Utilities Racing To Secure Electric Grid

← Back to Stories (view on slashdot.org)

Utilities Racing To Secure Electric Grid

Posted by Soulskill on Tuesday February 19, 2013 @11:59AM from the shouldn't-they-have-done-this-5-years-ago dept.

FreeMichael61 writes "In the latest episode of Spy vs. Spy, China rejects accusations it's hacking U.S. companies to steal IP or bring down the grid. But there's no doubt the grid can be hacked, CIO Journal's Steve Rosenbush and Rachael King report. Industrial control networks are supposed to be protected from the Internet by an air gap that, it turns out, is largely theoretical. Internal security is often lax, laptops and other devices are frequently moved between corporate networks and control networks, and some SCADA systems are still directly connected to the internet. What security standards actually exist are out of date and don't cover enough, and corporations often use questionable supply chains because they are cheaper."

113 comments

Min score:

Reason:

Sort:

Best Nerdcore Band Name Ever by Jah-Wren+Ryel · 2013-02-19 12:00 · Score: 3, Funny

Theoretical Air Gap!

--
When information is power, privacy is freedom.
1. Re:Best Nerdcore Band Name Ever by ColdWetDog · 2013-02-19 12:25 · Score: 3, Funny
  
  Well, I, uh, don't think it's quite fair to condemn a whole program because of a single slip-up, sir.
  
  --
  Faster! Faster! Faster would be better!
2. Re:Best Nerdcore Band Name Ever by Ol+Biscuitbarrel · 2013-02-19 13:20 · Score: 2
  
  Thank you, General Turgidson, that will be all.
it always baffles me by gTsiros · 2013-02-19 12:07 · Score: 5, Insightful

... why are mission critical devices connected to the internet
sure we know that the weakest link is the meatware, not the hardware, but still...

--
Looking for people to chat about multicopters, coding, music. skype: gtsiros
1. Re:it always baffles me by Anonymous Coward · 2013-02-19 12:25 · Score: 1
  
  TFA answered this. It stated:
  "The production systems are supposed to be kept off line... so they aren’t vulnerable to viruses distributed via the Internet." followed by, "...these air gaps can be hopped if the two systems use common computer peripherals such as... USB sticks..."
  He is saying not connecting these to the internet is not enough.
2. Re:it always baffles me by Beardo+the+Bearded · 2013-02-19 12:38 · Score: 5, Interesting
  
  They aren't supposed to be online, no. What you have though is the desire to do remote monitoring. One of the SCADA systems I used had an email module so you could get an email when things got all fucked up. That's a super awesome feature to have on a mission critical device.
  "Hey, Beardo, it's Loader 1. Probably nothing to worry about, but sensors picked up a fluctuation in the output. Last time this happened the system crashed hard. Yeah, I know you're in a movie. Come check on meeee."
  Now if this was up to me, and I know it's not, I'd build that module with an optoelectronic relay so it can send messages but be physically incapable of receiving them. Of course that does limit the usefulness, I can't send back messages, but I could call the place and let the night crew know there's a problem (if they aren't already aware) and how to mediate it.
  
  --
  
  ---
  ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
3. Re:it always baffles me by Puff_Of_Hot_Air · 2013-02-19 12:47 · Score: 4, Informative
  
  ... why are mission critical devices connected to the internet
  sure we know that the weakest link is the meatware, not the hardware, but still...
  They aren't, at least, not directly. They are however generally connected at various points to the "business" network which is connected to the Internet (people gotta email). The literal air gap is largely fiction. The business network is hacked, then some vulnerability exploited in the bridge points or routers (it's a network of networks!). Why connect the SCADA to the business network at all? To get the data out to do reports, send email alarms etc. in theory this data exporting should be secure. Problem is that who is hacking your SCADA system? It's not the usual suspects; there is no money in it and the barrier of entry is too high for the script kiddies. It's other countries wanting to perform espionage. How the hell do you protect against that? Look at stuxnet, I mean really look at how that took down the centrifuges. Governments have resources that the average hacking group simply doesn't (or SCADA group). They also have no reason to reveal a compromised system. There could be sleeper, targeted, custom malware sitting on every SCADA server in the US, just waiting for the a time where it will be useful to activate. It's a brave new world!
4. Re:it always baffles me by gTsiros · 2013-02-19 12:48 · Score: 1
  
  fair enough... ... no connectivity either, or at least tightly controlled connectivity.
  
  --
  Looking for people to chat about multicopters, coding, music. skype: gtsiros
5. Re:it always baffles me by dave562 · 2013-02-19 14:07 · Score: 3, Interesting
  
  If the SCADA system is architected properly, remote monitoring is done via a Historian server that does not have the ability to affect the control systems.
  I helped setup a Honeywell system to run a power plant in central California. My job was to architect the network piece of it. The hardware itself was completely mirrored in a typical master / slave relationship so that if the master failed, the slave was completely synchronized and could pick up the load.
  There was a hardware firewall in between the production network and the Historian. The connection between the two was one way so that the it could report historical data for reporting purposes.
  The corporate network connected to the historian via an IPSEC/AES-256 VPN connection. The switch fabric was redundant and the firewall used dual-homed, active/passive connections to mitigate against the potential of a switch failure.
6. Re:it always baffles me by UltraZelda64 · 2013-02-19 14:19 · Score: 1
  
  The question then becomes: Why the hell are mission-critical systems connected to business networks that are themselves connected to the Internet? Surely the government could quit blowing our taxes on dumb, pointless shit for just long enough to get any hardware and technicians required to completely segregate these critical systems from any "business" network that may be connected to the Internet or vulnerable to malware hopping from some employee's USB flash stick? The idea that such critical systems could be exposed to such malware is disturbing... what business does anyone have plugging some random USB drive into a mission-critical system? Why are these systems not protected better in the first place?
7. Re:it always baffles me by drinkypoo · 2013-02-19 14:24 · Score: 3
  
