly) by plant personnel. Well, if someone had intimate knowledge of the software AND close ties to the operators AND really thought that bringing down the plant would be a good way screw everyone over, despite the fact that when things go wrong, all valves and systems return to a fail-safe position, AND once the software was re-installed, everything is easily restarted...
Yeah, I guess it could happen. As far as the grid is concerned, I'm *guessing* that a lot of people were influenced by the same method of thinking.
Look, if anyone really wants bring down the power grid, we should be worried about a physical attack WAY more than an electronic one. I just can't conceive of how our systems are as vulnerable as people say they are.
If you believe in gun rights then you support terrorism in the US
Go fuck yourself.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I would say that threats to the power grid tend to be overstated.
a) Power grids in the USA are regional affairs, so, the worst that can happen is one section of the country might get whacked.
b) Power companies frequently operate their own private physical networks for control... at least, that's the way it was in the early 2000's when I was into it. Our company had built their own private fiber optic loop.
c) Extremely critical stuff is done with a phone call by people that know each other. Like, "turn the generator off", is something done not so automatically.
d) There are loads of incompatible stuff out there in the field for remote control and SCADA. So, if you could go out there, and tell every customer to turn off all their equipment, remotely, you'd be so rich from just building a product that could do that, you would not want to go to jail, when you could be a billionaire. Just reading a power meter has dozens of protocols, formats, etc, and many of them are actually just wired up with a dumb phone line.
It's not impossible, I'm sure.. but, its not like hacking into a machine knowing that its running either Linux / Apache or Windows / IIS and going from there. All these pieces of embedded equipment have their own stuff, and the knowledge tends to be very specialized.
This is my sig.
Ice storms can often make tree branches break onto powerlines and in extreme cases have put enough ice on the power lines themselves to make them sag to the ground and bend telephone poles. Missouri and Oklahoma, a couple of years ago had one of the worst ice storms in 20 years. Followed by a few days of serious work to repair them and almost a year worth of clean up from all of the destruction that the ice made. Looking at the scene after the event it looked like a hurricane had hit. I doubt America is in big trouble. There is no way to mount a serious DDOS attack without removing anonymity and making yourself a target by physically connecting to the grid. Americans can deal with a few days of power failure. Nature itself has already put us in a position to be ready for grid failure.
Why do everything have to do with terrorists? It's ridiculous from an outsider's point of view, especially after the point has been made over and over again ad nauseam.
And you can as well mod me -1, Un-American if you wish.
Colorless green Cthulhu waits dreaming furiously.
The Brazilian power grid is *our* power grid to many posters
If you believe in gun rights then you support terrorism in the US
Although this is flamebait, it's not entirely untrue. It is however an argument in favor of personal gun ownership in my book. You know how they call suicide bombers cowards and terrorists? Well, I call cruise missile launchers cowards and terrorists. Terrorism is just a word, and it's basically used by governments to describe the only type of military attack remaining to a disadvantaged group. If you can afford to launch a cruise missile and blow someone up 2,000 miles away then you're the dominant power, but if you have to strap explosives to people then you're the terrorists.
The standard argument for gun ownership is that an armed populace is the only possible antidote to fascism. It applies here, as well. It's pretty hilarious that you're going on about this so soon after Guy Fawkes day. Were you saving it?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you believe in gun rights then you support terrorism in the US
That one is going to let some Al-Qaeda people confused.
If you believe in free speech then you support racism.
If you believe in freedom of sexuality then you support paedophiles.
If you are against the death penalty, you're a communist.
If any of the above seem reasonable to you, do your country a favour and continue to not vote.
Finally had enough. Come see us over at https://soylentnews.org/
I live in brasil, never heard anything about cracker being responsible for the blackouts in espirito santo in 2007. to tell the truth, the first time i heard about it was on the web a few days ago, reading blog posts about the 60min report.
the minister of energy and the national system operator (the office that controls our power grid) already denied the "information" from the 60min show.
