Slashdot Mirror
Securing the US Electrical Grid
An anonymous reader writes The Center for the Study of the Presidency & Congress (CSPC) launched a project to bring together representatives from the Executive Branch, Congress, and the private sector to discuss how to better secure the U.S. electric grid from the threats of cyberattack, physical attack, electromagnetic pulse, and inclement weather. In this interview with Help Net Security, Dan Mahaffee, the Director of Policy at CSPC, discusses critical security challenges.
The best thing they could possibly do to protect the electric grid is to figure out how to make it not an electric grid. Because right now, J. Random Asshole can get in his pickup truck, drive 50 miles to some tower in the middle of nowhere, and cut it down with tools you can get at any construction supply store. Taking this one tower down would take out power to most of the East Coast.
Or you could simply do nothing, because the power companies are doing a great job screwing things up on their own.
You mean like the big giant blackout a decade or so ago where most of the eastern seaboard went dark?
And they immediately blamed Canada despite it being their own incompetence at running an electrical system and this being known faults they were too stupid/lazy/cheap to correct?
[Besides Snowden] The largest data breach in recent memory was due to an internet connected HVAC system at Target. The electrical grid is a small sliver of the equation, the next decade is going to be a massive shit show.
If you have data that you absolutely positively must have accessible via the internet, set up a dial and point an internet connected camera at the dial.
EMP pulse is not hard - we know the basics of shielding.
Sabotage and weather are however not easily defensible. No matter what we do, we can't provide complete protection, but we can do pretty well.
excitingthingstodo.blogspot.com
They have some pretty sharp folks working on grid security at INL. While I've seen some disturbing government R&D waste in many areas, this is actually one where I have been highly impressed.
Meanwhile, the US grid has been quite reliable overall throughout the years, and the few major events that have caused large disturbances have been analyzed in detail so the preventative measures can be taken.
...keep them off the public Internet.
Anyone who connects these systems to the public Internet is a fucking retard.
There is an error in the summary. It should read "In this post-nine-eleven world, the Center for the Study of blah blah blah...."
Nebulus threats by a lobby group with a nebulus name rarely have anything to do with solving SPECIFIC problems.
These attack vectors have nothing in common, the only thing in common is this CSPC group has defined the target of such an attack as the electric grid.
Yet physical attacks can be against anything, cyber attacks are against networked things, of which the grid should not be on an accessible network. EMP needs a nuke which would be used against military targets, inclement weather is just filler.
What about Sharks with Lasers? Asteroids knocking out power stations? Floods? ....
The book "Reinventing Fire" by Amory Lovins goes into detail in how to make the grid less vulnerable to inclement weather (including space weather). "Finally, letting distributed generators compete and interconnect fairly could nearly eliminate blackout risks by organizing the grid into local “microgrids” that normally interconnect but can stand alone at need (“islanding”). This resilient future, already demonstrated in about 20 experiments worldwide... " http://www.rmi.org/electricity
As we move closer to a world where almost every device is going to be connected to the Internet, how can we mitigate the onslaught of entirely new threats while we're not able to fend off even the most old of attacks?
This fetish to connect everything to the internet is just asinine.
It is not "cool". It is not innovative.
It is just complicating shit because you can and to make something old look new.
If you have critical systems connected to the Internet, you have made a serious design flaw.
Reading the article, it just looks like the industry is looking for grants, tax breaks, and some other poltical favors because TERRORISM!
If my power grid went out you what would happen? Nothing really. My Netflix Breaking Bad marathon would just be interupted.
All the local hospitals have back up generators, emergency health care isn't a problem.
You know, back during hurrican Sandy, my area didn't get any fuel deliveries for almost a week.
we survived and dealt with it nicely, thank you very much. As a matter of fact, many folks got much needed time off from work.
Contrary to what most folks think, we are not a bunch of candy asses that fall apart when our infrastructure fails.
I for one welcome the up and coming War on Weather
Cyber is easy - simply no direct connect to the internet. Anything less is effectively nothing. Anything more is not needed.
That didn't help Iran against Stuxnet or the US DOD against agent.btz.
Though it almost always comes down to $$, there are certainly steps that can and should be taken immediately. A significant grid attack combined with a power plant attack could quickly put the affected metro/region into survivalist panic mode.
Bonus points if the security upgrade process provides a convenient vehicle to modernize for things like solar sell-back ("smart grid"). I've always thought that power should (ideally) be more like decentralized network traffic, able to rout around damage and not dependent on single points of failure. Of course, historically it made zero sense to build a dozen mini-plants in neighborhoods when one big plant 30 miles away was more efficient and palatable. But relatively soon, we're going to be able to coat whole communities in rooftop "power plants", and that's a great thing.
