At How Much Risk Is the US's Critical Infrastructure? (csoonline.com)
itwbennett writes: There is growing evidence that intrusions into the power grid and other critical infrastructure by hostile foreign nation states are real and happening. But there's "much less agreement over how much of a threat hackers are," writes Taylor Armerding. "On one side are those – some of them top government officials – who have warned that a cyber attack on the nation's critical infrastructure could be catastrophic," writes Armerding. Others are crying FUD, including C. Thomas, a strategist at Tenable Network Security, who got some attention when he argued in an op-ed that the biggest threat to the U.S. power grid is not a skilled hacker, but squirrels, are crying FUD. Who has it right? Agreement seems to coalesce around two points: 1) the cyber security of industrial control systems remains notoriously weak and 2) hostile hackers will improve their skills over time. So, while we haven't reached "catastrophe" yet, a properly motivated terrorist group could become a cyber threat.
If you don't vote for Trump. Trump builds roads and streets, and makes China pay for it.
Because the former is WAY greater a threat than the latter.
SJW's don't eliminate discrimination. They just expropriate it for themselves.
But they aren't very organized. Once they set up a twitter feed, or at least unionize, I'll start being concerned.
Is a lack of funding after 30 years of minimal tax cuts for workers and massive tax cuts for the folks at the top. Look at Flint, Michigan.
I live in Washington DC. The power goes out regularly because the power lines are overhead and not buried. Arguably DC is a "critical" city in the US. Yet we all survive. The country probably does better when DC is out of commission, like it will be next week with the big snow storm coming. You still need to pay your tribute on time, I mean taxes.
It's not about giving up freedoms - it's about power companies being lazy and not password-protecting their equipment.
no matter how good it is, it is human nature always wants to make things better
OMG Critical infrastructure should never be connected to the intertubes!!!!!
Squirrels don't work in groups. A single squirrel will not take down an entire power station. Been there, seen that. They can't even take down a single local transformer completely. Had one get killed behind my house. No problem... until it rained and the corpse got wet again - then the power would fluctuate until the water vaporised. The power company wouldn't come during storms for obvious reasons, and during the other times it passed all the tests. It took several neighbors talking to the service men to go up the ladder and examine the transformer from above to see the squirrel.
So now we know how poor the information is being presented.
I work in the industrial control world, some anecdotal things to share...
I've seen access to PLCs running critical water structure completely available via a web browser from anywhere in the world... since fixed. There is movement to close all these holes, but the industrial control world moves very slowly. It's very conservative, thinking "if it ain't broke, don't fix it," with the definition of broke being physically destroyed. It's easy to be critical of them for this, but industrial controls are typically running infrastructure or manufacturing equipment; shutting down either of these for upgrades is very costly.
It also doesn't help that many people doing controls are electrical engineers or technicians who don't understand network technology well and don't communicate with the IT department.
Many companies understand that they don't understand and just refuse to put their machines on a network; unfortunately they are missing out on the benefits of capturing data about their process, remotely viewing and troubleshooting faults, etc.
Neither hackers nor squirrels. Physical attacks have already happened in California. A relative few attacks coordinated to occur simultaneously on multiple power stations would do the trick.
I can't remember where I saw it, but in a story about EMPs the author noted that the components that are used to build the transmission stations are only manufactured by one or two companies overseas. The build time on these components is 3-5 years. They don't have spares sitting around.
And that they use the same password on all devices if they do use a password.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
What's this "US Infrastructure" thing you keep talking about? :-)
SCNR
You can take down a power grid with an EMP bomb. Military installations are already hardened against EMP bombs. Civilian installations are not hardened because the government and the utilities are not willing to foot the bill for upgrading equipment.
Wait until we get squirrel hackers. Then we're in trouble.
But there's the rub: in an effort to do things cheaper they are trying to do things like replace dedicated fiber with DSL and VPNs.
No sir, I don't like it.
"There is growing evidence that intrusions into the power grid and other critical infrastructure by hostile foreign nation states are real and happening."
Just who in their tapdancing-jesus-christ mode connects their critical infrastructure directly to the Internet?
You may be able to take down a portion of the grid with a very very big EMP.
"The biggest risk is squirrels."
Do these people not understand that these two statements are not contradictory? Does anyone here understand that? The question "who is right" is trivial to answer. Both are.
A cyber attack could be catastrophic, albeit rare. And squirrel outages, due to the comparatively high rate of occurrence combined with the level of damage, are a bigger risk.
New law: Critical Infrastructure parts must be made in the USA / other non-China places / or at the very least have no overseas coders in the mix / full code review with the US GOV.
Better to do it now than later by force of martial law.
As someone who's worked in industrial automation (PLCs and their ancillary products), the infrastructure is most definitely at risk. The only thing keeping terrorism at bay is the technical knowledge necessary to mess with it. Engineers at power stations are old farts, and they like things a certain way, the old way. PLCs communicate to other machines in the field using ancient serial protocols, proprietary back planes, and discrete data points. As Rockwell, Siemens, etc. decide they need to wake up to the real world, however, they are putting more of their data over Ethernet, but security is an afterthought, and there's your problem. They are designing security into newer protocols; I actually worked on something called DNP-3, and that specification does have an encryption layer in it. I came on to add AES-256 to an existing implementation. Again, afterthought. The effect out in the field, of course, is that the new implementation will cause disruption, consuming devices will need to be upgraded, etc. That costs money. And so on. It's rarely the case that one simply needs to add a password to an existing infrastructure. Even if that is all that's needed, it usually will still have a cascading effect.
Not always.
I work with lots of serial-to-Ethernet stuff, various gateways, etc. in an industry with a lot of old technology. The truth is that the vendors of this stuff make it easy to set up, leave access open by default, and almost never update it. Patches for known things like ssh vulnerabilities or kernel bugs take months. What often happens is some lowest-bid contractor is hired by the utility company to implement control systems, leaves them wide open, and the company has no idea how to secure them.
Remember Windows XP SP2? This was the first client OS update after Microsoft started acknowledging security issues. Before that, the firewall was off and everything was on by default, including remote access to system files and services. That was a pretty big shift - before this, very little in the way of security hardening was done because the goal was to make it as easy as possible to use the system. The same thing probably has to happen for these SCADA vendors and other "magic Ethernet converter" device manufacturers to make it difficult to access things remotely by default.
answer is:
VERY at risk.
Like all infrastructure, management and budgeting are done on a crisis-by-crisis basis.
The rest of the time it is ignored to make the numbers look good and keep the bonuses flowing.
Russia and China already have the capability to take down the entire US power grid.
What would a successful EMP attack look like? The EMP Commission, in 2008, estimated that within 12 months of a nationwide blackout, up to 90% of the U.S. population could possibly perish from starvation, disease and societal breakdown.
http://www.wsj.com/articles/james-woolsey-and-peter-vincent-pry-the-growing-threat-from-an-emp-attack-1407885281
As shown a few years ago, a simple software bug in an operator room led to a breakup, which led to a cascade failure: https://en.wikipedia.org/wiki/... (read the sequence of events). You may not even need a big EMP; a few well-placed C4 charges on important transformers and equipment in the power network may be enough, as the above demonstrates.
C. Sagan: The Demon-Haunted World:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
"a properly motivated terrorist group"
As opposed to what, a lazy one? Do they have motivational away days for the team to get them all fired up?
There are a good number of countries that wish the US ill will. Few of them have the means for direct military conflict and all are an ocean away. They have very few ways they can directly attack the US, short of a 9/11-style incident. We are also in economic competition with our "friends". Malicious hacking is one of the few available avenues, with a relatively low barrier to entry. It's also more difficult to prove who launched the attack or even to prove that it wasn't a "rogue individual" versus a government-sanctioned attack. Cyber attacks are not a question of "if", but a question of "when" and "how bad".
Others are crying FUD [...] are crying FUD.
Slashdot, never change.
With federal grants. Nowadays we just sorta abandon folks to their fate...
It's not like the US hasn't had a shitload of enemies for a long time who would have loved to have turned off the lights. They were willing to fly fucking planes into buildings.
Even your basic basement hacker might have an interest in this, if only for the thrill of knowing you were responsible for a blackout.
Even if you argue that major state actors wouldn't do this until they "needed" it at some crisis moment, that doesn't exclude more generic non-state actors interested in more immediate results.
So why hasn't it happened yet?
"You can take down a power grid with an EMP bomb."
No need for that. Every year thousands of outages are caused by termites, squirrels, birds, ice rain and drunks in the US and still power cables are nailed to the same wooden posts as 100 years ago.
The only thing keeping terrorism at bay is the technical knowledge necessary to mess with it.
Doesn't take much technical knowledge to cut cables in an underground vault and shoot transformers with a sniper rifle.
http://www.npr.org/sections/thetwo-way/2014/02/05/272015606/sniper-attack-on-calif-power-station-raises-terrorism-fears
the combined threat from hacking squirrels?
They used to but it is cheaper and probably more robust to rely on the Internet for communications paths. Not necessarily better but definitely cheaper.
As someone who has the daily job of making the case for security for my company, I can tell you that it's not really laziness. It's an inability to understand and properly assign risk.
Businesses who don't understand risks make poor prioritization decisions.
Most places I have worked at do not complain about security; they just believe they have higher priorities for the time of the various staff and resources we have and don't assign the resources for all of the projects needed. And even I have to admit, it's not very useful to have excellent security for a product that no one is using because it lacks features or capacity. Having said that, it is still something you have to at least plan for and build in from the very beginning, even if you don't spend all your time or money on it. Otherwise, you will be playing an even more expensive game of catch-up, which even fewer companies want to do.
Why is it a matter of assigning risk? Why isn't it just part of "Best Practices"?
We demand no less from our financial institutions (not that they always follow through).
That statement speculates what might happen IF the whole grid was taken down by an EMP, but says nothing about what it would take to do so or who has the capability. The article is paywalled, so if it does specifically state what exactly China and Russia are going to use to take down the entire grid at once, I'd like for you to post it.
Mostly because it requires coordination and some special skills. The 9/11 terrorists needed to learn how to fly just enough to hit buildings and that required a number of attackers, good organization, and backing. That doesn't mean that the capability didn't exist for planes to fly into buildings for decades, it just wasn't used.
You will also note that hijackings are not a "thing" like they were in the 70s and 80s. 9/11 was both the worst case scenario, and immediately made hijacking much, much harder afterward because hijacking depends on the passengers thinking they have a chance to live if they don't all rush you and take you down. Without that hope of survival, the passengers' fear now becomes what will happen if they *don't* attack the hijackers.
If someone wanted to hit the US power grid and has that capability, they're not going to do it until they can get maximum effect from it, because as soon as it becomes realized as a threat, the grid will not be as simple a target anymore. It will get a lot more secure very quickly. They will get one shot at it.
So to answer your question, lone hackers *can't* make a grid failure happen with their limited capabilities, and state actors will want to keep their target unaware of the actual threat until it is needed, lest the killing stroke be blunted.
Engineers at power stations are old farts, and they like things a certain way, the old way. PLCs communicate to other machines in the field using ancient serial protocols, proprietary back planes, and discrete data points. As Rockwell, Siemens, etc. decide they need to wake up to the real world, however, they are putting more of their data over Ethernet, but security is an afterthought, and there's your problem.
Security is absolutely NOT an afterthought at power stations. At least not in the US. That's simply flat out wrong. And those old fart engineers know what keeps a plant running reliably, they have very good reasons and experience to have things a certain way. A smart noob would do well to ask the old engineer exactly why they like things a certain way. Now, there are always going to be better ways that come along, but they won't come through ignorance of what has been working well for quite some time.
I would think that the ability to knock out the grid, or parts of it, would be something that wouldn't have a long shelf life.
Components get replaced, security systems change, the people managing it do stuff differently, accounts get removed/added/changed, patches get installed, operating systems change, etc.
Some remote exploits may allow more durable penetration, but I would bet a fair amount just might expire, making maintaining the capability a long-term prospect involving greater exposure and more risk.
[ Vendors ] are designing security into newer protocols...
That's nice... *today*. Well, assuming every protocol someone designs and that someone implements will be free of security flaws... But, "nice today" is not very useful long term.
Imagine, for example, that something is running using Windows XP or a decades old Linux distro. They could have had the best available security when they were built, but they would suck now. A decades old SSH would now be vulnerable.
It seems that historically, sites always end up with some sort of old cruft in existence. As long as you have to account for equipment not being patched or upgraded, the quality of that equipment's security is insufficient. You need layers. Sane physical controls. An architecture of least privilege. You probably want some sort of VPN that has a guarantee of ongoing security maintenance even when everything else doesn't. Even then, the network access should have some of the attributes you'd use in physical controls - you don't let Joe Whoever into just any control room, so *try* to not allow network connection from just anywhere.
Of the above layers, the architecture may be the most important. For example, if it's OK to be air-gapped, that takes a lot of attack vectors off the table.
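The post above argues for not allowing control-network connections "from just anywhere", and an earlier post notes that serial-to-Ethernet gateways ship with access open by default. As an added example (not code from the thread), here is a zone-based allowlist check that runs over exported flow records and flags ICS-protocol or management traffic reaching the control zone from outside the engineering or VPN zones. The zones, port table and flow records are constructed assumptions for illustration.

```python
# Added example: zone-based allowlist audit for traffic into an ICS control zone.
# Zones, ports and flow records are constructed for illustration.
import ipaddress
from typing import Dict, List, Optional

# Assumed network zones (constructed; adjust to the real addressing plan).
ZONES = {
    "engineering": ipaddress.ip_network("10.10.1.0/24"),  # engineering workstations
    "vpn_pool":    ipaddress.ip_network("10.99.0.0/24"),  # hardware VPN concentrator pool
    "corporate":   ipaddress.ip_network("10.50.0.0/16"),  # office LAN, no control duties
    "control":     ipaddress.ip_network("10.20.0.0/16"),  # PLCs, RTUs, serial gateways
}

# Well-known ICS protocol ports and device-management ports this check cares about.
ICS_PORTS = {502: "modbus", 20000: "dnp3", 44818: "ethernet-ip"}
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

# Which source zones may reach the control zone for each traffic class.
ALLOWED_SOURCES = {"ics": {"engineering", "vpn_pool"}, "mgmt": {"engineering"}}


def zone_of(ip: str) -> str:
    """Map an address to a named zone; anything unlisted is treated as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def classify_flow(flow: Dict) -> Optional[Dict]:
    """Return a finding for one flow record, or None if the flow is within policy."""
    if zone_of(flow["dst"]) != "control":
        return None  # only traffic into the control zone is in scope
    dport = flow["dport"]
    if dport in ICS_PORTS:
        cls, proto = "ics", ICS_PORTS[dport]
    elif dport in MGMT_PORTS:
        cls, proto = "mgmt", MGMT_PORTS[dport]
    else:
        return None  # other ports are out of scope for this check
    src_zone = zone_of(flow["src"])
    if src_zone in ALLOWED_SOURCES[cls]:
        return None
    # Unlisted sources are the worst case: a device reachable from outside the site.
    severity = "high" if src_zone == "external" else "medium"
    return {"src": flow["src"], "dst": flow["dst"], "proto": proto,
            "src_zone": src_zone, "severity": severity}


def audit(flows: List[Dict]) -> List[Dict]:
    """Run the policy over a batch of flow records and collect findings."""
    return [f for f in (classify_flow(x) for x in flows) if f is not None]


# Constructed flow records, as a firewall or NetFlow export might provide them.
SAMPLE_FLOWS = [
    {"src": "10.10.1.15",  "dst": "10.20.5.10", "dport": 502},    # engineer -> PLC: ok
    {"src": "10.99.0.8",   "dst": "10.20.5.30", "dport": 20000},  # VPN user -> RTU: ok
    {"src": "203.0.113.7", "dst": "10.20.5.20", "dport": 502},    # external -> gateway
    {"src": "203.0.113.7", "dst": "10.20.5.20", "dport": 23},     # external telnet
    {"src": "10.50.3.44",  "dst": "10.20.5.10", "dport": 44818},  # office LAN -> PLC
    {"src": "10.10.1.15",  "dst": "10.50.3.44", "dport": 443},    # not the control zone
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"[{f['severity']}] {f['proto']} {f['src']} ({f['src_zone']}) -> {f['dst']}")
```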
I'll trust what you have to say after you tell me how many Rockwell Turbo encabulators you have worked on.
https://www.youtube.com/watch?...
Seriously, the West should be going back to having decent security. That means not just govs, but businesses, esp. when they are critical. 20 years ago, we were decent on that. Not anymore. Yet Russia, China, North Korea, etc. are hard core on their security because they are still in a Cold War mentality.
Why is it a matter of assigning risk? Why isn't it just part of "Best Practices"?
Because if it's a low risk low impact item then spending money on it is poor prioritization. There are always more needs for resources than there are resources available.
A couple of high altitude fairly large nukes would do the job just fine.
"From neglect or from hackers?"
The former also makes the latter more likely.
If you enter "The Growing Threat From an EMP Attack" into Google, you can bypass the paywall to read the article for free. The Soviets during the Cold War could launch from space, the Chinese from an offshore freighter, or the North Koreans with their missiles that are designed for mid-flight explosions. Of the three potential adversaries, China is the most likely, as there are Chinese freighters in every US port.
A couple of high altitude fairly large nukes would do the job just fine.
No, they would not.
They say they have the "primary ingredients for an EMP attack", but nowhere do they talk about what is required to completely knock out the entire grid. There seems to be an assumption this can be easily done if you have some missiles and warheads. There is some conclusion jumping going on; it's nice to leave that stuff out when one is writing such an article because it dampens reactions.
https://en.wikipedia.org/wiki/...
https://en.wikipedia.org/wiki/...
Yup, EMPs have been created, nobody is arguing that. Now, where exactly does it say what it takes to take out the entire grid?
Nahhhhhh. That can't happen. Twice.
I'd go into more detail, but that would be unwise.
Hackers can only attack things which morons put online.
Or those things which were made accessible or are supplied by an online component.
The real risk is the physical method. If you don't understand that ... good.
> serial-to-Ethernet stuff
Haha, I worked at a company whose bread and butter were devices like that... then they got into payment processing as well.
Products were barely cobbled together by people with not enough time or understanding to make a secure system. I left, and they tried to get me back to do some consulting.. I asked em about what kinds of security testing they do... 'well we use openssl'... hahaha ok... sure.. jesus.
Russia and China could simply destroy all US cities with regular bombs, so who cares if they can knock out the power grid with an EMP bomb?
Imagine that. :O
You have to consider the environmental blowback from 2,000+ nuclear bombs being detonated in the atmosphere. A massive EMP attack would be much cleaner if the bombs are detonated in the upper atmosphere. Since the US military is hardened against EMP attacks, a nuclear strike in retaliation becomes inevitable. Hence, mutual assured destruction keeps the big players in check. Not so much for the terrorists.
They are designing security into newer protocols, I actually worked on something called DNP-3
I'm actually highly sceptical of this approach. I grilled one of Schneider's techs who worked on DNP-3 implementation about their long list of security advisories they published over the past few years. I flat out think that people who don't understand security shouldn't be in the business of designing security.
Give me a control system run over a VPN from a dedicated network / security vendor without any further encryption any day. A direct to internet connected device which is difficult to upgrade firmware on and highly dependent on the security skills of a vendor who's never done security is asking for trouble.
This conversation started when we were talking about network infrastructure. I mentioned that we put all products behind hardware VPN boxes, and he proudly proclaimed that with their DNP-3 protocol we don't need to! I just shook my head.
No, not the country, the film.
There are "terrorist attacks" all the way through the film which are actually decrepit infrastructure breaking down (and are then used as justification for draconian law changes)
It seemed improbable at the time, but it seems we're being primed along that direction.
Perhaps more people should watch it.