Slashdot Mirror


Department of Energy Invests $50 Million To Improve Critical Energy Infrastructure Security (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Today, the Department of Energy (DOE) is announcing awards of up to $50 million to DOE's National Laboratories to support early stage research and development of next-generation tools and technologies to further improve the resilience of the Nation's critical energy infrastructure, including the electric grid and oil and natural gas infrastructure. The electricity system must continue to evolve to address a variety of challenges and opportunities such as severe weather and the cyber threat, a changing mix of types of electric generation, the ability for consumers to participate in electricity markets, the growth of the Internet of Things, and the aging of the electricity infrastructure. The seven Resilient Distribution Systems projects awarded through DOE's Grid Modernization Laboratory Consortium (GMLC) will develop and validate innovative approaches to enhance the resilience of distribution systems -- including microgrids -- with high penetration of clean distributed energy resources (DER) and emerging grid technologies at regional scale. The project results are expected to deliver credible information on technical and economic viability of the solutions. The projects will also demonstrate viability to key stakeholders who are ultimately responsible for approving and investing in grid modernization activities. In addition, the Department of Energy "is also announcing 20 cybersecurity projects that will enhance the reliability and resilience of the Nation's electric grid and oil and natural gas infrastructure through innovative, scalable, and cost-effective research and development of cybersecurity solutions."

51 comments

  1. $50 million? by PopeRatzo · · Score: 5, Insightful

    They better add a few zeroes to that.

    --
    You are welcome on my lawn.
    1. Re:$50 million? by ls671 · · Score: 1

      This is just PR, what is really critical is the Strategic Petroleum Reserve of the United States ;-)

      https://en.wikipedia.org/wiki/...

      --
      Everything I write is lies, read between the lines.
    2. Re:$50 million? by taiwanjohn · · Score: 1

      Yeah, like China did recently, on top of the investments they've been making already for the last decade at least.

      --
      XML is like violence. If it doesn't solve your problem, you're not using enough of it. --AC
    3. Re:$50 million? by Anonymous Coward · · Score: 0

      Internet of um...things. Okay.

      Since this sounds a bit vague (IoT), we could consider keeping this internet away from the internet of really important, critical infrastructure that makes a significant difference in the lives of human beings.

    4. Re:$50 million? by K.+S.+Kyosuke · · Score: 1

      early stage research and development

      If "early stage research and development" of something costs $50M plus a few zeroes, then that "something" must be either warp drive research or the cure for death. I don't think this is it.

      --
      Ezekiel 23:20
    5. Re: $50 million? by Anonymous Coward · · Score: 0

      How about 5 of them to teach a new wave of electricians? Or perhaps to children in school, teach an amount of electrical engineering proportional to how much our civilization requires it? I don't think hooking an LED to an AA battery or a lemon is sufficient knowledge of HOW THE ENTIRE FUCKING WORLD UTTERLY DEPENDS ON ELECTRICITY, and yet in public school spend an equivalent amount of effort talking about George Washington's dentures.
      USA #1 indeed

    6. Re:$50 million? by PopeRatzo · · Score: 1

      If "early stage research and development" of something costs $50M plus a few zeroes, then that "something" must be either warp drive research or the cure for death. I don't think this is it.

      The F-35 "fighter" jet program will cost $1.1 trillion, and doesn't include a warp drive or immortality.

      --
      You are welcome on my lawn.
    7. Re:$50 million? by angel'o'sphere · · Score: 1

      It does not? include a warp drive?
      I'm disappointed.

      What did the Apollo program cost in 'modern dollars'?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    8. Re:$50 million? by WheezyJoe · · Score: 1

      They better add a few zeroes to that.

      This. $50mil is like change stuck in the couch of the Federal Government, not enough to do anything but maybe fund a study that will produce a paper in 8 months that nobody will read. And then there's that "up to" part to really let the air leak out of the balloon.

      This is a big country, with a huge, interconnected, antiquated power grid that needs complete re-thinking in a world of public and private solar, heat waves, hurricanes, hackers and insecure control equipment, and a population more dependent than ever on a reliable supply of electricity. Of course, the DOE is under the command of a man who pledged to abolish it, so I wouldn't expect any miracles. But "up to $50 million" won't inspire much of anything.

      --
      Take it easy, Charlie, I've got an Angle...
    9. Re:$50 million? by K.+S.+Kyosuke · · Score: 1

      That $1.1 trillion is not "early stage research and development", though. I was under the impression that that was the total cost of everything associated with the program until EOL. Not just the physical airplanes, but fixing them for fifty years, paying for the pilots etc. etc.

      --
      Ezekiel 23:20
  2. Coronal Mass Ejection for Life On Earth, Alex... by GerryGilmore · · Score: 4, Funny

    Seriously - The Economist magazine recently had a great article (https://www.economist.com/news/world-if/21724908-huge-potential-impact-rich-countries-prolonged-loss-electricity-disaster) highlighting A) the catastrophic effect on civilized life and B) the ridiculously low cost of preventive measures and C) as always, the lack of political will, coupled with a lack of technical knowledge across broad swaths of our populace and - especially! - politicians married with a "gubmint regulations are bad, M'Kay!" mentality and you have potential disaster looming. Don' worry, though, the latest version of Apple's iPhone will have an app to fix that! :-)

  3. COAL JOBS! FINALLY! by Anonymous Coward · · Score: 0

    Trump is so right about these things, it's uncanny!

    Captcha : TRAITORS - NO FUCKING KIDDING!

  4. $50 million = half an F-35 Fighter Jet by Anonymous Coward · · Score: 0

    And Lockheed Martin has already built hundreds of them.

    Of course, energy security isn't nearly as important to Americans as.......

    1. Re:$50 million = half an F-35 Fighter Jet by pntkl · · Score: 1, Interesting

      Of course, energy security isn't nearly as important to Americans as.......

      Energy security should be among the top items of the list of critical needs. We could certainly afford to invest heavily. A great crux of the problem is that it requires adapting to its realities, after we hit key milestones/plateaus. With optimal handling of energy markets, we could likely diminish corruption and more importantly diminish difficult to measure discrepancies in reporting, without providing a broken vacuum that requires immediate fulfillment. It could even provide an outlet for abandoning fiat currencies and fractional reserve banking. However, such changes would likely require drastic changes for much of the status quo. People would have to put aside many ideas they've hurt one another over, time and time again.

      Hard to believe our leaders collectively plan for our survival beyond a few fleeting moments with such abysmal investment in things like energy security--it seems largely left to the fortunes or misfortunes of the market. Natural monopolies that last longer than the limitations of technology dictate them being natural end up asking us to call their great depletion a favorable gain (bah). And apparently, we are still collectively okay with our state of being. We all seem to quickly forget what we see each time we walk away from a mirror.

    2. Re:$50 million = half an F-35 Fighter Jet by PopeRatzo · · Score: 2

      An F-35 costs a minimum of $165 million, so that $50 mil is less than 1/3.

      https://www.bloomberg.com/news...

      --
      You are welcome on my lawn.
    3. Re:$50 million = half an F-35 Fighter Jet by sheph · · Score: 1

      I agree that energy security should be more of a priority. But as someone who actually works on software that controls the electrical grid I can tell you a lot of the problem is management. They want things, don't understand the security ramifications, and then when you point them out they call you paranoid. You could fix that today with $0. R&R defective management. It's not that we don't know what to do. It's that we're not allowed to.

      --
      I don't believe in karma, I just call it like I see it.
    4. Re:$50 million = half an F-35 Fighter Jet by Anonymous Coward · · Score: 0

      Americans != Congresscritters

      Most of us wouldn't mind seeing some of the boondoggles like the fighter jets tossed. Those billions of dollars could be used for actually useful things, be it fixing infrastructure, a guaranteed minimum income (so the welfare/food stamps/section 8 housing/social security can be tossed), a functioning school system, actual government grants for R&D, and so on.

    5. Re:$50 million = half an F-35 Fighter Jet by Anonymous Coward · · Score: 0

      it is a fight-club scenario, anybody who knows what is done to protect infrastructure cannot speak about what is being done to protect infrastructure

      the $50 M is just a checkmark in a box that says, "What the public needs to know about"

      really, but then I do not know anything about what is being done to protect infrastructure

      catch-phrase = echelon... lol

  5. I'll take 10 million by Khyber · · Score: 1

    And I'll just take your electrical grids off the fucking internet. There, highly secure (physical attacks only.) Saved you 40 million so you can play with figuring out the oil and gas side of things.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re: I'll take 10 million by Anonymous Coward · · Score: 0

      If remote access is denied, how many thousands of full time staff are needed at what price to read the meters of three hundred fifty million customers?

      Your one dimensional thinking is severely flawed. The grid is impossible to realistically secure, so fault tolerance should be the goal. Non destructive failures. Have a transformer cut off power when tension or current on cables is over the designated limit. Have a big old manual switch to throw it back online.

      This is basic, mostly mechanical stuff any ME and any decent EE can do as a student project. Plus it works if something like the annualish "hundred year" storms trash an area...

    2. Re:I'll take 10 million by Anonymous Coward · · Score: 0

      And I'll just take your electrical grids off the fucking internet. .

      Direct control systems are already off the internet, even monitoring systems are isolated. So exactly what were you going to do?

    3. Re:I'll take 10 million by Bob+the+Super+Hamste · · Score: 3, Informative

      I see someone has no idea of what they are talking about in this regard. Here is the current standard that grid operators have to comply with. Also here is what is currently being asked of suppliers by the grid operators when getting a new system. Add in that the systems be benchmarked against these or these is also becoming written into the contracts now. I would assume that operators in the oil and gas industry either have similar things or are at least smart enough to re-purpose the above as the effort to do so would be minimal. A lot of the security efforts for securing the grid are not to protect it from the general internet, they are already separated and if not the company fucked up really bad and if NERC finds out the company will be paying some huge fines so let NERC know. Instead the security is to protect the control system from stupid users who find a USB rubber ducky in the parking lot, connects their corporate laptop to the control network, someone doing malicious things out at some remote substation that then gets into the main control system, or malicious insider. The people going after the grid are professionals and more often than not state actors not little Timmy from down the street who just found out about Low Orbit Ion Cannon or Armitage.

      --
      Time to offend someone
    4. Re:I'll take 10 million by Mr+D+from+63 · · Score: 1

      I see someone has no idea of what they are talking about in this regard.

      Please, stop with the facts. It's more fun to just assume 'it's all connected to the internet', so we can all say how stupid and negligent they are. We don't need to have a clue, it's /.

    5. Re:I'll take 10 million by Khyber · · Score: 1

      "I see someone has no idea of what they are talking about in this regard."

      I see someone fails to remember how IBM researchers hacked and gained remote control of a nuclear fucking reactor.

      You think these power companies are actually complying with regulations? You better open your eyes, sonny boy. If the penalty for non-compliance the profits made from non-compliance, they will choose to not comply. This is how you have companies like Oncor in Texas fucking things up royally.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:I'll take 10 million by Khyber · · Score: 1

      Fucking inserting HTML when I select plain text. Thanks, Slashdot. If the penalty of non-compliance is less than the profits gained by non-compliance, they'll choose non-compliance.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    7. Re:I'll take 10 million by Bob+the+Super+Hamste · · Score: 1

      Well considering that NERC CIP penalties can be $1,000,000 a day for each violation they are taken seriously. The IBM incident you mention was actually one of the many that have been a big driving force for the successive NERC CIP regulation updates that have come since. My major complaint about the NERC CIP regulations is that they are too open to interpretation by auditors and there is a bit too much coziness between the auditor and the operator. Thankfully in the last few years power companies have started to fear NERC more starting when CIP v5 was out but not enforced yet. The existing regulations don't go far enough, there is a lot of room for improvement, but they are better than just about any other industry's. Having worked with NERC it is a slow and sometimes painful process but things will continue to get better. The Europeans are in an even worse situation and the operators elsewhere in the world who do want security always want to ensure that they are compliant with NERC CIP even if NERC doesn't have jurisdiction.

      --
      Time to offend someone
  6. Well by buss_error · · Score: 4, Interesting

    I'm all for that. But how expensive is it to block port 23 and changing the BIOS of SCADA systems so that the first thing to be configured is a password?

    I have seen power, water, sewer, and traffic systems put into production with an internet gateway that had telnet open, with default admin credentials that are well known.

    I have a few "go to" things for the rare occasions I'll take a consulting gig on.

    1. nmap the device. Secure the open ports.
    2. No default passwords, and it's best if you can change the admin account name to something non-standard.
    3. patch patch patch
    4. Secure SSH so that only ssh key access is allowed. No username/password.
    5. Create a key for each device. Best if you create the key with a password - I usually use the serial number of the device obfuscated. So if the serial number is 123, then the password for that key would be zyx or some simple transposition. I usually use a 10 letter word whose letters don't repeat. INTRODUCES, BLOCKHEADS, CORNFLAKES - and I usually say order them so it doesn't spell a word. EG: BLOCKHEADS to ABCDEHKLOS. And change the key based on the third or second to last number.
    6. firewalls, firewalls firewalls. Limit port access to only those IP's you know and control.
    7. Trust nothing completely. Defense in depth.
    8. Construct "alarm" data and configure deep packet inspection to look for those alarm data and trigger an alert.
    9. Ensure you have a panic button to shut down the network.

    There are other things, a bit more subtle to go into.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    1. Re:Well by Anonymous Coward · · Score: 1

      You forgot some points but I won't pedantically bore everyone pretending I'm the authority on them.

    2. Re:Well by Anonymous Coward · · Score: 1

      I'm all for that. But how expensive is it to block port 23 and changing the BIOS of SCADA systems so that the first thing to be configured is a password?

      I have seen power, water, sewer, and traffic systems put into production with an internet gateway that had telnet open, with default admin credentials that are well known.

      I have a few "go to" things for the rare occasions I'll take a consulting gig on.

      1. nmap the device. Secure the open ports.
      2. No default passwords, and it's best if you can change the admin account name to something non-standard.
      3. patch patch patch
      4. Secure SSH so that only ssh key access is allowed. No username/password.
      5. Create a key for each device. Best if you create the key with a password - I usually use the serial number of the device obfuscated. So if the serial number is 123, then the password for that key would be zyx or some simple transposition. I usually use a 10 letter word whose letters don't repeat. INTRODUCES, BLOCKHEADS, CORNFLAKES - and I usually say order them so it doesn't spell a word. EG: BLOCKHEADS to ABCDEHKLOS. And change the key based on the third or second to last number.
      6. firewalls, firewalls firewalls. Limit port access to only those IP's you know and control.
      7. Trust nothing completely. Defense in depth.
      8. Construct "alarm" data and configure deep packet inspection to look for those alarm data and trigger an alert.
      9. Ensure you have a panic button to shut down the network.

      There are other things, a bit more subtle to go into.

      If the 'the grid' control networks looked like a corporate network, this might make sense. But 'the grid' is really a huge number of segmented and isolated networks, of varying levels of actual control or risk, most of which have much of the security you describe. Some improperly isolated networks or ones missing some protections probably exist, but they are outliers and can't bring down the greater system.

      There is a need for communication between some of the networks across the grid, and that is where extra diligence and R&D might not be bad idea, unless you feel you've thought of everything.

    3. Re:Well by angel'o'sphere · · Score: 1

      My favourite admin user/password is:
      User: 'Ruth'
      Passwd: 'geh heim' :P

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  7. Meh. by Anonymous Coward · · Score: 0

    Cybersecurity is one thing. But a little storm comes by (Irma) and it looks like I'll be on generator power for 3-4 weeks. Most of the wiring in my neighborhood is on the ground. It doesn't matter how much telemetry there is.

    Sigh. It's too hot to sleep (89F at 2am) which just sucks for a month.

    1. Re:Meh. by Anonymous Coward · · Score: 0

      Maybe if you converted to metric, like the rest of the world, we'd care about the US. It's pretty quickly becoming irrelevant.

    2. Re:Meh. by Anonymous Coward · · Score: 0

      This is why you need those backup sources. Not much could be done to protect those wires. Bury them? Still going to lose the transformers and/or end up with cable paths full of water. I keep 1kw of solar, 500w wind gen, 2x 800w gas gens on hand just for emergency stuffs. Last time I needed it was 6yr ago when the garage burned down due to a faulty light. This setup cost 125$x10, $200 charger, $300, $100 charger, $200x2.

  8. f' that- it's time to get the government out by Anonymous Coward · · Score: 0

    It's utterly ridiculous that the government be involved in electricity distribution or production and private enterprises need to take over. BUT it needs to be sold off in a way that ensures we don't end up with monopolies. There is no reason for government to get involved in this if you let the free market do its thing. The proper response to actual free market failures (like the 1930s crash) is for people to be more cautious with what they do with their money. The free market should provide for what government need not and its only our own government interference that has led us into this terrible system that we have today. A truly free market has risks- but if you don't want to live in a communist state like we have today (about 70% of my wealth was being stolen from me via hidden taxes/fees, property taxes, income taxes, sales taxes, and similar where I was living in NJ until recently) or see sky high taxes like we have and be in control of your own money, education, investments, risks, and so on that is what must be done. I've done well for myself- but I see no reason I should prosper off your tax dollars. I've profited explicitly because governments paid me for my products at excess prices. While I had the "lowest bid" in one recent sale the entire system is setup such that we all still pay absurdly for product. They paid 8x what any other company would have paid. Something is terribly broken- and it's this system that redistributes wealth rather than let the free market figure it out. Guaranteed loans, welfare, and similar ensure a select elite profit and the costs for housing and college continue to sky rocket out of control. It also opens the doors to defrauding us all. I'm doing better now than ever before since I moved to NH. No sales taxes here although property taxes are still too high, too many police, too much tie in with federal government, and more.

    We need to go back to being independent self-sustaining members of society and proud of that rather than relying on 'handouts' that ultimately we're all paying for and cost greatly more than we get back in turn. This is also destroying our liberties and freedom. And the latter is why I moved to NH to partake in the Free State Project. What is worse than the taxes are the license plates, vehicular registration, restrictions on my freedom to travel, bear arms, and even marry who I like (I'm gay- so it matters to me).

    1. Re:f' that- it's time to get the government out by dehachel12 · · Score: 1

      'government out' leads to another instance(large corporations) taking power. Government still has a tiny bit of oversight(elections)

    2. Re: f' that- it's time to get the government out by Anonymous Coward · · Score: 0

      But he said to structure the sell off so that companies can't become monopolies. He'll do that without government involvement. Instead he'll get some people to monitor the industry. They can be paid by a small fee paid by everyone so they can do it as a full time job. Set some standards, work with other regions.

      It's a great idea. You can do it for other industries too. Oil, gas, coal. Maybe even the environment protected by some sort of agency with jurisdiction over these other groups. These groups get big though, so we need another group to oversee all the legal contracts, make sure they get executed properly. Maybe even have a third, co equal group to judge any disputes...

      Seems like a good idea. Now all we need is name for this new, never before imagined system of governance establishment. Maybe we could call it...
      Establishnance. Yeah that seems good.

    3. Re: f' that- it's time to get the government out by Anonymous Coward · · Score: 0

      The reason we have these monopolies is because of government action in the first place dumb ass. You can't just privatize it and expect the monopolies to go away. But that doesn't mean the problem wasn't created in the first place by stealing from the masses to produce the costly infrastructure in such a way as to burden others (running phone lines to people living in the middle of nowhere) or creating a monopoly to supposedly attract investment in infrastructure in the first place (cable companies in the 1970s and 1980s). There are some places where monopolies weren't granted and there are more choices today as a result. However it's rare because most places gave in and destroyed what should have been a free market. The problem is we don't have a free market. Trying to turn back time and fix it is an extraordinarily difficult problem because you've given these companies first mover advantages that can't be undone. Competitors can't magically be made to be in a similar position and so competition doesn't exist or won't work to anybody investing in a business that competes without some other serious innovative advantage. But even that can be a challenge because the government is manipulated by these corporations and industries to keep out new innovative competition. More reason we need to end the regulations- we need more Ubers and Lyfts. If you don't like these companies (and I don't, but not for the reasons most socialists dislike em) you can still choose one of the traditional transportation options (ie cabs, etc).

    4. Re: f' that- it's time to get the government out by Anonymous Coward · · Score: 0

      And here I was, worried you'd just go off another rant rather than enumerate a clear and succinct path by which you avoid natural monopolies without government involvement in energy infrastructure.

      It's easy to tear down an existing structure. Building a new one without the same flaws is surprisingly difficult if you don't change the underlying nature somehow.

      The solution of course is microgrids. Distributed solar, wind, etc. And a national backplane bus to interconnect them. A confederation can be set up within a zip code. Peered within cities and states and then federal standards (60kv vs 110v maybe? Agreed clock Hz sync...)

      I wonder what sort of organization could constitutionally regulate such an entity though...

      Go ahead and have the last word now, and don't forget to take your blood pressure meds instead of going for a walk.

    5. Re: f' that- it's time to get the government out by Anonymous Coward · · Score: 0

      >But that doesn't mean the problem wasn't created in the first place by stealing from the masses to produce the costly infrastructure in such a way as to burden others (running phone lines to people living in the middle of nowhere)
      Would there be a telephone system without government? I don't think so.

  9. Re:Coronal Mass Ejection for Life On Earth, Alex.. by Gravis+Zero · · Score: 1

    Don' worry, though, the latest version of Apple's iPhone will have an app to fix that! :-)

    Oh no! But I choose healthcare instead. ;)

    “Maybe rather than getting that new iPhone” Americans “should invest in their own healthcare” - Rep. Jason Chaffetz

    --
    Anons need not reply. Questions end with a question mark.
  10. Cost of a Mile of Fiber: about $175k by Required+Snark · · Score: 1
    Here is a rough estimate as of 2015 from Quora:

    For long haul, my rule-of-thumb (based on 35k miles of "thumb" over the last 20 years) is about $175k/mile for two conduit and 144 fiber. Note: this is good for optical ground wire on long-haul electrical transmission lines, as well as buried.

    So $50 million buys .285714285714 of a mile, or 1508.57142857 feet or 459.8126 meters.

    Thank god we're saved!!

    --
    Why is Snark Required?
    1. Re:Cost of a Mile of Fiber: about $175k by Scarred+Intellect · · Score: 1

      Here is a rough estimate as of 2015 from Quora:

      For long haul, my rule-of-thumb (based on 35k miles of "thumb" over the last 20 years) is about $175k/mile for two conduit and 144 fiber. Note: this is good for optical ground wire on long-haul electrical transmission lines, as well as buried.

      So $50 million buys .285714285714 of a mile, or 1508.57142857 feet or 459.8126 meters.

      Thank god we're saved!!

      Incorrect.

    2. Re:Cost of a Mile of Fiber: about $175k by fox171171 · · Score: 1

      Here is a rough estimate as of 2015 from Quora:

      For long haul, my rule-of-thumb (based on 35k miles of "thumb" over the last 20 years) is about $175k/mile for two conduit and 144 fiber. Note: this is good for optical ground wire on long-haul electrical transmission lines, as well as buried.

      So $50 million buys .285714285714 of a mile, or 1508.57142857 feet or 459.8126 meters.

      Thank god we're saved!!

      Costs $175k/mile, and $50 million gets a little over a quarter mile? Sign me up for that contract! That's a nice profit margin.

    3. Re:Cost of a Mile of Fiber: about $175k by Anonymous Coward · · Score: 0

      For sure I want that contract, even at 175k/mile. I AM an ISP and we have done a mile of bury for as little as 10k. Sure some miles cost more than others, never done more than 50k/mile for fiber. I am sure in a big city that cost goes up some and a lot of that 175k might be ask/use fees.

  11. Solution by fox171171 · · Score: 1

    Disconnect it from the internet, and give me my $50 million.

    1. Re:Solution by Anonymous Coward · · Score: 0

      Ignorant answer is ignorant.

  12. Re:Coronal Mass Ejection for Life On Earth, Alex.. by wyHunter · · Score: 1

    Given the idiocy of agents of the government, can you blame 'em for saying that regulation is bad? (never mind that in the USA anyway we're one of the most regulated countries on earth..)

  13. Re:Coronal Mass Ejection for Life On Earth, Alex.. by Anonymous Coward · · Score: 0

    Actually a perfectly valid defense (which people won't like, so will probably be ignored) is to just shut the grid down prior to the magnetic disturbance reaching the Earth. This would result in a temporary grid-wide blackout. Since the magnetic disturbance reaches Earth after the light, we would have sufficient advance notice to shut the grid down.

    captcha: current

  14. $50 million advice by manu0601 · · Score: 1

    Here is my bid: you cannot secure that stuff, just unplug it from the net.

    Where do I collect my $50 million?

  15. Really fucking expensive. by Anonymous Coward · · Score: 1

    Most SCADA systems are commissioned and qualified at great expense and left to run for decades. Upgrades are extremely expensive to perform. Think $millions.

    Patching and BIOS upgrades need to be vendor-qualified before installation - no-one will take the risk of the lights going out because of an unqualified patch. Vendors are getting better about independent patch releases, but that doesn't help older systems.

    Your key protection is retarded. You've reduced the search space to 26!/17! which is searchable in weeks for a modern nation state.

    Panic button to shut down the network? WTF. Do you have any idea what would happen to the grid or pipeline if you just hit a panic button and shut down its network? You'd be reading about large long-term outages as damage gets repaired. Even on a smaller scale - if you shut down the network in a confectionery plant they'd be dismantling buildings to remove vats filled with solidified hard-boiled candy. Fail-safe conditions may be human-life-safe, but are often extremely inconvenient.
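
The SSH key passphrase scheme in item 5 of the "Well" checklist and the search-space objection raised in the last comment can be put in numbers. The following is an added example, not code from any poster: it assumes digit d of a decimal serial maps to letter d (0-indexed) of the reordered key word, that serial numbers are not secret, and it leaves out the "change the key based on the third or second to last number" variation; all function names are illustrative.

```python
"""Keyspace of a serial-number-derived passphrase versus a random one.

Assumptions (not from the thread): digit d maps to key[d], 0-indexed;
serials are decimal strings; the serial itself is readable off the device.
"""
import math
import secrets

ALPHABET_SIZE = 26
KEY_LENGTH = 10  # one key letter per decimal digit 0-9


def validate_key(key: str) -> str:
    """Return the upper-cased key, or raise if it is not 10 distinct letters."""
    key = key.upper()
    if len(key) != KEY_LENGTH or not (key.isascii() and key.isalpha()):
        raise ValueError("key must be exactly 10 ASCII letters")
    if len(set(key)) != KEY_LENGTH:
        raise ValueError("key letters must not repeat")
    return key


def check_serial(serial: str) -> str:
    """Accept only non-empty ASCII decimal serials."""
    if not (serial.isascii() and serial.isdigit()):
        raise ValueError("serial must be a non-empty decimal string")
    return serial


def derive_passphrase(serial: str, key: str) -> str:
    """Substitute each serial digit with the key letter at that index."""
    key = validate_key(key)
    return "".join(key[int(d)] for d in check_serial(serial))


def key_space_bits() -> float:
    """log2 of the number of ordered 10-letter keys with no repeated letter."""
    return math.log2(math.perm(ALPHABET_SIZE, KEY_LENGTH))


def passphrase_bits(serial: str) -> float:
    """Uncertainty in ONE device's passphrase when its serial is known.

    Only the letters assigned to the digits that occur in the serial matter,
    so a short or repetitive serial gives far less than the full key space.
    """
    distinct = len(set(check_serial(serial)))
    return math.log2(math.perm(ALPHABET_SIZE, distinct))


def determined_by(known_serial: str, fleet: list[str]) -> list[str]:
    """Fleet serials whose passphrase is fixed once one pair is disclosed.

    Every device shares the same digit-to-letter table, so a single disclosed
    (serial, passphrase) pair fixes the passphrase of any device whose serial
    uses only digits that appear in the disclosed serial.
    """
    known = set(check_serial(known_serial))
    return [s for s in fleet if set(check_serial(s)) <= known]


def random_passphrase(nbytes: int = 24) -> str:
    """Independent per-device passphrase from the OS CSPRNG (8 bits per byte)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    key = "ABCDEHKLOS"                      # reordered key word from the post
    fleet = ["0012", "2101", "3120", "999"]  # constructed sample serials
    print("passphrase for serial 123:", derive_passphrase("123", key))
    print(f"full key space: {key_space_bits():.1f} bits")
    print(f"serial 123 alone: {passphrase_bits('123'):.1f} bits")
    print("fixed by disclosure of serial 120:", determined_by("120", fleet))
    print("random alternative (192 bits):", random_passphrase())
```

A randomly generated passphrase has to be stored somewhere, for example in a password vault, which is the trade-off the derivation scheme was trying to avoid.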