Smart-Grid Control Software Maker Hacked

tsu doh nimh writes "Telvent, a multinational company whose software and services are used to remotely administer and monitor large sections of the energy and gas industries, began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Brian Krebs reports that the attacker(s) installed malicious software and stole project files related to one of Telvent's core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced 'smart grid' technologies. A follow-up story from Wired.com got confirmation from Telvent, and includes speculation from experts that the 'project files' could be used to sabotage systems. 'Some project files contain the "recipe" for the operations of a customer, describing calculations and frequencies at which systems run or when they should be turned on or off. If you're going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation. Then you modify the project file and load it, and they're not running what they think they're running.'"

smart grid

stupid vendors.

Re:smart grid

[TWX]

I am tired of the use of characteristics that don't seem to apply being applied by marketing staff.

Clearly "smart" doesn't apply.

Re:smart grid

I don't understand why it doesn't apply. Are you implying that OASyS SCADA isn't "smart" because Telvent was hacked into? Or that the "smart grid" isn't because it's assets can be misused? Or...?

Re:smart grid

[Dr+Max]

So if something can be hacked it isn't smart? So smart phones should have been called slightly more powerful feature phones. Carrying on with that, you can hack a human with magnetic fields http://www.livescience.com/438-remote-controlled-human-sensation.html so none of mankind could be considered smart either.

Yep, better be the last nail in the coffin..

They won't be installing any of this technology on my property.

Maybe in 10 more years, but I don't trust them to do their jobs effectively, and without violating my rights as both a person and a citizen of this country.

Re:Yep, better be the last nail in the coffin..

[TWX]

If they come out to change the meter housing you really won't have a choice. You realize this, right?

It's either smart meter or else no service.

Re:Yep, better be the last nail in the coffin..

[Beardo+the+Bearded]

I love my smart meter. My electric bill is half what it used to be.

Of course, that was after I installed my own software on it, but hey, fuck em they're a power company.

Re:Yep, better be the last nail in the coffin..

[GameboyRMH]

You're right, but you could firewall off your appliances from communicating with the grid using some kind of line filter and/or or battery bank. You'd lose efficiency but gain security and privacy.

pissed off sysop?

That sounds very technical which means inside knowledge - someone pissed of a sysop

Obvious what this is.

The attackers will produce a cascading failure in the electrical grid that brings down the entire North American power grid. A few additional well timed physical attacks, and we're back to the bronze age for the foreseeable future. Food stocks will quickly run down, as will supplies of petrol. The government will attempt to exert control, but without food and as the situation deteriorates, most of the soldiers will go AWOL to try to get home to help family. Soon, the dying begins. Roving bands of robbers gradually coalesce into gangs ruled by small time warlords, and eventually regional rulers who hoard the remaining food, fuel, and ammo. The few isolated people who planned ahead and who have escaped into their countryside shelters are systematically hunted down, plundered, and given the option to swear fealty to the new regime or be dispatched. Huge fires sweep through most large cities and pollute the atmosphere with soot. Winter soon sets in early due to the reduced sunlight penetrating the atmosphere, and is the harshest one in generations. Eventually, as the winter ends and spring sets in, over 75% of the population is either dead or close to it. Suddenly, armies of foreign soldiers appear at our shores, and before long all of the remaining Americans are conscripted and forced to farm the still fertile fields of America's breadbasket for meager rations, which is still better than starvation and death.

Re:Obvious what this is.

[localman57]

The attackers will produce a cascading failure in the electrical grid that brings down the entire North American power grid.

Frankly, I'm surprised we haven't had this happen already. It always blows my mind when there's some massive cascading power failure across mulitple states, and people are somehow relieved that it wasn't terrorism. Just a normal failure. How the fuck is a system that just collapses all by itself better than one that has to be pushed to collapse?

It seems to me that instead of fucking around with underware bombs and shit, our enemies might get a lot better cost return with some iron spikes, aluminum wire, and some helium filled weather balloons. Giant transmission lines in the middle of the desert are virtually impossible to defend, and are already stressed to the breaking point when it's hot across the nation. All they need is a little push...no complicated cyber-hacker-shit required.

Re:Obvious what this is.

[CanHasDIY]

Dude - you should totally make that into a short story; 'twould be a good one.

Re:Obvious what this is.

[Columcille]

And someone will make some lame tv show about the whole thing.

Re:Obvious what this is.

I really have only two questions.

1. Will raiding parties sent out by the regional rulers be stuck with muzzleloaders (except badass officers; badass officers always get teashades and autopistols)?

2. Will cute-but-surprisingly-asskicking-and-unsurprisingly-obnoxious girls cut the buttstocks off crossbows to make one-handed, but implausibly imbalanced, weapons? And maybe lose the stirrup, too; that serves no useful purpose...

Re:Obvious what this is.

[chill]

Dan Brown, is that you?

Re:Obvious what this is.

