Slashdot Mirror
Congressional Report: US Power Grid Highly Vulnerable To Cyberattack
An anonymous reader writes "Despite warnings that a cyberattack could cripple the nation's power supply, a U.S. Congressional report (PDF) finds that power companies' efforts to protect the power grid are insufficient. Attacks are apparently commonplace, with one utility claiming they fight off some 10,000 attempted attacks every month. The report also found that while most power companies are complying with mandatory standards for protection, few do much else above and beyond that to protect the grid. 'For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs [Investor-Owned Utilities], 83% of municipally- or cooperatively-owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally- or cooperatively-owned utilities, and 62.5% of federal entities reported compliance.'"
Our power grid is plugged into the Internet? Can't they spend $40 on a Linksys router and call it good?
It sure is a good thing that we've been focusing our efforts on defense, rather than developing sophisticated attack toolkits and releasing them into the wild where they definitely won't get reverse engineered and re-deployed...
Now the terrorists know it, too!
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
How will you defend yourselves against........ yourselves?
10,000 attempted attacks every month.
90,000 spam emails filtered in the same time period.
I guess it's not cool to call spam "tools of the terrorists" yet.
Why bother with complex security measures?
(1) It costs money
(2) There is no measurable profit
(3) There is no measurable increase in productivity
(4) There is no measurable increase in share price
(5) The bozos who make the decisions usually don't understand the issues anyway
Only once the proverbial hits the fan will something be done and even the it will probably be blamed on the power lines sagging onto a tree on a hot day...
Sky highly vulnerable to gravity. Likely to fall any second now..
“He’s not deformed, he’s just drunk!”
I used to work in the industry, most sites are mandated to have air-gaps between their intrenal and external networks.
Zero in on the source of the cyberattack, and end it.
Ummmm... and if the attack originates in a highly distributed bot-net? What about the script-kiddie is on US soil?
Questions raise, answers kill. Raise questions to stay alive.
What about the script-kiddie is on US soil?
The DOD's charter covers domestic terrorism.
Ummmm... and if the attack originates in a highly distributed bot-net?
Then you use more tomahawks, obviously.
What about the script-kiddie is on US soil?
Then you send in the drones.
upon the advice of my lawyer, i have no sig at this time
Zero in on the source of the cyberattack, and end it.
Ummmm... and if the attack originates in a highly distributed bot-net? What about the script-kiddie is on US soil?
Or professionals launching the attacks from script kiddies' compromised machines.
Sheesh, evil *and* a jerk. -- Jade
The report mentions there has not been a single instance of damage caused by cyber-attacks.
There has been damage, however, " the only physical attacks experienced on their systems seemed linked to acts of vandalism and thefts of copper. Most incidents appeared unrelated to terrorism. However, one federal entity that owns a major piece of the bulk power system reported a Molotov cocktail was thrown at a dam."
I have no idea what to think of that.
"First they came for the slanderers and i said nothing."
Your conclusion is probably right, but the decision will be for Congress to give a lot of money to solve, why entrepreneurs and their solutions (and crooks "Decision"), pop-up everywhere. Care should be taken (1), (2) and (4). Not sure I like this proposal, but really in our national interest to do something about it. I vaguely remember reading that our national network are just a hop and a jump from the mower, even without the cyber attacks. By Hi-Tech ITO
At the opportune moment the President of the United States of America will issue an order to destroy the power grids across the contiguous USA and the killing of the executive staffs of the companies in charge. This operation will take approximates 15 minutes to accomplish give pre-positioning of assets.
I worked on some of the software that manages the bidding and load-balancing of the grid that powers much of the US and some smaller portions of the world. I have to say that it, by far, was some of the worst software I have ever seen in my life. Spaghetti like you wouldn't believe.
To be clear, it wasn't the code that actually ran the grid, but it told the grid the optimal way to run at certain times.
Bug fixes were "fixed" by - how to say it - filtering existing code. We weren't allowed to change existing code, we had to write stuff on top of bugs to fix them. I will say that it took about six months for even the simplest code to make it into production. Very thorough testing at least. If you like to work slow, that was the place.