IMHO, it's just another piece of typical american fear-mongering, probably aimed at selling some incredibly expensive, over-complicated and completelly unecessary "technology" to the government.
more here (in portuguese).
disclaimer: estadão is a reliable, reasonably unbiased brasilian news agency.
What ? Me, worry ?
Didn't you guys get Obama's memo? There is no such thing as terrorism - only human-caused disasters. Please report to the Ministry of Truth (http://www.whitehouse.gov/) for sensitivity reprogramming.
You did not read carefully enough. There is still terrorism. There is no Muslim terrorism.
If the worry is about failure of the grid and how that will damage YOU personally - why don't you, in the Open Source Spirit - generate your own power?
Solar PV, Wind, even your own gas powered generator. Such will keep you in good stead when ice storms, high winds or even small airplanes take out the local power lines.
I live in Rio Grande do Sul, in a region where we have smaller power dams that supply more than enough energy for us to keep running without Itaipu, and I must say it was quite interesting to follow everything from here in real time. I was chatting with a friend of mine from Rio de Janeiro, and we were about to play some Mario Kart online, when suddently she sends me an SMS in 22:14 telling me "You're not gonna believe it, but the entire city of Rio de Janeiro has no energy. Even the Cristo Redentor doesn't have any light, and I've never seen that happen in my entire life!". A few minutes later she comes back online using her notebook and a 3G modem, retwitted the infos I sent her to her friends, and following my suggestion took a couple of pictures of what she was (un)able to see.
I then called her and she proceeded to tell me about how chaotic things were on the streets, that basically the traffic was jammed, all buildings nearby had people locked inside elevators and she could hear the cries for help, and until 5 minutes after the blackout all cellphone lines were jammed too. I then kept following the news on portal websites and Twitter and reported back to her in real time to let her know what was happening and how big things where, although she had already contacted friends throughout the country and kind of knew the places that were online and the ones that weren't.
I must say it was quite an experience to follow things in real time and inform someone right there about it, and I guess she was "thrilled" about it too, even though she's afraid of the dark. :(
Here are the photos she managed to take:
- http://img137.imageshack.us/img137/1382/foto1jm.jpg
- http://img81.imageshack.us/img81/5272/foto2b.jpg
If you believe in gun rights then you support terrorism in the US
It's pretty hilarious that you're going on about this so soon after Guy Fawkes day. Were you saving it?
The proximity to Guy Fawkes is totally coincidental. What I was pointing out is that you don't need any fancy high tech methods to take down the US power grid, all you need is some accurate shooting out of insulators in remote areas where no-one can observe you et voila one dead network in as fast a time as you can take 10-20 shots. And putting armed guards along the power grid in those areas is impossible,
Given the propensity of the US administration to declare various items as being the hallmarks of terrorism (IE liquids on planes) I was attempting to use sarcasm to point out the FUD of this whole situation. However I am saddened by the knee-jerk response of the kiddies who can't seem to think things through, and the fact that I feel like I actually have to explain my comment.
I am Slashdot. Are you Slashdot as well?
Can you imagine what the military would have done to one of their officers during the Cold War if they'd discovered that he had repeatedly tried to contact the Soviet embassy? Our leaders' suicidal embrace of diversity at any cost disgusts me.
Only recently has there been any concern whatsoever given to securing the thousands of SCADA links that monitor and control our electrical grid. The protocols are extremely basic, and anyone with a small amount of radio knowledge could easily override the point-to-point radio links commonly in use.
For instance, this substation used to have a tower with a microwave SCADA link to Dominion's control point. Combine that knowledge with a little public searching of the FCC site, and you've got the exact frequencies used. It looks like they've abandoned the 10GHz microwave links, but I hope they're using dedicated fiber and not internet-based VPNs or the 950 MHz transmitter that uses 2k00A2D modulation.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
If you don't believe in gun rights you support facism in the US.