[YrWrstNtmr]

Soon, the dying begins. Roving bands of robbers gradually coalesce into gangs ruled by small time warlords, and eventually regional rulers who hoard the remaining food, fuel, and ammo.

Given a large enough and complete enough failure, 'soon' = 48-72 hours.

Re:Obvious what this is.

Ha! Maybe a SPAM email will arrive "Download this app to reduce your power bill!"

Re:Obvious what this is.

[snspdaarf]

Have to be hydrogen. We have a helium shortage, remember?

Re:Obvious what this is.

[cavreader]

"Frankly, I'm surprised we haven't had this happen already"

It hasn't happened yet because believe it or not it is not that easy to do. The U.S. power grid is segmented into three zones with safeguards that prevent an outage in one zone from tripping a blackout in another zone and this makes causing a nation wide blackout extremely unlikely.

Re:Obvious what this is.

Where do the zombies fit into all this?

Re:Obvious what this is.

Battle field nukes whip the populous into shape very quickly.

Re:Obvious what this is.

[Dr+Max]

That's a great story i really enjoyed it. If you want to know the scary truth, a couple of guys with rifles could take the major power stations offline a lot longer than hackers, by simply shooting the insulators on the phases coming out of power stations.

Re:Obvious what this is.

[Neil+Boekend]

That'd be us when there is no power to make coffee.

Re:Obvious what this is.

[rwv]

Just to nit pick... you don't need power to make coffee. Water+pot+fire, coffeebeans+mortar/pestle, and a frenchpress will do the trick quite effectively.

Are 'smart' meters mandatory?

[fustakrakich]

Sure hope not. I mean, does every goddamn thing need to be computerized?

Re:Are 'smart' meters mandatory?

[brianhaddock]

Lots of utilities are rolling them out right now and big companies who want to keep an eye on their usage patterns demand them. Remember when they used to hand read meters? The guy would open the gate, dodge your barking dog, and write down the meter reading in his little book. Then they moved some to radio transmitting meters where a utility truck simply drove down your street and recorded the readings that were transmitted from each meter. Now they have meters that communicate wirelessly and send the readings to the utility company in at intervals.

Re:Are 'smart' meters mandatory?

[Spy+Handler]

Yes because computerizing stuff increases efficiency. Look under the hood of your car, all those chips and sensors are helping your engine make a lot more horsepower for the same amount of fuel than engines from 30 years ago. (Or, same amount of power for less fuel consumption)

What we should really be asking is, does everything need to connect to the internet? And is enabling USB ports on critical systems so that workers can bring infected USB stick from home to bridge an air gap a good idea?

Re:Are 'smart' meters mandatory?

[localman57]

Sure hope not. I mean, does every goddamn thing need to be computerized?

Computers make things more efficient. Which means you can consume more for the same price. If it weren't for the computers, people would have to get by on less. And if there's one thing people hate more than computers, it's getting by on less. So you get what we got right here. Which is the way we want it. Well, we get it. And I don't like it any more than you men.

Re:Are 'smart' meters mandatory?

[Dunbal]

Tell me how efficient they are when the whole grid goes down.

Re:Are 'smart' meters mandatory?

[TWX]

Computers only make things more efficient when the systems architects know how to do their jobs effectively and don't rely on vendors and consultants to do it for them. It's not in the interests of vendors or consultants to save their customer money. It's in their interests to make as much money from the customer as practical, and that can mean everything from selling them equipment that's overspec to selling far more equipment than necessary to excessive costs for setup and configuration that are difficult to determine at the outset of the project.

As problematic as our telephone system has been at times, at least from a bureaucracy standpoint, that Bell did basic research and development in-house and for a long time owned almost everything internally, advances were made and the system functioned very well. The Baby Bells have inherited this legacy, and the biggest cracks have only manifested as they've each independently implemented technologies post-Ma-Bell, like DSL.

If you've had to work with vendors extensively you'd realize what a bane it can be to actually achieving, especially when non-technical persons have the ultimate decision in your organization.

Re:Are 'smart' meters mandatory?

[localman57]

X only make things more Y when the Z know how to do their jobs effectively

That tend to be true for just about any professional combination of X,Y, and Z. Don't you think?

I worked in the power industry while our state was in the throws of deregulation. I know what you're talking about. But this thread isn't about that. And Ma-Bell suffered from the same flaws that the power companies do. Security is not a primary issue to them. During the glory days you're talking about, you could phreak the phone system with a Captin Crunch whistle. That was the state of their security. Today's whistle is just a bit more complicated.

Re:Are 'smart' meters mandatory?

[Ichijo]

Tell me how efficient they are when the whole grid goes down.

100%.

Re:Are 'smart' meters mandatory?

[Mashiki]

They're mandatory in Ontario and as far as I know, the entire province has them installed, so this could get very interesting to say the least. Or until the meters are all updated, well I was always against them to begin with. Our hydro rates have done nothing but increase since they've been installed. Right on track for 22c/KWH by 2016 baby! Gotta love it.

