Communications Protocol Leaves Power Grid Vulnerable
mspohr writes "The NY Times has an interesting story about a pair of researchers who 'discovered that they could freeze, or crash, the software that monitors a [power] substation, thereby blinding control center operators from the power grid.' These two engineers wrote software to test for vulnerabilities in the control systems of electrical power grids which use a protocol called DNP3 to communicate with sub-stations. They first tested an open source implementation of the protocol and didn't find any problems. They were worried that their software test wasn't adequate, so they started testing proprietary systems. They broke every single one of the 16 proprietary systems they tested initially and found nine more systems vulnerable in later testing. They were able to install malware and also found firewalls ineffective. The pair reported this to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, I.C.S.-C.E.R.T., and didn't get much of a response. It's scary that our electrical grid is so vulnerable and there doesn't seem to be much urgency to get it fixed. A few patches have been issued, but who knows if the systems have been updated?"
It is not like this is a new issue. Fire all IT managers who were responsible for not doing penetration testing, including the ones at Homeland Security.
If you do NOT hold managers responsible then they are just lifers waiting for their pension!!
Their first mistake was assuming that the Department of Homeland Security actually cares about homeland security. Department of Homeland Control would be a better, more accurate name.
If history is any guide, the managers of these systems are trying to find ways to prosecute the researchers for their actions. It's fairly standard to classify security testing methods as attacks (since that's in effect what they are), and publishing the problems is generally considered telling the "terrorists" how to attack the systems.
But this is about what should be expected for systems that depend on "security by obscurity". And the managers of such systems rarely reward someone who demonstrates how they've failed.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.