Slashdot Mirror
How Vulnerable Is Our Power Grid?
coreboarder writes "Recently it was divulged that the Brazilian power infrastructure was compromised by hackers. Then it was announced that it was apparently faulty equipment. A downplay to the global public or an honest clarification? Either way, it raises the question: how vulnerable are we, really? With winter and all its icy glory hurtling towards those of us in the northern hemisphere, how open are we to everything from terrorist threats to simple 'pay me or else' schemes?"
I have always believed that if something is networked, it can be subject to unauthorized access. I hope I am wrong.
"I'm just here to regulate funkiness."
Hijacking the power grid and forcing entire states to pay ransom or suffer brownouts? Such a thing has never happened before!
http://en.wikipedia.org/wiki/Death_Star_(Business)
Suppose someone holds the nation's power grid hostage and then wants payment? So, why doesn't the government simply pay them, then track them down for assassination and release photos of their bullet ridden corpses? Would certainly discourage any copy-cat crimes. Somali pirates too.
Just a thought...
Speaking of Brazilian power failures, Brazil had another major power failure yesterday. Power from the Itaipu dam was cut off, which apparently put millions of people in the dark as it generates something like 14GW. Itaipu blames the Brazilian grid, meanwhile Brazilian officials aren't sure what it was, but are protesting any idea that it was sabotage/hacking. Paraguay and Uruguay also get power from Itaipu and were similarly affected.
http://www.cnn.com/2009/WORLD/americas/11/11/brazil.blackout/index.html
A bigger threat than terrorists is arbitrary government restriction on competition in the electric grid, which is what led to the rolling blackouts in California.
In any case, this winter could be bad - probably a good time to get a generator.
than the current local power monopolies? We are already in a "pay me or else" scheme which threatens lives and leaves us with this vulnerable infrastructure in the first place. And, unlike the "terrorists", the power companies have the cojones to stand before Congress and admit the control systems are vulnerable, the transmission grid is old and failing, the expected load in the next 15 years can't be handled and then claim its not their problem, its too expensive and the government needs to pay for it. As if they aren't taking enough on the front end from the consumer, they want more off the back end too.
Sickening.
I don't know about the connectivity of power stations/substations, but I've seen quite a few that appear very vulnerable to physical damage by virtue of location (eg. Not enough space between fence and components, or down an embankment from a quiet unlit street. Seems like it wouldn't take much more than a steel bar and a good arm to cause some pretty spectacular fireworks and a whole lot of repairs.
I've been living in São Paulo for over 9 years. I was without electrical power for a few hours last night.
The timeline on this is pretty entertaining. On the 7th, there were a bunch of stories saying the 2007 blackouts in Brazil were caused by crackers (the articles say "hackers"). On the 9th, there were strong denials all around, accompanied by stories saying that no, the 2007 blackouts were caused by "sooty insulators." On the 10th, Brazil suffered a blackout much worse than the ones in 2007. That looks to me like crackers saying "sooty insulators? We'll show you sooty insulators!"
By the way, power failures are normally abrupt, but the one last night was not. I usually go from lights to no lights almost instantaneously, but last night, the lights were flickering for a while. After a few minutes, I thought it was going to stabilize, because my compact fluorescents stayed on while my UPS beeped a lot to tell me it wasn't getting enough juice. The larger fluorescents in the kitchen couldn't start, but the compact fluorescents gave me some light in the living room.
"It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
I'm writing from the UK, so no matter what happens to *your* power grid, it won't affect *our* power grid.
Before you can get a sensible answer, you need to learn to ask a sensible question.
In any event, *your* power grid has already proven to be incredibly vulnerable to everything from single points of failure to social engineering for profit (Enron) so, quite frankly, worrying about the vulnerability of *your* power grid to hacking is like wondering about the vulnerability of a shiny new laptop left unattended on a car front seat to hacking... you have other issues to need to address first.
It is like wondering how vulnerable *your* road bridges and infrastructure are to hacking, while completely ignoring the fact that they are falling down by themselves due to lack of maintenance.
http://slashdot.org/~GuyFawkes/journal
Please let me know from what nationality a poster to Slashdot actually believes his is the only one represented on this website..
We all make assumptions.
Speaking as a controls engineer for a major utility contractor, the control systems for power plants are completely isolated from the internet... it's common sense. There are security consultants out there feeding FUD to the public about the vulnerability of these control systems to viruses planted (either knowingly or unknowingly) by plant personnel. Well, if someone had intimate knowledge of the software AND close ties to the operators AND really thought that bringing down the plant would be a good way screw everyone over, despite the fact that when things go wrong, all valves and systems return to a fail-safe position, AND once the software was re-installed, everything is easily restarted...