Re:Are 'smart' meters mandatory?

There's a downside to smart meters though. It's known that old power meters tend to get increased drag as they age. So say you use 1200kw this month, the meter may read as if you had only used 1125kw or so (that might be a bit of a large gap for a lower power use, but you get the idea).

So here's the trade off. Our power bill, three months ago was an actual reading, which was around 900kw or so (guessing). Two months ago was an Estimate, and it was listed as 1600kw. Then last month was another actual reading, and it was 1100kw. Which means we paid a heck of a lot more than needed two months ago (yes the over pay went towards last month, but what if we needed the difference in price for something else two months ago?). With something like this, smart meters do have a huge advantage for the customer.

But as I said in the top paragraph, if you have an older analog meter, sometimes it's better for the end user to keep that old meter vs a new meter or smart meter.

Also, there's a lot of appliances that are now able to work with smart grids. Our new water heater for example is able to (if we had a smart grid here). The power company can send signals down for different pay rate times during the day, allowing the hot water heater to go into a stand by when demand or rates are high, and operate like normal when they are low

Re:Are 'smart' meters mandatory?

[northerner]

Smart meters are a lot less safety critical than the SCADA control systems. Networking smart meters makes a lot of sense. It's desirable to do it right, but if the billing is messed up, it can be corrected. The ability to change the operation of the system needs to very secure in comparison.

Re:Are 'smart' meters mandatory?

[PPH]

One of the major overhead costs of your residential service is (was) reading your meter by having someone drive around in a car, jump out at every few houses and write down the readings.

I guess utilities could offer an option to people who think they'll get hacked or the meters will make their junk fall off: Pay for a meter reader and they'll leave the old analog one on your house.

Re:Are 'smart' meters mandatory?

[flaming+error]

Ok, but I'll probably need your snail mail address.

Re:Are 'smart' meters mandatory?

Yes because computerizing stuff increases efficiency. Look under the hood of your car, all those chips and sensors are helping your engine make a lot more horsepower for the same amount of fuel than engines from 30 years ago.

Well...let's look at it can we? We've changed from: steel frame bodies, to a-frame bodies or unibody designs dropping the vehicle weight anywhere from half to two-thirds. We've changed engine blocks from cast iron or steel to aluminum(or in some cases to ceramic composites). We've dropped radiators from steel or aluminum to plastic and plastic composites. In transmissions we've refined the best of the best the turbomatic series to the point where everyone used it and made it better, shrunk it down, then halfed the weight again. We've dropped metal lines in vehicles switching over to plastic, or poly-composites cutting the weight down even more.

Of course you're going to see increases in efficiency. Cars weigh half or even less of what they did 30 years ago. Not to mention a bulk increase in horse power, the refining of engine components have come from machine smiths to cad lathes cut tolerance failures to almost nil. And being able to do designs by computer to figure out what you're doing to maximize an engine's output without having to over-design made all the difference in the world. Those sensors and computers aren't making a huge difference in horse power. What's making a difference, is the engineering.

Re:Are 'smart' meters mandatory?

[sumdumass]

On demand gas or propane is the best solution for a water heater. The smart grid turning your water heater off is problematic if you are not a 9-5er or had a couple of kids. I can easily run out of hot water on certain days because the damn thing is off and need to take a shower in the cold to save making the kids do the same. God forbid someone starts a load of laundry at the wrong time either.

Well, when I say can, I meant before I change the heater out. Put in an on demand gas system and never run out of hot water. I spend less money to boot.

Re:Are 'smart' meters mandatory?

Your not going to be able to take out the grid by messing with smart meters, you would be lucky to be able to take a house off and they would call their electricity provider who would come and fix it. You lot are what gives the rest of us fighting for rights and privacy the bad name of tin foil hat people.

Re:Are 'smart' meters mandatory?

Are you saying the electrics don't help? You make a valid point, but electronics like vvti are a very big player in efficiency.

Re:Are 'smart' meters mandatory?

[GameboyRMH]

HAHAHAHA you know very little about cars don't you?

Plastic radiators? (end tanks sure, but plastic is shit at conducting heat). Cars lighter now than 30 years ago? (Maybe today's subcompacts vs. old American luxo-barges, but otherwise NO).

Engine technology has advanced greatly but it's had to fight increasing safety regulations which greatly increase the size and weight of vehicles. In the '80s you could buy compact sedans that got 40MPG just like today, but they weighed less. Vehicle weight has been forced up by safety regulations and the safety arms race triggered by the release of SUVs ever since the mid/late 80s.

If you put a modern compact sedan's engine in an '80s compact you'd get way better mileage.

Those chips and sensors DO improve engine efficiency and especially emissions - although that's the only place electronics have done any good in cars.

Re:Are 'smart' meters mandatory?

[tlhIngan]

There's a downside to smart meters though. It's known that old power meters tend to get increased drag as they age. So say you use 1200kw this month, the meter may read as if you had only used 1125kw or so (that might be a bit of a large gap for a lower power use, but you get the idea).

