Smart-Grid Control Software Maker Hacked

← Back to Stories (view on slashdot.org)

Smart-Grid Control Software Maker Hacked

Posted by timothy on Thursday September 27, 2012 @09:52AM from the 21-scadoo dept.

tsu doh nimh writes "Telvent, a multinational company whose software and services are used to remotely administer and monitor large sections of the energy and gas industries, began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Brian Krebs reports that the attacker(s) installed malicious software and stole project files related to one of Telvent's core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced 'smart grid' technologies. A follow-up story from Wired.com got confirmation from Telvent, and includes speculation from experts that the 'project files' could be used to sabotage systems. 'Some project files contain the "recipe" for the operations of a customer, describing calculations and frequencies at which systems run or when they should be turned on or off. If you're going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation. Then you modify the project file and load it, and they're not running what they think they're running.'"

23 of 96 comments (clear)

Min score:

Reason:

Sort:

Obvious what this is. by Anonymous Coward · 2012-09-27 10:03 · Score: 5, Funny

The attackers will produce a cascading failure in the electrical grid that brings down the entire North American power grid. A few additional well timed physical attacks, and we're back to the bronze age for the foreseeable future. Food stocks will quickly run down, as will supplies of petrol. The government will attempt to exert control, but without food and as the situation deteriorates, most of the soldiers will go AWOL to try to get home to help family. Soon, the dying begins. Roving bands of robbers gradually coalesce into gangs ruled by small time warlords, and eventually regional rulers who hoard the remaining food, fuel, and ammo. The few isolated people who planned ahead and who have escaped into their countryside shelters are systematically hunted down, plundered, and given the option to swear fealty to the new regime or be dispatched. Huge fires sweep through most large cities and pollute the atmosphere with soot. Winter soon sets in early due to the reduced sunlight penetrating the atmosphere, and is the harshest one in generations. Eventually, as the winter ends and spring sets in, over 75% of the population is either dead or close to it. Suddenly, armies of foreign soldiers appear at our shores, and before long all of the remaining Americans are conscripted and forced to farm the still fertile fields of America's breadbasket for meager rations, which is still better than starvation and death.
1. Re:Obvious what this is. by localman57 · 2012-09-27 10:20 · Score: 3, Interesting
  
  The attackers will produce a cascading failure in the electrical grid that brings down the entire North American power grid.
  
  Frankly, I'm surprised we haven't had this happen already. It always blows my mind when there's some massive cascading power failure across mulitple states, and people are somehow relieved that it wasn't terrorism. Just a normal failure. How the fuck is a system that just collapses all by itself better than one that has to be pushed to collapse?
  
  It seems to me that instead of fucking around with underware bombs and shit, our enemies might get a lot better cost return with some iron spikes, aluminum wire, and some helium filled weather balloons. Giant transmission lines in the middle of the desert are virtually impossible to defend, and are already stressed to the breaking point when it's hot across the nation. All they need is a little push...no complicated cyber-hacker-shit required.
2. Re:Obvious what this is. by Columcille · 2012-09-27 10:49 · Score: 3, Funny
  
  And someone will make some lame tv show about the whole thing.
  
  --
  I love my sig.
Are 'smart' meters mandatory? by fustakrakich · 2012-09-27 10:03 · Score: 2

Sure hope not. I mean, does every goddamn thing need to be computerized?

--
“He’s not deformed, he’s just drunk!”
1. Re:Are 'smart' meters mandatory? by brianhaddock · 2012-09-27 10:12 · Score: 5, Informative
  
  Lots of utilities are rolling them out right now and big companies who want to keep an eye on their usage patterns demand them. Remember when they used to hand read meters? The guy would open the gate, dodge your barking dog, and write down the meter reading in his little book. Then they moved some to radio transmitting meters where a utility truck simply drove down your street and recorded the readings that were transmitted from each meter. Now they have meters that communicate wirelessly and send the readings to the utility company in at intervals.
2. Re:Are 'smart' meters mandatory? by Spy+Handler · 2012-09-27 10:13 · Score: 4, Interesting
  