I'd rather deal with a hypothetical lone nut than deal with actual Soviet style government.
Dude, if it wasn't for non-whites America's military would be what? 1/3 its current size? Diversity isn't just a nice option for keeping America strong, it's basically mandatory.
... here in NY our power grid is blown up by the trifecta of evil: Rats, Squirrels and Wind. If you want to spend trillions securing the infrastructure, make it rodent proof and bury it. (California is on their own -- the "bury it" idea doesn't work too well when the ground moves...)
/~mikeg
It has it's own power grid.
Yep. There has never been crime or terrorism where guns are illegal. Oh, wait...
China. THey not only make the equipment loaded with worms/virus, but have a massive firewall that operates TWO WAYs. If and when they decide to launch an attack on a country or group, they will simply turn their firewall on (which was made with equipment from their country), and then send out worms to deactivate any other firewall that they want to control. The west has taken an attitude that it will not happen, so security is a joke. The fact that the west depends so heavily on MS should speak loudly.
Most power companies have fiber on the high tension lines and their own network. I expect it (mostly) is not accessible from the internet. My concern is the hardware. A few years ago we had a major blackout because of the domino effect of one or two outages. All of the redundancy works in theory but there is no way to test it in the real world unless you have an outage. It's much like the datacenter outages, they never seem to be as redundant as intended.
We have a military so politically correct that when faced with persons that give presentations to upper echelon staff with phrases like "We love death more than you love life", does nothing. End result: 12 people dead, more injured.
We have the TSA that is so fearful of "profiling" people so they feel they must hassle white grandmothers while letting young Muslim men proceed to test the boundaries of airline security.
We have police that do not wish to be accused of "profiling" in any way, so basically give a pass to illegal immigrants driving without licenses while stopping and ticketing others. This continues even in the face of significant numbers of accidents caused by such illegal immigrants.
While it might be illegal to defraud Americans in America, it clearly isn't when it is being done from places like Bulgaria. So we have US-based registrars setting up domains for people with names like "citibank-online.com" and "ebay-online.com" when the purchasor is in places where law enforcement isn't going to bother them. And then we poor Americans all cry about how bank security is so lax. Unfortunately, all of the protections that work in the real world aren't being applied online, so it is easy to steal from people without fear of any consequences.
Face it, we're due for some trouble. If thousands of people die because someone takes out the power grid for a week it isn't because security is lax - it is because the people that are paid to handle security are looking the other way. Intentionally. And no, unlike the guy on 60 minutes when thousands die it will not be a "wakeup call" and everything is magically fixed. It is going to take a lot more than that.
I didn't realize that the world had a single power grid, "our" power grid.
If you believe in gun rights then you support terrorism in the US
Go fuck yourself.
indeed- right in the neck.
Criminals don't get guns legally, shit for brains.
Comment removed based on user account deletion
ComEd / Exelon had a dual grid in 2003 and has been building a lot more lines after that as well.
The system is interconnected, so the rest of the lines go down as a safety measure.
Itaipu is responsible for roughly 20% of Brazil's power, though we have many other plants (not just hydro) in stand by and pretty much all of them interconnected. What happened yesterday was a transmission failure that led to a shutdown. Different from 99, when the reservoirs were empty and there simply wasn't enough power.
No one really knows the cause of it yet, just speculations of two major lines going down.
Yesterday's blackout was pretty scary, nevertheless. I thought it was the aliens for sure, but thankfully the radios still work.
If you believe in gun rights then you support terrorism in the US
That one is going to let some Al-Qaeda people confused.
What I love is how it was a woman with a gun that took out the bad muslim terrorist haha!
Nice strawman. Did the GPP say that the military should only allow whites to serve? No. What the GPP did imply was that applying a racial quota system should not stand in the way of rooting traitors out from within our ranks.
Read the book by William R. Forstchen: One Second After about America after an EMP attack. Our grid (and all our semiconductors) are exceedingly vulnerable.