True, because it's mechanical and subject ot all sorts of enviornmental conditions of cold and heat, so they do read slower as they lose calibratoin. Though the power company does swap out meters on a regular basis - usually once a decade or so to bring them back to calibration. Of course, 10 years worth of weather does take its toll on the meter base (it's a socket the meter plugs into), so sometimes it can also burn your house down.

I suppose the most wasteful was our electric meter at the new place was the new digital (non-smart) kind - no mechanical pieces, just an electrical usage integrator that sends a pulse to a counter board. A couple of months later it was replaced with a smart meter. Apparently the design of the digital meters is like that - a power board sends pulses to the digital board which totals up the power consumed.

Is anyone surprised?

Really shouldn't be, since the security holes in these systems have been talked about for years now. The threat is just greater now that utilities are actually installing/using these devices on a much larger scale.
Texas citizens have created quite a stir trying to fight installs there....http://www.bantexassmartmeters.com/

Re:Is anyone surprised?

[localman57]

What's a bantex ass mart meter? I don't want to click it and find out, because I'm fearful it's probably NSFW....

Smart GRID not METER

stop spamming the thread with crying about your smart meters, this is much much bigger than you

Re:Smart GRID not METER

[Neil+Boekend]

Correct me if I am wrong, but doesn't a smart grid require smart meters?

Re:Smart GRID not METER

No! Well yes but not the meters in your house, those can be as dumb as a rock and you could still have a smart grid. The smart grid is about powerload balancing and being able to use intermittent energy sources with limited inefficiency. And also to handle phase compensation automatically and other gridrelated phenomena. So there needs to be sensors and meters that can send data (via a PLC or similar usually) to a SCADA system.

it is small wonder it took them so much time...

[stanlyb]

The main problem is that only the hackers that have not tried to hack their system, did not hack their systems. And the more terrifying truth is that there is not even one vendor with secure solution out-there. I am just amazed of how they even put the word "secure" in there product!!!!

This is a Good Example

[chill]

This is a good example of why the gov't is worried about cyber security for critical infrastructure. Just like there are minimum standards for building and fire safety there needs to be minimum standards for IT infrastructure security.

Re:This is a Good Example

[kiwimate]

Err, not saying that I agree or disagree, but wasn't there a story on these hallowed pages yesterday saying exactly the opposite?

Re:This is a Good Example

[chill]

Sort of. They were saying this isn't enough, claiming an "offensive" component is also needed.

Keep in mind, it was penned by an ex-military guy who just joined a cyber security consulting firm. He's saying we need to change the laws to allow something like a digital version of Blackwater.

It is like he read his first cyberpunk novels and thinks Shadowrun was a good idea for real life.

Inigo Montoya

[guttentag]

...investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain... and they're not running what they think they're running.

Sounds like they need a modern-day Inigo Montoya to do their security: <SPANISH ACCENT>"You keep using that software, I do not think you're running what you think you are running."</SPANISH ACCENT> And if the worst happens, he can exact revenge: "Hello. My name is Inigo Montoya. You killed my power grid during a level 85 raid. Prepare to die."

Script kiddies everywhere

are waiting for their newly scripted toyboxes,,,and some of them work for "your" government(s).

What with all the new "smart" grids, meters, self-driving cars, internet enabled devices(including medical), etc, etc,,, there are multiple levels of salivating bastards,,, including those just waiting for new BOFH stories to appear on the subjects.

Keep Banging That War Drum!

[IonOtter]

That's right, keep banging on that war drum. While the leaders are making all the big noise and keeping everyone distracted, the governments and their military are already engaged in full-on, no-holds-barred combat.

We took out 50% of Iran's nuclear capacity with nothing more than a USB stick loaded with Lady Gaga albums and porn.

But at least Iran was smart enough to put an AIR GAP between their critical systems and the rest of the world. We had to rely on a human to use the Sneakernet to infect those centrifuge controllers.

Whoever is behind this, is simply doing Gangnam Style right through the front door.

smart grid, stupid access and control sw

[swschrad]

YOU. DO. NOT. CONNECT. VITAL. INFRASTRUCTURE. TO. THE. INTERNET.

fucking idiots.

guess we better learn to live in the dark again, because these fools and the power companies they blather money out of will put us there yet.

Re:smart grid, stupid access and control sw

[Shoten]

YOU. HAVE. NO. CHOICE.

Telvent is the world's leader in what's known as "ADMS" systems. Advanced Distribution Management Systems. This is, for lack of a better way to put it, the "Smart" in "Smart Grid." By definition, it requires broad and extensive connectivity with many other systems.