Yeah, I guess it could happen. As far as the grid is concerned, I'm *guessing* that a lot of people were influenced by the same method of thinking.
Look, if anyone really wants bring down the power grid, we should be worried about a physical attack WAY more than an electronic one. I just can't conceive of how our systems are as vulnerable as people say they are.
If you believe in gun rights then you support terrorism in the US
Go fuck yourself.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I would say that threats to the power grid tend to be overstated.
a) Power grids in the USA are regional affairs, so, the worst that can happen is one section of the country might get whacked.
b) Power companies frequently operate their own private physical networks for control... at least, that's the way it was in the early 2000's when I was into it. Our company had built their own private fiber optic loop.
c) Extremely critical stuff is done with a phone call by people that know each other. Like, "turn the generator off", is something done not so automatically.
d) There are loads of incompatible stuff out there in the field for remote control and SCADA. So, if you could go out there, and tell every customer to turn off all their equipment, remotely, you'd be so rich from just building a product that could do that, you would not want to go to jail, when you could be a billionaire. Just reading a power meter has dozens of protocols, formats, etc, and many of them are actually just wired up with a dumb phone line.
It's not impossible, I'm sure.. but, its not like hacking into a machine knowing that its running either Linux / Apache or Windows / IIS and going from there. All these pieces of embedded equipment have their own stuff, and the knowledge tends to be very specialized.
This is my sig.
The lower 48 CONUS actually has 3 power grids, not just a singular grid
Maybe not for long .. check out the Tres Amigos project
I am Slashdot. Are you Slashdot as well?
I live in brasil, never heard anything about cracker being responsible for the blackouts in espirito santo in 2007. to tell the truth, the first time i heard about it was on the web a few days ago, reading blog posts about the 60min report.
the minister of energy and the national system operator (the office that controls our power grid) already denied the "information" from the 60min show.
IMHO, it's just another piece of typical american fear-mongering, probably aimed at selling some incredibly expensive, over-complicated and completelly unecessary "technology" to the government.
more here (in portuguese).
disclaimer: estadão is a reliable, reasonably unbiased brasilian news agency.
What ? Me, worry ?
I live in Rio Grande do Sul, in a region where we have smaller power dams that supply more than enough energy for us to keep running without Itaipu, and I must say it was quite interesting to follow everything from here in real time. I was chatting with a friend of mine from Rio de Janeiro, and we were about to play some Mario Kart online, when suddently she sends me an SMS in 22:14 telling me "You're not gonna believe it, but the entire city of Rio de Janeiro has no energy. Even the Cristo Redentor doesn't have any light, and I've never seen that happen in my entire life!". A few minutes later she comes back online using her notebook and a 3G modem, retwitted the infos I sent her to her friends, and following my suggestion took a couple of pictures of what she was (un)able to see.
I then called her and she proceeded to tell me about how chaotic things were on the streets, that basically the traffic was jammed, all buildings nearby had people locked inside elevators and she could hear the cries for help, and until 5 minutes after the blackout all cellphone lines were jammed too. I then kept following the news on portal websites and Twitter and reported back to her in real time to let her know what was happening and how big things where, although she had already contacted friends throughout the country and kind of knew the places that were online and the ones that weren't.
I must say it was quite an experience to follow things in real time and inform someone right there about it, and I guess she was "thrilled" about it too, even though she's afraid of the dark. :(
Here are the photos she managed to take:
- http://img137.imageshack.us/img137/1382/foto1jm.jpg
- http://img81.imageshack.us/img81/5272/foto2b.jpg
It has it's own power grid.
We have a military so politically correct that when faced with persons that give presentations to upper echelon staff with phrases like "We love death more than you love life", does nothing. End result: 12 people dead, more injured.
We have the TSA that is so fearful of "profiling" people so they feel they must hassle white grandmothers while letting young Muslim men proceed to test the boundaries of airline security.
We have police that do not wish to be accused of "profiling" in any way, so basically give a pass to illegal immigrants driving without licenses while stopping and ticketing others. This continues even in the face of significant numbers of accidents caused by such illegal immigrants.
While it might be illegal to defraud Americans in America, it clearly isn't when it is being done from places like Bulgaria. So we have US-based registrars setting up domains for people with names like "citibank-online.com" and "ebay-online.com" when the purchasor is in places where law enforcement isn't going to bother them. And then we poor Americans all cry about how bank security is so lax. Unfortunately, all of the protections that work in the real world aren't being applied online, so it is easy to steal from people without fear of any consequences.