  There was a hardware firewall in between the production network and the Historian. The connection between the two was one way so that the it could report historical data for reporting purposes.
  What I'm seeing you say is what I'd like to hear, but unfortunately what I'm reading is you were depending on a piece of software on a firewall to be vulnerability-free in order to provide your one-way communications.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
8. Re:it always baffles me by dave562 · 2013-02-19 14:30 · Score: 1
  
  I am relying on the firewall. If someone is hacking a Cisco ASA that is set to default deny, I have bigger problems.
9. Re:it always baffles me by cheater512 · 2013-02-19 15:15 · Score: 1
  
  Even easier. Pull out a RS232 cable to run between a internet connected computer and the SCADA system.
  You can still send detailed alerts and possibly even remotely monitor the site. Just keep it read only and use a teeny tiny bit of quality code and its safe.
  Its using stuff like IP which is the stupid part.
10. Re:it always baffles me by simishag · 2013-02-19 15:44 · Score: 1
  
  I can appreciate your sentiment, but I think it's wishful thinking. We can certainly argue that these devices SHOULD not be connected to the Internet, but the simple fact is that a great deal of them ARE connected, and many that are not "intended" to be connected will end up connected, and those systems need to be designed with that possibility in mind. They are currently designed with no more security than my pull-start lawn mower.
11. Re:it always baffles me by aaarrrgggh · 2013-02-19 17:22 · Score: 1
  
  The alternative to a SCADA system is basically a bunch of stand-alone PLCs. They are heavily used for sub-process control (black-box control), and also for validating the proper operation of the SCADA system. But, to think you can do everything a modern SCADA system does with hard-wired PLCs is disingenuous. The controls become the network.
  It all comes down to economics. You can make a system extremely robust, but you have to start from the smallest component which increases cost by an order of magnitude. How do you protect against a rogue wireless modem in the system? You can fairly easily limit what systems the modem could impact by compartmentalizing dumb serial links that it could attach to without being detected by network equipment, but if it can spoof the right IO there is a good chance it can impact system functionality. Things like modbus just never were designed for security; even some of the more "secure" protocols aren't a dramatic improvement, and they are often not available for all equipment.
12. Re:it always baffles me by Anonymous Coward · 2013-02-19 17:22 · Score: 0
  
  I've worked in many private data centers and it's extremely common to encounter people with physical access to the racks setting up rogue wi-fi networks linked into the most convenient point available thus creating a vulnerability.
13. Re:it always baffles me by Nefarious+Wheel · 2013-02-19 17:30 · Score: 1
  
  TFA answered this. It stated:
  "The production systems are supposed to be kept off line... so they aren’t vulnerable to viruses distributed via the Internet." followed by, "...these air gaps can be hopped if the two systems use common computer peripherals such as... USB sticks..."
  He is saying not connecting these to the internet is not enough.
  It's amazing what security enhancements can be made with a little dollop of silicone glue.
  "Bit o' Silastic in the USB port when you're finished, George..."
  
  --
  Do not mock my vision of impractical footwear
14. Re:it always baffles me by UltraZelda64 · 2013-02-19 17:42 · Score: 1
  
  Like I said, if the government would just quit wasting our tax dollars, the cost would really not be much of a problem. Just look at all the money going into funding a massively failed drug war and an overpopulated prison system, and the money that goes into funding recycling worthless things like plastic and paper. Not to mention our outsourcing of... well, almost everything, out to places like China. And does the government care? Nah... doesn't seem like it. They're only just now starting to open up to the whole cannabis thing... who knows, maybe one day U.S. farmers will once again be allowed to grow "Hemp for Victory" on American soil instead of importing fibers of the crop from China.
15. Re:it always baffles me by west · 2013-02-19 17:43 · Score: 2
  
  ... why are mission critical devices connected to the internet
  Because being connected to the internet saves a *lot* of money. Instead of having to have an entire emergency team on site at all hours, you can get away with a minimal team at nights/weekends, and workers who can, in an emergency, connect from home.
  It takes a very capable manager who can persuade the higher ups that its necessary to continue spending a few millions dollars in wage costs every year to avoid what (at least until very recently) seemed to be a very illusionary threat. Besides, surely with a few precautions like multi-factor authentication, there's no possible way that anyone could break in :-).
  Note, it's even harder if you're bidding for contracts. Try telling prospective clients that the reason your prices are double are because you refuse to enter the Internet age... Especially when those you are bidding against are assuring the customer that they're taking all the necessary precautions.
  It's a sad fact of life that it's rarely worthwhile to spend a lot of money to protect against rare disasters if your competitors aren't doing the same. (Note, normal disaster planning adds a few percent to cost - we're talking about making yourself bullet proof, which may double or triple your costs.) The odds are fairly high that with much higher costs, you'll be bankrupt before the disaster hits, and moreover, if all your competitors are being hit by the same disaster, the general sentiment becomes "no-one could have predicted it" and everyone keeps their jobs anyway.
16. Re:it always baffles me by Anonymous Coward · 2013-02-19 18:11 · Score: 0
  
  Exactly, the guy above is relying on complicated hardware that he assumes is okay. An rs232 with only the TX line connected was all that was needed but he had thousands of dollars worth of hackable cisco goodies.
17. Re:it always baffles me by blackraven14250 · 2013-02-19 18:19 · Score: 2
  
  They're not government owned in the US...
18. Re:it always baffles me by Redmancometh · 2013-02-19 18:27 · Score: 2
  
  "thanks george now we need to order an $800 EROM everytime to update firmware on our PLCs"
19. Re:it always baffles me by Redmancometh · 2013-02-19 18:31 · Score: 1
  
  There is always the physical layer.
20. Re:it always baffles me by nazsco · 2013-02-19 19:03 · Score: 1, Informative
  
