Congressional Report: US Power Grid Highly Vulnerable To Cyberattack
An anonymous reader writes "Despite warnings that a cyberattack could cripple the nation's power supply, a U.S. Congressional report (PDF) finds that power companies' efforts to protect the power grid are insufficient. Attacks are apparently commonplace, with one utility claiming they fight off some 10,000 attempted attacks every month. The report also found that while most power companies are complying with mandatory standards for protection, few do much else above and beyond that to protect the grid. 'For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs [Investor-Owned Utilities], 83% of municipally- or cooperatively-owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally- or cooperatively-owned utilities, and 62.5% of federal entities reported compliance.'"
Our power grid is plugged into the Internet? Can't they spend $40 on a Linksys router and call it good?
It sure is a good thing that we've been focusing our efforts on defense, rather than developing sophisticated attack toolkits and releasing them into the wild where they definitely won't get reverse engineered and re-deployed...
Why bother with complex security measures?
(1) It costs money
(2) There is no measurable profit
(3) There is no measurable increase in productivity
(4) There is no measurable increase in share price
(5) The bozos who make the decisions usually don't understand the issues anyway
Only once the proverbial hits the fan will something be done, and even then it will probably be blamed on the power lines sagging onto a tree on a hot day...
Zero in on the source of the cyberattack, and end it.
Ummmm... and if the attack originates in a highly distributed bot-net? What about if the script-kiddie is on US soil?
Questions raise, answers kill. Raise questions to stay alive.
The report mentions there has not been a single instance of damage caused by cyber-attacks.
There has been damage, however, "the only physical attacks experienced on their systems seemed linked to acts of vandalism and thefts of copper. Most incidents appeared unrelated to terrorism. However, one federal entity that owns a major piece of the bulk power system reported a Molotov cocktail was thrown at a dam."
I have no idea what to think of that.
"First they came for the slanderers and I said nothing."
Actually most of the equipment covered under NERC is custom embedded firmware. An air gap in this case is actually highly effective. In order to install a Trojan you need to access one of about 5,000 computers run by a select few people and trick them into installing a new firmware version on a proprietary system. Firmware updates are fairly uncommon, and take a lot of time with these systems (typically 9600 baud through a serial port). To do this automatically behind the user's back would be highly unlikely as it would cause a visual reset condition on the hardware. The hacks that have been implemented primarily target SCADA systems, so if you have no SCADA you have virtually no issue.
Note that I actually am a contractor that specializes in NERC compliance. The problem is that without SCADA your system is less usable, and requires a lot more direct maintenance (more downtime when something happens).
I would actually be more afraid of a custom bug targeting transmission systems than generation.
There are much bigger issues that need to be addressed here. I can't go into the specifics on this but there are a lot of things that scare me more than computer viruses.
Read it and weep, I'd be sacked if ever I did that, yet their network admins seem to think it's an 'improvement':
"Grid operations and control systems are increasingly automated, incorporate two-way communications, and are connected to the Internet or other computer networks. While these improvements have allowed for critical modernization of the grid, this increased interconnectivity has made the grid more vulnerable to remote cyber attacks."
So they took a critical system and connected it to every hacker and script kiddie on the planet, knowing that botnets endlessly test every IP address for vulnerabilities. And they complain about botnets testing the stuff THEY CONNECTED to the internet! WTF.
It's a case of incompetent sysadmins, coupled to a self-serving 'cyber-war' agenda on behalf of the people who should be advising them to disconnect them from the internet!
OMNI magazine recently set its archives loose online. Check the January 1989 issue, "The Rules of the Game" (http://archive.org/stream/omni-magazine-1989-01/OMNI_1989_01#page/n17/mode/2up, flip to page 42) for the low tech nightmare. If you think the nation without a power grid would make for a seriously bad month, you lack imagination. Try a seriously bad year, or longer. Pretty much every piece of infrastructure is built with the assumption that electricity is somewhere close at hand.
The physical infrastructure of the power grid is an infinitely easier target, with gigantic ROI for terrorists or actual enemy agents. The $100,000 you could spend for a good 0-day would be better spent on a few RPGs and some half-decent watches. Network attacks are a fool's errand. If you want to prevent awful things, your money is better spent on guards.
That OMNI article may be the first "How can I unknow this?" moment of my literate life.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
How many of those consist of viruses port-scanning the entire internet looking for a host running the particular version of some PHP admin console they need to infect?
If you can trigger a cascade failure, you could black out a state for days. It's happened by accident before.
It'd have to be an inside job, though. Even if someone outside could compromise the security, only someone with very precise knowledge of how the grid is built could pull off a cascade failure. Not just how it's designed, but how all those really tidy schematics translate to the real equipment - only someone who works with it would know, for example, if a breaker rated for 65A is going to trip reliably at 70A, or that substation 2398-A-49 is located in the middle of Old Man Triggerhappy's ranch and it'll take two days arguing before he'll stop waving his shotgun at the 'trespassers' who need to fix it.
It could even keep a local part of the grid up while all others around them suffer power failures.
And that is a BIG no-no. Because it kills linemen trying to fix the outage.
Those transformers work both ways. Your little generator or inverter gets stepped up to maybe 8,000 or 12,000 volts. Then a lineman who thinks the power is down brushes against a wire (or comes within a quarter-inch of it) and is "burned" - to death.
Grid-connected inverters with a "sell" feature MUST monitor the network and shut down if they detect islanding - being cut off from the grid, with one or a collection of generators running autonomously. It's perfectly OK to feed power into the grid when it's up (if you're using UL approved equipment, connected according to code, inspected for compliance, and the utility knows you're doing it according to the rules.) It's perfectly OK to have things wired so your equipment still feeds your house if the grid goes down, but it MUST cut itself off from the dying or dead grid and stay off until the grid comes back up and stabilizes at the nominal voltage and frequency.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.
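The anti-islanding rule described in the comment above (trip on any voltage or frequency excursion, stay off until the grid has been stable for a while), as an added example that is not part of the thread; the nominal values, tolerance windows and reconnect delay are assumed, not taken from any standard quoted on the page:

```cpp
// Added example, not from the thread: a minimal anti-islanding supervisor
// for a grid-tied inverter's "sell" mode. Nominal values and windows are
// assumed (120 V / 60 Hz, +/-10% volts, 59.3..60.5 Hz); the reconnect delay
// is expressed as a count of consecutive healthy samples.
#include <cstddef>
#include <vector>
struct GridSample {
    double volts;   // RMS line voltage at the point of common coupling
    double hertz;   // measured line frequency
};

class AntiIslanding {
public:
    AntiIslanding(double vNom, double vTol, double fLo, double fHi, std::size_t reconnect)
        : vMin_(vNom * (1 - vTol)), vMax_(vNom * (1 + vTol)),
          fLo_(fLo), fHi_(fHi), need_(reconnect) {}

    // Feed one sample; returns whether the inverter may export power afterwards.
    bool update(const GridSample& s) {
        bool inRange = s.volts >= vMin_ && s.volts <= vMax_ &&
                       s.hertz >= fLo_ && s.hertz <= fHi_;
        if (!inRange) {
            // Any excursion may mean we are islanded: trip at once and
            // restart the stabilisation count from zero.
            exporting_ = false;
            good_ = 0;
            return false;
        }
        // Reconnect only after the grid has stayed healthy for the full delay.
        if (!exporting_ && ++good_ >= need_) exporting_ = true;
        return exporting_;
    }
private:
    double vMin_, vMax_, fLo_, fHi_;
    std::size_t need_;
    std::size_t good_ = 0;
    bool exporting_ = false;
};

// Constructed trace: three healthy cycles, one frequency excursion (island),
// then four healthy cycles. Returns the export decision after each sample.
std::vector<bool> demo() {
    std::vector<GridSample> seq = {{120.0, 60.0}, {120.0, 60.0}, {120.0, 60.0}, {120.0, 61.5},
                                   {120.0, 60.0}, {120.0, 60.0}, {120.0, 60.0}, {120.0, 60.0}};
    AntiIslanding ai(120.0, 0.10, 59.3, 60.5, 3);
    std::vector<bool> out;
    for (const auto& s : seq) out.push_back(ai.update(s));
    return out;
}
```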
Human Machine Interface / Supervisory Control And Data Acquisition. That's the proper name for the central control of a distributed industrial control system. Just one of our licenses controlled a giant automobile assembly plant from a single PC, that if I understand correctly turned out a new pickup truck every fifteen seconds.
If you're going to attack a nation's power grid, you attack that power grid's HMI / SCADA installations. That's easier to do than you think, because remote installations are often controlled via dialup modem, and lots of installations are right on the internet. The people who install this stuff, while generally well-trained by the vendor, are usually industrial engineers who have little understanding of modern security practices.
This company didn't know how to do C++ memory management.
One day a colleague proudly announced that she had found the cause of a memory leak - leaks are disastrous in HMI/SCADA, because the software runs uninterrupted for years on end sometimes - to be a failure to delete a pointer. She checked in a fix that did an explicit call to delete, then reassigned the bug to QA to verify.
Well I filed a bug against her specific fix, then broadcast a short, stern, loud angry email about the importance of smart pointers, not just for memory management, but for all resource management - network sockets and the like. I've worked in a lot of C++ shops, but have been astounded that very few alleged C++ coders know what smart pointers or initialization lists are.
My boss ordered me to stop filing bug reports like that. I resigned not long after. I didn't even give them notice; I sent them a written resignation via email from home, then just stopped showing up to work, not even to pick up the personal possessions I'd brought there. Eventually they packed them up and mailed them to me in a box.
When I interviewed, my future boss told me it was a million-line program that was only half done - a half-million lines of code! - after twenty years of development. I didn't want to drive the company out of business, or tip off the terrorists as to how to crash our industrial economy, so I kept quiet about it for seven years. I figured that if they were going to fix their memory management, seven years ought to be enough. If they didn't, then that program would be riddled with exploits.
Tell them Michael Crawford sent you. I'm posting as Anonymous Coward because I can't be bothered to recover my /. password.
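The point the comment above makes about smart pointers covering all resources, not just heap memory, as an added example that is not the company's code (the poster shows none); the fake handle table, the Telemetry struct and the poll functions are constructed for illustration:

```cpp
// Added example, not the company's code: why RAII and smart pointers matter
// for every resource, not only heap memory. A constructed handle table
// stands in for the OS so a leaked socket is countable without networking.
#include <cstddef>
#include <memory>
#include <set>
#include <stdexcept>
namespace fakeos {
    static std::set<int> openHandles;   // stand-in for the kernel's descriptor table
    static int nextHandle = 3;
    int openSocket() { int h = nextHandle++; openHandles.insert(h); return h; }
    void closeSocket(int h) { openHandles.erase(h); }
}
struct Telemetry { int handle; double lastReading; };

// Simulates polling a remote unit; a failed link surfaces as an exception.
void pollRtu(Telemetry& t, bool failLink) {
    if (failLink) throw std::runtime_error("link lost");
    t.lastReading = 60.0;
}

// The pattern the poster objected to: explicit cleanup at the end. When
// pollRtu throws, control never reaches closeSocket or delete, so both the
// heap object and the socket handle leak; in a process that runs for years
// those leaks accumulate.
void pollManual(bool failLink) {
    Telemetry* t = new Telemetry{fakeos::openSocket(), 0.0};
    pollRtu(*t, failLink);
    fakeos::closeSocket(t->handle);
    delete t;
}

// RAII version: the custom deleter runs on every exit path, including
// stack unwinding, so the handle is closed and the memory freed regardless.
void pollRaii(bool failLink) {
    auto closer = [](Telemetry* t) { fakeos::closeSocket(t->handle); delete t; };
    std::unique_ptr<Telemetry, decltype(closer)> t(
        new Telemetry{fakeos::openSocket(), 0.0}, closer);
    pollRtu(*t, failLink);
}

// Run one poll, swallow the failure, and report how many handles stay open.
std::size_t handlesAfter(bool useRaii, bool failLink) {
    fakeos::openHandles.clear();
    try { useRaii ? pollRaii(failLink) : pollManual(failLink); }
    catch (const std::runtime_error&) {}
    return fakeos::openHandles.size();
}
```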
That depends on which government you're talking about, comrade.
Learning HOW to think is more important than learning WHAT to think.
Firewall off 127.0.0.1. Hell, might as well just blackhole the entire RFC 1918 space. Who needs 10. networks anyway?
Take a large helping of 'duh', sprinkle on some crisis mentality, garnished with a little fascism, and served up by a population programmed to trade freedom for security.
We'll nationalize the power grid in less than 20 years.
I want to delete my account but Slashdot doesn't allow it.