Hackers Have Infiltrated the US Power Grid's Control Networks (lasvegassun.com)
davidwr writes: A security researcher and the Associated Press are reporting that hackers have infiltrated many of the United States' power grid networks. "About a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on, according to top experts who spoke only on condition of anonymity due to the sensitive nature of the subject matter." Exfiltrated data included engineering plans and other non-public information that could aid an attacker later, as well as account credentials. Multiple companies were affected, but one of the more notable ones was the energy provider Calpine. "Circumstantial evidence such as snippets of Persian comments in the code helped investigators conclude that Iran was the source of the attacks. Calpine didn't know its information had been compromised until it was informed by Cylance, Kerr said."
This isn't too difficult. A couple years ago you could go to Shodan, search for well-known industrial automation equipment providers like Phoenix Contact, and try to find their devices with embedded web servers that someone has connected to the internet. Start clicking on IP addresses. Make sure you don't mess with anything you find. One interesting find was some of the big windmill turbines with real-time monitoring and everything. People installing this stuff really don't understand what they're doing.
"I have never let my schooling interfere with my education." - Mark Twain
This aligns with the one system that I was involved in setting up. A former client of mine was running (and probably still runs as far as I know) a couple of power plants in Central California. The control systems were built by Honeywell. For a small, single turbine plant there were 5 servers. 2 masters, 2 slaves / reporting servers and 1 witness.
Both masters, 1 slave and the witness server were on a private network without internet access. 1 slave was in the DMZ with a uni-directional connection from the secondary master that wrote out reporting data. There was a VPN connection (over satellite because the plants were out in the middle of nowhere farm country) back to the company's main office. The VPN connected the company office to the DMZ and the reporting server so that people in the main office could see the output of the plant.
Nothing in the setup allowed settings to be changed over the internet. Everything within the plant was run on a dedicated IP network that was air-gapped from the internet. The only server that was connected to the firewall was the slave / reporting server. It had 2 NICs. So I suppose in fantasy crazy TV land, someone could have hacked the firewall, hopped into the DMZ, compromised the slave and jumped into the control server where they would have been able to... do nothing, because it was the redundant server that would only have been active if the primary failed.
Keep in mind I set that network up in 2005 for a small, single turbine power plant that generated power by burning green waste (yard trimmings, etc.). I think it is reasonable to assume that 'real' power plants that power thousands of homes and businesses are at least as secure. In my situation, Honeywell told me how to do it. I did not make it up. The vendor had the solution, I was just there to handle the network and VPN.
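The segmentation the comment above describes (private control network, one slave in the DMZ fed one way from the secondary master, VPN terminating in the DMZ), as an added reachability model that is not the commenter's setup or Honeywell's design; host names are constructed, and the "two-way feed" variant is an assumed misconfiguration used to show why the one-way link matters:

```python
from collections import deque

# Hosts named after the comment's description; names are constructed, the
# comment gives no addresses or real hostnames.
CONTROL_NET = {"master_primary", "master_secondary", "slave_internal", "witness"}

# Directed edges: (src, dst) means src may OPEN a connection to dst.
# A one-way reporting feed is a single edge; a firewall deny is a missing edge.
def plant_flows(reporting_feed_bidirectional=False):
    flows = {("internet", "firewall"),
             ("firewall", "dmz_reporting"),          # slave/reporting server, 2 NICs
             ("office_vpn", "dmz_reporting"),        # VPN reaches the DMZ only
             ("master_secondary", "dmz_reporting")}  # uni-directional data push
    # the plant's private network: every control host can talk to every other
    flows |= {(a, b) for a in CONTROL_NET for b in CONTROL_NET if a != b}
    if reporting_feed_bidirectional:
        # assumed weak variant: the feed was made two-way "for convenience"
        flows.add(("dmz_reporting", "master_secondary"))
    return flows

def reachable(start, flows):
    """Hosts that an attacker who fully controls `start` could open a session
    to, pivoting through each host reached (worst case: every host falls)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in flows:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def exposed_control_hosts(flows, entry="internet"):
    """Control-network hosts reachable from `entry`; empty means the
    control network is isolated even if the DMZ host is compromised."""
    return sorted(CONTROL_NET & reachable(entry, flows))

if __name__ == "__main__":
    print("as described:", exposed_control_hosts(plant_flows()))      # []
    print("two-way feed:", exposed_control_hosts(plant_flows(True)))  # all four
```

The model treats every reached host as compromisable, so it reports the worst case; it shows the DMZ reporting server is the only pivot point and that a single return edge on the feed exposes the whole control network.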