Face it, we're due for some trouble. If thousands of people die because someone takes out the power grid for a week it isn't because security is lax - it is because the people that are paid to handle security are looking the other way. Intentionally. And no, unlike the guy on 60 minutes when thousands die it will not be a "wakeup call" and everything is magically fixed. It is going to take a lot more than that.
Actually, I think there are more people here from outside of the US (mainly Europe) than you think. I think it's closer to a 50-50 ratio. And this is why:
Exhibit A) If you look at this poll you'll see that 43% of all voters chose the option "I Use Celsius, You Insensitive Clod!", which would obviously imply that they are not from the States.
Exhibit B) I'm Finnish (been browsing /. actively for a couple of years now) and I know I'm by far not the only Finn lurking around here. Moreover, if you look at, for example, the stories that have something to do with the US healthcare system there always seems to be an abundance of Swedes, Brits, Canadians and (more rarely though) us Finns trying to explain how "socialist healthcare" really isn't such an infernal thing as some of you Americans think it is.
"It is the business of the future to be dangerous" -Alfred North Whitehead
Comment removed based on user account deletion
The question of grid vulnerability comes up again and again. Every time, it is treated as if the question was novel and never addressed before.
I work in the industry. My view is not that cyber security is being neglected. On the contrary, it seems more like the situation in the Grand Canyon where there were 30 anthropologists for every Indian being studies. Homeland Security and DOE Tiger teams and security auditors swarm like flies around the operations centers. Each of them looks forward to fame and fortune if they expose the one big unaddressed vulnerability.
The most recent fully public test of the grid's vulnerability was the Y2K scare. Many people, including renowned experts such as Capers Jones, figured that there would be no way the grid could survive Y2K without numerous incidents. The actual grid incident count on the night in question was zero. No hacker could conceivably create a more ubiquitous and more diverse cyber challenge to the grid than Y2K.
What about robustness and vulnerability to chains of failures? It is true that regional blackouts do occur. Every incident can be traced to a chain of failures. However, earthquakes, hurricanes and especially ice storms every year challenge the grids with multiple simultaneous failures; sometimes hundreds of thousands of simultaneous failures without triggering cascades. Do you really think that a hacker could think up something more challenging than an ice storm?
One thing not appreciated is the design criteria. The NERC criteria for blackouts is that blackouts affecting more than 10 million people should not happen more than once every 10 years. Using NYC as a benchmark, it was blacked out in 1965, 1977 and 2003.
The public, on the other hand, thinks erroneously that the grid should be infinitely reliable and that every regional level blackout represents an avoidable failure, and that each blackout reduces confidence in the system.
Ironically, people who live in places with frequent loss of electric service, such as India, adapt so well that it causes minimal disruption. It is a paradox that the more reliable electric supply, the less well prepared the public becomes for outages and the more neurotic they become over hypothetical threats.
It was pretty scaring in Rio de Janeiro. Traffic lights were gonne, and today I learned that the police had some work to do in a couple neighbourhoods. Subway and trains stopped. I was at home, but suddenly all my food in the refrigerator could spoil, and I had no air conditioning in a freaking hot night. Landline phones were gone, too. The mobile phone from TIM network was not working, but I could make some calls from a phone from Claro (after some atempts). Surprinsingly, I could use use a HSDPA modem and a notebook to have access to the internet. Then I realized it was not happening only in Rio or other cities, but the lights had gone out in half of the country.
You live in a delusion created by far right commentators. The TSA profiles (compare how often "suspicious looking" passengers get searched per trip vs white grandmas). The police profile (compare rates of "random searches" and imprisonment for minor offences by race and socio-economic status). Only focusing on "suspicious people" and leaving your honest wholesome law abiding white picket fence self alone only tells the bad people how to get past the gate keepers. There are Muslims of European descent. There are Muslims that can pass for Italian-Americans or Hispanic-Americans. Not to mention that exclusively harassing one group of people, a sub-set of who are criminals, only engenders favor and support for the criminals amongst them. Or the fact that militant Muslims weren't the first people to blow up planes, nor will they be the last.
Given the current tensions over Obama the next terrorist attack in America is likely to be another McVeigh. Possibly carried out by a white grandmother. Or it could be a college aged female animal liberationist who has decided that direct action is the answer.
========
CINC, 4th Penguin Legion