  Yes because computerizing stuff increases efficiency. Look under the hood of your car, all those chips and sensors are helping your engine make a lot more horsepower for the same amount of fuel than engines from 30 years ago. (Or, same amount of power for less fuel consumption)
  What we should really be asking is, does everything need to connect to the internet? And is enabling USB ports on critical systems so that workers can bring infected USB stick from home to bridge an air gap a good idea?
3. Re:Are 'smart' meters mandatory? by localman57 · 2012-09-27 10:15 · Score: 2
  
  Sure hope not. I mean, does every goddamn thing need to be computerized?
  Computers make things more efficient. Which means you can consume more for the same price. If it weren't for the computers, people would have to get by on less. And if there's one thing people hate more than computers, it's getting by on less. So you get what we got right here. Which is the way we want it. Well, we get it. And I don't like it any more than you men.
4. Re:Are 'smart' meters mandatory? by Dunbal · 2012-09-27 10:23 · Score: 3, Insightful
  
  Tell me how efficient they are when the whole grid goes down.
  
  --
  Seven puppies were harmed during the making of this post.
5. Re:Are 'smart' meters mandatory? by TWX · 2012-09-27 10:35 · Score: 3, Insightful
  
  Computers only make things more efficient when the systems architects know how to do their jobs effectively and don't rely on vendors and consultants to do it for them. It's not in the interests of vendors or consultants to save their customer money. It's in their interests to make as much money from the customer as practical, and that can mean everything from selling them equipment that's overspec to selling far more equipment than necessary to excessive costs for setup and configuration that are difficult to determine at the outset of the project.
  
  As problematic as our telephone system has been at times, at least from a bureaucracy standpoint, that Bell did basic research and development in-house and for a long time owned almost everything internally, advances were made and the system functioned very well. The Baby Bells have inherited this legacy, and the biggest cracks have only manifested as they've each independently implemented technologies post-Ma-Bell, like DSL.
  
  If you've had to work with vendors extensively you'd realize what a bane it can be to actually achieving, especially when non-technical persons have the ultimate decision in your organization.
  
  --
  Do not look into laser with remaining eye.
6. Re:Are 'smart' meters mandatory? by Ichijo · 2012-09-27 10:57 · Score: 2
  
  Tell me how efficient they are when the whole grid goes down.
  
  100%.
  
  --
  Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
Re:Is anyone surprised? by localman57 · 2012-09-27 10:26 · Score: 4, Funny

What's a bantex ass mart meter? I don't want to click it and find out, because I'm fearful it's probably NSFW....
Re:Yep, better be the last nail in the coffin.. by TWX · 2012-09-27 10:29 · Score: 3, Informative

If they come out to change the meter housing you really won't have a choice. You realize this, right?

It's either smart meter or else no service.

--
Do not look into laser with remaining eye.
Re:Yep, better be the last nail in the coffin.. by Beardo+the+Bearded · 2012-09-27 10:41 · Score: 4, Funny

I love my smart meter. My electric bill is half what it used to be.
Of course, that was after I installed my own software on it, but hey, fuck em they're a power company.

--

---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
This is a Good Example by chill · 2012-09-27 10:49 · Score: 4, Insightful

This is a good example of why the gov't is worried about cyber security for critical infrastructure. Just like there are minimum standards for building and fire safety there needs to be minimum standards for IT infrastructure security.

--
Learning HOW to think is more important than learning WHAT to think.
1. Re:This is a Good Example by kiwimate · 2012-09-27 13:15 · Score: 2
  
  Err, not saying that I agree or disagree, but wasn't there a story on these hallowed pages yesterday saying exactly the opposite?
Inigo Montoya by guttentag · 2012-09-27 10:49 · Score: 4, Funny

...investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain... and they're not running what they think they're running.
Sounds like they need a modern-day Inigo Montoya to do their security: <SPANISH ACCENT>"You keep using that software, I do not think you're running what you think you are running."</SPANISH ACCENT> And if the worst happens, he can exact revenge: "Hello. My name is Inigo Montoya. You killed my power grid during a level 85 raid. Prepare to die."
smart grid, stupid access and control sw by swschrad · 2012-09-27 11:08 · Score: 4, Insightful

YOU. DO. NOT. CONNECT. VITAL. INFRASTRUCTURE. TO. THE. INTERNET.
fucking idiots.
guess we better learn to live in the dark again, because these fools and the power companies they blather money out of will put us there yet.

