Slashdot Mirror


At How Much Risk Is the US's Critical Infrastructure? (csoonline.com)

itwbennett writes: There is growing evidence that intrusions into the power grid and other critical infrastructure by hostile foreign nation states are real and happening. But there's "much less agreement over how much of a threat hackers are," writes Taylor Armerding. "On one side are those – some of them top government officials – who have warned that a cyber attack on the nation's critical infrastructure could be catastrophic," writes Armerding. Others are crying FUD, including C. Thomas, a strategist at Tenable Network Security, who got some attention when he argued in an op-ed that the biggest threat to the U.S. power grid is not a skilled hacker, but squirrels. Who has it right? Agreement seems to coalesce around two points: 1) the cyber security of industrial control systems remains notoriously weak and 2) hostile hackers will improve their skills over time. So, while we haven't reached "catastrophe" yet, a properly motivated terrorist group could become a cyber threat.

26 of 162 comments

  1. From neglect or from hackers? by NotDrWho · · Score: 3, Insightful

    Because the former is WAY greater a threat than the latter.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:From neglect or from hackers? by Hognoxious · · Score: 2

      I suspect I detect a whiff of sampling bias here.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:From neglect or from hackers? by Z00L00K · · Score: 2

      Every item built needs to be maintained to work in the long run. A dam doesn't see the same amount of wear as a road, but there's some work needed now and then.

      When it comes to infrastructure it's a continuous work since people have a tendency to move around.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:From neglect or from hackers? by jbengt · · Score: 2

      I agree that poor people take the brunt of the government incompetence, but that's simply because the rich people have folks on the government payroll looking out for their interests when resources get tight.

      FTFY

      Actually, though I doubt the state government purposefully lead-poisoned the citizens of Flint (they would have known it would be a scandal), you are underestimating the capacity of those in power to hold the working poor in contempt and being OK with letting those freeloaders get hurt: After all, you get out of life what you put into it, so they probably deserve it. (Even if on a personal level they feel some pity when they see it actually happen.)

  2. I'd worry more about the squirrels by dlleigh · · Score: 3, Funny

    But they aren't very organized. Once they set up a twitter feed, or at least unionize, I'll start being concerned.

    1. Re:I'd worry more about the squirrels by 110010001000 · · Score: 3, Funny

      What are you, nuts?

  3. The real risk by rsilvergun · · Score: 2

    Is a lack of funding after 30 years of minimal tax cuts for workers and massive tax cuts for the folks at the top. Look at Flint, Michigan.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  4. Washington DC by 110010001000 · · Score: 2

    I live in Washington DC. The power goes out regularly because the power lines are overhead and not buried. Arguably DC is a "critical" city in the US. Yet we all survive. The country probably does better when DC is out of commission, like it will be next week with the big snow storm coming. You still need to pay your tribute on time, I mean taxes.

    1. Re:Washington DC by Z00L00K · · Score: 2

      That's one thing that amazes me - I'm from Europe and overhead lines are only used out in the boondocks. As soon as you are in a village then they are put below ground, same with telephony and internet where I live. But in almost every village and town in the US they are above ground cluttering the view and put at great risk for influence from the elements, accidents and possible sabotage.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Washington DC by 110010001000 · · Score: 2

      Right...most new development uses underground cables, but not everywhere here. They are eventually going to bury our cables here in DC, but it will likely take a few billion dollars and decades.

    3. Re:Washington DC by IT.luddite · · Score: 2

      The primary issue between overhead and underground is the time and cost. The conversion cost from overhead to underground is tremendous and quite frankly, rate payers don't want to pay for it. When the conductor fails (or insulator for underground), the time for repair is also significantly higher. Regarding reliability, redundancy is how most utilities address it. Power feed redundancy can be addressed on distribution circuits that can be fed from either end, midpoint ties and reclosers. However, you'll need a large field force or automation to actually utilize the capability once installed, neither of which is high on the list of things rate payers want to pay for. Infrastructure age is primarily seen on the transmission and generation side.

