At How Much Risk Is the US's Critical Infrastructure? (csoonline.com)
itwbennett writes: There is growing evidence that intrusions into the power grid and other critical infrastructure by hostile foreign nation states are real and happening. But there's "much less agreement over how much of a threat hackers are," writes Taylor Armerding. "On one side are those – some of them top government officials – who have warned that a cyber attack on the nation's critical infrastructure could be catastrophic," writes Armerding. Others are crying FUD, including C. Thomas, a strategist at Tenable Network Security, who got some attention when he argued in an op-ed that the biggest threat to the U.S. power grid is not a skilled hacker, but squirrels. Who has it right? Agreement seems to coalesce around two points: 1) the cyber security of industrial control systems remains notoriously weak and 2) hostile hackers will improve their skills over time. So, while we haven't reached "catastrophe" yet, a properly motivated terrorist group could become a cyber threat.
If you don't vote for Trump. Trump builds roads and streets, and makes China pay for it.
Because the former is WAY greater a threat than the latter.
SJW's don't eliminate discrimination. They just expropriate it for themselves.
Once again, much ado about nothing. You still cannot take down a power grid with a penetrated monitoring network. Every one of these automated systems has a human being staring at an analog gauge to back it up.
But they aren't very organized. Once they set up a twitter feed, or at least unionize, I'll start being concerned.
Is a lack of funding after 30 years of minimal tax cuts for workers and massive tax cuts for the folks at the top. Look at Flint, Michigan.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I live in Washington DC. The power goes out regularly because the power lines are overhead and not buried. Arguably DC is a "critical" city in the US. Yet we all survive. The country probably does better when DC is out of commission, like it will be next week with the big snow storm coming. You still need to pay your tribute on time, I mean taxes.
Before all the puerile ignorant juveniles arrive with their "OMG Critical infrastructure should never be connected to the intertubes!!!!!" bullshit, I'd just like to say that there are MANY reasons why critical infrastructure needs to be connected to other critical infrastructure. Generation needs to talk to Distribution. Distribution needs to talk to Billing. Billing needs to talk to Finance. If you think that the grid could be run as a million disparate disconnected pieces of infrastructure then I've got news for you. It could not. The power surge resulting from everyone turning off their TVs at the end of the Superbowl would take half the substations out, and it would take weeks to recover. This of course won't affect Patriots fans as much until after the presentation. :)
It's not about giving up freedoms; it's about power companies being lazy and not password-protecting their equipment.
No matter how good it is, it is human nature to always want to make things better.
OMG Critical infrastructure should never be connected to the intertubes!!!!!
Squirrels don't work in groups. A single squirrel will not take down an entire power station. Been there, seen that. They can't even take down a single local transformer completely. Had one get killed behind my house. No problem... until it rained and the corpse got wet again; then the power would fluctuate until the water vaporised. The power company wouldn't come during storms for obvious reasons, and during the other times it passed all the tests. It took several neighbors talking to the service men to go up the ladder and examine the transformer from above to see the squirrel.
So now we know how poorly the information is being presented.
Stop making critical systems available online.
I work in the industrial control world, some anecdotal things to share...
I've seen access to PLCs running critical water infrastructure completely available via a web browser from anywhere in the world... since fixed. There is movement to close all these holes, but the industrial control world moves very slowly. It's very conservative, thinking "if it ain't broke, don't fix it", with the definition of broke being physically destroyed. It's easy to be critical of them for this, but industrial controls are typically running infrastructure or manufacturing equipment, and shutting down either of these for upgrades is very costly.
It also doesn't help that many people doing controls are electrical engineers or technicians who don't understand network technology well and don't communicate with the IT department.
Many companies understand that they don't understand and just refuse to put their machines on a network; unfortunately they are missing out on the benefits of capturing data about their process, remotely viewing and troubleshooting faults, etc.
This is the real danger.
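What "available via a web browser from anywhere in the world" means at the protocol level is worth seeing concretely. The block below is an added example, not code from this thread or from any vendor: it builds and parses Modbus/TCP frames (one of the serial-era PLC protocols that ended up on Ethernet), runs them against a toy in-memory outstation that, like a real PLC, executes any well-formed request regardless of who sent it, and then puts a protocol-aware allowlist in front of it so that only an engineering station may use state-changing function codes and only known hosts may poll. The outstation, the IP addresses, and the reader/writer roles are constructed for the demo; the filter trusts source addresses only as far as the surrounding network (VLAN, firewall, VPN) makes them trustworthy.

```python
import struct

# MBAP header: transaction id, protocol id (0 = Modbus), byte count of what follows, unit id
MBAP = struct.Struct(">HHHB")
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
ILLEGAL_FUNCTION = 0x01
# Standard function codes that change outstation state; the filter below treats
# everything else as read-only polling (an assumption of this example).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


def build_frame(tid, unit, fc, payload=b""):
    """Assemble one Modbus/TCP frame. Note what is absent: no credential, no MAC."""
    pdu = bytes([fc]) + payload
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame):
    """Return (transaction id, unit id, function code, data) or raise on a bad frame."""
    tid, proto, length, unit = MBAP.unpack_from(frame)
    pdu = frame[MBAP.size:]
    if proto != 0 or len(pdu) != length - 1 or not pdu:
        raise ValueError("malformed Modbus/TCP frame")
    return tid, unit, pdu[0], pdu[1:]


class ToyOutstation:
    """In-memory stand-in for a PLC (constructed for this example): executes any well-formed request."""

    def __init__(self, registers=16):
        self.holding = [0] * registers

    def handle(self, frame, src_ip=None):   # src_ip is ignored: the protocol has no notion of it
        tid, unit, fc, data = parse_frame(frame)
        if fc == READ_HOLDING_REGISTERS:
            addr, qty = struct.unpack(">HH", data)
            regs = self.holding[addr:addr + qty]
            body = bytes([2 * len(regs)]) + b"".join(struct.pack(">H", r) for r in regs)
            return build_frame(tid, unit, fc, body)
        if fc == WRITE_SINGLE_REGISTER:
            addr, value = struct.unpack(">HH", data)
            self.holding[addr] = value
            return build_frame(tid, unit, fc, data)   # echo of the request = success
        return build_frame(tid, unit, fc | 0x80, bytes([ILLEGAL_FUNCTION]))


class ModbusFilter:
    """Compensating control in front of the outstation: a protocol-aware allowlist.
    Readers may poll, only writers may use state-changing function codes, anyone else is dropped."""

    def __init__(self, outstation, writers, readers):
        self.outstation = outstation
        self.writers = set(writers)
        self.readers = set(readers)

    def handle(self, frame, src_ip):
        tid, unit, fc, _ = parse_frame(frame)
        if src_ip not in self.writers and src_ip not in self.readers:
            return None                               # unknown host: drop (and log it elsewhere)
        if fc in WRITE_FUNCTIONS and src_ip not in self.writers:
            return build_frame(tid, unit, fc | 0x80, bytes([ILLEGAL_FUNCTION]))
        return self.outstation.handle(frame, src_ip)


def write_register(target, src_ip, addr, value, tid=1, unit=1):
    """Send FC 06 from src_ip; True if the target echoed success."""
    frame = build_frame(tid, unit, WRITE_SINGLE_REGISTER, struct.pack(">HH", addr, value))
    reply = target.handle(frame, src_ip)
    return reply is not None and parse_frame(reply)[2] == WRITE_SINGLE_REGISTER


def read_register(target, src_ip, addr, tid=2, unit=1):
    """Send FC 03 for one register; its value, or None if refused or dropped."""
    frame = build_frame(tid, unit, READ_HOLDING_REGISTERS, struct.pack(">HH", addr, 1))
    reply = target.handle(frame, src_ip)
    if reply is None:
        return None
    _, _, fc, data = parse_frame(reply)
    return struct.unpack(">H", data[1:3])[0] if fc == READ_HOLDING_REGISTERS else None


if __name__ == "__main__":
    exposed = ToyOutstation()                     # the "reachable from anywhere" case
    print("Internet host writes setpoint:", write_register(exposed, "203.0.113.9", 4, 0xBEEF))
    guarded = ModbusFilter(ToyOutstation(), writers={"10.0.0.5"}, readers={"10.0.0.20"})
    print("HMI (reader) write:", write_register(guarded, "10.0.0.20", 4, 1))        # refused
    print("engineering station write:", write_register(guarded, "10.0.0.5", 4, 1))  # accepted
    print("HMI read-back:", read_register(guarded, "10.0.0.20", 4))
    print("Internet host:", write_register(guarded, "203.0.113.9", 4, 7))           # dropped
```

The filter does not make Modbus secure; it makes the blast radius of a reachable PLC match the job of each host that talks to it, which is the least-privilege step a site can take without waiting for the vendor to ship an authenticated protocol.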
My networks and hosts are constantly being probed and scanned by Chinese and other sources. It's a real risk. But the grid should be disconnected from the internet. If it is, and usually that is the case, then physical risks are the only real risks. Furthermore, physical attacks will have limited geographic scope, so meh.
Neither hackers nor squirrels. Physical attacks have already happened in California. A relative few attacks coordinated to occur simultaneously on multiple power stations would do the trick.
I can't remember where I saw it, but in a story about EMPs the author noted that the components that are used to build the transmission stations are only manufactured by one or two companies overseas. The build time on these components is 3-5 years. They don't have spares sitting around.
And that they use the same password on all devices if they do use a password.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
What's this "US Infrastructure" thing you keep talking about? :-)
SCNR
We suffer more in our imagination than in reality. - Seneca
Wait until we get squirrel hackers. Then we're in trouble.
When the man who most stands to profit from the paranoia and FUD publicly states that it's all an overblown load of shit, then I fucking guarantee you that it is an overblown load of fucking shit!
I suspect Tenable was very unhappy with him for that article. It flies in the face of their marketing strategy.
P.S. For those that don't know, Tenable is the company that developed from the venerable assessment and security testing software Nessus. C. Thomas knows what's what.
They handled this sort of surge issue before the internet; it only makes things easier/more efficient.
Just because it is cheaper does not mean you should do it, and if it is not worth building a low-bandwidth network to do it over then it is not worth it. Every networked point is a weakness; putting them live on the internet exposes that weakness, and if your endpoints are reprogrammable that is a far more serious weakness. A single event could wipe years off the "savings" you make by doing this, even without accounting for the number of ways that people will suffer that have nothing to do with the power companies' profits. Worse, even if viruses and deliberate state actors are left aside, if your grid depends on the internet to work then you have a circular dependency.
"There is growing evidence that intrusions into the power grid and other critical infrastructure by hostile foreign nation states are real and happening."
Just who in their tapdancing-jesus-christ mode connects their critical infrastructure directly to the Internet?
Time to disconnect it in case it gets hacked...
Surely any tech could turn up a router interface; then someone could dial in, perform whatever, and when finished call back to turn the port off.
Now to connect you need to know the support phone, the router and port, and the dial-up number.
If it is that important.
"The biggest risk is squirrels."
Do these people not understand that these two statements are not contradictory? Does anyone here understand that? The question "who is right" is trivial to answer. Both are.
A cyber attack could be catastrophic, albeit rare. And squirrel outages, due to the comparatively high rate of occurrence combined with the level of damage, are a bigger risk.
New law: critical infrastructure parts must be made in the USA / other non-China places / or at the very least have no overseas coders in the mix / full code review with the US government.
Better to do it now than later by force of martial law.
As someone who's worked in industrial automation (PLCs and their ancillary products), the infrastructure is most definitely at risk. The only thing keeping terrorism at bay is the technical knowledge necessary to mess with it. Engineers at power stations are old farts, and they like things a certain way, the old way. PLCs communicate to other machines in the field using ancient serial protocols, proprietary backplanes, and discrete data points. As Rockwell and Siemens etc. decide they need to wake up to the real world, however, they are putting more of their data over Ethernet, but security is an afterthought, and there's your problem. They are designing security into newer protocols; I actually worked on something called DNP-3, and that specification does have an encryption layer in it. I came on to add AES-256 to an existing implementation. Again, afterthought. The effect out in the field of course is that the new impl. will cause disruption, consuming devices will need to be upgraded, etc. That costs money. And so on. It's rarely the case that one simply needs to add a password to an existing infrastructure. Even if that is all that's needed, it usually will still have a cascading effect.
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
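The "cascading effect" of retrofitting authentication onto a fielded poll/response protocol is easy to see in code. The block below is an added example for this thread, not the DNP3 Secure Authentication specification and not the commenter's implementation: it sketches the generic challenge-response pattern used to bolt authentication onto a plaintext control protocol, with a shared HMAC key standing in for the real key material. A legacy outstation executes any WRITE; the upgraded outstation answers a WRITE with a one-time challenge and only executes once the master returns a correct HMAC over the challenge and the request. The message formats, the toy WRITE/READ operations, and the pre-shared 32-byte key are constructed for the demo. It shows three things the comment describes: a master that predates the retrofit cannot talk to an upgraded outstation, a wrong key is rejected, and a recorded AUTH message cannot be replayed. It does not encrypt anything and has no key management, which is the part a real design spends most of its pages on.

```python
import hashlib
import hmac
import os


def tag(key, nonce, request):
    """HMAC-SHA256 over the challenge and the request it protects (assumed shared key)."""
    return hmac.new(key, nonce + request, hashlib.sha256).digest()


class LegacyOutstation:
    """Plaintext poll/response device (constructed): does whatever it is told."""

    def __init__(self):
        self.setpoint = 0

    def handle(self, msg):
        if msg.startswith(b"WRITE:"):
            self.setpoint = int(msg[6:])
            return b"OK"
        if msg == b"READ":
            return b"VALUE:%d" % self.setpoint
        return b"ERR:UNKNOWN"


class AuthOutstation(LegacyOutstation):
    """Same device with authentication bolted on: every WRITE gets a one-time challenge
    and runs only after the master proves possession of the shared key."""

    def __init__(self, key):
        super().__init__()
        self.key = key
        self.pending = {}            # nonce -> the request it protects; popped on first use

    def handle(self, msg):
        if msg.startswith(b"WRITE:"):
            nonce = os.urandom(16)
            self.pending[nonce] = msg
            return b"CHALLENGE:" + nonce
        if msg.startswith(b"AUTH:"):
            nonce, received = msg[5:21], msg[21:]
            request = self.pending.pop(nonce, None)          # a replayed nonce finds nothing
            if request is None or not hmac.compare_digest(received, tag(self.key, nonce, request)):
                return b"ERR:AUTH"
            return super().handle(request)
        return super().handle(msg)                           # reads stay unauthenticated


class LegacyMaster:
    """Fielded master that predates the retrofit: it has no idea what a challenge is."""

    def write(self, outstation, value):
        return outstation.handle(b"WRITE:%d" % value) == b"OK"


class AuthMaster:
    def __init__(self, key):
        self.key = key

    def write(self, outstation, value):
        request = b"WRITE:%d" % value
        reply = outstation.handle(request)
        if reply.startswith(b"CHALLENGE:"):
            nonce = reply[10:]
            reply = outstation.handle(b"AUTH:" + nonce + tag(self.key, nonce, request))
        return reply == b"OK"


def replay_attack(key):
    """An attacker who recorded a valid AUTH message sends it again verbatim."""
    outstation = AuthOutstation(key)
    request = b"WRITE:42"
    nonce = outstation.handle(request)[10:]
    auth_msg = b"AUTH:" + nonce + tag(key, nonce, request)
    first = outstation.handle(auth_msg)       # genuine exchange
    outstation.setpoint = 0                   # operator later restores the setpoint
    second = outstation.handle(auth_msg)      # replay: nonce already consumed
    return first, second, outstation.setpoint


if __name__ == "__main__":
    key = os.urandom(32)
    print("legacy master -> legacy outstation:", LegacyMaster().write(LegacyOutstation(), 7))
    print("legacy master -> upgraded outstation:", LegacyMaster().write(AuthOutstation(key), 7))
    print("upgraded master -> upgraded outstation:", AuthMaster(key).write(AuthOutstation(key), 7))
    print("wrong key:", AuthMaster(os.urandom(32)).write(AuthOutstation(key), 7))
    print("replay (first, second, setpoint):", replay_attack(key))
```

The second line of output is the disruption the comment is talking about: the moment an outstation starts challenging, every master that polls it must be upgraded and keyed too, which is why "just add a password" is never just that.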
I work with lots of serial-to-Ethernet stuff, various gateways, etc. in an industry with a lot of old technology. The truth is that the vendors of this stuff make it easy to set up, open access by default, and almost never update it. Patches for known things like ssh vulnerabilities or kernel bugs take months. What often happens is some lowest-bid contractor is hired by the utility company to implement control systems, leaves them wide open, and the company has no idea how to secure them.
Remember Windows XP SP2? This was the first client OS update after Microsoft started acknowledging security issues. Before that, the firewall was off and everything was on by default, including remote access to system files and services. That was a pretty big shift - before this, very little in the way of security hardening was done because the goal was to make it as easy as possible to use the system. The same thing probably has to happen for these SCADA vendors and other "magic Ethernet converter" device manufacturers to make it difficult to access things remotely by default.
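An added example of what "open access by default" looks like on such a gateway, and of what closing it does and does not fix. This is not code from the thread or from any gateway vendor: the factory configuration is a constructed key=value sample with assumed key names, the list of default passwords is likewise constructed, and the reference date is fixed so the result is reproducible. The audit flags the as-shipped settings; `harden` produces the corrected configuration beside it; the one finding that survives hardening is the firmware age, because no amount of configuration substitutes for the vendor patch the comment says takes months.

```python
from datetime import date

# Constructed sample of a serial-to-Ethernet gateway's factory configuration.
# Key names are assumptions for this example; real devices use their own formats.
FACTORY_CONFIG = """\
hostname=gw-plc-07
admin_user=admin
admin_password=admin
telnet=enabled
web_admin_bind=0.0.0.0
serial1_mode=tcp_server
serial1_port=4001
serial1_allowed_hosts=
snmp_community=public
firmware_build=2013-04-02
"""

# Constructed list of factory credentials the audit refuses to accept.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}


def parse_config(text):
    """key=value lines; blank lines and # comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg, today_iso, max_firmware_age_days=365):
    """Findings for the settings that should never be left as shipped. today_iso: 'YYYY-MM-DD'."""
    findings = []
    if cfg.get("telnet") == "enabled":
        findings.append("telnet enabled: admin sessions cross the network in cleartext")
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append("admin password is a factory default")
    if cfg.get("web_admin_bind") == "0.0.0.0":
        findings.append("web admin bound to all interfaces instead of the management network")
    if cfg.get("serial1_mode") == "tcp_server" and not cfg.get("serial1_allowed_hosts"):
        findings.append("serial1 TCP server accepts any client: the raw PLC serial link is reachable by anyone who can route to it")
    if cfg.get("snmp_community") in {"public", "private"}:
        findings.append("SNMP community string is a well-known default")
    build = date.fromisoformat(cfg["firmware_build"])
    if (date.fromisoformat(today_iso) - build).days > max_firmware_age_days:
        findings.append("firmware build %s is older than %d days" % (build, max_firmware_age_days))
    return findings


def harden(cfg, mgmt_ip, allowed_hosts, admin_password, snmp_community):
    """The corrected configuration: same device, access closed by default."""
    fixed = dict(cfg)
    fixed.update({
        "telnet": "disabled",
        "admin_password": admin_password,
        "web_admin_bind": mgmt_ip,                       # management VLAN address only
        "serial1_allowed_hosts": ",".join(allowed_hosts),
        "snmp_community": snmp_community,
    })
    return fixed


if __name__ == "__main__":
    today = "2016-01-20"                                 # fixed reference date for the demo
    shipped = parse_config(FACTORY_CONFIG)
    for f in audit(shipped, today):
        print("FACTORY :", f)
    fixed = harden(shipped, "10.10.1.7", ["10.10.1.5"], "correct-horse-battery-staple", "n0t-publ1c")
    for f in audit(fixed, today):
        print("HARDENED:", f)        # only the firmware finding remains
```

Running the audit against every gateway config pulled from the field is the cheap way to find the contractor-installed units the comment describes; the firmware line is the one that has to go back to the vendor.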
Just consider the effect of combining ubiquitous radio devices with poor security (e.g. routers) with software-defined radios... remote Denial of Service at least.
answer is:
VERY at risk.
Like all infrastructure, management and budgeting is done on a crisis-by-crisis basis.
The rest of the time it is ignored to make the numbers look good and keep the bonuses flowing.
As shown a few years ago, a simple software bug in an operator room led to a breakup, which led to a cascade failure: https://en.wikipedia.org/wiki/... (read the sequence of events). You may not even need a big EMP; a few well-placed C4 charges on important transformers and equipment in the power network may be enough, as the above demonstrates.
C. Sagan: The Demon-Haunted World:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
"a properly motivated terrorist group"
As opposed to what, a lazy one? Do they have motivational away days for the team to get them all fired up?
I want a list of atrocities done in your name - Recoil
There are a good number of countries that wish the US ill will. Few of them have the means for direct military conflict and all are an ocean away. They have very few ways they can directly attack the US, short of a 9/11-style incident. We are also in economic competition with our "friends". Malicious hacking is one of the few available avenues, with a relatively low barrier to entry. It's also more difficult to prove who launched the attack or even to prove that it wasn't a "rogue individual" versus a government-sanctioned attack. Cyber attacks are not a question of "if", but a question of "when" and "how bad".
Competition Good, Monopoly Bad.
Others are crying FUD [...] are crying FUD.
Slashdot, never change.
With federal grants. Nowadays we just sorta abandon folks to their fate...
It's not like the US hasn't had a shitload of enemies for a long time who would have loved to have turned off the lights. They were willing to fly fucking planes into buildings.
Even your basic basement hacker might have an interest in this, if only for the thrill of knowing you were responsible for a blackout.
Even if you argue that major state actors wouldn't do this until they "needed" it at some crisis moment, that doesn't exclude more generic non-state actors interested in more immediate results.
So why hasn't it happened yet?
The only thing keeping terrorism at bay is the technical knowledge necessary to mess with it.
Doesn't take much technical knowledge to cut cables in an underground vault and shoot transformers with a sniper rifle.
http://www.npr.org/sections/thetwo-way/2014/02/05/272015606/sniper-attack-on-calif-power-station-raises-terrorism-fears
If you're stupid enough to tie your nation's (or even commercial/personal) utilities to the internet you deserve a catastrophe. While I can definitely see the advantages to allowing MONITORING over an internet connection, those monitoring systems should be physically separated from the control systems through one-way data connections. Any equipment changes should be made at the facility in question (preferably) or, where absolutely necessary, through a dedicated & secured network.
the combined threat from hacking squirrels?
persistent threat with a demonstrated capability to cause blackouts, and there are a LOT of them.
(Just try to keep them out of your bird feeder.)
Even though these little buggers are amazing, I don't see any scenario where they make an organized, system wide attack which takes out a major part of the grid at one time. (Unless the grid has a design flaw where a cascade can still cause the whole thing to go down?) A cyber attack doing this is hopefully lower risk, but seems possible.
Using squirrelly statistics to obfuscate this scenario seems counterproductive.
As someone who has the daily job of making the case for security for my company, I can tell you that it's not really laziness. It's an inability to understand and properly assign risk.
Businesses who don't understand risks make poor prioritization decisions.
Most places I have worked at do not complain about security; they just believe they have higher priorities for the time of the various staff and resources we have and don't assign the resources for all of the projects needed. And even I have to admit, it's not very useful to have excellent security for a product that no one is using because it lacks features or capacity. Having said that, it is still something you have to at least plan for and build in from the very beginning, even if you don't spend all your time or money on it. Otherwise, you will be playing an even more expensive game of catch-up, which even fewer companies want to do.
Yes, although I would argue that a good number of these things should be designed free of re-programmability and with otherwise limited features, making those IT-derived behaviours less necessary. With network-delivered firmware updates being a source of risk, by converting a transient intrusion in a single location into a dispersed long-term threat, you probably should need to send an engineer with a USB stick at least when updating, so why not send them with a ROM (or other part for a fixed system)? Most of the costs are the staff time anyway.
Perhaps more critically, many people are not responsible, especially when the costs will be mostly borne by them and the benefits by others. As an example, politically motivated "smart grid" and "smart city" projects turn up in the news regularly, if not often, and the designs pretty much assume total internet connectivity. Even if you only do that with the sensor systems, when your city relies on the sensors working to be able to function then internet-delivered interference can shut it down, and if you use standardised parts it may not even happen as a result of deliberate action. To be clear though, although government/terrorist attacks through such (unnecessary) structures represent an entirely new class of disaster threat, petty vandalism or ransomware is probably going to impose more of a cost through these systems, in the short term at least.
Why is it a matter of assigning risk? Why isn't it just part of "Best Practices"?
We demand no less from our financial institutions (not that they always follow through).
Mostly because it requires coordination and some special skills. The 9/11 terrorists needed to learn how to fly just enough to hit buildings and that required a number of attackers, good organization, and backing. That doesn't mean that the capability didn't exist for planes to fly into buildings for decades, it just wasn't used.
You will also note that hijackings are not a "thing" like they were in the 70s and 80s. 9/11 was both the worst case scenario, and immediately made hijacking much, much harder afterward because hijacking depends on the passengers thinking they have a chance to live if they don't all rush you and take you down. Without that hope of survival, the passengers' fear now becomes what will happen if they *don't* attack the hijackers.
If someone wanted to hit the US power grid and has that capability, they're not going to do it until they can get maximum effect from it, because as soon as it becomes realized as a threat, the grid will not be as simple a target anymore. It will get a lot more secure very quickly. They will get one shot at it.
So to answer your question, lone hackers *can't* make a grid failure happen with their limited capabilities, and state actors will want to keep their target unaware of the actual threat until it is needed, lest the killing stroke be blunted.
Engineers at power stations are old farts, and they like things a certain way, the old way. PLCs communicate to other machines in the field using ancient serial protocols, proprietary backplanes, and discrete data points. As Rockwell and Siemens etc. decide they need to wake up to the real world, however, they are putting more of their data over Ethernet, but security is an afterthought, and there's your problem.
Security is absolutely NOT an afterthought at power stations. At least not in the US. That's simply flat out wrong. And those old fart engineers know what keeps a plant running reliably, they have very good reasons and experience to have things a certain way. A smart noob would do well to ask the old engineer exactly why they like things a certain way. Now, there are always going to be better ways that come along, but they won't come through ignorance of what has been working well for quite some time.
I would think that the ability to knock out the grid, or parts of it, would be something that wouldn't have a long shelf life.
Components get replaced, security systems change, the people managing it do stuff differently, accounts get removed/added/changed, patches get installed, operating systems change, etc.
Some remote exploits may allow more durable penetration, but I would bet a fair amount just might expire, making maintaining the capability a long-term prospect involving greater exposure and more risk.
[ Vendors ] are designing security into newer protocols...
That's nice... *today*. Well, assuming every protocol someone designs and that someone implements will be free of security flaws... But, "nice today" is not very useful long term.
Imagine, for example, that something is running using Windows XP or a decades old Linux distro. They could have had the best available security when they were built, but they would suck now. A decades old SSH would now be vulnerable.
It seems that historically, sites always end up with some sort of old cruft in existence. As long as you have to account for equipment not being patched or upgraded, the quality of that equipment's security is insufficient. You need layers. Sane physical controls. An architecture of least privilege. You probably want some sort of VPN that has a guarantee of ongoing security maintenance even when everything else doesn't. Even then, the network access should have some of the attributes you'd use in physical controls - you don't let Joe Whoever into just any control room, so *try* to not allow network connection from just anywhere.
Of the above layers, the architecture may be the most important. For example, if it's OK to be air-gapped, that takes a lot of attack vectors off the table.
I'll trust what you have to say after you tell me how many Rockwell Turbo encabulators you have worked on.
https://www.youtube.com/watch?...
Seriously, the West should be going back to having decent security. That means not just governments, but businesses, esp. when they are critical. 20 years ago we were decent on that. Not anymore. Yet Russia, China, North Korea, etc. are hard core on their security because they are still in a cold war mentality.
I prefer the "u" in honour as it seems to be missing these days.
Yes. There are security concerns, and there are risks. However, Critical Infrastructure Protection instituted by NERC, and enforced by FERC isn't really doing much to solve the problems. They create policies that sound good on paper, however are difficult to put into practice, and difficult to prove compliance with. It seems like they're mostly concerned with making money rather than making the critical infrastructure more secure. If the time in man hours that was spent to show compliance was instead spent on actually making our systems more secure we'd be far better off. Additionally, because the economy (particularly the energy sector) is struggling there is hesitance to hire the people necessary to do anything well.
Why is it a matter of assigning risk? Why isn't it just part of "Best Practices"?
Because if it's a low risk low impact item then spending money on it is poor prioritization. There are always more needs for resources than there are resources available.
"From neglect or from hackers?"
The former also makes the latter more likely.
I'd go into more detail, but that would be unwise.
Hackers can only attack things which morons put online.
Or those things which were made accessible or are supplied by an online component.
The real risk is the physical method. If you don't understand that ... good.
-- Tigger warning: This post may contain tiggers! --
> serial-to-Ethernet stuff
Haha, I worked at a company whose bread and butter were devices like that... then they got into payment processing as well.
Products were barely cobbled together by people with not enough time or understanding to make a secure system. I left, and they tried to get me back to do some consulting.. I asked 'em about what kinds of security testing they do... 'well we use openssl'... hahaha ok... sure.. jesus.
http://www.masturbateforpeace.com/
Israel
Imagine that. :O
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
They are designing security into newer protocols, I actually worked on something called DNP-3
I'm actually highly sceptical of this approach. I grilled one of Schneider's techs who worked on DNP-3 implementation about their long list of security advisories they published over the past few years. I flat out think that people who don't understand security shouldn't be in the business of designing security.
Give me a control system run over a VPN from a dedicated network / security vendor without any further encryption any day. A direct to internet connected device which is difficult to upgrade firmware on and highly dependent on the security skills of a vendor who's never done security is asking for trouble.
This conversation started when we were talking network infrastructure, I mentioned that we put all products behind hardware VPN boxes, and he proudly proclaimed with their DNP-3 protocol we don't need to! I just shook my head.
No, not the country, the film.
There are "terrorist attacks" all the way through the film which are actually decrepit infrastructure breaking down (and are then used as justification for draconian law changes)
It seemed improbable at the time, but it seems we're being primed along that direction.
Perhaps more people should watch it.