Slashdot Mirror


Congressional Report: US Power Grid Highly Vulnerable To Cyberattack

An anonymous reader writes "Despite warnings that a cyberattack could cripple the nation's power supply, a U.S. Congressional report (PDF) finds that power companies' efforts to protect the power grid are insufficient. Attacks are apparently commonplace, with one utility claiming they fight off some 10,000 attempted attacks every month. The report also found that while most power companies are complying with mandatory standards for protection, few do much else above and beyond that to protect the grid. 'For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs [Investor-Owned Utilities], 83% of municipally- or cooperatively-owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally- or cooperatively-owned utilities, and 62.5% of federal entities reported compliance.'"

9 of 124 comments

  1. You're kidding me by Anonymous Coward · · Score: 3, Insightful

    Our power grid is plugged into the Internet? Can't they spend $40 on a Linksys router and call it good?

    1. Re:You're kidding me by OhANameWhatName · · Score: 4, Informative

      Can't they spend $40 on a Linksys router and call it good?

      You can never spend $40 on a Linksys router and call it good.

    2. Re:You're kidding me by White+Flame · · Score: 3, Insightful

      Stuxnet spread via USB sticks, and successfully 'cyber' attacked nuclear refinement systems that were not on the net.

      These regulations (at least from what I'm familiar with from the nuclear end of things) cover a lot of human & portable equipment policy, and destroy I/O ports in non-connected equipment to try to eliminate potential attack vectors or non-policy human activity that might compromise security. It does go beyond simply unplugging CAT5 cables.

    3. Re:You're kidding me by lightknight · · Score: 3, Insightful

      Not going to happen. The US, and other parts of the world, have been very Marie Antoinette about internet / technology literacy, and the implications of a populace dependent on using said devices where the culture is set to super-apathy mode. They just...they don't care, and the way things are set up, there is no way to make them care, until the inevitable something horrid happens to them, then it's "why can't you guys do anything about this?"

      Consider this: your average secretary for a CEO / Chairman / President of a company may or may not have the technological literacy to know whether or not his / her machine has become infected, and is now sending the VIP's electronic Rolodex / tax returns to some bad people. But the VIP is totally cool with how things are, until some insider breaks his company, or personally targets him. And then it's asking IT / the FBI to track down some people who have had a six month start, and probably swept their tracks right before their big heist. This is how technology illiteracy is killing companies.


      --
      I am John Hurt.
  2. After the fertilizer hits the ventilator by aphelion_rock · · Score: 4, Insightful

    Why bother with complex security measures?

    (1) It costs money
    (2) There is no measurable profit
    (3) There is no measurable increase in productivity
    (4) There is no measurable increase in share price
    (5) The bozos who make the decisions usually don't understand the issues anyway

    Only once the proverbial hits the fan will something be done and even then it will probably be blamed on the power lines sagging onto a tree on a hot day...

    1. Re:After the fertilizer hits the ventilator by c0lo · · Score: 3, Interesting

      Why bother with complex security measures?

      (0) We have laws that criminalize the breach of ToS-es, so it's no longer our problem... we have 3-letter-agencies and US Attorney Carmen M. Ortiz to protect us.
      Our mission is not security but to make profits (e.g. externalize costs, avoid taxes, etc; if it would lead to increased profits, we'll even lobby Congress to repeal the Law of gravitational attraction)

      (1) It costs money
      (2) There is no measurable profit
      (3) There is no measurable increase in productivity
      (4) There is no measurable increase in share price

      Only once the proverbial hits the fan will something be done and even then it will probably be blamed on the power lines sagging onto a tree on a hot day...

      FTFY

      --
      Questions raise, answers kill. Raise questions to stay alive.
  3. Very weird priorities by http · · Score: 4, Interesting

    OMNI magazine recently set its archives loose online. Check the January 1989 issue, "The Rules of the Game" (http://archive.org/stream/omni-magazine-1989-01/OMNI_1989_01#page/n17/mode/2up, flip to page 42) for the low tech nightmare. If you think the nation without a power grid would make for a seriously bad month, you lack imagination. Try a seriously bad year, or longer. Pretty much every piece of infrastructure is built with the assumption that electricity is somewhere close at hand.

    The physical infrastructure of the power grid is an infinitely easier target, with gigantic ROI for terrorists or actual enemy agents. The $100,000 you could spend for a good 0-day would be better spent on a few RPGs and some half-decent watches. Network attacks are a fool's errand. If you want to prevent awful things, your money is better spent on guards.

    That OMNI article may be the first "How can I unknow this?" moment of my literate life.

    --
    If opportunity came disguised as temptation, one knock would be enough.
    3^2 * 67^1 * 977^1
  4. Feeding an island is DEADLY. by Ungrounded+Lightning · · Score: 5, Informative

    It could even keep a local part of the grid up while all others around them suffer power failures.

    And that is a BIG no-no. Because it kills linemen trying to fix the outage.

    Those transformers work both ways. Your little generator or inverter gets stepped up to maybe 8,000 or 12,000 volts. Then a lineman who thinks the power is down brushes against a wire (or comes within a quarter-inch of it) and is "burned" - to death.

    Grid-connected inverters with a "sell" feature MUST monitor the network and shut down if they detect islanding - being cut off from the grid, with one or a collection of generators running autonomously. It's perfectly OK to feed power into the grid when it's up (if you're using UL approved equipment, connected according to code, inspected for compliance, and the utility knows you're doing it according to the rules.) It's perfectly OK to have things wired so your equipment still feeds your house if the grid goes down, but it MUST cut itself off from the dying or dead grid and stay off until the grid comes back up and stabilizes at the nominal voltage and frequency.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
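    The anti-islanding behaviour the comment above describes, as an added toy simulation (not code from the post, and not any real inverter's firmware): a controller that stops exporting the instant voltage or frequency leaves its window, and only resumes after the grid has held nominal continuously for a hold-off period. The trip windows, the 300-second hold-off and the sample sequence are illustrative assumptions, not quotations of any interconnection standard.

```python
"""Passive anti-islanding check for a grid-tied inverter (toy simulation).

Added illustration only: not code from the Slashdot post or from any real
inverter.  The trip windows and reconnect hold-off are assumed values chosen
for the demo; real limits come from the applicable interconnection standard
and the utility's interconnection agreement.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed trip windows (illustrative, not a standard's numbers).
V_NOMINAL = 240.0                        # volts, split-phase residential service
V_MIN, V_MAX = 0.88 * V_NOMINAL, 1.10 * V_NOMINAL
F_NOMINAL = 60.0                         # hertz
F_MIN, F_MAX = 59.3, 60.5
RECONNECT_HOLD_S = 300                   # assumed: seconds of healthy grid before resuming export


@dataclass
class Sample:
    t: int          # seconds since start of the trace
    volts: float    # voltage at the point of common coupling
    hertz: float    # measured line frequency


def in_window(s: Sample) -> bool:
    """True if the line looks like a live, healthy utility grid."""
    return V_MIN <= s.volts <= V_MAX and F_MIN <= s.hertz <= F_MAX


@dataclass
class AntiIslandingController:
    """Decides whether the inverter may export ("sell") to the grid.

    Passive detection: once the utility is gone, a small inverter carrying the
    local loads alone cannot hold both voltage and frequency inside the
    window, so the first out-of-window sample trips export off.  Export is
    re-enabled only after RECONNECT_HOLD_S seconds of continuously in-window
    readings, so a flickering or recovering grid does not get fed.
    """
    exporting: bool = True
    nominal_since: Optional[int] = None            # start of the current in-window run
    events: List[Tuple[int, str]] = field(default_factory=list)

    def step(self, s: Sample) -> bool:
        if not in_window(s):
            self.nominal_since = None              # any bad sample restarts the hold-off
            if self.exporting:
                self.exporting = False
                self.events.append((s.t, "trip"))
            return self.exporting
        if self.nominal_since is None:
            self.nominal_since = s.t
        if not self.exporting and s.t - self.nominal_since >= RECONNECT_HOLD_S:
            self.exporting = True
            self.events.append((s.t, "reconnect"))
        return self.exporting


def run(samples: List[Sample]) -> Tuple[List[Tuple[int, str]], List[Tuple[int, bool]]]:
    """Feed a trace through the controller; return (events, per-sample export state)."""
    ctl = AntiIslandingController()
    trace = [(s.t, ctl.step(s)) for s in samples]
    return ctl.events, trace


def demo_samples() -> List[Sample]:
    """Constructed input: healthy grid, then loss of utility (voltage sags and
    frequency drifts as the inverter alone tries to carry the local loads),
    then the grid returns and stays nominal."""
    samples = [Sample(t, 240.0, 60.0) for t in range(0, 10)]
    # t=10..19: utility gone; voltage sags 2 V/s, frequency climbs 0.2 Hz/s
    samples += [Sample(t, 238.0 - 2 * (t - 10), 60.2 + 0.2 * (t - 10)) for t in range(10, 20)]
    # t=20..339: grid back and nominal
    samples += [Sample(t, 240.0, 60.0) for t in range(20, 340)]
    return samples


if __name__ == "__main__":
    events, trace = run(demo_samples())
    print(events)   # trip when frequency first exceeds 60.5 Hz, reconnect 300 s after the grid returns
```

    With the constructed trace the controller trips at t=12 (the first sample above 60.5 Hz, while voltage is still inside its window), stays off through the outage and for the whole hold-off, and reconnects at t=320. The point worth noticing is the asymmetry: tripping is immediate on a single bad sample, while reconnecting requires a long unbroken run of good ones.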
  5. Re:Protect against stuxnet? by chill · · Score: 3, Funny

    Firewall off 127.0.0.1. Hell, might as well just blackhole the entire RFC 1918 space. Who needs 10. networks anyway?

    --
    Learning HOW to think is more important than learning WHAT to think.