    4. Re:Washington DC by Zak3056 · · Score: 2

      Europe has plenty of old areas. Many of them were bombed back into the stone age 70 years ago, and had a chance to build new infrastructure when they were reconstructed. When someone does an ROI calculation, it's a lot easier to get things done when the choice is "Spend 20% more to install buried lines rather than overhead lines" vs "spend 120% more to replace existing, working, overhead lines with buried lines."

      Not saying this is right, but it is reality. It's probably why the US infrastructure is in such a shitty state, because it "works" (after a fashion) and replacing it is seen by many (on both sides of the political spectrum) as an unnecessary cost. You only have replacements when something horribly wrong is discovered, like the Lake Champlain Bridge (which was found to be catastrophically unsafe, was closed, and dropped into the lake in a two month period). The replacement opened two years later. I can only imagine what kind of economic damage that caused, as routing around that bridge probably added 1-1.5 hours to transit times each way.

      --
      What part of "shall not be infringed" is so hard to understand?
  5. OMG by 110010001000 · · Score: 3, Funny

    OMG Critical infrastructure should never be connected to the intertubes!!!!!

  6. Needs Prodding by Hoorayforthings · · Score: 2

    I work in the industrial control world, some anecdotal things to share...

    I've seen access to PLCs running critical water structure completely available via a web browser from anywhere in the world...since fixed. There is movement to close all these holes but the industrial control world moves very slowly. It's very conservative, thinking "if it ain't broke, don't fix it" with the definition of broke being physically destroyed. It's easy to be critical of them for this but industrial controls are typically running infrastructure or manufacturing equipment; shutting down either of these for upgrades is very costly.

    It also doesn't help that many people doing controls are electrical engineers or technicians who don't understand network technology well and don't communicate with the IT department.

    Many companies understand that they don't understand and just refuse to put their machines on a network; unfortunately they are missing out on the benefits of capturing data about their process, remotely viewing and troubleshooting faults, etc.

    1. Re:Needs Prodding by silas_moeckel · · Score: 2

      I've had vendors tell me water/sewage gear in a mid sized city did not support routing. OK sure I can see them sending arp requests for the gw they have set when I inject traffic at them, but who knows maybe they have some funky L2 broadcast component. I'm voting for the vendors looked at old gear and went the answer is no get new stuff for anything it was not currently doing.

      I had those same vendors tell me their gear did not support running through a tagged vlan, as in no change but moving their uplink into a vlaned port. They literally came back that only native vlan 1 was supported.

      It's ok, this is the same town who had dark fiber but the vendor told me it does not support VLANs, jumbos, anything over a 1500 MTU, or gigabit on point-to-point glass in the ground. Companies see the government coming and try and BS their way into a payday.

      At the end of the day I got some political coverage and set up routing, a VLAN and some firewalling. Works just fine. You can no longer turn off water pumps from the public library, any school or any other government building. You can now control the stuff from someplace else than a 90's PC in a decommissioned maintenance garage. 10ge works just fine over that 100mbs only single mode fiber as well.

      --
      No sir I dont like it.
  7. Neither by entropy01 · · Score: 2

    Neither hackers nor squirrels. Physical attacks have already happened in California. A relative few attacks coordinated to occur simultaneously on multiple power stations would do the trick.
    I can't remember where I saw it, but in a story about EMPs the author noted that the components that are used to build the transmission stations are only manufactured by one or two companies overseas. The build time on these components is 3-5 years. They don't have spares sitting around.

  8. Re:It will all collapse by fluffernutter · · Score: 2

    Yes.. because being indebted to China is a good way to go.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  9. Answer: both by Obfuscant · · Score: 4, Insightful

    "A cyber-attack could be catastrophic."

    "The biggest risk is squirrels."

    Do these people not understand that these two statements are not contradictory? Does anyone here understand that? The question "who is right" is trivial to answer. Both are.

    A cyber attack could be catastrophic, albeit rare. And squirrel outages, due to the comparatively high rate of occurrence combined with the level of damage, are a bigger risk.