Big interests are going to cause us all disaster! They will plug the entire system into the internet so that the boss can watch the power grid dashboard from his cell phone or tablet while in her jammies at home (possibly while creating and sending lightning bolts to the special other). That there are critical systems plugged into the 'net for kiddies to game is not the only disconcerting thing here though. The big interests will shout bloody murder when someone wants to connect their solar panel/wind charger network to the grid (allowing them to put excess power into the grid and get paid for it). "NO!" they cry, "We sell power to customers! Customers don't sell power to us!" They might install slightly larger systems so that instead of just satisfying their own needs, they can provide power to others and get paid for it. It could even keep a local part of the grid up while all others around them suffer power failures. Its not hard to get parts of a grid in sync later either. Years ago I had a computer that could take its entire clock sync (memory, the processor, main bus, everything from an external outside source). You could send a sync signal to a grid so that local grids lock phase with an external grid (the main grid). But they don't do that either. I'm not exactly a tree hugger, but I am big on using local resources and being self reliant. If you could be for putting power into the grid, it could solve the vulnerability of the grid. Germany allows it. No one in North America does.
Read it an weep, I'd be sacked if ever I did that, yet their network admins seem to think it's an 'improvement':
"Grid operations and control systems are increasingly automated, incorporate two - way
communications, and are connected to the Internet or other computer networks. While these improvements have allowed for critical modernization of the grid, this increased interconnectivity has made the grid more vulnerable to remote cyber attacks."
So they took a critical system and connected it to every hacker and script kiddie on the planet, knowing that botnets endlessly test every IP address for vulnerabilities. And they complain about botnets testing the stuff THEY CONNECTED to the internet! WTF.
It's a case of incompetent sysadmins, couples to a self serving 'cyber-war' agenda on behalf of the people who should be advising them to disconnect them from the internet!
Out here in "flyover country" we have storms, tornadoes, lightning, wind, ice, and snow. Power outages, while not all that common, are just something we have to deal with. I see big diesel or natural gas generators outside every government building and most businesses. A lot of homeowners I know have their own portable generators. When storms come through someone inevitably loses power, it happens. It can take a few hours to get fixed, in rare and extreme cases it can take days. Life goes on.
What kind of damage could a cyber attack on the electrical grid do? It will be inconvenient certainly. Just this last Monday I had to take a minor detour around some downed power lines while driving to work. On Tuesday the roads were clear and the power back on as far as I could tell. Other than a handful of people in Oklahoma that had travel difficulties it seems everyone went to work on Monday where I work.
I'm just trying to imagine the damage that a successful cyber attack on the power rid might cause. Then I try to imagine that damage as compared to weather out hear in the Great Plains. If people here were even told it was a terror strike then would anyone believe them? How would people act differently?
I'm sure that there are means to harden the power grid from cyber attacks but they would either be prudent also for natural disasters or overkill for such a small risk,
There is already a large number of natural gas generators around here. I'm not sure how much but it sits idle for long periods of time until needed. Data centers are equipped to sell any excess to a utility. There are spares for all kinds of gear. There are a lot of windmills to help along.
If the big boys, nuclear and coal, have to go down then it could take days to come back up. Once they are back to full steam then we know our troubles are over.
What should I be worried about?
I am armed because I am free. I am free because I am armed.
Zero in on the source of the cyberattack, and end it. If it's just a script kiddie, maybe you use a Tomahawk instead.
They are talking about Stuxnet. You want to fire tomahawks at Washington and Tel Aviv? I don't think the government is going to go for that idea.
OMNI magazine recently set its archives loose online. Check the January 1989 issue, "The Rules of the Game" (http://archive.org/stream/omni-magazine-1989-01/OMNI_1989_01#page/n17/mode/2up, flip to page 42) for the low tech nightmare. If you think the nation without a power grid would make for a seriously bad month, you lack imagination. Try a seriously bad year, or longer. Pretty much every piece of infrastructure is built with the assumption that electicity is somewhere close at hand.