  Cut the crap.
  Thereare millions of mission critical things that are online for good reasons.
  Just do it right.
  Assuming,you don't have to do it right,because there's a air gap or anything else the sales guy would say when explaining why you don't have to hire an expensive network security guy will just get you in trouble.
  It's like trusting a car salesman that this car is cheaper because it uses full synthetic oil so you never have to change it again.
21. Re:it always baffles me by firewrought · 2013-02-19 19:11 · Score: 3, Insightful
  
  Why the hell are mission-critical systems connected to business networks that are themselves connected to the Internet?
  Because the functioning of the business relies integrally on both.
  Look... I sympathize with the "air gap" argument, but it's not the mid-90's anymore. Business has been transformed by the ability to connect industrial systems with centralized command centers with payment systems with other companies. It's not for execs to have bullshit ipad dashboards... it's for the business to make operational decisions that will take effect in the upcoming hours/minutes/seconds, to meet contractual and legal obligations, to feed customer- and billing-related systems (no point in running a business if you can't cut a bill, eh?).
  The world's not going back... VPN's, firewalls, segregated networks, etc., etc., but "air gap" won't do it anymore. Data is the lifeblood of business.
  
  --
  -1, Too Many Layers Of Abstraction
22. Re:it always baffles me by AmiMoJo · 2013-02-19 20:35 · Score: 1
  
  Would be better if it just said "loader on fire".
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
23. Re:it always baffles me by Anonymous Coward · 2013-02-19 22:24 · Score: 0
  
  Silly rabbit, nobody updates the firmware on their PLCs. :)
24. Re:it always baffles me by thegarbz · 2013-02-19 23:46 · Score: 1
  
  They aren't, at least, not directly.
  In some cases they actually are, though strictly speaking it's more of a VPN type system. The lines between SCADA, PLC, DCS, etc are extremely blurred these days. You'll find a large portion of SCADA systems aren't actually SCADA at all but rather remotely controlled and managed control systems. They rely a lot of security by obscurity.
  I work at a plant where we control several devices via SHDSL links. The modems have internet facing IP addresses and are connected to a SCADA system at one end and to our distributed control system via a firewall at the other end and speak DNP3 over IP. This protocol like many others has security features added as an afterthought. A DNS in theory should only affect our ability to control the pipeline in this case but I have a worse example too.
  A major operator of air plants around the world is widely known for not having staff on site actually run the plants. Sure the plants are manned but only for maintenance, a few manual duties, startups, and emergencies, but for the most part as soon as the plant has reached steady state the entire control of the plant is handed over to a team in a completely different country!. Again the network here is VPN but even a network encrypted at that layer is still susceptible to things like denial of service. Also god forbid someone with inside information decides to go on the offensive.
25. Re:it always baffles me by adolf · 2013-02-20 00:16 · Score: 1
  
  Without knowing anything at all about SCADA except that it is a thing (or group of things) that exists:
  Real, solid 1-way data connections are entirely possible. As a basic and slow example, RS-232 with only TXD and ground connected will only allow data to go in one direction.
  
  --
  Kid-proof tablet..
26. Re:it always baffles me by Anonymous Coward · 2013-02-20 00:59 · Score: 0
  
  Printers to the rescue! Communist countries have no idea how wasteful and inefficient we can all be, they'll never see it coming.
27. Re:it always baffles me by Taibhsear · 2013-02-20 03:11 · Score: 1
  
  Or they could just use, oh I don't know... let's say some other sort of dedicated communication device. We could call it a "telephone."
28. Re:it always baffles me by jadv · 2013-02-20 03:39 · Score: 1
  
  Yep, USB devices. That's how the Stuxnet virus is believed to have reached its intended targets. Not because a PLC was carelessly connected to Facebook, but through infected thumb drives.
29. Re:it always baffles me by jadv · 2013-02-20 03:47 · Score: 1
  
  I agree with the parent poster. At some point you have to stop needing to have everything under your control and start relying on third-party suppliers. Or did you build your own car instead of buying one because you were afraid that the brakes might have a manufacturing flaw?
30. Re:it always baffles me by Beardo+the+Bearded · 2013-02-20 04:54 · Score: 1
  
  I've done those too. Hooked up an output signal to an autodialler to call myself.
  "Hey Beardo, that loader is all fucked up again. Pick up bananas on the way home."
  The only downside is you can't get data on the fly, just a generic error.
  
  --
  
  ---
  ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
31. Re:it always baffles me by BVis · 2013-02-20 05:06 · Score: 1
  
  Just do it right.
  There are millions of IT folks that would love to do that, but, inexplicably, they are not the people who make the decisions as to what technology to use. Those decisions are frequently made by MBAs/C-level morons who haven't seen a line of code in twenty years, or by the bean counters in Accounting who can barely open Excel. The IT folks just have to clean up after the tremendously bad decision-making that is a result.
  
  It's like trusting a car salesman that this car is cheaper because it uses full synthetic oil so you never have to change it again.
  Not exactly. It's more like trusting your boss to pick out the car you're going to pay for when he plays golf/drinks with/is a frat brother of the car salesman, or he thinks he knows better than you want car you want, despite ignoring what you've asked for (so you end up with a Corolla instead of the Sienna you need to cart around your three kids and two dogs), or just buys whatever is cheapest.
  