Nothing posted to
It's not that easy. That would only cover (some of) the cyberattack portion of what they want covered. Keeping powerstations off the internet would only do so much against that. Remember how our government took nuclear stations offline overseas even though they weren't connected to any network?
EMPs could be a serious issue that nobody seems to think is possible. Realistically, a very small nuclear device could be turned into a very destructive force by utilizing its ability to produce an EMP instead of a localized explosion. So, a nuke going off in a city would be devastating to that city, sure, but take that same weapon and detonate it high up in the atmosphere and it could instead take out every electronic in the whole US. It would be decades before we could restore power.
Do you mean this BMW? http://www.rmi.org/winter_2014...
We should start by burying all service cables. Period. Protect against terrorism, solar flares and EMP all in one go.
What about the havoc an extremely large nuclear device could cause on the power grid? According to this other Wikipedia article, "In June 2013, a joint venture from researchers at Lloyd's of London and Atmospheric and Environmental Research (AER) in the United States used data from the Carrington Event to estimate the current cost of a similar event to the US at $0.6-2.6 trillion." To put that in perspective, the 2005 United States budget request from President Bush was only $2.4 trillion and the 2013 budget request from President Obama was $3.8 trillion.
...keep them off the public Internet. Anyone who connects these systems to the public Internet is a fucking retard.
Ah, come on. Ever heard of VPN's? They go encrypted over the internet. Just use some reasonable equipment and keep your patches up to date.
Perhaps you mean... Not connected though unencrypted connections to the public internet...
But, most distribution companies DON'T allow this anyway. There might be one or two rural providers who still have dial-up equipment, but the big transmission line operators don't do this and I'd bet are not allowed to by their region's rules. These companies have to live up to some seriously strict standards for how their facilities operate, what and how they report their status and how fast they must respond to commands from their region's grid manager.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Troll much Oh liberal progressive democrat?
Sure, securing the technology side of things is essential but delivering power to people requires most of your infrastructure to be left out in the open... much of it in remote areas and unattended. Quadruple factor authentication, 200 character passwords, and air gaps don't really matter when some guy with a .22 can bring your system down.
What doesn't kill you only delays the inevitable
Invest in the research. They can keep essential services and even small communities operating for days in isolation - plenty of time to get things repaired and reset. They are lower maintenance than generators, so you can put them everywhere.
Yep, I'm aware, just didn't bother to mention that because people will just say "Pfft, that could never happen!" Though, to be fair, scientists don't expect that we're in any danger of a CME causing widespred damage for at least the next decade.
The problem is, it is simple and relatively cheap to prevent an EMP from wiping out our electric grid, but it is very hard to restore it once it has been destroyed by an EMP. Only so many parts are available and the production just isn't there to restore a country of this size for many, many years.
"Somebody ought hand renewable energy a cape and be done with it...." http://grist.org/news/solar-is...
"EMP needs a nuke"
Not necessarily, EMP's can be generated through non-nuclear means. The only issue is that the devices usually have to be fairly large to generate a fairly limited field. There was I believe one instance where a former employee of a bank filled the back of a van with the necessary gear and parked it next to his former employers building and set it off frying most of their computers.
You would be shocked how transaction information is exchanged between transmission operators, generators, load serving utilities and the appropriate regulators.
Tags are exchanged over the public internet. However that is related to power trading, at the operations level it's all irrelevant.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
I suppose any intelligent comment in this thread might be construed as a terrorist threat so ... never mind.
NOT CONNECTING IT TO THE INTERNET!!!!! DIMWITS!!
Yes, I'm well aware of the issues. And I'm also aware that countries all over the world have been running successful grids long before there was a useful internet. It worked. It can still work. This is just laziness and criminal incompetence. But don't let logic stand in the way. Let's make it complicated and even more expensive.
The worst thing they can do is to secure it and then depend upon the security working. Thus the system should be designed so that if it is hacked every other Monday that it can survive. There have been a number of recent (last 20 years) events that have shown that single points of failure can have devastating effects. So make sure that if terrible things happen that a lesser grid can be maintained manually.
A great example of this would be a local grocery store chain's SAP system failed shortly before Christmas(some years ago). They were so dependant upon it that their ability to order stuff and manage inventory was pretty much non existent. So the store ended up looking like some kind of soviet grocery store where the only goods on the shelves were pretty much those that are managed by the distributors themselves; things like milk.
This grocery store hopefully has learned from this and now has some kind of manual backup plan where a store manager can actually phone in his orders and crudely manage the store's needs in the case of another serious computer outage.