The physical infrastructure of the power grid is an infinitely easier target, with gigantic ROI for terrorists or actual enemy agents. The $100,000 you could spend for a good 0-day would be better spent on a few RPGs and some half-decent watches. Network attacks are a fool's errand. If you want to prevent awful things, your money is better spent on guards.
That OMNI article may be the first "How can I unknow this?" moment of my literate life.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
Just to support c0lo's point - all the anti-terrorism/anti-cyberwarfare mandates in the universe aren't worth a sneeze in a hurricane *after* a massivle distributed zombie attack has been initiated. Hell, you could nuke half the planet and the remaining machines would still probably be more than enough to cripple the target. Now maybe the tinfoil hatters are right and 9/11 was known about well beforehand and allowed/encouraged to happen for political reasons. We'd better pray that they are, because physical security is trivially easy compared to cyber-security in the face of the 99% who don't give a $#@! so long as they can have their Bonsai Buddy "helping" them browse the 'net.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
If you can trigger a cascade failure, you could black out a state for days. It's happened by accident before.
It'd have to be an inside job, though. Even if someone outside could compromise the security, only someone with very precise knowledge of how the grid is build could pull off a cascade failure. Not just how it's designed, but how all those really tidy schematics translate to the real equipment - only someone who works with it would know, for example, if a breaker rated for 65A is going to trip reliably at 70A, or that substation 2398-A-49 is located in the middle of Old Man Triggerhappy's ranch and it'll take two days arguing before he'll stop waving his shotgun at the 'trespassers' who need to fix it.
NO its not the power grid that is the problem ...i dunno make the entire electricity grid accessible to a smuck idiot dumb nuts script kiddy....
ITS THE FUCKING RETARDS IN YOUR GOVT THAT ARE YOUR THREAT.....
Who the fuck makes this shit
no fucking really time to get nasty ass on old people that have no fooking excuse to do insane things like
USA should be turned into DIM
DUMB IDIOT MORONS
smarten then fuck up and dont you dare take someones civil rights cause you wankers designed a system that deserves to get bitch slapped to show HOW RETARDED YOU ARE
Heck, I suffered multi-hour power outages several times near downtown Denver over the course of a couple years. Shit happens, people deal with it. So long as nobody manages to blow anything up it's just a nuisance. And an excuse to eat all that ice-cream in the freezer, just in case.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
It could even keep a local part of the grid up while all others around them suffer power failures.
And that is a BIG no-no. Because it kills linemen trying to fix the outage.
Those transformers work both ways. Your little generator or inverter gets stepped up to maybe 8,000 or 12,000 volts. Then a lineman who thinks the power is down brushes against a wire (or comes within a quarter-inch of it) and is "burned" - to death.
Grid-connected inverters with a "sell" feature MUST monitor the network and shut down if they detect islanding - being cut off from the grid, with one or a collection of generators running autonomously. It's perfectly OK to feed power into the grid when it's up (if you're using UL approved equipment, connected according to code, inspected for compliance, and the utility knows you're doing it according to the rules.) It's perfectly OK to have things wired so your equipment still feed your house if the grid goes down, but it MUST cut itself off from the dying or dead grid and stay off until the grid comes back up and stabilizes at the nominal voltage and frequency.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
There sure has been a lot of it lately. Seems like someone wants to justify those internet-tapping datacenters pretty badly and push through more SOPA/PIPA/Whatever other Internet power-grab bills pretty badly.
Human Machine Interface / Supervisory Control And Data Acquisition. That's the proper name for the central control of a distributed industrial control system. Just one of our licenses controlled a giant automobile assembly plant from a single PC, that if I understand correctly turned out a new pickup truck every fifteen seconds.
If you're going to attack a nation's power grid, you attack that power grid's HMI / SCADA installations. That's easier to do than you think, because remote installations are often controlled via dialup modem, and lots of installations are right on the internet. The people who install this stuff, while generally well-trained by the vendor, are usually industrial engineers who have little understanding of modern security practices.
