Slashdot Mirror


DHS Mistakenly Releases 840 Pages of Critical Infrastructure Documents

wiredmikey (1824622) writes The Operation Aurora attack was publicized in 2010 and impacted Google and a number of other high-profile companies. However, DHS responded to the request by releasing more than 800 pages of documents related to the 'Aurora' experiment conducted several years ago at the Idaho National Laboratory, where researchers demonstrated a way to damage a generator via a cyber-attack. Of the documents released by the DHS, none were related to the Operation Aurora cyber attack as requested. Many of the 840 pages are comprised of old weekly reports from the DHS' Control System Security Program (CSSP) from 2007. Other pages that were released included information about possible examples of facilities that could be vulnerable to attack, such as water plants and gas pipelines.

50 comments

  1. Yeah, right by slapout · · Score: 2

    "Mistakenly" Sure...

    --
    Coder's Stone: The programming language quick ref for iPad
    1. Re:Yeah, right by Anonymous Coward · · Score: 0

      everyone should know a honey pot when they see one....

    2. Re:Yeah, right by Anonymous Coward · · Score: 0

      They are just begging a terrorist to do something, so they can justify their existence.

    3. Re:Yeah, right by houghi · · Score: 1

      This should have been Edward Snowden's defence: "Oops!"

      --
      Don't fight for your country, if your country does not fight for you.
  2. These don't seem "critical" by timrod · · Score: 5, Informative

    From what the article shows, it seems like a lot of this information is public knowledge - where substations and water plants are and how they operate. Pretty much everyone in my town knows where the local substations are, and it doesn't take a genius to know that an attack that disables or destroys a substation would have a massive impact on the people living there. None of these documents appear to be classified, which means they don't contain anything that DHS was afraid of the general public knowing.

    It would be a different story if these were classified documents containing things like the floor plans for nuclear plants and gaps in security at said plants that could actually be useful in an attack, but this seems like a non-story other than that DHS's FOIA officer got lazy and just CTRL+F'd for "Aurora" and blindly copied anything with that word in the name.

    1. Re:These don't seem "critical" by Mr D from 63 · · Score: 4, Funny

      Yes, I think the article would more aptly be entitled, "DHS Releases Documents that Weren't Requested".

    2. Re:These don't seem "critical" by Anonymous Coward · · Score: 1

      To be fair, that in itself is news too.

    3. Re: These don't seem "critical" by Anonymous Coward · · Score: 0

      They just confused aurora with the 2007 one http://www.cnn.com/2007/US/09/26/power.at.risk/

    4. Re:These don't seem "critical" by X0563511 · · Score: 1

      The documents aren't critical. The infrastructure it refers to is.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:These don't seem "critical" by Anonymous Coward · · Score: 0

      There is much that is NOT public knowledge.

      For example, which breaker does that medium voltage motor connect to? What point index numbers must I use to command that breaker? How many milliseconds on and milliseconds off must I send the command to end up 120 degrees out of phase? What kind of out of phase protection relay is in service?

      Utilities are caught between a rock and a hard place. On the one hand, they have to document where the money is being spent. There is no way to hide a large spinning asset. On the other hand, they should not publish a roadmap on how to break stuff. These large assets can be destroyed with a few carefully constructed commands.

      That said, there are extremely few people with sufficient intimate knowledge and a combination of experience and skill in both embedded systems, protocols, and IT, as well as industrial engineering, control systems, and SCADA who can leverage such information to actually damage something. The other mitigating factor is that unless you're a foreign terrorist or nation state, there is very little motivation to destroy utility assets. There certainly isn't much money in it.

      That's why, although I wouldn't actually sleep soundly, the release of this information is not an immediate disaster.

    6. Re:These don't seem "critical" by k6mfw · · Score: 1

      Pretty much everyone in my town knows where the local substations are

      maybe remove these from maps both printed and Google? Yes it's ridiculous but I'm sure these ideas are kicking around. I read someplace that shortly after 9-11, some cities removed addresses of fire department stations because they felt if terrorists knew where these are they can disrupt first responders.

      --
      mfwright@batnet.com
    7. Re:These don't seem "critical" by sumdumass · · Score: 1

      You are correct, it does sound ridiculous. However, a lot of things sound that way in today's world.

      Maybe the FBI and NSA couldn't use the monitoring they are doing on Americans to find people looking for this stuff in some attempt to find a terrorist cell so they released them to narrow down their search (either by looking closer at those who download it or those who don't but searched for it previously).

      As for first responders, you can always know where first responders are by creating an accident that requires them. After about 10 minutes, attack with stage two. Car bombings in Iraq and other hot spots tend to use this. They send a bomb in close to an area, send another in to blow up, 10-20 minutes later, first responders are on scene trying to save lives and the second bomb goes off.

    8. Re:These don't seem "critical" by muridae · · Score: 1

      There is much that is NOT public knowledge.

      For example*snip* How many milliseconds on and milliseconds off must I send the command to end up 120 degrees out of phase? What kind of out of phase protection relay is in service?

      360 degrees of phase every 1/60th of a second. 120 degrees is 1/3rd that, so minimum of 1/3 of 1/60 or 1/90th of a second....that would be common knowledge to anyone in the USA who hears 60 cycle hums on electrical lines or as line noise. Whether that would be how long the breaker would need to be off to get the generator that far out of phase, I don't know. But I really want to dig through this paper and see if the person I know who does know how long it takes, and warned the DOE and DHS about it, is mentioned by name.

  3. Does anyone get the impression.. by bluegutang · · Score: 2

    that nothing can be kept secret anymore? Whatever you want not to be exposed, whether diplomatic communications or technical documents or "intellectual property", will eventually reach the internet either by whistle-blowing or human error? And once it reaches the internet, if anyone cares about it then it will be perpetuated forever?

    There are advantages to such a situation, of course, but also disadvantages.

    1. Re:Does anyone get the impression.. by DoofusOfDeath · · Score: 4, Insightful

      that nothing can be kept secret anymore?

      It's hard to say, because in general we don't know about the things that have remained secret. We know the numerator, but not the denominator.

    2. Re:Does anyone get the impression.. by Creepy · · Score: 2

      There is no such thing as whistle blowing in the US, since the US classifies giving classified information to "someone that is not supposed to have it" as treason under the Espionage Act of 1917.

      And it isn't just whistle blowing - the White House recently committed treason by exposing the CIA operative in Afghanistan, for instance (and then said "whoops"). Note that the White House decided not to prosecute itself, just as it chose not to prosecute Dick Cheney and Richard Armitage for the same crime (in Plamegate).

    3. Re:Does anyone get the impression.. by hendrips · · Score: 1

      No, I don't. I get the impression that these documents were freely available, unclassified, public information. Or was DHS really trying to keep the location of that big-ass power substation down the street from me a secret?

    4. Re:Does anyone get the impression.. by K. S. Kyosuke · · Score: 2

      This principle used to be called "information wants to be free", but then, people with poor language skills started shouting that information can't want anything.

      --
      Ezekiel 23:20
    5. Re:Does anyone get the impression.. by ewieling · · Score: 2

      My hope is the "do-baders" spend so much time keeping things secret they have difficulty "doing bad".

      --
      I really shouldn't have used someone else's email address for this account.
    6. Re:Does anyone get the impression.. by Anonymous Coward · · Score: 0

      There is some additional information available in the documents that is not readily available to the public (such as total substation capacity or redundancy); however a member of the public with a reasonable background in electrical engineering could probably make a good guess by looking at photographs or estimating measurements. The difference is basically what is easily accessible to the public vs. what would require the analysis of trained professionals.

    7. Re:Does anyone get the impression.. by Bing Tsher E · · Score: 1

      'Information wants to be free' is just a badly constructed wannabe-meme similar in quality to Apple's 'Think Different' slogan. Basically, it's the kind of drivel marketing types who dropped too much acid in college come up with.

      Why would anybody claim that the people who point this out have 'bad language skills'?

    8. Re:Does anyone get the impression.. by K. S. Kyosuke · · Score: 1

      Because "fortune favors the bold" or "justice is blind" belong to the same category, and nobody objects against those? And I don't think the ancient peoples were dropping acid in college.

      --
      Ezekiel 23:20
  4. DHS better flee to Russia while they still can.. by PortHaven · · Score: 4, Funny

    Er...ya...or something.

  5. Hypocrites.. by Anonymous Coward · · Score: 0

    Do it in the name of whistleblowing, and you're treasonous. Do it 'mistakenly', and it's 'OK'. Just an 'oopsie'. What's the fine, or charge, for 'accidentally' enabling the terrorists again? That's right. Nothing!

    Can I get a new Government? Possibly one where incompetence is a disqualification for anything having to do with infrastructure, security, or Civil Liberties?

    1. Re:Hypocrites.. by Anonymous Coward · · Score: 0

      Can I get a new Government? Possibly one where incompetence is a disqualification for anything having to do with infrastructure, security, or Civil Liberties?

      I've seen your country. Pretty soon there would be nobody left to do any of those.

  6. ... and slashdot is playing along ... by Anonymous Coward · · Score: 0

    A honeypot by itself won't be attracting any bee

    An advertised honeypot, on the other hand ...
     
      and the involvement of /. says a lot !

  7. this is all by design by Mister Liberty · · Score: 1

    You see, those dept.'s want even more of your money, and what with terrorists keeping quiet these days and the extremists
    being ID'ed by whether or not they read Linux Journal, the DHS, TSA, NSA and any other acronym that's got the coveted 'S',
    are starting to look pathetic.
    Can't have that!

  8. Re:Why I vote Democrat by Anonymous Coward · · Score: 0

    I'd say about half of these are actually spot on. It would be funny to see one for Republicans and Libertarians too.

  9. This is just naming confusion by Anonymous Coward · · Score: 0

    The requestor obviously was looking for information on the "operation aurora" hacking that occurred in 2010. DHS confused this with the "aurora" vulnerability from 2007 which sought to prove that an ICS attack could break a generator. I think that is all and the 2007 aurora info is long public.

    1. Re:This is just naming confusion by PPH · · Score: 3, Insightful

      Isn't there supposed to be some gov't office or book of code names to ensure that secret project names are not re-used? Someone looks up 'Aurora' and sees that this was declassified years ago. So they upload it to the public site. Whoops.

      I'm doing a study on architecture in New York City. I think I'll call it the Manhattan Project.

      --
      Have gnu, will travel.
  10. Re:Why I vote Democrat by Mister Liberty · · Score: 1

    I don't know what human condition you suffer from, but I venture one of its symptoms is typarria.

  11. The Department of Hardons for Stasism, WOOT! by Anonymous Coward · · Score: 0

    Gee, shock surprise that the Department of Hardons for Stasiism fucks up like this.
    What does any one expect from a newly formed "law" enforcement that supersedes
    all other "law" enforcement of the land? It's bound to be full of fuckups and n00bs
    who don't know what the fuck they are doing. And this just proves this...

  12. Re:DHS better flee to Russia while they still can. by Anonymous Coward · · Score: 0

    ...in a perfect world.

  13. Oops I did it again ... by CaptainDork · · Score: 1

    Recall the inadvertent Gmail slip, and the doctor SSN fail ...

    Buy them books and send them to school and they bite the teacher.

    --
    It little behooves the best of us to comment on the rest of us.
  14. 4 year old vulnerabilities by Anonymous Coward · · Score: 0

    This documentation relates to vulnerabilities which were presumably identified about 4 years ago, if they haven't already been fixed they SHOULD be advertised to shame those responsible into fixing them. It's disturbing how often society/government cringes at the "unauthorized" release of information instead of the lack of action & accountability that they so often show.

  15. Re:Why I vote Democrat by coldfarnorth · · Score: 1

    I vote democrat to (among other reasons) piss people like you off.

    --
    Let's start referring to The War Against Terror by its initials. . .
  16. IRS by MouseTheLuckyDog · · Score: 4, Funny

    Were the missing IRS emails in there?

    1. Re:IRS by Ksevio · · Score: 1

      The IRS isn't a critical infrastructure so that seems unlikely. The recently lost ones were on a hard drive that died so it's even more unlikely the DHS stole a copy.

  17. Mistake? Suure... by WegianWarrior · · Score: 3, Insightful

    Step one: Release a bunch of 'critical' documents by 'mistake'.

    Step two: Twiddle thumbs while terrorists / criminals abuse information released in step one.

    Step three: Point to attack in caused by step two, argue that DHS should be exempt from FOI Request because 'national security'.

    Step four: DHS can do anything they like without the public oversight.

    --
    Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
  18. Re:Why I vote Democrat by coldfarnorth · · Score: 3, Insightful

    Now that I've got my flip answer out of the way, it's probably best that I don't leave your little talking points unaddressed.
    (UPDATE: Comboman's response is probably wittier and more concise - someone send 'em a gold star please. But I went to the trouble to type all this, so I'm going to post it anyways. It's the internet way.)

    I vote Democrat because I believe it’s okay if our federal government borrows $85 Billion every single month.

    Yup. Years of neglect have left our infrastructure in a sorry state, inherited wars cost money(!), and let's not even talk about the shitpile that was the economy when Bush II handed over the reins. (A resounding win for Financial deregulation, wouldn't you say?)

    I vote Democrat because I care about the children but saddling them with trillions of dollars of debt to pay for my bloated leftist government is okay.

    This is really the same as the last one, but hey, it's still better than inventing evidence and starting a war that resulted in the deaths of ~4,500 of our kids, and maiming or otherwise injuring ~32,000 more (and totally ignoring the deaths of tens of thousands of Iraqi citizens as a result of said war).

    I vote Democrat because I believe it’s better to pay billions of dollars to people who hate us rather than drill for our own oil, because it might upset some endangered beetle or gopher.

    Last I checked, we'd rather reduce our dependence on oil altogether (By jump-starting the wind and solar industries in the US), but big oil and coal has been lobbying like there's no tomorrow to prevent that.

    I vote Democrat because I believe it is okay if liberal activist judges rewrite the Constitution to suit some fringe kooks, who would otherwise never get their agenda past the voters.

    No worries, the conservatives engage in plenty of this too, especially in cases involving the 2nd Amendment and abortion rights (Hobby Lobby decision was decided by 5 men who were conservative Catholics).

    I vote Democrat because I believe that corporate America should not be allowed to make profits for themselves or their shareholders. They need to break even and give the rest to the federal government for redistribution.

    Dude, you are crazy. No company should be able to avoid paying taxes through financial sleight of hand, but really, you think GE is paying too much tax for the benefits of being an American corporation? Apple?

    I vote Democrat because I’m not concerned about millions of babies being aborted, so long as we keep all of the murderers on death row alive.

    As opposed to that other party, who preaches the sanctity of life, but is giddy to kill inmates.

    I vote Democrat because I believe it’s okay if my Nobel Peace Prize winning President uses drones to assassinate people, as long as we don’t use torture.

    Guess what? Most humans don't think that anyone should either engage in torture, or send drones to kill other humans. Shocking! One of two is a reasonable start, and we're working on the other one. At least we don't have Bush/Cheney in charge any more, they were fine with both.

    I vote Democrat because I believe people, who can’t accurately tell us if it will rain on Friday, can predict the polar ice caps will melt away in ten years if I don’t start driving a Chevy Volt.

    You do know the difference between climatology and meteorology, right? It's like the difference between socialism and communism (or patriotism and fascism, if you swing that way.) The latter is a tiny subset of the former.

    I vote Democrat because Freedom of Speech is not as important as preventing people from being offended.

    Aw, here you're just trying to stir things up. I'm pretty sure the courts have a well-used system in pl

    --
    Let's start referring to The War Against Terror by its initials. . .
  19. Mysterious "Aurora" attack not so mysterious. by Animats · · Score: 1

    There's nothing mysterious about this. The problem is that if someone gets control of circuit breakers for large rotating equipment, they may be able to disconnect it, let it get out of sync, and reconnect it. This causes huge stresses on motor and generator windings and may damage larger equipment. This is a classic problem in AC electrical systems. A more technical analysis of the Aurora vulnerability is here.

    The attack involves taking over control of a power breaker in the transmission system, one that isn't protected by a device that checks for an in-phase condition. Breakers that are intended to be used during synchronization (such as the ones nearest generators) have such protections, but not all breakers do.

    Protective relaying in power systems is complicated, because big transient events occur now and then. A lightning strike is a normal event in transmission systems. The system can tolerate many disruptive events, and you don't want to shut everything down and go to full blackout because the fault detection is overly sensitive. A big inductive load joining the grid looks much like an Aurora attack for the first cycle or two.

    There's a problem with someone reprogramming the setpoints on protective relays. This is the classic "let's make it remotely updatable" problem. It's so much easier today to make things remotely updatable than to send someone to adjust a setting. The Aurora attack requires some of this. There's a lot to be said for hard-wired limits that can't be updated remotely, such as "reclosing beyond 20 degrees of phase error is not allowed, no matter what parameters are downloaded."
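
A sketch of the hard-wired limit described in the comment above, as an added example that is not part of the original post or of any vendor's relay firmware: a sync-check permissive in which a remotely downloaded setpoint can tighten the allowed phase window but never widen it past a build-time ceiling. The structure, function names and the centidegree units are assumptions made for illustration; the 20 degree ceiling is the figure quoted in the comment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ceiling fixed at build time: 20.00 degrees, the figure from the comment.
 * Angles are in centidegrees (1/100 degree) so the logic stays integer-only. */
#define HARD_MAX_PHASE_ERR_CDEG 2000

/* Hypothetical settings record that a remote update is allowed to rewrite. */
struct sync_settings {
    int32_t max_phase_err_cdeg;
};

/* Signed phase difference wrapped into [-18000, 18000) centidegrees. */
static int32_t phase_error_cdeg(int32_t bus_cdeg, int32_t line_cdeg)
{
    /* C99 '%' truncates toward zero, so d lies in (-36000, 36000). */
    int64_t d = ((int64_t)bus_cdeg - (int64_t)line_cdeg) % 36000;
    if (d >= 18000) d -= 36000;
    if (d < -18000) d += 36000;
    return (int32_t)d;
}

/* A downloaded setpoint may narrow the window but never widen it.
 * A negative (nonsensical) setpoint yields -1 so that no close can pass. */
static int32_t effective_limit_cdeg(const struct sync_settings *s)
{
    if (s->max_phase_err_cdeg < 0)
        return -1;
    if (s->max_phase_err_cdeg > HARD_MAX_PHASE_ERR_CDEG)
        return HARD_MAX_PHASE_ERR_CDEG;
    return s->max_phase_err_cdeg;
}

/* Sync-check permissive: true only if the breaker may be closed. */
static bool close_permitted(const struct sync_settings *s,
                            int32_t bus_cdeg, int32_t line_cdeg)
{
    int32_t err = phase_error_cdeg(bus_cdeg, line_cdeg);
    int32_t mag = err < 0 ? -err : err;
    return mag <= effective_limit_cdeg(s);
}

int main(void)
{
    /* Constructed sample settings: one widened far past the ceiling,
     * one legitimately tightened to 5 degrees. */
    struct sync_settings widened = { 12000 };
    struct sync_settings tight   = { 500 };

    printf("widened setpoint, 120 deg error: %s\n",
           close_permitted(&widened, 0, 12000) ? "CLOSE" : "BLOCK");
    printf("widened setpoint,  10 deg error: %s\n",
           close_permitted(&widened, 35500, 500) ? "CLOSE" : "BLOCK");
    printf("tight setpoint,    10 deg error: %s\n",
           close_permitted(&tight, 35500, 500) ? "CLOSE" : "BLOCK");
    return 0;
}
```
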

  20. link to the pdf? by supernova87a · · Score: 1

    Does anyone have a better link to the document to download and view? The browser on that Muckrock site is supremely annoying.

    1. Re:link to the pdf? by Anonymous Coward · · Score: 0

      Click the Expand button at bottom. Then there will be a link to "Original pdf"

    2. Re:link to the pdf? by supernova87a · · Score: 1

      Thanks so much!

  21. Re:Why I vote Republican by adndgamer · · Score: 1

    I vote Republican because I see absolutely no correlation between lenient gun laws and surging crime rates

    I'm with you on a lot of this stuff, except for this one which is blatantly false.

    "Crime rates have varied over time, with a sharp rise after World War II, before peaking between the 1970s and early 1990s. Since the early 1990s, crime has declined in the United States, and current crime rates are approximately the same as those of the 1960s." (citations in article)

    http://en.wikipedia.org/wiki/C...

  22. Re:Why I vote Republican by Comboman · · Score: 1

    Yes, I was trying to echo the wording of the "Why I Vote Democrat" post as closely as possible (which is also incorrect of course). A more accurate statement would be "surging mass shooting rates".

    --
    Support Right To Repair Legislation.