In the old days, power plants...a few big ones...made power. And that power kind of spread outwards in straight lines to substations, and then to homes/businesses/etc. Well, now, smart grid is going into place. So you get more information from the homes/businesses/etc about what power they are using, and you will have more sources...small sources...of power all over the place. The power grid will look more like the Internet...interlaced, routable, managed. But you need a monolithic "God System" to keep track of what's going on, and control the changes that need to be made. Examples of systems that ADMS ties into are AMI, where the connectivity indirectly extends out to literally millions of collectors and meters attached to homes, to wind farms, to solar farms, to hydroelectric turbines, to coal-powered generation facility, and to CT (combustion turbine) generators. Oh, also...substations, protective relay systems...I think I'm forgetting some. Oh! I forgot...your local Balancing Authority, who is responsible for the stability of the larger power grid.

So yeah...this whole "Oh, you just need to air gap it because it's a control system" is ignorant. That hasn't been realistic in the power industry for about a decade now. Before you call a whole industry "fools," maybe you should first learn about how the industry functions, hm?

Re:smart grid, stupid access and control sw

[sjames]

YES. YOU. DO.

All of that calls for a network, but none of it requires the INTERnet. It is a CHOICE (a bad one) To expose that network to the internet.

Re:smart grid, stupid access and control sw

[Shoten]

Actually, it does require the Internet.

Balancing Authority interconnectivity, for example...that's a whole other organization. You think people run dedicated lines that are, in some cases, hundreds of miles long? When you're talking about the really big ones, like WECC, you could be talking about a thousand miles of distance between the ADMS/EMS systems and the Balancing Authority. And the link needs to be reliable. So nope, not an option. If the utility is in a market that permits energy trading, then you also need other interconnections..again, over long distances, and that means the Internet all over again. I do security in the power industry for a living...these systems are never put just on the Internet at a power company, but it's always just a couple of hops away. And nation-state attackers have little trouble hopscotching their way through to the target. The problem isn't the connectivity, it's the lack of good patch management/antimalware/security monitoring systems and processes. And that's pretty much what the problem is when it comes to most breaches.

Look into the following acronyms, and keep digging. After a week of it, you might understand this better.

NERC
ERCOT
PJM
WECC
ERO
NERC-BAL
NERC-CIP
NERC-PRC
NERC-EOP
ISA99

Re:smart grid, stupid access and control sw

[sjames]

We had a power grid before the internet existed, therefor we can have a power grid without connecting it to the internet.

Re:smart grid, stupid access and control sw

The movie "Eagle Eye" shows an interesting application of internet-connected power grid. Maybe singularity tolerance should become a seriously considered quality attribute.

Re:smart grid, stupid access and control sw

[Dr+Max]

Sure you could, but it wouldn't be very efficient, it would cost a lot more to run (for expanding and maintenance you don't need to over compensate as much when you have good data to work with) and it's probably not capable of accepting power back into the grid (from say a residential solar panel); unless of course you built a new network covering the entire country (BIG MONEY $).

Re:smart grid, stupid access and control sw

[sjames]

Backfeeding has been done for a long time in some areas. We would be better off if we would actually overbuild a bit more. There is a great deal of dark fiber out there. You can gather data FROM a control net to the internet using a one way serial connection. The danger lies in allowing commands to flow from the internet to the control network.

You make it sound like the entire grid has been on the internet for all of living memory. The fact is it has run just fine without it until very recently. It isn't even all connected now.

Re:smart grid, stupid access and control sw

[sumdumass]

I had 3 t1 connections connecting 3 buildings in 2 different states together in 2000 and none of it provided internet.

If you can get the internet, you can get communications not on the internet. It doesn't solve all the problems you listed, but isolating control systems and using a VPN to access their networks means you can at least have a front end that has good patch management/antimalware/security monitoring systems and processes. It will just cost more.

Re:smart grid, stupid access and control sw

[Dr+Max]

You could do a little bit of back feeding, but hook up to many solar panels and you'll start blowing up peoples electronics, because to backfeed you need to have a higher voltage than the network and without some one watching the network voltage (lowering it when there is a lot of backfeed) it would easily get too high. Also Substations aren't cheap if you can check the data and see what you have now is fine, then you don't have to build a new one twice the size just because you saw a high max watts reading. Your not reading my comment right if you think that i was saying the grid has always been on the internet, i just said it makes it better (then again i might be biased, as i work for a network). Lots of things worked before the internet (usually with less scams) doesn't mean we shouldn't have it, or that it won't make it easier.

Re:smart grid, stupid access and control sw

[Darinbob]

Much of it is IPv6 but it does not necessarily have to be directly connected to the internet. Maybe at some points there is the grid network and the internet on the same computer or device, and it's those devices that need to be extra secured. The devices on the grid of course need solid security. But a lot of DA and SCADA infrastructure devices are older and may not be designed with security in mind.

Re:smart grid, stupid access and control sw

"smart grid is going into place.. "

right there is the problem

It's a piss poor excuse for not laying control and sensor wire infrastructure inside conduit directly to whatever critical infrastructure "thing" it is you are controlling.