This company didn't know how to do C++ memory management.
One day a colleague proudly announced that she had found the cause of a memory leak - leaks are disastrous in HMI/SCADA, because the software runs uninterrupted for years on end sometimes - to be a failure to delete a pointer. She checked in a fix that did an explicit call to delete, then reassigned the bug to QA to verify.
Well I filed a bug against her specific fix, then broadcast a short, stern, loud angry email about the importance of smart pointers, not just for memory management, but for all resource management - network sockets and the like. I've worked in a lot of C++ shops, but have been astounded that very few alleged C++ coders know what smart pointers or initialization lists are.
My boss ordered me to stop filing bug reports like that. I resigned not long after. I didn't even give them notice; I sent them a written resignation via email from home, then just stopped showing up to work, not even to pick up the personal possessions I'd brought there. Eventually they packed them up and mailed them to me in a box.
When I interviewed, my future boss told me it was a million-line program that was only half done - a half-million lines of code! - after twenty years of development. I didn't want to drive the company out of business, or tip off the terrorists as to how to crash our industrial economy, so I kept quiet about it for seven years. I figured that if they were going to fix their memory management, seven years ought to be enough. If they didn't, then that program would be riddled with exploits.
Tell them Michael Crawford sent you. I'm posting as Anonymous Coward because I can't be bothered to recover my /. password.
There was a powerful snowstorm that knocked down entire transmission towers all over the province. People were freezing to death, especially people with weakened metabolisms such as the elderly.
I've lived in Maine, Washington, Idaho, Nova Scotia and Newfoundland, so I know what a power outage is like. But if an attack on the grid were intelligently done, you could take out most of the country.
New York City has had two blackouts. My father had a Master's Degree in electrical power engineering, so I know how this usually works. The ultimate cause could be as minor as a failure to trim a tree away from a power line.
It's extremely difficult to run AC power all over both the US and Canada - they're directly interconnected - because we use AC current. If two different generating plants weren't precisely synchronized at the point that their power lines connected, there would be a lot of current flow due to the out of phase voltage, that would melt the power lines or make transformers explode. Many of the electrical substations that the power companies use adjust the phase of the current so that doesn't happen.
If the power goes out in one region, the voltage on its lines will drop to zero. Neighboring regions, if not tightly controlled, will flood that first region with current. They'll get overloaded in turn, then drop out.
This report actually tells that with a few exceptions, the grid is protected in the way that federal regulations require. It then goes on to say that federal regulations are not strict enough. It comes up with "tens of thousands of attacks" where everyone that knows what this is about will know that these are a few standard port scans. If you count every package as a single attack, you'll get into big numbers easily. It claims destruction of tens of thousands of hard drives at an Arab oil company, while in truth, these drives weren't damaged, but the contents of them was wiped or changed due to a large scale virus infection. The company had good backups in place and as far as is publicly known, no significant amount of relevant data was lost. The entire attack did cost a lot of money, but nothing vitally critical was damaged and the company is still in business today. I'm not sure, but I doubt the attack even hindered them pumping or selling a single gallon of oil.
The biggest actual threat the report can come up with is physical damage to large distribution station transformers. To damage these, physical action, not cyber, will have to be taken. This is out of scope of the research and should have been kept out of the report.
There are many good recommendations in the report that will improve resilience and resistance against cyber attacks on the US national power grid. However, the tone and exaggeration of the report will make it hard for professionals to take it seriously and for politicians to "do the right thing" and get the things in place to make the recommendations become true.
I was promised a flying car. Where is my flying car?
I remember an 80's movie called Prime Risk where some girl is working on an ATM hack then realises terrorists are already in the system planning to blow up key data nodes to bring the banking system to its knees. Iliked it because she used an Atari 800/810 disk drive for everything but it was still an OK film from memory.
I want a list of atrocities done in your name - Recoil
- day.
Good thing I don't have either PHP or MySQL installed on my server!
