Slashdot Mirror


Department of Energy Invests $50 Million To Improve Critical Energy Infrastructure Security (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Today, the Department of Energy (DOE) is announcing awards of up to $50 million to DOE's National Laboratories to support early stage research and development of next-generation tools and technologies to further improve the resilience of the Nation's critical energy infrastructure, including the electric grid and oil and natural gas infrastructure. The electricity system must continue to evolve to address a variety of challenges and opportunities such as severe weather and the cyber threat, a changing mix of types of electric generation, the ability for consumers to participate in electricity markets, the growth of the Internet of Things, and the aging of the electricity infrastructure. The seven Resilient Distribution Systems projects awarded through DOE's Grid Modernization Laboratory Consortium (GMLC) will develop and validate innovative approaches to enhance the resilience of distribution systems -- including microgrids -- with high penetration of clean distributed energy resources (DER) and emerging grid technologies at regional scale. The project results are expected to deliver credible information on technical and economic viability of the solutions. The projects will also demonstrate viability to key stakeholders who are ultimately responsible for approving and investing in grid modernization activities. In addition, the Department of Energy "is also announcing 20 cybersecurity projects that will enhance the reliability and resilience of the Nation's electric grid and oil and natural gas infrastructure through innovative, scalable, and cost-effective research and development of cybersecurity solutions."

31 of 51 comments

  1. $50 million? by PopeRatzo · · Score: 5, Insightful

    They better add a few zeroes to that.

    --
    You are welcome on my lawn.
    1. Re:$50 million? by ls671 · · Score: 1

      This is just PR, what is really critical is the Strategic Petroleum Reserve of the United States ;-)

      https://en.wikipedia.org/wiki/...

      --
      Everything I write is lies, read between the lines.
    2. Re:$50 million? by taiwanjohn · · Score: 1

      Yeah, like China did recently, on top of the investments they've been making already for the last decade at least.

      --
      XML is like violence. If it doesn't solve your problem, you're not using enough of it. --AC
    3. Re:$50 million? by K. S. Kyosuke · · Score: 1

      early stage research and development

      If "early stage research and development" of something costs $50M plus a few zeroes, then that "something" must be either warp drive research or the cure for death. I don't think this is it.

      --
      Ezekiel 23:20
    4. Re:$50 million? by PopeRatzo · · Score: 1

      If "early stage research and development" of something costs $50M plus a few zeroes, then that "something" must be either warp drive research or the cure for death. I don't think this is it.

      The F-35 "fighter" jet program will cost $1.1 trillion, and doesn't include a warp drive or immortality.

      --
      You are welcome on my lawn.
    5. Re:$50 million? by angel'o'sphere · · Score: 1

      It does not? include a warp drive?
      I'm disappointed.

      What did the Apollo program cost in 'modern dollars'?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    6. Re:$50 million? by WheezyJoe · · Score: 1

      They better add a few zeroes to that.

      This. $50mil is like change stuck in the couch of the Federal Government, not enough to do anything but maybe fund a study that will produce a paper in 8 months that nobody will read. And then there's that "up to" part to really let the air leak out of the balloon.

      This is a big country, with a huge, interconnected, antiquated power grid that needs complete re-thinking in a world of public and private solar, heat waves, hurricanes, hackers and insecure control equipment, and a population more dependent than ever on a reliable supply of electricity. Of course, the DOE is under the command of a man who pledged to abolish it, so I wouldn't expect any miracles. But "up to $50 million" won't inspire much of anything.

      --
      Take it easy, Charlie, I've got an Angle...
    7. Re:$50 million? by K. S. Kyosuke · · Score: 1

      That $1.1 trillion is not "early stage research and development", though. I was under the impression that that was the total cost of everything associated with the program until EOL. Not just the physical airplanes, but fixing them for fifty years, paying for the pilots etc. etc.

      --
      Ezekiel 23:20
  2. Coronal Mass Ejection for Life On Earth, Alex... by GerryGilmore · · Score: 4, Funny

    Seriously - The Economist magazine recently had a great article (https://www.economist.com/news/world-if/21724908-huge-potential-impact-rich-countries-prolonged-loss-electricity-disaster) highlighting A) the catastrophic effect on civilized life and B) the ridiculously low cost of preventive measures and C) as always, the lack of political will, coupled with a lack of technical knowledge across broad swaths of our populace and - especially! - politicians married with a "gubmint regulations are bad, M'Kay!" mentality and you have potential disaster looming. Don' worry, though, the latest version of Apple's iPhone will have an app to fix that! :-)

  3. I'll take 10 million by Khyber · · Score: 1

    And I'll just take your electrical grids off the fucking internet. There, highly secure (physical attacks only.) Saved you 40 million so you can play with figuring out the oil and gas side of things.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:I'll take 10 million by Bob the Super Hamste · · Score: 3, Informative

      I see someone has no idea of what they are talking about in this regard. Here is the current standard that grid operators have to comply with. Also here is what is currently being asked of suppliers by the grid operators when getting a new system. Add in that the systems be benchmarked against these or these is also becoming written into the contracts now. I would assume that operators in the oil and gas industry either have similar things or are at least smart enough to re-purpose the above, as the effort to do so would be minimal. A lot of the security efforts for securing the grid are not to protect it from the general internet; they are already separated, and if not, the company fucked up really bad and if NERC finds out the company will be paying some huge fines, so let NERC know. Instead the security is to protect the control system from stupid users who find a USB rubber ducky in the parking lot or connect their corporate laptop to the control network, from someone doing malicious things out at some remote substation that then gets into the main control system, or from a malicious insider. The people going after the grid are professionals and more often than not state actors, not little Timmy from down the street who just found out about Low Orbit Ion Cannon or Armitage.

      --
      Time to offend someone
    2. Re:I'll take 10 million by Mr D from 63 · · Score: 1

      I see someone has no idea of what they are talking about in this regard.

      Please, stop with the facts. It's more fun to just assume 'it's all connected to the internet', so we can all say how stupid and negligent they are. We don't need to have a clue, it's /.

    3. Re:I'll take 10 million by Khyber · · Score: 1

      "I see someone has no idea of what they are talking about in this regard."

      I see someone fails to remember how IBM researchers hacked and gained remote control of a nuclear fucking reactor.

      You think these power companies are actually complying with regulations? You better open your eyes, sonny boy. If the penalty for non-compliance is less than the profits made from non-compliance, they will choose to not comply. This is how you have companies like Oncor in Texas fucking things up royally.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    4. Re:I'll take 10 million by Khyber · · Score: 1

      Fucking inserting HTML when I select plain text. Thanks, Slashdot. If the penalty of non-compliance is less than the profits gained by non-compliance, they'll choose non-compliance.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:I'll take 10 million by Bob the Super Hamste · · Score: 1

      Well, considering that NERC CIP penalties can be $1,000,000 a day for each violation, they are taken seriously. The IBM incident you mention was actually one of the many that have been a big driving force for the successive NERC CIP regulation updates that have come since. My major complaint about the NERC CIP regulations is that they are too open to interpretation by auditors and there is a bit too much coziness between the auditor and the operator. Thankfully in the last few years power companies have started to fear NERC more, starting when CIP v5 was out but not enforced yet. The existing regulations don't go far enough, there is a lot of room for improvement, but they are better than just about any other industry's. Having worked with NERC, it is a slow and sometimes painful process but things will continue to get better. The Europeans are in an even worse situation and the operators elsewhere in the world who do want security always want to ensure that they are compliant with NERC CIP even if NERC doesn't have jurisdiction.

      --
      Time to offend someone
  4. Re:$50 million = half an F-35 Fighter Jet by pntkl · · Score: 1, Interesting

    Of course, energy security isn't nearly as important to Americans as.......

    Energy security should be among the top items of the list of critical needs. We could certainly afford to invest heavily. A great crux of the problem is that it requires adapting to its realities, after we hit key milestones/plateaus. With optimal handling of energy markets, we could likely diminish corruption and more importantly diminish difficult to measure discrepancies in reporting, without providing a broken vacuum that requires immediate fulfillment. It could even provide an outlet for abandoning fiat currencies and fractional reserve banking. However, such changes would likely require drastic changes for much of the status quo. People would have to put aside many ideas they've hurt one another over, time and time again.

    Hard to believe our leaders collectively plan for our survival beyond a few fleeting moments with such abysmal investment in things like energy security--it seems largely left to the fortunes or misfortunes of the market. Natural monopolies that last longer than the limitations of technology dictate them being natural end up asking us to call their great depletion a favorable gain (bah). And apparently, we are still collectively okay with our state of being. We all seem to quickly forget what we see each time we walk away from a mirror.

  5. Well by buss_error · · Score: 4, Interesting

    I'm all for that. But how expensive is it to block port 23 and change the BIOS of SCADA systems so that the first thing to be configured is a password?

    I have seen power, water, sewer, and traffic systems put into production with an internet gateway that had telnet open, with default admin credentials that are well known.

    I have a few "go to" things for the rare occasions I'll take a consulting gig on.

    1. nmap the device. Secure the open ports.
    2. No default passwords, and it's best if you can change the admin account name to something non-standard.
    3. patch patch patch
    4. Secure SSH so that only ssh key access is allowed. No username/password.
    5. Create a key for each device. Best if you create the key with a password - I usually use the serial number of the device obfuscated. So if the serial number is 123, then the password for that key would be zyx or some simple transposition. I usually use a 10 letter word whose letters don't repeat. INTRODUCES, BLOCKHEADS, CORNFLAKES - and I usually reorder them so it doesn't spell a word, e.g. BLOCKHEADS to ABCDEHKLOS. And change the key based on the third or second to last number.
    6. Firewalls, firewalls, firewalls. Limit port access to only those IP's you know and control.
    7. Trust nothing completely. Defense in depth.
    8. Construct "alarm" data and configure deep packet inspection to look for those alarm data and trigger an alert.
    9. Ensure you have a panic button to shut down the network.

    There are other things, a bit more subtle to go into.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
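The nmap, port-23 and key-only-SSH items in the list above, as an added example that is not part of buss_error's post or of any product the thread mentions: a POSIX shell script that reads the effective value of an sshd_config keyword the way sshd does (the first uncommented occurrence wins), audits a config file for key-only logins, and lists hosts exposing telnet in an `nmap -oG` scan. The file names, the two config files and the two-host scan output are constructed for the demo; the script assumes only sh, awk and mktemp.

```shell
#!/bin/sh
# Added example, not from the thread above. Checks two items from the list:
# "block port 23" and "only ssh key access is allowed, no username/password".
# File names and sample contents below are constructed for the demo.

# Effective value of a keyword in an sshd_config. sshd uses the FIRST uncommented
# occurrence of a keyword, so a hardened line appended below a vendor default
# "PasswordAuthentication yes" changes nothing. Conditional "Match" blocks are out
# of scope here, so scanning stops at the first one.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Returns 0 if the file enforces key-only logins, 1 otherwise (findings on stdout).
audit_sshd() {
  f=$1; rc=0
  [ "$(sshd_effective "$f" PasswordAuthentication)" = no ] ||
    { echo "PasswordAuthentication is not 'no'"; rc=1; }
  # PAM can still prompt for a password through keyboard-interactive auth unless
  # this is off too (older releases call the keyword ChallengeResponseAuthentication).
  [ "$(sshd_effective "$f" KbdInteractiveAuthentication)" = no ] ||
  [ "$(sshd_effective "$f" ChallengeResponseAuthentication)" = no ] ||
    { echo "keyboard-interactive authentication is not 'no'"; rc=1; }
  [ "$(sshd_effective "$f" PubkeyAuthentication)" != no ] ||
    { echo "PubkeyAuthentication is 'no'"; rc=1; }
  [ "$(sshd_effective "$f" PermitRootLogin)" != yes ] ||
    { echo "PermitRootLogin is 'yes'"; rc=1; }
  return $rc
}

# Print "host port/proto service" for every open port in an `nmap -oG` file.
# Grepable lines are tab-separated; the Ports field is a comma-separated list of
# port/state/proto/owner/service/rpc info/version/ entries.
gnmap_open_ports() {
  awk -F'\t' '/^Host:/ && /Ports:/ {
    split($1, h, " "); host = h[2]
    ports = ""
    for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) ports = substr($i, 8)
    n = split(ports, p, ", ")
    for (j = 1; j <= n; j++) {
      split(p[j], f, "/")
      if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
    }
  }' "$1"
}

# Hosts exposing telnet (23/tcp): the "block port 23" item in the post.
telnet_hosts() {
  gnmap_open_ports "$1" | awk '$2 == "23/tcp" || $3 == "telnet" { print $1 }'
}

# Constructed samples: a vendor-style sshd_config, a hardened one, a two-host scan.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/weak.conf" <<'EOF'
# vendor default shipped with a gateway
PermitRootLogin yes
PasswordAuthentication yes
# appended later by an admin, but sshd ignores it: first match wins
PasswordAuthentication no
EOF
cat > "$DEMO/hardened.conf" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers ops
EOF
printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 502/open/tcp//mbap///\tIgnored State: closed (997)\n' > "$DEMO/scan.gnmap"
printf 'Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///\n' >> "$DEMO/scan.gnmap"

audit_sshd "$DEMO/weak.conf" || echo "weak.conf: FAIL"
audit_sshd "$DEMO/hardened.conf" && echo "hardened.conf: OK"
echo "hosts with telnet open:"; telnet_hosts "$DEMO/scan.gnmap"
```

Two things the list glosses over and the script makes explicit: an sshd_config that has been "hardened" by appending lines still honours the first occurrence of each keyword, so the audit has to resolve the effective value rather than grep for the hardened line; and turning off `PasswordAuthentication` alone is not "no username/password", because keyboard-interactive authentication through PAM can still prompt for one until it is disabled too.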
    1. Re:Well by Anonymous Coward · · Score: 1

      You forgot some points but I won't pedantically bore everyone pretending I'm the authority on them.

    2. Re:Well by Anonymous Coward · · Score: 1

      I'm all for that. But how expensive is it to block port 23 and change the BIOS of SCADA systems so that the first thing to be configured is a password?

      I have seen power, water, sewer, and traffic systems put into production with an internet gateway that had telnet open, with default admin credentials that are well known.

      I have a few "go to" things for the rare occasions I'll take a consulting gig on.

      1. nmap the device. Secure the open ports.
      2. No default passwords, and it's best if you can change the admin account name to something non-standard.
      3. patch patch patch
      4. Secure SSH so that only ssh key access is allowed. No username/password.
      5. Create a key for each device. Best if you create the key with a password - I usually use the serial number of the device obfuscated. So if the serial number is 123, then the password for that key would be zyx or some simple transposition. I usually use a 10 letter word whose letters don't repeat. INTRODUCES, BLOCKHEADS, CORNFLAKES - and I usually reorder them so it doesn't spell a word, e.g. BLOCKHEADS to ABCDEHKLOS. And change the key based on the third or second to last number.
      6. Firewalls, firewalls, firewalls. Limit port access to only those IP's you know and control.
      7. Trust nothing completely. Defense in depth.
      8. Construct "alarm" data and configure deep packet inspection to look for those alarm data and trigger an alert.
      9. Ensure you have a panic button to shut down the network.

      There are other things, a bit more subtle to go into.

      If the 'the grid' control networks looked like a corporate network, this might make sense. But 'the grid' is really a huge number of segmented and isolated networks, of varying levels of actual control or risk, most of which have much of the security you describe. Some improperly isolated networks or ones missing some protections probably exist, but they are outliers and can't bring down the greater system.

      There is a need for communication between some of the networks across the grid, and that is where extra diligence and R&D might not be bad idea, unless you feel you've thought of everything.

    3. Re:Well by angel'o'sphere · · Score: 1

      My favourite admin user/password is:
      User: 'Ruth'
      Passwd: 'geh heim' :P

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  6. Re:$50 million = half an F-35 Fighter Jet by PopeRatzo · · Score: 2

    An F-35 costs a minimum of $165 million, so that $50 mil is less than 1/3.

    https://www.bloomberg.com/news...

    --
    You are welcome on my lawn.
  7. Re:f' that- it's time to get the government out by dehachel12 · · Score: 1

    'government out' leads to another instance(large corporations) taking power. Government still has a tiny bit of oversight(elections)

  8. Re:Coronal Mass Ejection for Life On Earth, Alex.. by Gravis Zero · · Score: 1

    Don' worry, though, the latest version of Apple's iPhone will have an app to fix that! :-)

    Oh no! But I choose healthcare instead. ;)

    “Maybe rather than getting that new iPhone” Americans “should invest in their own healthcare” - Rep. Jason Chaffetz

    --
    Anons need not reply. Questions end with a question mark.
  9. Cost of a Mile of Fiber: about $175k by Required Snark · · Score: 1

    Here is a rough estimate as of 2015 from Quora:

    For long haul, my rule-of-thumb (based on 35k miles of "thumb" over the last 20 years) is about $175k/mile for two conduit and 144 fiber. Note: this is good for optical ground wire on long-haul electrical transmission lines, as well as buried.

    So $50 million buys .285714285714 of a mile, or 1508.57142857 feet or 459.8126 meters.

    Thank god we're saved!!

    --
    Why is Snark Required?
    1. Re:Cost of a Mile of Fiber: about $175k by Scarred Intellect · · Score: 1

      Here is a rough estimate as of 2015 from Quora:

      For long haul, my rule-of-thumb (based on 35k miles of "thumb" over the last 20 years) is about $175k/mile for two conduit and 144 fiber. Note: this is good for optical ground wire on long-haul electrical transmission lines, as well as buried.

      So $50 million buys .285714285714 of a mile, or 1508.57142857 feet or 459.8126 meters.

      Thank god we're saved!!

      Incorrect.

    2. Re:Cost of a Mile of Fiber: about $175k by fox171171 · · Score: 1

      Here is a rough estimate as of 2015 from Quora:

      For long haul, my rule-of-thumb (based on 35k miles of "thumb" over the last 20 years) is about $175k/mile for two conduit and 144 fiber. Note: this is good for optical ground wire on long-haul electrical transmission lines, as well as buried.

      So $50 million buys .285714285714 of a mile, or 1508.57142857 feet or 459.8126 meters.

      Thank god we're saved!!

      Costs $175k/mile, and $50 million gets a little over a quarter mile? Sign me up for that contract! That's a nice profit margin.

  10. Re:$50 million = half an F-35 Fighter Jet by sheph · · Score: 1

    I agree that energy security should be more of a priority. But as someone who actually works on software that controls the electrical grid I can tell you a lot of the problem is management. They want things, don't understand the security ramifications, and then when you point them out they call you paranoid. You could fix that today with $0. R&R defective management. It's not that we don't know what to do. It's that we're not allowed to.

    --
    I don't believe in karma, I just call it like I see it.
  11. Solution by fox171171 · · Score: 1

    Disconnect it from the internet, and give me my $50 million.

  12. Re:Coronal Mass Ejection for Life On Earth, Alex.. by wyHunter · · Score: 1

    Given the idiocy of agents of the government, can you blame 'em for saying that regulation is bad? (never mind that in the USA anyway we're one of the most regulated countries on earth..)

  13. $50 million advice by manu0601 · · Score: 1

    Here is my bid: you cannot secure that stuff, just unplug it from the net.

    Where do I collect my $50 million?

  14. Really fucking expensive. by Anonymous Coward · · Score: 1

    Most SCADA systems are commissioned and qualified at great expense and left to run for decades. Upgrades are extremely expensive to perform. Think $millions.

    Patching and BIOS upgrades need to be vendor-qualified before installation - no one will take the risk of the lights going out because of an unqualified patch. Vendors are getting better about independent patch releases, but that doesn't help older systems.

    Your key protection is retarded. You've reduced the search space to 26!/17! which is searchable in weeks for a modern nation state.

    Panic button to shut down the network? WTF. Do you have any idea what would happen to the grid or pipeline if you just hit a panic button and shut down its network? You'd be reading about large long-term outages as damage gets repaired. Even on a smaller scale - if you shut down the network in a confectionery plant they'd be dismantling buildings to remove vats filled with solidified hard-boiled candy. Fail-safe conditions may be human-life-safe, but are often extremely inconvenient.