So, why doesn't the government simply pay them, then track them down for assassination and release photos of their bullet ridden corpses?
Human rights, maybe?
Posting anon since I've already moderated here.
I was also amused by the rabid response your comment generated. And I also think your overall point is valid - how is it that a country so obsessively focused on "security" allows assault rifles, sniper rifles, and other munitions meant strictly for combat to be sold over the counter with only the sloppiest of controls?
Let me ask, what's to stop another gang similar to the 9/11 bunch acquiring (easily and anonymously) a massive arsenal of assault weapons, and fanning out across the country in groups of 3 to target shopping malls during the holiday rush? With minimal planning, I could easily see that resulting in hundreds of deaths if not thousands. Remember, these guys don't care that you'll be prying their gun from the "cold dead hands" just as long as they managed to take several dozen sinners down beforehand.
Someone go ahead and help me through the "an armed society is a safe society" hypocrisy here, because I don't see it.
At the moment, there's a power struggle around Cyber Security in the Federal government. The consolidation of cyber warfare capability at the NSA is one aspect of that; the other is the desire by the NSA to get control over domestic cyber security as well, which officially (if ineffectively) resides with the DHS at the moment. As a result, there's a blitz of activity, largely headed up with McConnell, towards that end. I saw him speak at the NDIA Cyber Security Symposium in San Diego a couple of weeks ago, and directly asked him (after he gave a long talk saying nothing was being done about the security of the power grid...which is entirely false, as I'll describe below) about his observations related to the regulatory actions being driven by NERC.
So, let me explain that. NERC stands for the "North American Electricity Reliability Corporation." It is a cross-national organization responsible for making sure the lights stay on, basically. It regulates a wide variety of things, including the operation of Balancing Authorities, but the most important thing it does with regard to this news item is mandate IT security controls and measures for what are known as "Critical Assets." In other words, it works a little bit like PCI, but for the power grid. The requirements are known as Critical Infrastructure Protection standards, or "CIP Standards," and there are 9 of them. The penalties for failing to meet these standards are enormous; the standard fine is $10,000 per day per violation, and the max fine is $1 million dollars, USD, per day.
With fines like these, power companies are scrambling to meet these standards, obviously. I've been involved in efforts at several companies throughout the United States, at places where the efforts are of varying maturity and scale. But I have seen first hand that there is a LOT of activity around NERC, and even more pressure being put down on the utilities from NERC. Many companies have taken advantage of a loophole to state that they have no Critical Assets, but that loophole is being closed, and the CEO of NERC has issued a letter to the industry, basically calling the guilty parties out on their abuse of it. Meanwhile, I've seen many major power companies spending millions in the last year alone, working hard to get things in order.
So, it was astonishing to me to hear former DNI McConnell state that NERC wasn't doing anything except blocking when FERC (which is a U.S.-only regulatory body) wanted to make things more secure. Especially since FERC helped create NERC, and eagerly handed over authority to them, so that there'd be regulatory authority across borders. (The power grid's interdependencies know no national boundaries; when the lights went out in 2003, it took down both parts of the US and Canadian grid, together.) I didn't want to argue with the man; the audience was made up of a lot of potential customers, and so that wouldn't exactly have been a winning strategy in terms of the larger picture. But either he was full of shit, or he thought I was talking about the NRC (Nuclear Regulatory Council) when I pronounced 'NERC'.
And then comes 60 Minutes...and there he is, saying things along similar lines. We're super-vulnerable...nothing is being done...hackers did this...hackers can do that. And it's just making me crazy, because there are a lot of people working very hard at this. There's a lot to do, don't get me wrong; most power infrastructure is in need of an IT overhaul. But it's also highly segmented, often airgapped, and the work has begun to secure all of it.
For your security, this post has been encrypted with ROT-13, twice.
Remove the F'ing critical CNC from the fucking internet and then have human monitored entry points only accessible via securely layered authorization procedures using good old fashioned voice circuits to get access authorization and line based modems for actual access for any with a need to access.