I run CentOS 5. By default it comes with a desktop GUI, and a modest number of daemons that run right out of the box. I disabled most of the daemons for a few days, to determine whether I really needed them at all, then used yum to remove the packages entirely. I also removed all the GUI software. There's only a few dozen packages installed now, just the bare minimum required for my server to operate.
Lots of hacks are distributed in source code form, then compile the Bag 'O Tricks after being deposited on the victim's box. The Morris worm did that. So I removed all the development tools.
From time to time, I find a completely exposed administrative login page on sites whose owners should know better, such as government agencies. If you must use a web form to log in as the admin, use .htaccess and htpasswd to hide that login page from the search engines!
My first week at Trihedral Engineering, a Canadian HMI/SCADA vendor, I attended a product training course with a Coast Guard vessel's chief engineer. They had our software installed in their ship's bridge, driving PLCs all over the ship.
I also have a friend who is in the US Coast Guard. He's stationed in Alaska, and enforces fisheries regulations. He programs lots of his ship's PLC directly with ladder logic. All these PLCs run independently; there is no central computer as with Canadian vessels. When I told him what the Canadian practice was, he replied that they were all insane because such a system could not be reliable.
The US Coast Guard is a real low-budget operation. That must be the real reason they don't use HMI/SCADA on our vessels. Bart told me that there was no way I could contact him when I was at sea, not even via email. Even the US Navy has Internet on its ships, it's easy to email a Navy man.
What about the script-kiddie is on US soil?
Then you get to tick that last annoying box on the "countries we've bombed" list...
What about the script-kiddie is on US soil?
Then you get to tick that last annoying box on the "countries we've bombed" list...
Yes, it's highly likely that will be the last, but... can it also be the first annoying box on that list, please? Pretty please?
The scriptkiddie infections on american homes (and anyeone abroad, where they will be labelled "terrorist") portscan. That means "try a random machine that can be reached for infecting with the same virus". That isn't an attempt to "bring down the power grid", it's because a virus writer DOES NOT CARE if it tries to portscan the energy secretary's PC, the Linux webserver, the RTOS bespoke controller for the grid, the latter two it is not programmed to infect and therefore are unable to infect). It isn't trying to own them in order to bring the USA's infrastructure down.
Seriously, Die Hard 4 was an enjoyably SILLY movie, but the real damage done wasn't the hollywood idiotic attempts at geek tech terms, but that some silly fuckers in the US government apparently BELIEVE IT WAS A DOCUMENTARY.
Cyber attack is one issue but a small band of people dedicated to messing up power lines could have a dramatic effect as well. It is rather like
Jesse James and an endless string of banks in every direction. People with a tiny knowledge of power lines could destroy quite a few lines with ease.
The implication is that any protest or revolutionary group that has willing members could seriously damage the power supply and create a situation where constant use of troops would be required just to keep lines standing. It requires no equipment or explosives at all to do such things.
Other problems might include people trained to destroy a sewage treatment facility as chaos would result if sewage could not be pumped.
It is always better not to be hated as no matter who you are you are always more vulnerable than you might suspect.
Wish I had mod points. It seems these days that vital computer networks are being run by the criminally clueless and lazy.
Maybe is for that that NATO is now recomending the assessination of hackers, and is very easy to fall into their definition.
That depends on which government you're talking about, comrade.
Learning HOW to think is more important than learning WHAT to think.
Zero in on the source of the cyberattack, and end it.
Ummmm... and if the attack originates in a highly distributed bot-net?
Ummmm, nuke from orbit?
If a single utility is resisting 10,000 attacks a month, then there must be hundreds of thousands of attempts across the entire country network each week.
Since we don't read about the chaos the system overall seems to be reasonably well protected and contradicts the phrase "highly vulnerable".
This is a citation for failure to recognize a joke or troll. This is only a warning. However, future violations will result in immediate sterilization.
Take a large helping of 'duh', sprinkle on some crisis mentality, garnished with a little fascism, and served up by a population programmed to trade freedom for security.
We'll nationalize the power grid in less than 20 years.
I want to delete my account but Slashdot doesn't allow it.