And if there is ANY locations that actually can't have a wire, then the radio emission containing the packets needs to have a S.P.A.(Single Packet Authentication) and Firewall system. If the software, firmware, and hardware can't handle being a firewall at the "middle of fucking nowhere control node" Then REAL PEOPLE NEED TO TURN THE COCK SUCKING VALVE, OR SWITCH.

I don't even have a degree, and I know this shit like a kindergarten recess.

What the fuck is wrong with people, is it the degree behind your name that makes you so fucking stupid?

Re:smart grid, stupid access and control sw

If you had read the fucking article, you would know that Telvent's SCADA systems were not infiltrated. Telvent's main corporate network was, and PROJECT FILES (read: source) were stolen. The industrial systems that the software actually controls are just fine (for now).

Also, the main takeaway point of the smart grid is that components are interconnected with other local and NON-LOCAL assets. If you have a good idea for how those assets should communicate without laying our own custom infrastructure ethernet network, I'm all ears.

Re:smart grid, stupid access and control sw

[sjames]

Those are all good reasons why networked controls can improve on the old un-networked system, but there isn't a single objection there that would require connecting that control network to the internet, even indirectly.

I strongly agree that they should use a control network. My objection is to connecting it to the internet. There is no good reason someone in wherethehellisthisistan needs to be able to shed load in the Bronx.

Re:smart grid, stupid access and control sw

[Dr+Max]

and run a separate network to every house, one that runs right next to the internet phone lines? Or maybe we are on a different page, the substations aren't on the internet (maybe the data recording) but all the control is done by a separate (expensive) fibre network connecting them to control; It's not like a smart meter can operate hv switching, your lucky to get relay control on the whole current meters (anything using current transformers the meters have zero control over).

Re:smart grid, stupid access and control sw

[sjames]

SCADA systems are somewhat distinct from smart meters. SCADA does do HV switching.

The 'smart meters' don't currently have access to the internet. The lines that would do that belong to the homeowners. It is unlikely that the homeowner has the legal right to let the power company borrow some bits, even if they are willing.

Smart meters also shouldn't be controllable from the internet.

Re:smart grid, stupid access and control sw

[Dr+Max]

No one is getting access to the scada system without going through private fibre or being onsite. About half of our smart meters have an ip address the rest are using gprs, but most of them don't control anything, and a couple don't do anything audio frequency load control wasn't already doing for a long time (the tech behind how they turn your hot water system on and off, which i think is the 'frequencies' the hacker has stolen in the story).

Re:smart grid, stupid access and control sw

[sjames]

The post I replied to claimed otherwise.

US spooks invoke Chinese Hackers bogeyman ..

"The attack comes as U.S. policymakers remain gridlocked over legislation designed to beef up the cybersecurity posture of energy companies and other industries that maintain some of the worldâ(TM)s most vital information networks"

US spooks using "Chinese hackers" as pretext to increase budget ..

"In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall"

What, pray tell is an ' internal firewall'?

`ecc.exe fxsst.dll niu.dll ntshrui.dll`

Re:US spooks invoke Chinese Hackers bogeyman ..

[stanlyb]

Don't ask, dont tell....

Re:US spooks invoke Chinese Hackers bogeyman ..

[snspdaarf]

That's the firewall that keeps the people just passed over for promotion for the third time from running amok in your servers.

Thursday at 9 on SCTV

[swschrad]

I know how this ends. Chunky (tm) soup warms you up and fills you up. and then Weatherbreak.

ANOTHER. FUCKING. RETARD.

WHO. DOESN'T. HAVE. A. FUCKING. CLUE.

No interconnections = no usage monitoring, no generation monitoring, no billing, no grid interconnects, no fucking power for anyone.

Blowback from Iran

We stated a doctrine a year ago, that a cyber attack equivilant to a military physical attack, could be retaliated against with physical bombs.

What much of the muslim world doesn't realize, is that while we prefer to avoid casualties, and fight smart, if need be, we can -- and do-- rachet up the heat to a level they can't take.

If Iran or Lebanon/Hezb'allah want to atack us, they should be prepared for their countries to be destroyed.

Oh and, Egypt and Saudi Arabia, listen up: you have been placed alert. If you sponsor any more 9-11 style attackers against us, you are going down.
Egypt: listen up. If Romney wins, your country may suddenly become a UN mandate. Saudi Arabia, guess what: once we go in, the money is getting cut off. We will both sieze all the oilfields and you may not get Mecca back, ever. You muslims will be lucky if Jordan gets to control it for a bit. If Romney gets elected, it might get nuked, or, if the neocons have their way, gone over with a fine tooth comb to interrogate everyone and find the local antiamerican ring leaders (basically everyone) and imprison them.

Oh and OIC/Arab League/"Non Aligned Movement" : we consider you guys to be enemies of various degrees. If you fuck with us, we'll blow you up. Just keep that in mind.

Still no reason for putting idiots on the job

[Casandro]

I mean look at SCADA. The whole field seems to be staffed by idiots.
They think that OPC (OLE for Process Control) is a good idea, they still use that, even though the networking component works via DCOM, and it's all Windows only.