Then monitor every fucking thing they do for fucks sake, they do it in china for those using search engines, we can fucking do it for critical infrastructure.
The fucking ridiculous notion that everything and everywhere needs to be connected and unmonitored for convenience is just fucking stupid, its doesn't and it shouldn't be.
The question of grid vulnerability comes up again and again. Every time, it is treated as if the question was novel and never addressed before.
I work in the industry. My view is not that cyber security is being neglected. On the contrary, it seems more like the situation in the Grand Canyon where there were 30 anthropologists for every Indian being studies. Homeland Security and DOE Tiger teams and security auditors swarm like flies around the operations centers. Each of them looks forward to fame and fortune if they expose the one big unaddressed vulnerability.
The most recent fully public test of the grid's vulnerability was the Y2K scare. Many people, including renowned experts such as Capers Jones, figured that there would be no way the grid could survive Y2K without numerous incidents. The actual grid incident count on the night in question was zero. No hacker could conceivably create a more ubiquitous and more diverse cyber challenge to the grid than Y2K.
What about robustness and vulnerability to chains of failures? It is true that regional blackouts do occur. Every incident can be traced to a chain of failures. However, earthquakes, hurricanes and especially ice storms every year challenge the grids with multiple simultaneous failures; sometimes hundreds of thousands of simultaneous failures without triggering cascades. Do you really think that a hacker could think up something more challenging than an ice storm?
One thing not appreciated is the design criteria. The NERC criteria for blackouts is that blackouts affecting more than 10 million people should not happen more than once every 10 years. Using NYC as a benchmark, it was blacked out in 1965, 1977 and 2003.
The public, on the other hand, thinks erroneously that the grid should be infinitely reliable and that every regional level blackout represents an avoidable failure, and that each blackout reduces confidence in the system.
Ironically, people who live in places with frequent loss of electric service, such as India, adapt so well that it causes minimal disruption. It is a paradox that the more reliable electric supply, the less well prepared the public becomes for outages and the more neurotic they become over hypothetical threats.
There I was, waiting for a loading screen in Age of Dragons saying Beware of power outages! Use F5 to quick-save... when *poof*, my Furman went to extreme voltage shutdown, followed by a massive, unpossibly coincidental blackout.
In the back of my head, EVA stated: LOW POWER. Was the game really this good? Was my base under attack?
Now I have to kill that High Dragon again. *Sigh*.
Hey, this very logic once saved the human race, afterall.
You don't need hackers a couple of guys with rifles could take down the LA grid. A few dozen guys with C4 could take down most of the country for months. Demand is highest in the summer so pick the hottest day of the year for maximum chaos. People don't realize how interconnected the grid is. New york has little local power, a couple of reactors easily cut off, and LA on hot days draws power from most of the west. Lines are easy to take down but max damage are major towers in isolated locations which are hard to repair. We're fortunate terrorist are idiots. Back when I was in LA I did a job where I had to work with the water department. One of the guys casually mentioned that the main water pipes coming into town couldn't be shut off due to the pressure. Translated a charge at the base of the downhill pipe would take it out and it could only be turned off at the source. There are literally thousands of weaknesses of the sort in the country that are poorly guarded. 60 minutes did a report on unguarded chemical plants in major cities. Even the tiny town I come from had a chemical leak from a train that forced half the town to evacuate. The point is a small number of men with minimal hardware could do a lot of damage. A large number of men with decent hardware it's terrifying what could be done. You don't need to nuke a city just take out three oil refineries and we'd be all but be back to horses in months. People forget there's a small refined reserve but most of the strategic reserve is crude oil. Even that won't last all that long. Hackers are an extreme concern because they can strike from anywhere but we need to become less dependent on our national infrastructure and more localized. People can look down on alternative power but it's a major boon to national security. If everyone had solar cells on their roofs a black out might be an annoyance where as now it would cost lives if they timed it well. It's the concentration of our industries that makes us vulnerable. Take out one power plant or the right grid and we're in trouble. Spread that to a hundred mini plants and taking out half a dozen would have little affect.
