Slashdot Mirror

← Back to Stories (view on slashdot.org)

GE Fixing Bug in Software After Warning About Power Grid Hacks (reuters.com)

Posted by msmash on from the fixing-things dept.

General Electric said on Wednesday it is fixing a bug in software used to control the flow of electricity in a utility's power systems after researchers found that hackers could shut down parts of an electric grid. From a report: The vulnerability could enable attackers to gain remote control of GE protection relays, enabling them to "disconnect sectors of the power grid at will," according to an abstract posted late last week on the Black Hat security conference website. Protection relays are circuit breakers that utilities program to open and halt power transmission when dangerous conditions surface.

5 of 38 comments (clear)

  1. Re:And these breakers are connected to the network by DickBreath · · Score: 4, Funny

    If air gaps are not possible, then at least change which port Telnet is running on.

    --

    I'll see your senator, and I'll raise you two judges.
  2. Re:And these breakers are connected to the network by darkain · · Score: 3, Insightful

    That simply isn't ideal anymore. When a critical situation happens, say an earthquake, how long does it take to deploy a person to a breaker unit to manually change its state? They NEED to be networked in today's age to have the level of agility needed to handle a situation.

  3. Billions can attack a network target by PeterM+from+Berkeley · · Score: 2, Insightful

    If your asset is attached to the network, literally billions of people could potentially attack it, from anywhere on the world. Not only that, but they can unleash automated attacks upon your asset from other Internet targets they've previously compromised.

    If your asset is on its own network, or is non-networked, that cuts down on the number of possible attackers tremendously.

    So, critical infrastructure should NOT be on the Internet, or at least not without a correspondingly LARGE investment in security commensurate to the risk.

    --PeterM

    1. Re:Billions can attack a network target by thegarbz · · Score: 2

      If your asset is not on a network, no one will care about attackers because power outages will become incredibly common due to the inability to properly manage the grid.

      If your asset is on it's own network, just expect to pay the appropriate price for electricity when the providers are forced to build a nation wide network of their own, and let me tell you Americans are currently getting one hell of a bargain on electricity.

      The internet is a necessity. But then so are VPN tunnels, firewalls, and proper network design.

  4. Re:info on Recloser by thegarbz · · Score: 2

    Sorry but horseshit. These companies in general know very little about security. Leave security to those people who specialise in it and put every installation behind a proper VPN before it gets a cable plugged in. And then put the crappy security provided by these protocols in anyway.

    Not that it matters what these companies build, because the end user will screw it up anyway. I went into a substation at a power plant in Germany the other day. I've never visited this power plant before. The maintenance supervisor was trying to show off his new PLC and control cabinet but the computer was logged out. He tried to login as "Administrator" with a few different passwords without success. I reached over and typed "password" ... fail. "Password" ... fail. "passw0rd" and I was greeted with a lovely desktop and an auto starting HMI with write access and no user access control to the relays.

    Siemens put a lot about security in their manual too. It doesn't mean shit if you end up with customers like that.