  10. Re:OMG!!! by interval1066 · · Score: 4, Informative

    As someone who's worked in industrial automation (PLCs and their ancillary products), the infrastructure is most definitely at risk. The only thing keeping terrorism at bay is the technical knowledge necessary to mess with it. Engineers at power stations are old farts, and they like things a certain way, the old way. PLCs communicate to other machines in the field using ancient serial protocols, proprietary back planes, and discrete data points. As Rockwell and Siemens etc. decide they need to wake up to the real world, however, they are putting more of their data over ethernet, but security is an afterthought, and there's your problem. They are designing security into newer protocols; I actually worked on something called DNP-3, and that specification does have an encryption layer in it. I came on to add AES-256 to an existing implementation. Again, afterthought. The effect out in the field of course is that new impl. will cause disruption, consuming devices will need to be upgraded, etc. That costs money. And so on. It's rarely the case that one simply needs to add a password to an existing infrastructure. Even if that is all that's needed, it usually will still have a cascading effect.

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  11. Re:Well, C. Thomas got it wrong. by Anonymous Coward · · Score: 3, Funny

    Squirrels don't work in groups.

    You are so, so very wrong.

    The problem is that most people who know that squirrels work in groups are now dead. Very very dead. With Oak trees growing out of their rotting corpses.

    Posting anonymously for obvious reasons...

  12. Re:It will all collapse by __aaclcg7560 · · Score: 4, Insightful

    The $800 billion stimulus bill was too small to make an impact and too many states used the money to pay for ongoing expenses rather than investing in infrastructure projects. It should have been two to three times larger. With the baby boomers retiring and the working taxpayers shrinking over the next 20 years, paying more taxes is an inevitable fact of life.

  13. Re:Not very by __aaclcg7560 · · Score: 2

    Russia and China already have that capability to take down the entire US power grid.

    What would a successful EMP attack look like? The EMP Commission, in 2008, estimated that within 12 months of a nationwide blackout, up to 90% of the U.S. population could possibly perish from starvation, disease and societal breakdown.

    http://www.wsj.com/articles/james-woolsey-and-peter-vincent-pry-the-growing-threat-from-an-emp-attack-1407885281

  14. Re:Well, C. Thomas got it wrong. by 110010001000 · · Score: 4, Funny

    Don't listen to him. He is clearly nuts. I am totally not a squirrel. You can trust me.

  15. Re:OMG!!! by __aaclcg7560 · · Score: 2

    The only thing keeping terrorism at bay is the technical knowledge necessary to mess with it.

    Doesn't take much technical knowledge to cut cables in an underground vault and shoot transformers with a sniper rifle.

    http://www.npr.org/sections/thetwo-way/2014/02/05/272015606/sniper-attack-on-calif-power-station-raises-terrorism-fears

  16. Re:If hacking a real risk, wouldn't it have happen by tnk1 · · Score: 2

    Mostly because it requires coordination and some special skills. The 9/11 terrorists needed to learn how to fly just enough to hit buildings and that required a number of attackers, good organization, and backing. That doesn't mean that the capability didn't exist for planes to fly into buildings for decades, it just wasn't used.

    You will also note that hijackings are not a "thing" like they were in the 70s and 80s. 9/11 was both the worst case scenario, and immediately made hijacking much, much harder afterward because hijacking depends on the passengers thinking they have a chance to live if they don't all rush you and take you down. Without that hope of survival, the passengers' fear now becomes what will happen if they *don't* attack the hijackers.

    If someone wanted to hit the US power grid and has that capability, they're not going to do it until they can get maximum effect from it, because as soon as it becomes realized as a threat, the grid will not be as simple a target anymore. It will get a lot more secure very quickly. They will get one shot at it.

    So to answer your question, lone hackers *can't* make a grid failure happen with their limited capabilities, and state actors will want to keep their target unaware of the actual threat until it is needed, lest the killing stroke be blunted.

  17. Re:It will all collapse by __aaclcg7560 · · Score: 2

    If you haven't noticed the financial news today, the US economy is stronger than the world economies because those other idiots choose to cut their budgets and strangle their recovery in the mistaken belief that government spending was bad. In fact, those other idiots are now embracing stimulus.

    https://uk.finance.yahoo.com/news/world-stocks-oil-surge-central-125120140.html