Do yourself a favor and research the definitions of fascism, soviet style government, and a few others while you're at it. Feel free to come on back here and post some more once you're done.
A few years ago I did a vulnerability assessment for a good size electrical Co-Op in the US. On the whole I was pretty impressed that the level of separation between the SCADA control networks and the corporate or Internet networks was well implemented. About the only significant vulnerability was that a truck bomb would likely take out their control room, and both backup datapaths on their SCADA network.
What's really concerning though is Oil/Gas company networks. I've been involved with a few, and many of them have significant integration and access to SCADA networks from the Internet and internal WAN networks. Being able to accomplish things like controlling Gas flow on pipelines or in gas plants. Possibly even being able to cause equipment failure. While these events wouldn't cause a grid outage, they would cause significant environmental damage, and might effect product flow which could effect prices...
How vulnerable is it? Face it, most SCADA systems are windows based. If you need more of a hint than that you are in pretty strong denial.
Also, there's no way in hell that an archaic infrastructure like the power grid is going to just turn around and run something else overnight. The reasons are simple. Change. Computer security changes things and bases the argument for change mostly on hypotheticals. It's easy for people to shoot it full of holes because you can't prove something 'will' happen.
What's worse, is most places don't even know they are cracked. People think since their system booted fine and isn't acting slow, everything is hunky-dory. malware is getting leaner and systems are getting faster and you don't notice when something is hitting the wire, cpu or disk anymore. We're pretty well f#cked on the power grid.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Wait, you were about to play Mario Kart with a female from another town?
I thought only in the USA could the girlfriend from another town story be used.
Power is overrated, even this computer will work without it. All I have to is unplug this cor
It was pretty scaring in Rio de Janeiro. Traffic lights were gonne, and today I learned that the police had some work to do in a couple neighbourhoods. Subway and trains stopped. I was at home, but suddenly all my food in the refrigerator could spoil, and I had no air conditioning in a freaking hot night. Landline phones were gone, too. The mobile phone from TIM network was not working, but I could make some calls from a phone from Claro (after some atempts). Surprinsingly, I could use use a HSDPA modem and a notebook to have access to the internet. Then I realized it was not happening only in Rio or other cities, but the lights had gone out in half of the country.
Guy Fawkes is a lousy example of a populace's antidote to fascism. He was a member of a small group of traitors engaged in a religious spat. If their intentions had been noble and they'd had any public support they'd have started a revolution rather than attempting assassination.
Why you you even care to ask the readers? Ask a goddam expert with authority on the matter for Pete's sake!! Hate this bottom-up journalism where the reader has to make the story.
If that's your only 'evidence' of problems, then you are pretty clueless and just parroting the party line. Yes, Windows is vulnerable and can be unstable - that does not mean that any given Windows machine has been cracked and/or is constantly crashing. I'll give and grant that it takes more effort to do so than it should, but it isn't impossible to run a Windows system that is both secure and stable - especially if it's air gapped and comfiguration controlled.
Actually my friend does use TIM, and although we had a couple of voice cut-offs here and there, everything was just fine. Also, she mentioned there were various cases of cars running over pedestrians, and random folks thought something even worse was happening (2012 anyone? :P).
... even if they are accessible remotely, are not accessible over the internet. They're done either over dedicated lines, or via wireless connections that are encrypted, use proprietary protocols, or both. So the real threat isn't terrorists or the Russian mafia - it's your standard inside job. That doesn't mean that the vulnerability isn't there, but it mitigates it quite a lot. There are really only a few people with the capability and access to do this kind of thing, and it's relatively easy to watch over them. Just beware of the disgruntled employee/former employee/contractor.