  --
  Never underestimate the power of stupid people in large groups.
32. Re:it always baffles me by drinkypoo · 2013-02-20 05:56 · Score: 1
  
  Real, solid 1-way data connections are entirely possible. As a basic and slow example, RS-232 with only TXD and ground connected will only allow data to go in one direction.
  Yes, this is precisely the line along which I am thinking. This is an interface that, barring strange quirks in the serial driver, you're not going to be hacked through. When someone says "it's got a one-way network connection" I say "bullshit". If they say it's got a one-way serial connection or something like that, I can buy that. Even then it's not impossible, merely astronomically improbable that someone can successfully pull off an attack through that channel. And if all you have is the TX connected to the logger's RX and a ground line (as you say) and no handshaking lines or anything, you would almost certainly have to directly mount a hardware attack before you had a chance of affecting anything whatsoever.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
33. Re:it always baffles me by cusco · 2013-02-20 08:37 · Score: 1
  
  That's fine, until the device that you need to monitor is 27 miles away. Even RS-485 is only good for 4000 feet. Frequently the operator will have to decide that since Input 01 and 03 are live but 02, 04 and 05 are not they need to trip Relay 1F, and the whole mess is located at a power dam that's an hour's drive away and has been snowbound for the last three months (real world example, BTW). One-way comms aren't enough for SCADA, and certainly not serial comms.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
34. Re:it always baffles me by cusco · 2013-02-20 08:39 · Score: 1
  
  Fine, and how do you open the spillway on a dam that's inaccessible because of flooded roads if you only have one-way comms? SCADA systems aren't just for monitoring, operators need to react to that data as well.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
35. Re:it always baffles me by cheater512 · 2013-02-20 09:34 · Score: 1
  
  TX isn't necessarily bad with a serial line either for situations that require it.
  You just need a decent chunk of good code to authenticate everything and validate it.
  Plugging it directly in to the internet isn't the right solution pretty much ever.
  Mind you thats only slightly worse than a serial line with dodgy code controlling it.
36. Re:it always baffles me by cusco · 2013-02-20 10:11 · Score: 1
  
  Of course you don't want to plug it into the Internet, but one-way comms aren't anything like an adequate answer either. Serial connections are only good for short distances, even RS-485 only reaches out to 4000 feet. When the relays that you need to be controlling might be in the next county or the next state that's just not going to cut it. I don't think you understand how these systems are used.
  
  The SCADA system that I have been most exposed to covered an entire very large county's utility district. Power dam, water distribution, power generation stations, potable water treatment system, electrical substations, radio towers, microwave relay stations, certain gates, spillways, a fish ladder, intrusion alarms, and backup generators just to start. Monitoring several thousand inputs, with the capability to trigger several hundred outputs, some of which started PLCs on fairly complex independent actions. THAT'S what SCADA systems do.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
37. Re:it always baffles me by cusco · 2013-02-20 10:16 · Score: 1
  
  Why in the world do you think 1) the private corporations that run our energy infrastructure should get our tax dollars to fix their security issues, or 2) the private corporations that run our energy infrastructure would allow new laws to enforce security to be passed? Even if 2) happens, who is going to enforce it?
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
38. Re:it always baffles me by cheater512 · 2013-02-20 10:22 · Score: 1
  
  Erm you can connect the serial to the internet or private internal network or VPN.
  The point of the serial connection is to limit the attack area.
  No ports, no other services running, nothing excessive which isn't needed to communicate the raw data.
  That was my point.
39. Re:it always baffles me by Jah-Wren+Ryel · 2013-02-20 12:41 · Score: 1
  
  That's fine, until the device that you need to monitor is 27 miles away. Even RS-485 is only good for 4000 feet.
  There are optical data-diodes (yes that is basically the industry term for a hardware unidirectional network connection).
  
  the whole mess is located at a power dam that's an hour's drive away and has been snowbound for the last three months (real world example, BTW).
  Most plants are going to manned. Which makes a manually-enabled 2-way network an option. Only pjhysically power it on for maintenance with a VPN and you've narrowed the vulnerability window down to practically nothing.
  
  --
  When information is power, privacy is freedom.
40. Re:it always baffles me by cusco · 2013-02-20 15:27 · Score: 1
  
  Most plants are going to manned.
  
  Huh? Where? Not in North America.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
41. Re:it always baffles me by dave562 · 2013-02-22 07:39 · Score: 1
  
  Show me someone hacking through a default deny policy on a Cisco ASA and I will start to worry. Until then, this is going into the "mountains out of molehills" category.
  The other side of the connection (the remote monitoring side, not the SCADA side) is a VPN tunnel with a single IP endpoint and a policy that only allows it to connect to the historian server. So first you'd have to hack the VPN concentrator and convince it to allow you to route traffic to a host that is not defined by the policy, and then you have to hack the ASA to convince it to pass traffic in the wrong direction against a rule explicitly defined to deny that exact behavior. And before you can do that, you have to MitM the WAN connection and convince it that you are the one IP address that is allowed to establish the other side of an IPsec/AES256/SHA tunnel. Because of course you already have the 32 character, randomly generated pre-shared key, right?
Fuck off by Anonymous Coward · 2013-02-19 12:11 · Score: 0, Troll

We get it. We're all in imminent danger. Fuck off already. These shitty fear mongering articles don't even contain any interesting technical information.
1. Re:Fuck off by fustakrakich · 2013-02-19 12:44 · Score: 0, Offtopic
  
  You shouldn't have been modded down. Fear mongering has become very big business in our Post 9/11 World
  
  --
  “He’s not deformed, he’s just drunk!”
2. Re: Fuck off by gTsiros · 2013-02-19 13:00 · Score: 0
  
  he was downmodded for the attitude, not the information.
  if a person can't keep their cool during a discussion they annoy me. I suspect you don't see it very differently.
  
  --
  Looking for people to chat about multicopters, coding, music. skype: gtsiros
3. Re:Fuck off by Anonymous Coward · 2013-02-19 13:06 · Score: 2, Interesting
  
  Half of these articles don't even hide the fact that they're written and promoted by people that are looking for government money to secure infrastructure. Often it's even infrastructure that they own and that they're responsible for. One such person is even named in the first sentence of this article.
  We're all in danger! Quick better make some new laws, imprison a few more people, and find a hero that can protect us!
4. Re: Fuck off by fustakrakich · 2013-02-19 13:12 · Score: 0
  
  Considering the hysteria of the last decade and counting, I find the attitude refreshing. A lot of people need to fuck off, starting at the top.
  
  --
  “He’s not deformed, he’s just drunk!”
5. Re:Fuck off by fustakrakich · 2013-02-19 13:35 · Score: 1
  
  Well, yes, and apparently, telling them to fuck off is uncouth. Who'da thunk... I guess everybody out there is saying, "Just give 'em the money" Somehow that is more "civilized".
  
