Slashdot Mirror


Communications Protocol Leaves Power Grid Vulnerable

mspohr writes "The NY Times has an interesting story about a pair of researchers who 'discovered that they could freeze, or crash, the software that monitors a [power] substation, thereby blinding control center operators from the power grid.' These two engineers wrote software to test for vulnerabilities in the control systems of electrical power grids which use a protocol called DNP3 to communicate with sub-stations. They first tested an open source implementation of the protocol and didn't find any problems. They were worried that their software test wasn't adequate so they started testing proprietary systems. They broke every single one of the 16 proprietary systems they tested initially and found nine more systems vulnerable in later testing. They were able to install malware and also found firewalls ineffective. The pair reported this to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, I.C.S.-C.E.R.T. and didn't get much of a response. It's scary that our electrical grid is so vulnerable and there doesn't seem to be much urgency to get it fixed. A few patches have been issued, but who knows if the systems have been updated?"
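The summary says the researchers crashed DNP3 implementations by feeding them unexpected traffic. As an added example (not from the article, the researchers' tool, or any vendor's product), here is a defensive DNP3 link-layer frame parser that checks the start octets, the LEN field, the real buffer size and every CRC before touching the payload, and rejects anything malformed with an exception instead of reading past the buffer. The frame layout and CRC-16/DNP parameters follow IEEE 1815; the constant names, the exception class and the build_frame helper are my own.

```python
import struct

START = b"\x05\x64"      # DNP3 link-layer start octets
HEADER_LEN = 10          # start(2) + LEN(1) + CTRL(1) + DST(2) + SRC(2) + CRC(2)
BLOCK = 16               # user data travels in 16-octet blocks, each with its own CRC

class FrameError(ValueError):
    pass                 # any malformed frame: the caller drops it instead of crashing

def dnp3_crc(data: bytes) -> int:
    # CRC-16/DNP: reflected polynomial 0xA6BC (0x3D65), init 0, final XOR 0xFFFF
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def parse_frame(raw: bytes) -> dict:
    """Validate one complete link-layer frame and return its header fields and user data."""
    if len(raw) < HEADER_LEN:
        raise FrameError("truncated header")
    if raw[:2] != START:
        raise FrameError("bad start octets")
    length, ctrl, dst, src, hdr_crc = struct.unpack_from("<BBHHH", raw, 2)
    if length < 5:                       # LEN counts CTRL+DST+SRC (5) plus user data
        raise FrameError("LEN below the minimum of 5")
    if dnp3_crc(raw[:8]) != hdr_crc:
        raise FrameError("header CRC mismatch")
    user_len = length - 5
    nblocks = (user_len + BLOCK - 1) // BLOCK
    expected = HEADER_LEN + user_len + 2 * nblocks   # every data block carries a 2-octet CRC
    if len(raw) != expected:                          # never trust LEN over the real buffer size
        raise FrameError(f"frame is {len(raw)} octets, LEN implies {expected}")
    payload, pos = bytearray(), HEADER_LEN
    while pos < expected:
        n = min(BLOCK, expected - pos - 2)            # last block may be shorter than 16
        block = raw[pos:pos + n]
        if dnp3_crc(block) != struct.unpack_from("<H", raw, pos + n)[0]:
            raise FrameError("data block CRC mismatch")
        payload += block
        pos += n + 2
    return {"ctrl": ctrl, "dst": dst, "src": src, "data": bytes(payload)}

def build_frame(ctrl: int, dst: int, src: int, data: bytes = b"") -> bytes:
    """Helper (mine, for exercising the parser): CRCs are sent low octet first."""
    hdr = START + struct.pack("<BBHH", 5 + len(data), ctrl, dst, src)
    out = bytearray(hdr + struct.pack("<H", dnp3_crc(hdr)))
    for i in range(0, len(data), BLOCK):
        out += data[i:i + BLOCK] + struct.pack("<H", dnp3_crc(data[i:i + BLOCK]))
    return bytes(out)
```

Feeding the parser truncated frames, a LEN that disagrees with the buffer, or a flipped payload bit yields a FrameError at the first failed check, which is the behaviour a receiver needs so that garbage on the wire cannot take the monitoring software down.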

9 of 68 comments

  1. Subject Discussed Years Ago: FIRE THEM! by BoRegardless · Score: 3, Insightful

    It is not like this is a new issue. Fire all IT managers who were responsible for not doing penetration testing, including the ones at Homeland Security.

    If you do NOT hold managers responsible then they are just lifers waiting for their pension!!

  2. One of my former bosses knew this. by digsbo · Score: 2, Interesting

    I worked for a fellow who'd previously done some work on power grids. He was aware of these problems in 2005 or earlier. I'm pretty sure these problems were also published in the 9/11 Commission's report. But I don't think patching holes in power grid controls provides enough theater to keep people scared, so it hasn't been done.

    1. Re:One of my former bosses knew this. by Minupla · Score: 2

      Yep, I saw this talk:

      http://www.internetnews.com/infra/article.php/3831956/Black+Hat+Exposes+Smart+Grid+Security+Risks.htm at blackhat in 2009, so what, at least 4 years?

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  3. DHS? by reboot246 · Score: 2, Insightful

    Their first mistake was assuming that the Department of Homeland Security actually cares about homeland security. Department of Homeland Control would be a better, more accurate name.

  4. Re:Subject Discussed Years Ago: FIRE THEM! by jc42 · Score: 3, Insightful

    If history is any guide, the managers of these systems are trying to find ways to prosecute the researchers for their actions. It's fairly standard to classify security testing methods as attacks (since that's in effect what they are), and publishing the problems is generally considered telling the "terrorists" how to attack the systems.

    But this is about what should be expected for systems that depend on "security by obscurity". And the managers of such systems rarely reward someone who demonstrates how they've failed.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  5. Re:Scary Lack of Urgency by clarkkent09 · Score: 2

    So a post saying CIA wanted 9/11 to happen so its budget would be increased gets modded "Interesting". You mods really need to hang out more on conspiracy nut message boards, you'll find a lot more "interesting" stuff there.

    --
    Negative moral value of force outweighs the positive value of good intentions.
  6. Re:Scary Lack of Urgency by CanHasDIY · Score: 2

    So a post saying CIA wanted 9/11 to happen so its budget would be increased gets modded "Interesting". You mods really need to hang out more on conspiracy nut message boards, you'll find a lot more "interesting" stuff there.

    There's nothing nutty about it - it's a proven fact that the government had good, solid intel that a group of mostly Saudi men were planning on hijacking planes and crashing them into buildings. It's also a proven fact that our government did nothing to stop them, and that the budgets and powers of various TLAs see explosive growth (no pun intended) when shit like that is allowed to happen. Contrary to what a lot of people seem to want to believe, the people who run these agencies are not inept, incompetent fools who can't tell their asses from their heads; guys like Petraeus and Clapper got to where they are by being very, very good at what they do.

    What I find nutty is how so many people deny the truth, even when it has been covered, extensively, by multiple media outlets.

    I guess some folks will believe anything... so long as it's a government agent giving the narrative.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  7. Re:Subject Discussed Years Ago: FIRE THEM! by icebike · Score: 2

    It is not like this is a new issue. Fire all IT managers who were responsible for not doing penetration testing, including the ones at Homeland Security.

    If you do NOT hold managers responsible then they are just lifers waiting for their pension!!

    Before you loop that noose over the tree branch, perhaps you should check if this report actually reflects the real world.

    TFA simply says they tested software from vendors, not real world installations. This software is in actual use, but that doesn't necessarily mean it's running naked on the internet. Most often this is run on private circuits, as most of these installations predate the availability of internet. Even when on the internet, most of these installations use VPN between plants and control centers.

    Even those foolish enough to put SCADA directly on the net have already been notified by their trade associations (if not the DHS) to start using off the shelf VPN routers immediately, and that happened months ago.

    Contrary to the rantings of Slashdot Experts, these places aren't run by total idiots. Nor do they have the luxury of replacing every SCADA controller in their plants. But they do know enough to use common off the shelf technology to provide a reasonable level of security, and probably accomplished this a long time ago simply to make management of their network easier.

    Sure, you can scan the net and find some SCADA controllers for small water pumps in East Podunk Oklahoma. But they don't control big city plants.

    --
    Sig Battery depleted. Reverting to safe mode.
  8. Re:The real deal by thebigmacd · Score: 2

    DNP3 functionality will soon (5-10 years) be embedded in grid-tie solar inverters in Canada so the local power company can control them at will on a per-second basis (I'm working with a local college developing this technology right now). Pretty easy access to the communications channel if you ask me. And no, no one seems interested in security.