--
if this is supposed to be a new economy, how come they still want my old fashioned money?
1. Re:smart grid, stupid access and control sw by Shoten · 2012-09-27 12:53 · Score: 4, Informative
  
  YOU. HAVE. NO. CHOICE.
  Telvent is the world's leader in what's known as "ADMS" systems. Advanced Distribution Management Systems. This is, for lack of a better way to put it, the "Smart" in "Smart Grid." By definition, it requires broad and extensive connectivity with many other systems.
  In the old days, power plants...a few big ones...made power. And that power kind of spread outwards in straight lines to substations, and then to homes/businesses/etc. Well, now, smart grid is going into place. So you get more information from the homes/businesses/etc about what power they are using, and you will have more sources...small sources...of power all over the place. The power grid will look more like the Internet...interlaced, routable, managed. But you need a monolithic "God System" to keep track of what's going on, and control the changes that need to be made. Examples of systems that ADMS ties into are AMI, where the connectivity indirectly extends out to literally millions of collectors and meters attached to homes, to wind farms, to solar farms, to hydroelectric turbines, to coal-powered generation facility, and to CT (combustion turbine) generators. Oh, also...substations, protective relay systems...I think I'm forgetting some. Oh! I forgot...your local Balancing Authority, who is responsible for the stability of the larger power grid.
  So yeah...this whole "Oh, you just need to air gap it because it's a control system" is ignorant. That hasn't been realistic in the power industry for about a decade now. Before you call a whole industry "fools," maybe you should first learn about how the industry functions, hm?
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
2. Re:smart grid, stupid access and control sw by sjames · 2012-09-27 15:22 · Score: 2
  
  YES. YOU. DO.
  All of that calls for a network, but none of it requires the INTERnet. It is a CHOICE (a bad one) To expose that network to the internet.
3. Re:smart grid, stupid access and control sw by Shoten · 2012-09-27 15:48 · Score: 3, Insightful
  
  Actually, it does require the Internet.
  Balancing Authority interconnectivity, for example...that's a whole other organization. You think people run dedicated lines that are, in some cases, hundreds of miles long? When you're talking about the really big ones, like WECC, you could be talking about a thousand miles of distance between the ADMS/EMS systems and the Balancing Authority. And the link needs to be reliable. So nope, not an option. If the utility is in a market that permits energy trading, then you also need other interconnections..again, over long distances, and that means the Internet all over again. I do security in the power industry for a living...these systems are never put just on the Internet at a power company, but it's always just a couple of hops away. And nation-state attackers have little trouble hopscotching their way through to the target. The problem isn't the connectivity, it's the lack of good patch management/antimalware/security monitoring systems and processes. And that's pretty much what the problem is when it comes to most breaches.
  Look into the following acronyms, and keep digging. After a week of it, you might understand this better.
  NERC
  ERCOT
  PJM
  WECC
  ERO
  NERC-BAL
  NERC-CIP
  NERC-PRC
  NERC-EOP
  ISA99
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
4. Re:smart grid, stupid access and control sw by sjames · 2012-09-27 16:43 · Score: 2
  
  We had a power grid before the internet existed, therefor we can have a power grid without connecting it to the internet.
5. Re:smart grid, stupid access and control sw by sjames · 2012-09-27 17:58 · Score: 2
  
  Backfeeding has been done for a long time in some areas. We would be better off if we would actually overbuild a bit more. There is a great deal of dark fiber out there. You can gather data FROM a control net to the internet using a one way serial connection. The danger lies in allowing commands to flow from the internet to the control network.
  You make it sound like the entire grid has been on the internet for all of living memory. The fact is it has run just fine without it until very recently. It isn't even all connected now.
Re:Still no reason for putting idiots on the job by optimus2861 · 2012-09-28 00:28 · Score: 2

Sensors that spit out text? Who in their right mind would want that?
Ignorant IT people who think they know better than control engineers how to design & operate control systems. The rant about OPC was beautiful, in its own ignorant way, and completely exposes the GP as someone who's probably never seen a control system in his life, probably never will see one, and wouldn't have the first clue how to program, troubleshoot, or maintain it.
There's historically been a certain amount of tension between control engineers and IT folks for that very reason; the smartest IT folks are the ones who ask the control engineers what they need to do their jobs, provide it, then stay the hell out of our way. The rest make our blood boil.