We're VERY vulnerable to this. Slashdot reported on this a year or two ago - http://domino.watson.ibm.com/comm/wwwr_thinkresearch.nsf/pages/hacking397.html
IBM researchers were able to gain control of the controls of a nuclear power plant from the outside.
GET OUR FUCKING INFRASTRUCTURE OFF THE INTERNET!
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
You live in a delusion created by far right commentators. The TSA profiles (compare how often "suspicious looking" passengers get searched per trip vs white grandmas). The police profile (compare rates of "random searches" and imprisonment for minor offences by race and socio-economic status). Only focusing on "suspicious people" and leaving your honest wholesome law abiding white picket fence self alone only tells the bad people how to get past the gate keepers. There are Muslims of European descent. There are Muslims that can pass for Italian-Americans or Hispanic-Americans. Not to mention that exclusively harassing one group of people, a sub-set of who are criminals, only engenders favor and support for the criminals amongst them. Or the fact that militant Muslims weren't the first people to blow up planes, nor will they be the last.
Given the current tensions over Obama the next terrorist attack in America is likely to be another McVeigh. Possibly carried out by a white grandmother. Or it could be a college aged female animal liberationist who has decided that direct action is the answer.
========
CINC, 4th Penguin Legion
http://domino.watson.ibm.com/comm/wwwr_thinkresearch.nsf/pages/hacking397.html
There's your proof that your engineers are indeed total fucking morons.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
... it would be hard to do that without being detected. Not impossible, but hard. It's impossible to be completely invulnerable to any threat, but I think hacking into electrical control systems like this is sufficiently difficult that you'd be better off worrying about someone else. For example, if your aim was to disrupt electrical power, wouldn't it be easier to blow up one or more of the towers that hold up the high-tension lines coming out of a power plant?
... at least if they pull into any foreign ports. It's against the law to ship in arms this way in many countries, and it's absolutely routine for your vessel to get searched. If you pulled in somewhere and they found these arms onboard, the captain could wind up in the local jail. This is the main reason why arming merchant vessels isn't done these days. Well, that, and the fact that a crew of Malaysians, Pakistanis, Greeks, and Filipinos (to pick a few random places where merchant seamen are routinely recruited from), who probably don't have any weapons training, would be more of a danger to themselves than to any potential pirates.
Mostly, it would be much easier to physically damage the transmission lines than it would be to hack into the control systems. Although control system hacking is sexier (at least on Slashdot), it would probably be smarter to focus on the more likely threats.
... but dude, it's a novel. I'm not really prepared to take that as evidence that I need to be freaking out about this topic quite yet.
because attackers are far more likely the U.S. system. Oh - wait. By "our" you are assuming only Americans read Slashdot.
DCOM enabled in all SCADA systems as of 2005, NY and northeast power outages at time of blaster peak infection... and the 50+ other countries that lost power the same week.
http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/2248.html
im glad yall are talkin about this
Power plants frequently have extensive networks connecting data collectors and Man Machine Interfaces (MMIs) in control rooms and elsewhere. The MMIs are often Windows based and have drivers for Programmable Logic Controllers (PLCs) and other devices. Recognizing that the systems are vulnerable, enlightened engineers keep the plant systems off the Internet except for a few cases... One is the case in which control or supervision has to be remote and the second is when updating software. A third, which I hate to contemplate but it is probably happening somewhere, is that there is a hidden connection for convenience and nobody in authority knows about it.
The bad news is that people have a habit of bringing in their own laptops, connecting them to the Internet at home or even at work, and ultimately connecting them to the network. Immediately, trojans of all sorts can be transferred to the plant assets and, if they are connected to the Internet for remote supervision/operation, a cracker owns them a few hours later. Security is seldom taken seriously enough, and in the press to get work done, shortcuts are inevitable. As a result, our power grid can probably be taken by anybody who has the patience to target the assets with specific attacks. Phishing at power companies and contractors, finding techies on the Internet and attacking their home machines, penetrating the MMI software vendor sites, and various forms of social engineering can all be used.