  --
  “He’s not deformed, he’s just drunk!”
China tries to crack everything, news at 11 by xiando · 2013-02-19 12:11 · Score: 4, Interesting

Anyone with a web-server will tell you that they are seeing dozens of penetration attempts daily, even right now. I also see this on my home ADSL line. I'm not saying the government there is doing it, but I do know that there is no other country which is attacking everything everywhere this aggressively. I don't have any web pages in Chinese and I wonder if I would be better off just using one of those iptables -j DROP lists who list all IPs in China.

--
9/11: Never forget it was a false-flag operation
1. Re:China tries to crack everything, news at 11 by OhANameWhatName · 2013-02-19 13:09 · Score: 2
  
  I'm not saying the government there is doing it, but I do know that there is no other country which is attacking everything everywhere this aggressively
  I'm not saying that you're contradicting yourself, but you're contradicting yourself.
2. Re:China tries to crack everything, news at 11 by Anonymous Coward · 2013-02-19 13:13 · Score: 0
  
  Yeah, IP's in thailand seemed to be hacking my machine when the great IE zero day flaw was out there. I remember getting cross about the fact that a lot of updates use update services that do not necessarily make it easy to understand if your machine is connecting to a rougue IP, or just an update server. Why can't it be made simple for people to see where there machine is connecting to (and a description of why it is connecting)?
  I can't help thinking that these flaws in OS's or software platforms need to be made more public and clear to people... that if they continue using it they will be vunerable to attack. At least you can disconnect from the internet and wait for updates before going back online. I mean people use computers for more financial purposes now, buying presents and gifts and grocerys. Waiting months or years to patch some expoit without telling the masses, seems to be negligent on behalf of the person responsible for the software.
3. Re:China tries to crack everything, news at 11 by drinkypoo · 2013-02-19 14:27 · Score: 0
  
  I'm not saying the government there is doing it, but I do know that there is no other country which is attacking everything everywhere this aggressively
  I'm not saying that you're contradicting yourself, but you're contradicting yourself.
  I'm not saying that your reading comprehension skills are for shit, but seriously?
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
4. Re:China tries to crack everything, news at 11 by OhANameWhatName · 2013-02-19 17:56 · Score: 1
  
  Arrgghhh, I hate having to explain myself.
  
  I'm not saying the government there is doing it
  You say that, and then immediately follow with this:
  
  there is no other country which is attacking everything everywhere this aggressively
  So either you're contradicting what you just said, you're attempting to imply that the mountains, rivers, fields and rocks of China are attacking other countries or you're drawing no distinction between the people living in China and the 'country' of China. And why would any given person in China be 'China'? Could I fairly categorize all Americans as bone-headed uneducated sloths with 150 TV channels who love their cousins and enjoy a good roadkill stew? .. all because some Americans are like that?
5. Re:China tries to crack everything, news at 11 by DamonHD · 2013-02-20 01:01 · Score: 1
  
  I've seen at least one attack per minute since I took my ISP on-line on the NSF-managed Internet ~1993 (in those days Chile and .vz were the main source IIRC) whenever I've looked. And I still get upwards of ~10,000 SPAM attempts on my mail accounts per day, at least when I could last be bothered to waste the CPU cycles and Flash write cycles to count them. Attacks across the Net are not new. I was the only UK ISP even attempting to protect my own systems with an firewall (which I wrote and we nominally made available http://www.exnet.com/ExFilter/ though I don't think we sold any) for quite some time...
  Rgds
  Damon
  
  --
  http://m.earth.org.uk/
6. Re:China tries to crack everything, news at 11 by Anonymous Coward · 2013-02-20 05:46 · Score: 0
  
  It's the new modus operandi of the "Great Firewall of China":
  1. Aggressively attack every web server in the world
  2. Sysadmins block any petition coming from China
  3. ???
  4. Profit
7. Re:China tries to crack everything, news at 11 by cusco · 2013-02-20 10:59 · Score: 1
  
  It's currently fashionable to blame the Chinese government for every attempted hack across the Internet these days, but people generally forget that "China" encompasses 1/4 of the world's population. That's a frack of a lot of individuals who might be carrying out their own attacks, and a heck of a lot more who haven't secured their computer (or the computers in their Internet cafe or grade school computer lab) and are participating in botnets. At least they're not blaming the phantasmagorical "army" of North Korean hackers any more.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
The best defence is interdependence by Baron_Yam · 2013-02-19 12:20 · Score: 2, Interesting

China benefits from a functional United States. So long as the benefits outweigh any prize that would remove them in the taking, Americans are fairly safe from Chinese attack.
1. Re:The best defence is interdependence by Anonymous Coward · 2013-02-19 12:53 · Score: 2, Interesting
  
  1: Does china control their military any better than the USSR did?
  2: Mapping out US electrical utilities is a big deal because if you want to disable your opponents energy infrastructure you need to know where all the substations are at. Those are far more vulnerable than the power stations themselves.
  3: Also there are trade secrets to acquire as well as contracts. If you know who they do business with, and you can copy their technology, then you can sell to those companies and make buko bucks doing so.
2. Re:The best defence is interdependence by kheldan · 2013-02-19 12:59 · Score: 2, Informative
  
  China benefits from a functional United States
  "Functional" is a very broad term. Everything could be "functional" and still be wired for demolition (in the virtual sense) at the push of a button halfway around the world, and furthermore laced with failsafes so that any attempt to tamper with it blows it all up in our faces. It could be that way right now and nobody knows it (or is telling us about it). Change the names around and think about it a moment: Someone infiltrates Iran's industrial control infrastructure in this way, and once it's completely irrevocable, issue what amounts to a blackmail notice. If it all worked as designed then Iran has no choice but to give in to any demands made, or have irrecovable damage done to their country. Now make this about the U.S. and China instead..
  
  ..oh, and here comes some dickheads modding me down to "-1, troll" or "-1, flamebait". Yeah, yeah, whatever.
  
