

Hackers Have Infiltrated the US Power Grid's Control Networks (lasvegassun.com)

davidwr writes: A security researcher and the Associated Press are reporting that hackers have infiltrated many of the United States' power grid networks. "About a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on, according to top experts who spoke only on condition of anonymity due to the sensitive nature of the subject matter." Exfiltrated data included engineering plans and other non-public information that could aid an attacker later, as well as account credentials. Multiple companies were affected, but one of the more notable ones was the energy provider Calpine. "Circumstantial evidence such as snippets of Persian comments in the code helped investigators conclude that Iran was the source of the attacks. Calpine didn't know its information had been compromised until it was informed by Cylance, Kerr said."

15 of 129 comments

  1. Re:Karma is a bitch by phishybongwaters · · Score: 4, Interesting

    The US? I think you mean Israel and the US. When we found Hebrew in the code it certainly didn't come from Jewish Israelis but when we find Persian in there it's definitely the Iranians.

  2. Not too difficult by RobinH · · Score: 5, Informative

    This isn't too difficult. A couple years ago you could go to Shodan, search for well-known industrial automation equipment providers like Phoenix Contact, and try to find their devices with embedded web servers that someone has connected to the internet. Start clicking on IP addresses. Make sure you don't mess with anything you find. One interesting find was some of the big windmill turbines with real-time monitoring and everything. People installing this stuff really don't understand what they're doing.

    --
"I have never let my schooling interfere with my education." - Mark Twain

    1. Re:Not too difficult by khasim · · Score: 4, Insightful

      That's one of the reasons why I'm having trouble believing TFA. There isn't much skill needed to crack most organizations I've seen.

      Anyway, from TFA:
      1. Guy working on thing for A notices that A has been cracked. ok
      2. Guy tracks crack back to open FTP servers. ok
      3. Guy finds lots of other stuff on open FTP servers. ok
      4. Guy does magic to find next time malware attacks someone. um, not ok

      Before Wallace could dive into the files, his first priority was to track where the hackers would strike next - and try to stop them.

      He started staying up nights, often jittery on Red Bull, to reverse-engineer malware. He waited to get pinged that the intruders were at it again.

      Months later, Wallace got the alert: From Internet Protocol addresses in Tehran, the hackers had deployed TinyZbot, a Trojan horse-style of software that the attackers used to gain backdoor access to their targets, log their keystrokes and take screen shots of their information. The hacking group, he would find, included members in the Netherlands, Canada, and the United Kingdom.

      So Iranian "hackers" in Canada deploy malware via Tehran servers?

      And unless he uploaded a hacked version of their malware to those cracked FTP servers ... how did he know?

      Maybe he moved one of his cracked machines to a "honey-net"?

      But then, why would any competent crackers deploy from servers in Iran? Particularly if they live in Canada and elsewhere?

      This reads more like fear-mongering. IRAN IS ATTACKING US! BE AFRAID! EVIL IRANIANS! (and some canadians).

    2. Re:Not too difficult by aaarrrgggh · · Score: 3, Insightful

      Really it is a lot more complicated than that. I was speaking to a vendor last week, and asked about how they do spanning tree within their system for redundant network links to their engine controllers. "Oh, we program a couple of little DIN rail switches ourselves and provide a single network handoff to the building." While I am sure they can figure out the basics, security is hard enough that without dedicated people and systems you aren't going to defeat a committed attacker.

      Solid security is very hard when dealing with any kind of interconnected system. It gets even harder when you need different systems to have their own IoT crap without RADIUS authentication or the like.

  3. Re:Karma is a bitch by fustakrakich · · Score: 2

    Well, speaking of Israelis, they have a much longer history of spying, etc. against the US than Iran. This story sounds more like regular wartime propaganda.

    --
    “He’s not deformed, he’s just drunk!”

  4. I call BS. by mea2214 · · Score: 2

    Anonymous so-called "experts" and all these examples that read like a plot from the TV show "24" lead me to a hypothesis that this story is complete and utter BS, or more likely propaganda to increase some governmental budget that benefits from cyberwar funding.

    1. Re:I call BS. by angel'o'sphere · · Score: 4, Informative

      You are wrong in all regards and have no clue what the 'internet' is.

      given the internet's propensity to not be operational when there are power issues
      As long as the power plants run, the IP networks connected to them run. Whether any of the rest of the internet is alive is irrelevant.

      Power companies may have exposed some of their automation equipment inadvertently, but in general they totally understand the risks here and are taking steps to be careful.
      Yes and no; in general the traffic is simply not routed into the public internet.

      but I'll be willing to bet this is behind reasonable levels of encryption and it doesn't really matter to the safe operation of the system, only the efficient operation of it.
      And you would lose that bet.

      The internet, at least locally, is not very reliable so the power distributors have their own networks and back channel routes they use to manage their distribution networks.
      No idea what you mean by reliable. Yes, they have their own communication lines. They power them themselves and have fallback power. They run them on IP, or TCP/IP, or on proprietary protocols. They are usually connected to the company's WAN, but usually not routed into the public internet.
      They are mostly not used to control, but to monitor. Power plants and the connections to transportation grids are run _manually_: like on a carrier where there is a captain, there is a dispatcher at a power plant. However, one dispatcher might control several plants, so he has those under remote control and is steering them with IP protocols.
      The machinery that connects a plant to a grid is controlled from the plant side, usually on a manual command given at that side. There is usually no way at all to disconnect a plant remotely from a grid, or to connect it to another one.
      The information that at a certain time the plant should change its output or its grid connection might be sent via internet technologies, but the execution is done manually, and trust me: the people doing that usually have enough clue to know if such an 'order' makes sense (or not).

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.

    2. Re:I call BS. by dave562 · · Score: 5, Interesting

      This aligns with the one system that I was involved in setting up. A former client of mine was running (and probably still runs as far as I know) a couple of power plants in Central California. The control systems were built by Honeywell. For a small, single turbine plant there were 5 servers. 2 masters, 2 slaves / reporting servers and 1 witness.

      Both masters, 1 slave and the witness server were on a private network without internet access. 1 slave was in the DMZ with a uni-directional connection from the secondary master that wrote out reporting data. There was a VPN connection (over satellite because the plants were out in the middle of nowhere farm country) back to the company's main office. The VPN connected the company office to the DMZ and the reporting server so that people in the main office could see the output of the plant.

      Nothing in the setup allowed settings to be changed over the internet. Everything within the plant was run on a dedicated IP network that was air-gapped from the internet. The only server that was connected to the firewall was the slave / reporting server. It had 2 NICs. So I suppose in fantasy crazy TV land, someone could have hacked the firewall, hopped into the DMZ, compromised the slave and jumped into the control server where they would have been able to... do nothing, because it was the redundant server that would only have been active if the primary failed.

      Keep in mind I set that network up in 2005 for a small, single turbine power plant that generated power by burning green waste (yard trimmings, etc.) I think it is reasonable to assume that 'real' power plants that power thousands of homes and businesses are at least as secure. In my situation, Honeywell told me how to do it. I did not make it up. The vendor had the solution, I was just there to handle the network and VPN.

    3. Re: I call BS. by bobbied · · Score: 3, Interesting

      Now that's an interesting test idea... Send out your own phishing E-mails and see who clicked on them..

      Personally, where I work, all external attachments are removed from any inbound emails and all attachments from inside are scanned before they are allowed to be sent. Also, all web browsing happens within an isolated virtual machine that is hard coded to only transit corporate's proxy/filters regardless of whether you are inside or outside the network. The way you transfer stuff is through an external file transfer server that requires that you login and encrypts the data in transit. It too is able to scan just about everything... Pain in the butt, but effective.

      I'm all for trusting folks to do the right thing and train them what that is, but I'm also for making sure they cannot do anything stupid if there is a reasonable way to prevent it.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

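The inbound-attachment stripping bobbied describes can be modelled with Python's standard email package. The following is an added example, not bobbied's or his employer's code: it assumes a placeholder corporate domain of example.com, uses constructed sample messages, and, for illustration only, classifies a message as external from its From: header (a real gateway would use the receiving MTA's knowledge of where the message entered, since From: is forgeable). Internal mail is passed through unchanged, since the comment describes it as scanned rather than stripped and scanning is outside this example.

```python
"""Strip top-level attachments from mail that arrived from outside the
company (added example; assumes placeholder domain example.com)."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # placeholder corporate domain (assumption)

# Constructed sample: external sender with a PDF attachment.
SAMPLE_EXTERNAL = """\
From: Invoice Desk <billing@vendor.test>
To: ops@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample: internal sender with a CSV attachment.
SAMPLE_INTERNAL = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Weekly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Report attached.
--b2
Content-Type: text/csv; name="report.csv"
Content-Disposition: attachment; filename="report.csv"

day,value
1,42
--b2--
"""


def is_external(msg: EmailMessage) -> bool:
    """True when the sender's domain is not the corporate domain.
    Illustrative only: From: is forgeable, so a real gateway should
    use the MTA's ingress information instead of this header."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() != INTERNAL_DOMAIN


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of the top-level attachments still present in a message."""
    return [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]


def strip_attachments(raw: str):
    """Parse a raw message and drop every top-level attachment part when
    the message is external. Returns (message, list_of_removed_names)."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    if not is_external(msg) or not msg.is_multipart():
        return msg, removed
    kept = []
    for part in msg.iter_parts():
        # Only immediate children are inspected; attachments nested inside
        # a multipart/alternative body would need a recursive walk.
        if part.get_content_disposition() == "attachment":
            removed.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)
    msg.set_payload(kept)  # replace the part list with the filtered one
    msg["X-Attachments-Stripped"] = ", ".join(removed) if removed else "none"
    return msg, removed


if __name__ == "__main__":
    for label, raw in (("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL)):
        cleaned, dropped = strip_attachments(raw)
        print(label, "removed:", dropped, "remaining:", attachment_names(cleaned))
```

The added X-Attachments-Stripped header gives the recipient (and the SOC) a record of what was removed, which matters when a user later asks why an expected file never arrived.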
  5. I wonder by sgrover · · Score: 3, Insightful

    Putting on my skeptical hat here to consider alternate views. One could easily wonder about the "anonymous" nature of this disclosure and how the message is about instilling fear. Who profits? It would be easy to conclude that this is a propaganda release with the aim of softening up the sheeple's perspective to allow for increased budget expenses, or even direct action at the supposed culprits. Blaming a nation-state on flimsy evidence such as what language was used suggests a preconception being reinforced by circumstantial tidbits. After all, there can't ever be anyone else in the world that speaks that language, perhaps even within one of the superpowers known to be fairly multicultural. Or those who hire foreign workers. Yep, a sceptic would be wary of reports like this - even if the infiltration is 100% true.

    1. Re:I wonder by swb · · Score: 4, Interesting

      One of my questions is, if it could be penetrated so deeply, why hasn't the grid been fucked over by someone by now?

      Is it that the "control networks" are less vulnerable than they're made out to be, and that as it turns out a telnet session from someplace isn't enough to actually do any serious sabotage?

      The "hackers" involved lack the know-how and expertise to do anything serious (maybe combined with it being hard to use these networks to do anything serious)?

      $evil_nations are putting this in their back pocket for some later date when they really need it, like when El Presidente Cruz decides to start carpet bombing Iran over nuclear agreement issues or something. This seems compelling, but then again, all security vulnerabilities seem to have something of a shelf-life -- old equipment eventually gets replaced, software ultimately gets updated, networks change, etc -- the hack you thought you had may not be there when you need it, so why wait to hit the button?

    2. Re:I wonder by Anonymous Coward · · Score: 2, Informative

      One of my questions is, if it could be penetrated so deeply, why hasn't the grid been fucked over by someone by now?

      Enron already did.

      Made billions for themselves.

  6. Who's most vulnerable to cyber-attack? by matbury · · Score: 3, Interesting

    The USA has its infrastructure, military, and so much of its business hooked up to and dependent on the internet, you'd think it'd be a priority to make it more secure and stable. Instead, the NSA are doing their best to undermine web security and leave the USA open to attack. What are top secret hacking tools and techniques that only govts. have today are available to corporations and criminal gangs the next and the public/hackers thereafter. We need a more secure, private internet. No backdoors, no unpatched zero-day exploits, no offensive tools to get into the wrong hands, and an end to the cyber-weapons arms race that the USA has started.

  7. Re:China has the right approach by Ravaldy · · Score: 2

    Because China is a moral compass for all of us to follow.

  8. Re:China has the right approach by Tablizer · · Score: 2

    Stop going after the company and go directly after the people that chose to cut corners

    Smart slimebags don't leave a trail. They may give a verbal order over the phone or in person, for example, so that there is no email or document trail.

    Or ignore warnings, and then later claim that they never saw it or didn't understand it when interrogated. They won't explicitly say "no". The worst you can get them on is incompetence or "light" negligence, which is usually not a criminal offense.