The same with the grid. Ideally they set some sort of minimal functionality emergency plan whereby humans can crudely manage the system as opposed to a system that either works perfectly by computer or doesn't work at all.
But I worry far less about hackers and far more about system design failures and Carrington events.
If NSA has installed weaknesses and/or back doors into most commercial hardware and software globally, then everyone, Al Qaeda, as well as power companies, use the same stuff.
Ask any security manager. He'll tell you that we must assume that bad guys will eventually learn how to exploit those weaknesses and/or back doors, leaving us highly vulnerable to attack.
The Cyber Command wing of NSA has the responsibility to assure that they can successfully attack any enemy, any time. They can not know now who that future enemy might be. Therefore, the only way they can be assured of accomplishing that mission is to make sure that no computer, no IT operating anywhere on the planet is really secure. I fear that they are planting the seeds by which bad guys can attack the power grid in the future.
I reckon "inclement weather" will turn out to be the most disruptive force on electricity production and supply. Firstly, drought will starve coal, gas, and nuclear power stations of the huge amounts of water they need to run at all. Secondly, warmer water in water sources may make cooling less efficient for nuclear power stations (and possibly a danger in some cases). Thirdly there's a higher and growing risk of extreme weather events; floods, flash floods, droughts, tornados, hurricanes, and ice-storms. Just think of the more recent extreme weather events but more extreme and more frequent.
Frankly the expense of protecting long lines is prohibitive. A person with a tiny bit of knowledge can disrupt power lines with ease.. Most people who commit such acts are pretty stupid and will get caught but a few do understand how to do such thin gs who are not so stupid.. They could be big trouble for all of us. Train rails have the same issue. Lots of exposure in remote areas makes them an easy target. Drones could be a big help in this matter.
Oh, if the lone single supplier of electricity is gone, than all of the United States has no power and all civilization grinds to a halt!!! Ok, that's a bit of hyperbole, but really if you have 100 power suppliers for the entire US, then you have 1 supplier for every 3 million people. Any single disruption, and you have a crisis. That's stupid. I know it goes against corporate power suppliers, but just having panels on your roof (especially in the south), goes a long way towards energy security. Even if it can only supply 10% of the power you need (and it truth, rooftop panels can probably supply more like 75%), but at least if the power is cut by terrorists or storms or whatever, you aren't helpless and hopeless. I remember people asking for my advice prior to Y2K (I worked as a system administrator for first responders in a city of 1.5 million during Y2K and 9/11). I went to see and event in a small town, and they were asking about power for Y2K, and I asked what their current power situation was, and they said the *normal power* was occasionally intermittent because they were a small town at the end of the line. I said that generators were good, but with solar and wind you don't have to rely on getting gas. Local generation is good, but 1) it has to be available when you need it and 2) diversifying as much as possible is best (put your eggs in different baskets, Power lines, gas powered backup generators, wind with batteries or pump water to a large tank with a turbine for generating power on demand and also solar. Do all of them, and then it takes multiple acts of God (or man) to take you down. Anything else and you are still ok.
Its coming. The mother of all false flag operations is at the door. tHEY have been planning this for years now.
Design the grid in such a way that devices (solar generators, wind generators, storage like your hyped elecrical car) can plug on and off. Allow anyone to build his own grid. That way, you can easily detach your own local grid when the "Big Bad Grid" has been compromised. Off course, this means getting the control OUT of the hands of monopolistic companies and governments must somehow grow a facilitating mindset. Mind you, control is still necessary, but it does not need to come from technical dinosaurs.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Joe Biden is a square shooter. Joe Biden for 2016!
If our Power grid a necessity? Of course, unless you really want to go back to the 1800s. But if you asked most Americans to live in that era they would die. Can the control of the grid be protected? Yes, but any control platform that you are not in the same room with, is vulnerable to someone gaining access to the controls. Can we protect against EMP? Yes, if we know exactly WHEN to turn of all the power to all devices in the EMP footprint area. Can we shield everything against EMP impact? Yes, but you don't want to pay for that TV, Radio, refrigerator, or microwave once it has been EMP hardened. And you probably don't even want to have to pick any one of these items up, unless you lift weights for a living. Can we protect against physical attacks on the grid? No. Too much of the hardware is exposed and accessible by the really determined. "Close" works in horseshoes and hand-grenades, and transmission towers that are leaving a distribution station. You don't have to fight your way in to blow up the station. Just go away from the distribution station a few miles and take down the towers, that will do exactly the same thing other than destroying the machinery with in the station. And if you do enough of those attacks you will ultimately bring the entire grid down for an extended period of time. Millions upon millions will die of exposure, starvation, dehydration, etc. And Millions will be killed in the fighting over what little electric power generation is left.