  --
  Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
3. Re:The best defence is interdependence by drinkypoo · 2013-02-19 14:30 · Score: 1
  
  Mapping out electrical utilities is not a big deal, it is trivial. It is perfectly legal to drive around the country following power lines and they can find agents who blend in and can claim to be on vacation, looking for property or whatever. If there were a serious danger of attack on us via our infrastructure someone would have done it already because it is so very unprotected.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
4. Re:The best defence is interdependence by camperdave · 2013-02-19 14:49 · Score: 3, Informative
  
  Mapping out electrical utilities is not a big deal, it is trivial. It is perfectly legal to drive around the country following power lines and they can find agents who blend in and can claim to be on vacation, looking for property or whatever. If there were a serious danger of attack on us via our infrastructure someone would have done it already because it is so very unprotected.
  Drive around the country? Google Maps, my friend. You can follow power lines all over the place from the comfort of your living-room.
  
  --
  When our name is on the back of your car, we're behind you all the way!
5. Re:The best defence is interdependence by Anonymous Coward · 2013-02-19 16:15 · Score: 0
  
  What is the problem teasing the control freak... If the grid was decentralize it wouldn't be a problem.
  Put solar panel on each house or power cell in each building and keep the big power station for the industries. It would also be good against wars if each home can be auto sufficient. Oups! it would not satisfy the 21st century God called Economy.
6. Re:The best defence is interdependence by DNS-and-BIND · 2013-02-19 17:34 · Score: 0
  
  Foreign trade is becoming less and less important to China. Besides, Chinese get extremely emotional and do not think rationally when it comes to the topic of America. They become hateful and want to destroy. Sort of like liberals in that sense.
  
  --
  Shutting down free speech with violence isn't fighting fascism. It IS fascism!
7. Re:The best defence is interdependence by crutchy · 2013-02-19 19:06 · Score: 1
  
  Oups! it would not satisfy the 21st century God called Economy.
  it's funny how so many americans think so highly of their "economy"
  won't be long and the american economy will be back to the barter system, and there won't be any need to secure the electricity grid because it won't be running because nobody will be able to afford to pay for it
  maybe i'm a kook, but everyone who calls out economic bubble bursts in advance are kooks before it happens
8. Re:The best defence is interdependence by silanea · 2013-02-19 20:48 · Score: 1
  
  Following power lines on Google Maps? OpenStreetMap, my friend. Some people have already gone to ridiculous levels of detail in mapping things that formerly would have gotten you a quick visit from your friendly domestic intelligence service. With many countries opening up their data this is only going to get worse, or better, depending on your point of view. And it is all - how fitting for the topic discussed in TFA - readily available on the Internet.
  
  --
  Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
9. Re:The best defence is interdependence by drinkypoo · 2013-02-19 23:21 · Score: 1
  
  Well, no, this ties in with my "someone would have done it already" idea, because they would have done it even before google maps.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
10. Re:The best defence is interdependence by kilfarsnar · 2013-02-20 04:55 · Score: 1
  
  China benefits from a functional United States. So long as the benefits outweigh any prize that would remove them in the taking, Americans are fairly safe from Chinese attack.
  This was my first thought. What possible motive would the Chinese have for wanting to bring down the US power grid? Do they want the value of the dollar to plummet? The US and China are economically interdependent. Sure, they want to spy on us. But everyone spies on everyone these days. This supposed threat is just fear mongering.
  
  --
  "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
11. Re:The best defence is interdependence by cusco · 2013-02-20 11:02 · Score: 1
  
  If you're in the industry you just go to FERC or one of the industry groups and buy your maps directly from them. They even show things like the capacity of different stretches of power lines, output of power plants, interconnections, map out distribution routes, and the like for you.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
12. Re:The best defence is interdependence by lennier · 2013-02-21 14:47 · Score: 1
  
  Someone infiltrates Iran's industrial control infrastructure in this way, and once it's completely irrevocable, issue what amounts to a blackmail notice. If it all worked as designed then Iran has no choice but to give in to any demands made, or have irrecovable damage done to their country.
  
  Ah, I see you've lived through a few Microsoft product upgrade cycles.
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
Paranoia by Anonymous Coward · 2013-02-19 12:34 · Score: 0, Troll

Amercians are so paranoid about socialism and communism. As an outsider looking it it's like a neurosis for your country.
America is the Hegemony of the world, you are the belligerent sabre rattlers, not China. You have released viruses that have taken down other countries power generation systems already.
Stay inside your own fucking country for once.
1. Re:Paranoia by Anonymous Coward · 2013-02-19 12:43 · Score: 0
  
  Yawn.
Happens all the time by Anonymous Coward · 2013-02-19 12:45 · Score: 5, Informative

Do you think that the energy industry is any easier on IT folks than anybody else?
Big dollar consultants instead of trained employees, given full unescorted access because the manager doesn't want to have to sit in the datacenter and escort them to the restrooms and such.
My SCADA datacenter still allows a cleaning crew in unescorted.
And electricians, and HVAC contractors and so on.
I found out they were PAINTING my datacenter the day that my storage started freaking out with heat alarms. Went running downstairs to find the facilities team had left a painting crew in the datacenter to cover all of my cabinets (and vented tiles) with tarps.
So these devices might not start connected to the internet, but a USB key here, a rogue cellular wi-fi bridge there, and some wild stuff can happen.
I've heard of other shops that had their SCADA people upset that they couldn't work from home, so they set up "secret" networks that only they knew about so they could still get in. Secret to their co-workers/management, but easy to find for the people who do that for a living.
Going anon for good reason.
Enron is the only entity to bring down the grid by Anonymous Coward · 2013-02-19 12:47 · Score: 0, Offtopic