I mean a sane person would go and have sensors spit out text. That text can then be easily processed and archived easily. You can even batch process it, if you want.
You can of course, also pour it into some SQL database if you prefer to, but having your primary data as text means that you can easily change your database engine without having to worry about compatibility.

For OPC you need additional software just to be able to archive it.

A simple (non-XML) format also would have the advantage of being easy to parse. You might, for example have a little single line header, having the number of the meter in it. Then you have each line representing a measurement point. First column could be the time in Unix epochs, then a space, then the measurement values. Such a format can easily be parsed, quicker than it can be read from RAM and without the danger of buffer overruns.

Re:Still no reason for putting idiots on the job

[ThreeKelvin]

Sensors that spit out text? Who in their right mind would want that?

SCADA grabs sensor readings from the underlying control system, most likely running on some PLCs, where you have to do calculations on the data in order to feed back control values to the process being controlled.

Now, a PLC is, admittedly, sort of like the general purpose CPU's dumb brother, and the instructions it accepts are rather limited. But, for a number of reasons, they're immensely suited for their task. The single most important one being the ability to safely and easily change a program that is in production. This feature is important because control systems often have to be tuned when they're commisioned, they don't just work out of the box. You have to fiddle with constants in order to get it working, perhaps even change the structure of the control algorithm.

Because we control engineers have to fiddle with the program while it is running, we really don't want to do string to int/float/whatever conversion and the reverse when working on the PLCs. That would just be yet another place where we could scew up horribly, causing a country wide electrical blackout in the proces. It's hard enough as it is, so keep it simple, stupid!

Re:Still no reason for putting idiots on the job

[optimus2861]

Sensors that spit out text? Who in their right mind would want that?

Ignorant IT people who think they know better than control engineers how to design & operate control systems. The rant about OPC was beautiful, in its own ignorant way, and completely exposes the GP as someone who's probably never seen a control system in his life, probably never will see one, and wouldn't have the first clue how to program, troubleshoot, or maintain it.

There's historically been a certain amount of tension between control engineers and IT folks for that very reason; the smartest IT folks are the ones who ask the control engineers what they need to do their jobs, provide it, then stay the hell out of our way. The rest make our blood boil.

Re:Still no reason for putting idiots on the job

[Casandro]

If you cannot get IT working in such critical infrastructures, don't blame the people who are telling you what you are doing wrong.
Besides where is the problem building a PLC sending its output variables as text?
Furthermore, in the example of the company mentioned in the article, the smart meters probably didn't have a PLC connected to them. They were probably small devices with a micro controller.

Again, it's all fine and dandy if you connect your PLCs via a ProfiBus or whatever, but once it involves actual IT, you will have to play by the rules of good IT. (Of course there's a _lot_ of bad IT)

Re:Still no reason for putting idiots on the job

[GameboyRMH]

the smartest IT folks are the ones who ask the control engineers what they need to do their jobs, provide it, then stay the hell out of our way.

Like unsecured access from the Internet or dial-up systems I'm sure.

Re:Still no reason for putting idiots on the job

[optimus2861]

Besides where is the problem building a PLC sending its output variables as text?

Limit switches, solenoids, pushbuttons, motor contactors, relays, pilot lights, current transmitters, modulating control valves, even robotic motion controls -- good luck replacing all that gear with 'smart' versions that now have to understand text instead of simple electrical signals and not losing so much as a millisecond of response time.

I probably ought to give you some benefit of the doubt in that you meant "the PLC's data that passes to/from the SCADA" but you used the word "output" and that has a meaning to control engineers, a meaning you apparently don't grasp since you are quite ignorant on this subject.

So just stop now. Just admit you do not know what you are talking about and move on. It took me years of engineering school, mentoring, and in-field experience to understand my field, and I learn more every day. I really don't have the interest in trying to distill it into a /. comment for you.

Re:Still no reason for putting idiots on the job

[Casandro]

I'm not talking about connecting end switches via text-based protocols. And I never have. I have been talking about "sensors" as in "smart meters". There it makes sense. There you transmit data over some non-closed network. Again, I'm not talking about valves and servos.

Please stop acknowledging my prejudices.

Military-Style internetwork

If they are smart, the "Smart -Grid" will eventually fall under Homeland Security and any contracted entities used to create the IT infrastructure will have to fall under DHS security policy and a secure and non-secure network will be established specifically for National Power Distribution.

Military-Grade Internetwork

[Tempest451]

We all know the US military maintains their own inter-network. I think the same will be needed for a smart-grid and it should fall under Homeland Security.

I'm a PLC and SCADA designer. My thoughts.

(warning: lengthy rant ahead)

I'm an ICA engineer (instrumentation, control and automation) I used to program PLCs and SCADA systems, but now i simply design the architecture of the system, i.e how many PLCs and where, how much I/O on each PLC, how many supervision systems, data interchange, etc. So you could say I’m a “system architect” although we never use that name. I’m an electrical engineer.

