Slashdot Mirror

← Back to Stories (view on slashdot.org)

Feds Offer $20M For Critical Open Source Energy Network Cybersecurity Tools

Posted by samzenpus on from the won't-somebody-please-think-of-the-energy-supply? dept.

coondoggie writes "The US Department of Energy today said it would spend $20 million on the development of advanced cybersecurity tools to help protect the nation's vulnerable energy supply. The DOE technologies developed under this program should be interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."

7 of 56 comments (clear)

  1. wire cutters by Anonymous Coward · · Score: 3, Insightful

    easy - a pair of wire cutters and firing of those responsible for hooking up naively coded devices to untrusted networks.

  2. 20 million government project? by trdtaylor · · Score: 5, Funny

    "interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."

    Choose two.

  3. Re:Hmm... I can do this for a fraction of the cost by stewsters · · Score: 3, Funny

    The quantity drop down only goes to 30. We are going to need a few more if we are going to secure our infrastructure in a timely manner.

  4. Gov't Response by alostpacket · · Score: 4, Funny

    1) Interoperable
    2) Scalable
    2a) Cost-effective
    2b) Advanced
    2c) Does not impeded critical energy functions
    2d) Innovative
    2e) I.) Easily commercialized
    2e) II.) Or, made available through open source
    2d) No cost.

    Per your request ID (#42865935), we have met your requirements and expect work to implement the product to commence immediately.

    Cordially ruling in your best interest,
    - The Government

    (at least now we know what "step 2) ????" is)

    --
    PocketPermissions Android Permission Guide
  5. Re:Hmm... I can do this for a fraction of the cost by Art+Challenor · · Score: 3, Insightful

    Comments of the type "just don't connect to the Internet" are a little short-sighted. Much of the energy, water, wastewater, etc. etc. infrastructure is remote. Think substations, liftstations, pumpstations, smart switches, etc. etc. For some of these a dedicated network may make sense, but there's a huge cost saving in using the existing networking buildout, ie the Internet, to monitor and indeed control these types of facilities. Many of these are small, a controller, something that does something (pump, switch, whatever) and a small amount of monitoring.

    Securing this IS a challenge, espeically since the vast majority of the equipment used in these facility was (and continues to be) designed with no inherent security, but having someone drive to a remote facility to check it, or install an end-to-end custom network is a much bigger project and is simply not possible - taxpayer would (rightly) object to the cost.

    There are many other situation where there is a solid "business case" for having an asset connected to the Internet, remote maintenance, tracking, etc. Not necessarily as critical, but would still benefit from a secure solution.

  6. Re:Silver Bullet Bargain by bill_mcgonigle · · Score: 3, Informative

    These guys are asking for the silver bullet to solve any cyber security problem in any system from any threat. The reward:, a measly 20 million.

    It's a government contract - you don't actually have to deliver. /snark

    But, yeah, for $20M my company could coordinate one hell of a automated crypto system (hardware & software) to layer on top of SCADA gear that would protect it from unauthorized use and of course it would be open source. I can think of a dozen grants that need to happen immediately on various open source networking and crypto software packages to make them better suited for the task. It would not be perfect (it cannot be) but it would be tremendously better than the status quo and it would all be free for deployment on commodity hardware or from an ecosystem of willing cooperators.

    The trouble is, the requirements for government contracting self-select for companies that can't even do the paperwork for less than $20M.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  7. Two Words: Air Gap by rsagris · · Score: 3, Insightful

    Seriously: water, power, and other critical utility infrastructure providers are not a low density/low volume market. There are large enough economies of scale such that there should really be no discussion here. There should be a separate physical network for these industries.

    Air gap the network, heck, develop and mandate totally new hardware interconnects to ensure some moronic PHM or more likely brain dead network admin isn't physically capable of connecting COTS hardware to SCADA hardware.

    There is absolutely no reason for any of this stuff to be directly accessible to the public internet, the utility provider can very well have some data diode http://en.wikipedia.org/wiki/Unidirectional_network/ to provide metering information on the public internet side, but there absolutely should be no bidirectional links between the command and control network and the public internet

    There would be no astronomically expensive software validation necessary if these industries were mandated to require Hardware level compartmentalization, which funnily enough a custom hardware solution would be orders of magnitude cheaper and deployable now rather than some pie in the sky (never going to happen) software based solution that the "Tube" worshiping ludites in Washington think can actually be created

    -RS