Repeat after me.
The only succesfull attack on the US power grid was perpetrated by Enron, and it was to make money. They shut down entire sections of the grid to make a profit. There were rolling blackouts not because of 'hackers' but because of Enron. And almost nobody went to jail for it, and alot of the same guys wound up in the subprime mortgage business after Enron went belly up. And most of them never saw any consequences either. They just got richer.
Wake up people. We are doing more damage to ourselves than China could ever dream of. They are simply waiting for us to finally implode (with 14 trillion dollars of debt, it wont take long)
China shouldn't be the concern by Anonymous Coward · 2013-02-19 12:54 · Score: 2, Interesting

The problem comes from the previous generation of smart meter addressing which included broadcast groups and whose keys were managed by the utilities via HSMs. The tech is solid, but when you are dealing with utilities whom have very little real sophistication on the IT side dealing with crypto technologies they don't understand, bad things can and will happen.
Get access to the HSM at the provider, or the smart cards they've backed up keys onto, and you can forge a packet that will trigger a significant number of meters. All that could go away if we simply required truck rolls for turn-offs, but that is the most marketable aspect that drives adoption (that and turning on 8 confusing pricing tiers which they help shift the "blame" for a high bill from the utility charging more to the user who "chose to run that A/C during the hottest time of the day".
Grr.
So when do people lose their jobs... by LoadWB · 2013-02-19 13:06 · Score: 1

...over this bullshit? How many times do we have to hammer into managers and security teams alike that this shit is serious? When do we just start replacing ineptitude with people who give a shit?
Not all companies are equally bad by dreamchaser · 2013-02-19 13:23 · Score: 3, Interesting

One of my clients is a large electric utility. Their security, both physical and for IT systems, is top notch. None of their SCADA systems are online, they do routine and regular audits of all security, and even 'trusted' people like myself have to jump through hoops to get into the Data Center, and are always escorted.
They have really cool doors to get in too. They are like decontamination booths. You step into a vertical tube and wait to be cleared then the tube rotates and opens the other side.
On the other hand, I've done work for other utilities where yes, the cleaning crew goes in through what amounts to an open door, without an escort.
1. Re:Not all companies are equally bad by bcong · 2013-02-20 02:38 · Score: 2
  
  Those doors are called man traps, and they do exactly what it sounds like they do if you are entering an area you are not supposed to.
not just work from home but more remote plants swt by Joe_Dragon · 2013-02-19 13:30 · Score: 1

not just work from home but more remote plants switching / sub stations. Also the control centers need to be able to control all of that or do want to have some at each mid size to big substation 24/7 tied to a phone and control bank? As well a ready to go on call linemen who will drive out to the smaller ones to filp the switches?
power lines have reclosers some kind of wireless links on them.
bailout baby. bailout! by decora · 2013-02-19 13:37 · Score: 1

bailout - its the New Capitalism.
Of considerably greater importance is the race... by Anonymous Coward · 2013-02-19 13:51 · Score: 0

...to secure a large scale carbon-free energy supply. Sadly, few seem interested, or even cognizant of the fact that a secure and abundant energy supply is critical for our prosperity and collective well-being.
Even if we do lose the race, hopefully the Chinese will be willing to sell us thorium molten salt reactors, so that we can maintain some level of society. (and no, renewables and conventional nuclear will never be large scale; far too expensive, and incapable of rapid scaling.)
Meh. by PPH · 2013-02-19 13:53 · Score: 0

Call me when the USA stops digging around in everyone's financial records.

--
Have gnu, will travel.
1. Re:Meh. by Anonymous Coward · 2013-02-19 14:06 · Score: 0
  
  I know it is supposed to be good sport to blame the USA for everything, but they explicitly do not dig around in nearly any financial records at all. Note the lack of regulation that led to a multi-year economic meltdown with no dirty hands to show for it despite having plenty of suspects.
  You are coming off as someone that uses bias and calls it reason.
2. Re:Meh. by PPH · 2013-02-19 15:08 · Score: 0
  
  they explicitly do not dig around in nearly any financial records at all.
  Oh really? If you think this is really aimed at stopping terrorism, keep in mind that the entire 9/11 attack could have easily been funded by some Saudi Prince diverting funds from a good weekend in Las Vegas. The CIA's surveillance won't pick that sort of thing up. This is financial espionage, plain and simple.
  
  You are coming off as someone that uses bias and calls it reason.
  Sometimes one has to, to make a point. Look at the USA's espionage program. Enter the country with a laptop and you risk having it searched. Funny. Terrorists coming in would have empty laptops. The data of interest would be going out. But not if you are looking for bid information from, say Airbus, competing with Boeing. Then your laptop is loaded with pricing data. And that gets scooped up.
  China doesn't need to hack to steal much of our technology. They can just pull one unit off a production line over there before its loaded on a container ship.
  
  --
  Have gnu, will travel.
Internet Air Gap by tokiko · 2013-02-19 13:53 · Score: 1

Mr. President, we must not allow... an Internet air gap!
Outsourcing...what could possibly go wrong? by patmandu · 2013-02-19 14:19 · Score: 1

And I'll give you two guesses where the original coding work was outsourced to...
1. Re:Outsourcing...what could possibly go wrong? by cusco · 2013-02-20 11:10 · Score: 1
  
  For the SCADA systems? Generally Germany, Italy and the US. The last I heard even India bought SCADA software from the US.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Re:Nuke China by Anonymous Coward · 2013-02-19 14:22 · Score: 0

Finally a solution.
Mistakes happen by Skapare · 2013-02-19 14:27 · Score: 1

Firewalls are pretty vulnerable. In order to really defend a network, you can never make a mistake. And everybody makes a mistake from time to time And once they are in, they are hard to get out.
Much focus needs to be made on things like well made interfaces and quality documentation that has no ambiguities or errors. Many times mistakes are made because something just wasn't clear enough, and it was interpreted to be something other than what it really is. Security itself is hard in part because of so many parameters and settings. For example some value being entered might be unclear whether it is the name of something, or is being used to search for something, or is being used as a match expression. Some effort also needs to be made in security systems to reduce the configuration complexity. The more complex something is to configure, the more that creates the opportunity for a mistake.