I work on water treatment plants: My PLCs control how much chlorine /ammonium sulphate/etc goes into your water, what is the correct UV dose, among a myriad other things.

And I'm starting to get tired of this wave of scaremongering that started when stuxnet came out.

As I see it, in general, people with a BS in CS or CE don’t have a clue of how industrial systems work. When I was at university getting my EE degree, the CS people often said “we computer scientist are so important! We design the computers that run your electrical networks and your water and gas systems.!!”
Well, you don’t. We EE and ICA-E have been designing that for the last hundred of years. We only started to use PLCs in the seventies as a cost saving measure, but we could go back to the relay boards if we wanted. In fact, the ladder PLC programming resembles relay board design) And scada systems came next as replacement for the expensive and time consuming control panels.

The “hacker gets into plant” scenario so used by Hollywood scriptwriters never happened, until the US government assembled a massive group of world class experts, and by getting the manufacturers Microsoft, Siemens and Vacon on board. I’d say that one occurrence on 40 years, and that occurrence having behind the force of the world’s biggest superpower, it’s a pretty good security record.

And know what? Stuxnet spread all over Iran, and despite of that, reports indicate that uranium enriching it’s increasing. So it’s debatable if stuxnet achieved its ultimate objective or not. All that we know is that the US is back to the good old-fashioned method of killing nuclear scientists.

So leaving international politics aside and going back to our humble water plants. I’ll try to shed a little light on how these things work.

You know what would happen if somebody gets into a plant and blows up all the computers and network gear on the control room? I’ll tell you: nothing. The plant would keep running since the code that controls the machines is residing in the PLCs, and the PLCs are in one cabinet on the MCC rooms. All that would happen is that the operator would have to move his fat ass and actually go to the HMI on the MCCs if he desires to change a setpoint. SCADA machines are dumb machines, used for data visualization and logging, and setpoint changing only.

Now, what would happen if somebody blows up all the PLCs? Or worse, if someone breaks into the MCC room with a field programmer and changes the code of any of the PLCs?.

At best, the machines simply stop and that means that the operator has to go to the local control panel and change some some switches from “remote” to “manual”. And at worst, there are these things called the wired interlocks. No matter how you change the code, It’s impossible to damage a motor by overheating, or run a pump dry, or have the run-to-supply pumps running If the water is out of parameters.

Of course you could bypass the wired interlocks, but then you need the key to the MCC room, the key to the cabinet, a complete set of blueprints, a multimeter and a screwdriver. By this point you need physical access to the site, and I’d say its way easier to damage the machinery itself than the hardware controlling it.

However, since stuxnet came out, all the IT security companies have suddenly realized: “new market!!!” “we can now sell our crap to these hapless industrial clients!” “hundreds of unprotected ma

Re:I'm a PLC and SCADA designer. My thoughts.

And sorry for my bad English, not a native speaker as you can see.

Are you kidding, dude? I didn't even notice the errors until you said something in that last sentence. That was better than 99% of native so-called English speakers can write -- kudos on a great explanation. I'm ready to revamp my business to focus on water utilities, just so I can hire you.

You can't necessarily get there from here.

We had a power grid before the internet existed, therefor we can have a power grid without connecting it to the internet.

That's logically invalid, you know. But ignoring that, there's a bigger problem.

You're asking for distributed generation under distributed authority. That is the opposite of what your elected officials and their corporate masters have spent a hundred years converging on; you cannot have what you're asking for as long as you also want things like "laissez faire capitalism" and "a totally free market" and "national currency" etc. You're talking about what the much-derided (on slashdot, anyway) greens want - dirty hippy philosophy, oh noes!

Only a strong regulatory force (like, for instance, the social structures that reduce the murder rate, which include a complex mesh of interlocking local, federal and international laws, customs, and institutions) can prevent the consolidation of control of energy resources under a single controlling entity or an essentially monolithic group of entities. That regulatory power is what the post-Reagan world calls "Evil Big Government over-regulation" - forcing wealthy entities to do things for the common good, despite the fact that they can become even more wealthy by acting solely for short-term self-interest (see "greed is good" and "tragedy of the commons" if you aren't a Randroid).

If you let the zaibatsus run the power grid, it will be networked. It's the only way they can do it, because the corporations themselves are effectively a centralized control system.

Re:You can't necessarily get there from here.

[sjames]

If a thing has existed, it is possible. That's perfectly solid logic unless you can point out any existent but impossible things.

Hacks Chinese ??

Suspicion is that hacks are from Chinese source. Meanwhile here in Canada we ar GIVING the Chinese CONTROL of our infrastructure, no hacking required,
    Huawei has telecom projects with Telus, Bell, SaskTel and WIND Mobile. Telus has just signed a $250-million contract to provide the Canadian military with secure voice and data services worldwide.
Chinese state company CNOOC’s $15-billion bid for Nexen, a major Canadian oil and gas company. That will most likly go through.