Connect your SCADA units to the Internet through VPNs running on embedded hardware. There, all it too was one sentence ...
ps: Stuxnet only runs on Microsoft Windows ...
AccountKiller
Zero in on the source of the cyberattack, and end it.
Ummmm... and if the attack originates in a highly distributed bot-net? What about the script-kiddie is on US soil?
Still not a problem...and here's why: things change when it becomes about nations. Espionage doesn't have an IP address, and neither does terrorism. Countries are already quite used to using a wide variety of both tactics and sources of information to find out who is behind a certain act even when those who commit the act take technical measures to mask their identity, nationality, and location. If anything, the connected nature of cyber attacks makes it easier to track them, even though you cannot trust that the IP address that's sending you X packets is actually located in the same nation as the aggressor. But even without that, you have signals intelligence and human intelligence which are incredibly effective at uncovering the source of enemy operations, among other things. When a guy in a small company gets hacked, he usually can't figure out who did it because these tools aren't available to him. But if the national power grid comes under concerted siege? Yeah, you bet that we'll figure out who is behind it using every tool available to us as a country.
For your security, this post has been encrypted with ROT-13, twice.
Thanks for telling everyone, ya jagoff.
I read a book by Tom Clancy once that ended with a plane crashing into the Capital Building....years later we had 9/11. I have recently read several books that had subplots of the Chinese hacking our infrastructure. Power, Water and Nuclear. It seems to me that fiction can be turned into reality someone really grabs an idea... It almost makes you want to buy a generator and a pallet of water.... History has shown us that the U.S, Government is reactive not proactive to these type of problems.
I thought that Slashdot IS immediate sterilization!
What you should be worried about are the things they don't think about (usually because someone says it's impossible). What happens to a turbine if power is input and no power is output? Often they spin out of spec and can destroy themselves. So target plants to destroy the generators themselves. Those are harder to repair/replace, and take out enough, and you'll have rolling blackouts for months.
Learn to love Alaska
This is a citation for failure to recognize a joke or troll. This is only a warning. However, future violations will result in immediate sterilization.
Unnecessary punishment. This is slashdot -there is no procreation going on anyway.
Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
No Industrial Controller should ever be connected to the internet. This security problem applies to all Manufacturing, Chemical, Pharmaceutical, and Power industries.
When multiple sites need to be connected, they should use a Serial Dial-up or Leased Line connection or a VPN bridge that cannot respond to any Internet requests that do not originate from the VPN. DDOS attacks against the VPN nodes should only be able to disconnect the controller networks at which point a fallback Dial-up connection will take over.
Industrial Controller networks should look like this:
remote PLC/PID -- Firewall -- remote HMI/SCADA/Historian -- Firewall -- VPNbridge -- Internet -- VPNBridge -- Firewall -- HQ HMI/SCADA/Historian
An industrial Controller network should generate an severe error alert if any internet site is reachable.
I don't see a down side of that solution . . .
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
The ugliest humans I have ever seenugly on the inside type are in congress. And I give no quarter to anything that comes from there. After anything they say has been reviewed then we will see what is really going on.
Anyone have an idea how many H1B employees are spies?
This "Cyber" buzzword sounds über-cool, I have to admit it.
Very 80's and 90's cool with all these Tron guys and Wargames (the movie).
But WTF? We are in 2013 already, who the heck still believes that you can "attack" a WAN or a network that's not even on the internet from the internet?
It's the new "War On Drugs" making a problem were it didn't exist and in this case the threat itself is so vague and abstract that the common people has no way to know even if any halfwitted IT guy can tell it's all plain bullshit.
It's the same bullshit as when "Anonymous took down the VISA and Mastercard networks" (It happens that I was working back then at the RBS): Nothing was taken down, these networks are value added networks that are not connected to the internet (they are, via payment gateways. but that's another story), there is no way a botnet can affect these, no matter how "cyber".
Or... rethinking it, it's not the new "War On Drugs", it's the new Tooth-fairy, the Cyberfairy!!!
-- 29A the number of the Beast
everything turned out ok