--
now we need to go OSS in diesel cars
Re:Nuke China by Skapare · 2013-02-19 14:29 · Score: 1

Then where are we going to get cheap stuff?

--
now we need to go OSS in diesel cars
Simple solution... by msauve · 2013-02-19 14:36 · Score: 3, Interesting

Change those systems from IP to ARCNET (or AppleTalk, or IPX, or ???).

--
"National Security is the chief cause of national insecurity." - Celine's First Law
1. Re:Simple solution... by Anonymous Coward · 2013-02-21 05:12 · Score: 0
  
  how does that stop someone from pluging in a USB stick?
"Racing to secure Electric Grid" by Runaway1956 · 2013-02-19 14:47 · Score: 1

I picture some arrogant fool at a race, who spends several minutes fast walking backwards around the track. When the race is almost won, then he starts running in the right direction.
With luck, the utilities will be back at the starting line before the competition crosses the finish line.

--
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
SCADA Systems Are Connected For a Reason by Anonymous Coward · 2013-02-19 14:56 · Score: 1

By definition a SCADA Master system is connected to any number of remote units spread all over geography. The physical links that make up this network are also extremely vulnerable as encrypted SCADA protocols are as yet fairly rare. For a cash strapped utility with a limited number of technicians, being able to remotely connect to equipment in difficult to reach places becomes very attractive.
Existing Systems... by Anonymous Coward · 2013-02-19 15:50 · Score: 1

are already compromised? Set up new security using compromised systems; it's the long con.
Re:keep it read only: Two wires by Anonymous Coward · 2013-02-19 18:29 · Score: 0

Only connect one data link and ground, and it will be secure. Run a balanced pair if you are feeling fancy. If the receiver can keep up, you don't even need flow control lines. Problem solved.
No by Anonymous Coward · 2013-02-19 19:57 · Score: 0

Could I fairly categorize all Americans as bone-headed uneducated sloths with 150 TV channels who love their cousins and enjoy a good roadkill stew? .. all because some Americans are like that?
No, but that fits my family fairly well.
Posted anonymous, one or two of them might know how to read and actually wander onto Slashdot. Imagine that.
Re:keep it read only: Two wires by allaunjsilverfox2 · 2013-02-19 20:41 · Score: 1

Only connect one data link and ground, and it will be secure. Run a balanced pair if you are feeling fancy. If the receiver can keep up, you don't even need flow control lines. Problem solved.
You could just set a led that blinks when there is something wrong and have a 2 dollar webcam monitor it. If someone manages to force data through a led that isn't configured for such activity, they have won the internet and deserve access.

--
Restore the madness of youth's lechery
Unmanned. by thegarbz · 2013-02-19 20:45 · Score: 2

Because mission critical devices may not be manned. This is a rising trend in remote asset management. It's used extensively in upstream processing and pipelining that is slowly working it's way to downstream.
Heck one large gas ... manufacturer (though it's hard to call air separation "manufacturing") in our country runs all plants remotely. Sure there are staff there, but no one in the control room, no one in front of the computers. The onsite staff are used to bring the plant online and handle emergency cases but as soon as a steady state is achieved the controls are handed over to a dedicated team in another country, who run these almost identical plants all over the world.
Airgap in this case is cutting off control.
Useless by Anonymous Coward · 2013-02-19 22:47 · Score: 0

A 3rd world grid, where the cables are hanging from wooden poles don't need Chinese hackers.
A drunk missing the curb, squirrels, ice rain, snow, a storm, dry-rot or termites do the job quite well.
Re:put down the slants by Anonymous Coward · 2013-02-20 02:51 · Score: 0

Uhm. Yeah. You might want to get back on those meds.
At some point... by mschaffer · 2013-02-20 03:23 · Score: 1

At some point, someone needs to interact with the system, and the system needs to interact with the devices it controls. So, in theory, these systems cannot be completely isolated.
Also, consider that if these systems were isolated with a pure vacuum, it may make the universe fly apart!
http://science.slashdot.org/story/13/02/19/2151238/does-the-higgs-boson-reveal-our-universes-doomsday
as Marvin would say by mschaffer · 2013-02-20 03:27 · Score: 1

It will just end in tears.
lazy and stupid by slashmydots · 2013-02-20 03:39 · Score: 1

Don't put the systems that control the power grid on the internet! Or if you do, make them read-only. If they have to be networked, ever heard of a VLAN? Hell no they haven't because they hire outsourced 3rd party contractors to write this stuff and they don't have to officially deal with it after the check clears. They don't necessarily have to sit there and manage it and deal with the software and control systems on a daily basis. And they certainly aren't the best or brightest programmers, they're just the fastest and laziest. If they were, they'd be working at a better job than a contractor or public company. All we need are people who have the first clue about security to design the control systems for the power grid and we're set.
1. Re:lazy and stupid by cusco · 2013-02-20 11:16 · Score: 1
  
  Oh, yes, a VLAN! Security by obscurity, how very novel!
  
  The SCADA systems themselves are almost never actually on the Internet unless they're running through a VPN tunnel. They frequently are connected to the company's business network though, which for obvious reasons IS on the Internet, which is often the problem. Limiting and securing the link between the SCADA and business network should be the focus, not running around crying "The sky is falling! I need tax dollars to fix my private infrastructure!" which seems to be the real focus of the article.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Re:keep it read only: Two wires by Beardo+the+Bearded · 2013-02-20 04:52 · Score: 1

That's what I said, an optoelectronic relay.

--

---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
lol by fazey · 2013-02-20 05:12 · Score: 1

Well, before now it wasnt affordable. All the money is in politics. =x

I also wonder about the quality of engineer they hire when they design these systems. Why arent they behind firewalls with ACLs that only allow a what NEEDS to communicate with it. Why arent there secondary boxes, so they can be patched as 0days come out? Why are they running software that has been reported to be riddled with vulnerabilities?

if you find yourself patching THAT often... its time to find new software written by security minded people.