Slashdot Mirror

← Back to Stories (view on slashdot.org)

Congressional Report: US Power Grid Highly Vulnerable To Cyberattack

Posted by Soulskill on from the industry-strangely-averse-to-voluntary-protections dept.

An anonymous reader writes "Despite warnings that a cyberattack could cripple the nation's power supply, a U.S. Congressional report (PDF) finds that power companies' efforts to protect the power grid are insufficient. Attacks are apparently commonplace, with one utility claiming they fight off some 10,000 attempted attacks every month. The report also found that while most power companies are complying with mandatory standards for protection, few do much else above and beyond that to protect the grid. 'For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs [Investor-Owned Utilities], 83% of municipally- or cooperatively-owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally- or cooperatively-owned utilities, and 62.5% of federal entities reported compliance.'"

3 of 124 comments (clear)

  1. Re:After the fertilizer hits the ventilator by c0lo · · Score: 3, Interesting

    Why bother with complex security measures?

    (0) We have laws that criminalize the breach of ToS-es, so it's no longer our problem... we have 3-letter-agencies and US Attorney Carmen M. Ortiz to protect us.
    Our mission is not security but to make profits (e.g. externalize costs, avoid taxes, etc; if it would lead to increase profits, we'll even lobby the Congress to repel the Law of gravitational attraction)

    (1) It costs money
    (2) There is no measurable profit
    (3) There is no measurable increase in productivity
    (4) There is no measurable increase in share price

    Only once the proverbial hits the fan will something be done and even the it will probably be blamed on the power lines sagging onto a tree on a hot day...

    FTFY

    --
    Questions raise, answers kill. Raise questions to stay alive.
  2. Very weird priorities by http · · Score: 4, Interesting

    OMNI magazine recently set its archives loose online. Check the January 1989 issue, "The Rules of the Game" (http://archive.org/stream/omni-magazine-1989-01/OMNI_1989_01#page/n17/mode/2up, flip to page 42) for the low tech nightmare. If you think the nation without a power grid would make for a seriously bad month, you lack imagination. Try a seriously bad year, or longer. Pretty much every piece of infrastructure is built with the assumption that electicity is somewhere close at hand.

    The physical infrastructure of the power grid is an infinitely easier target, with gigantic ROI for terrorists or actual enemy agents. The $100,000 you could spend for a good 0-day would be better spent on a few RPGs and some half-decent watches. Network attacks are a fool's errand. If you want to prevent awful things, your money is better spent on guards.

    That OMNI article may be the first "How can I unknow this?" moment of my literate life.

    --
    If opportunity came disguised as temptation, one knock would be enough.
    3^2 * 67^1 * 977^1
  3. I used to develop HMI/SCADA. I resigned in protest by Anonymous Coward · · Score: 2, Interesting

    Human Machine Interface / Supervisory Control And Data Acquisition. That's the proper name for the central control of a distributed industrial control system. Just one of our licenses controlled a giant automobile assembly plant from a single PC, that if I understand correctly turned out a new pickup truck every fifteen seconds.

    If you're going to attack a nation's power grid, you attack that power grid's HMI / SCADA installations. That's easier to do than you think, because remote installations are often controlled via dialup modem, and lots of installations are right on the internet. The people who install this stuff, while generally well-trained by the vendor, are usually industrial engineers who have little understanding of modern security practices.

    This company didn't know how to do C++ memory management.

    One day a colleague proudly announced that she had found the cause of a memory leak - leaks are disastrous in HMI/SCADA, because the software runs uninterrupted for years on end sometimes - to be a failure to delete a pointer. She checked in a fix that did an explicit call to delete, then reassigned the bug to QA to verify.

    Well I filed a bug against her specific fix, then broadcast a short, stern, loud angry email about the importance of smart pointers, not just for memory management, but for all resource management - network sockets and the like. I've worked in a lot of C++ shops, but have been astounded that very few alleged C++ coders know what smart pointers or initialization lists are.

    My boss ordered me to stop filing bug reports like that. I resigned not long after. I didn't even give them notice; I sent them a written resignation via email from home, then just stopped showing up to work, not even to pick up the personal possessions I'd brought there. Eventually they packed them up and mailed them to me in a box.

    When I interviewed, my future boss told me it was a million-line program that was only half done - a half-million lines of code! - after twenty years of development. I didn't want to drive the company out of business, or tip off the terrorists as to how to crash our industrial economy, so I kept quiet about it for seven years. I figured that if they were going to fix their memory management, seven years ought to be enough. If they didn't, then that program would be riddled with exploits.

    Tell them Michael Crawford sent you. I'm posting as Anonymous Coward because I can't be bothered to recover my /. password.