Probably the only saving grace is that many sites are never connected to the Internet, many sites have well enforced security regulations, and focused attacks to crack into sites are a lot of work without a lot of revenue. It is probably much more profitable to spam some phishing attack than to try to penetrate power plants. When somebody with the skills dislikes us enough, the grid will go down. period.
Now, solar storms can also take down the grid and we have done nothing to protect our power distribution system from major magnetic storms. Protection is simple and fairly straightforward but it costs money and requires coordination. Basically we need the ability to take down the grid in an orderly fashion, place bypasses/shorting bars on the critical transformers and wait for the storm to arrive. After it passes, just bring the grid back up. With 24-96 hours of notice from our solar observation satellites, it is eminently practical to achieve this. While crackers can take down a plant or two, a magnetic storm can destroy major transformers for which there are no replacements. Power will be down for months and maybe a year or more. A major magnetic storm is a virtual certainty but we will cruise on the ragged edge of fate until it hits.
I write software for a company that deals in building controls middleware that recently branched out in to end-user power management software for buildings. Not so long ago, we engineers had a rather fierce battle with the CTO over precisely this point. He insisted that a critical feature of the software had to be the ability to control arbitrary building controls via an unsecured, public-facing web service. The fact was lost on him that, should all of a medium-sized building's controls be cycled simultaneously, the local grid could very well collapse. Eventually he was overridden, but barely. Rest assured that the engineers are not, in fact, complete morons. Just the executives.
WHO FUCKING CARES ?
No hacker just a Homer Simpson in the control room
You know how they call suicide bombers cowards and terrorists? Well, I call cruise missile launchers cowards and terrorists.
I think the distinction lies not in ability but intent. We do not send cruise missiles 1,000 miles just to land in a crowded disco. I won't deny that these things happen by accident sometimes; however, it is never our mission to specifically seek out and destroy civilian targets based on the likelihood of maximum death, injury, and terror.
Dropping a bomb on an insurgent camp probably does cause terror among the insurgents, but those insurgents represent a threat. Drunk dancers in a bar in Mali represent a threat to no one but their own dignity.
That is the difference.
-b
No offense, but I've stopped responding to AC's.
If I have to explain this, it is too late
Today, the ships are registered to flags of (corrupt) convenience, and,
the pirate, holding an RPG-7, would have shown his passport to a CNN reporter team and the UN-HCR,
and turns out to be 14,
the guys with the AK-74's are only 13 and are all AIDS orphans, and had a deprived childhood, so
we can expect a media frenzy and Congressional hearings just after anyone under the US hegmony turns a
30mm Bushmaster cannon on one of their boats and kill the lot.
If you bring serious arms on anything except a Navy Ship, you need to be careful, but, finally any large cargo
ship can run down a small boat RPGs notwithstanding.
..why does critical infrastructure need to be accessible remotely over the network? The computer systems for sensitive installations like this ought to be physically isolated, and all terminals accessing them secured properly. Let the sys admin or whoever works on them physically go to the power station/nuclear plant etc. Then we'll only have social engineering to worry about.
"..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
I've worked at a company installing the new energy meters in a country in Europe (doesn't matter which). These new meters are being installed all over Europe and most, if not all, versions are fully remote controllable. The COTS system we installed is commonly used for these kinds of systems. The system is useless and there is absolutely no security thinking. Even being a rather unskilled black-hat (like most of us, I have had my hacking days in my youth, but most of my knowledge in the area seems rather outdated nowadays) I would still be able to shut down the power for at least 300,000 customers, from my laptop sitting at a random café. If I also e.g. changed the passwords on the meters randomly, etc, I estimate it would take multiple months for them to restore all power. What strikes me is that the government has _no_ formal demands for security or safety of the systems. Systems with the ability to switch on and off power are safety-critical, and should be treated as such! (And no, I'm not going to describe the system in any detail or say anything about it's technical nature.)