Massive Power Outages In Brazil Caused By Hackers 462
Hugh Pickens writes "CBS reports on 60 minutes that a massive two-day power outage in Brazil's Espirito Santo State affecting more than three million people in 2007, and another, smaller event in three cities north of Rio de Janeiro in January 2005, were perpetrated by hackers manipulating control systems. Former Chief of US National Intelligence Retired Adm. Mike McConnell says that the 'United States is not prepared for such an attack' and believes it could happen in America. 'If I were an attacker and wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer,' says McConnell, 'I would probably sack electric power on the US East Coast, maybe the West Coast and attempt to cause a cascading effect.' Congressman Jim Langevin says that US power companies need to be forced to deal with the issue after they told Congress they would take steps to defend their operations but did not follow up. 'They admit that they misled Congress. The private sector has different priorities than we do in providing security. Their bottom line is about profits,' says Langevin. 'We need to change their motivation so that when see vulnerability like this, we can require them to fix it.' McConnell adds that a similar attack to the one in Brazil is poised to take place on US soil and that it may take some horrific event to get the country focused on shoring up cyber security. 'If the power grid was taken off line in the middle of winter and it caused people to suffer and die, that would galvanize the nation. I hope we don't get there.'"
Good luck with that (Score:5, Insightful)
Probably impossible.
As we all should know by now, impenetrable security doesn't exist. What we should probably have is tighter backup power for essential services and places like hospitals, where local redundancy could help in the face of a remote 'hacker' type attack
Places where there is a lot of danger for people without electrical power don't need billions spent on the security of their power systems. They need redundancy, generators in their buildings that could be used to keep people alive, batteries, and common sense.
Oh well, let's spend a bunch of money on fear like we always do.
Otherwise summarized as: (Score:2)
Movie at 10.
Re:Otherwise summarized as: (Score:5, Funny)
Unsecure infrastructure networks vulnerable to internet based attack.
Movie at 10.
Movie Postponed due to power failure.
Re:Good luck with that (Score:5, Interesting)
there's the attitude: There is always somebody out there smarter than you, and there is always going to be a bug or security vulnerability somewhere in the system.
There was an interesting blog in the economist magazine pondering what else could be done with the 680 billion the US spends annually on defense.
While the US has spent a trillion in Iraq the chinese have spent a trillion improving their infrastructure.
Re: (Score:3, Interesting)
Re:Good luck with that (Score:4, Insightful)
Re: (Score:3, Interesting)
I'm suddenly curious at whether, statistically, this use of the word steal garners as much commentary as the copyright infringement use of the word steal does, on slashdot.
Re: (Score:3, Informative)
Uh, in what made up world?
http://www.globalsecurity.org/military/world/spending.htm [globalsecurity.org]
We can't go improvin' our infrastructure now, that'd be socialist and SCARY
And we can't rely on our socialist defense now can we? That'd be socialist and SCARY too... Oh wait.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
It is easy to say that a data center needs its own source of standby power, but there are a lot of industries where a one minute outage causes a six to twelve-hour restart time, and the margins are far too thin to support the additional generation infrastructure.
I know a few people putting in multi-megawatt fuel cell systems, but these have the same restart-time problem that the utility grid has, which is ultimately the problem.
The easiest fix at a utility scale is to increase the amount of spinning reserve
Smart grid makes it more exposed to hacking (Score:3, Insightful)
Re: (Score:3, Interesting)
Ten years ago when I last toured an ISO's command center, they were able to project load to within 0.5% 24 hours in advance. Granted, spinning reserve was higher back then, but the fundamental logic hasn't changed much.
So I am lost as to what the smart grid is actually supposed to do, aside from a fancy version of automated demand-response. It wouldn't be fast enough to actually function as "protection".
Re: (Score:3, Insightful)
So each facility evaluates its energy reliability needs. Some may come to the conclusion that they need higher reliability than what the local utility provides. But today, that's just based on gut feelings. Because there is no reliability or 'uptime' standard to which utilities must adhere. And as a result, there's no marginal price for additional MTBF or grid uptime. So people who think they need better reliability just go out and buy their own genset.
In some ways, this is analogous to servers. Everyone ca
Re: (Score:3, Interesting)
Impenetrable security may not exist, but good security and crappy security do exist. We'd rather have good than crappy, but the power companies would rather spend on executive bonuses than on good security.
We do need improved security on SCADA (like making it REALLY separate from the internet and business LANs), but that's not billions in cost. As you point out, backup power is good.
More resiliency in the grid is a big one. If the grid has adequate spare capacity it can tolerate a few sudden losses and can
Re: (Score:3, Interesting)
Maybe it might be for the best to have SCADA controlling systems airgapped, or at the least, if people want reports from the systems, have locked down machines that poll them and then copy the results to another network. You could have two boxes on separate networks that communicate text solely through a serial cable (no PPP or SLIP, just data passed as a stream through the cable from the inside box to the outside one. Perhaps even cut the RX+ and RX- lines going to the inner box for maximum security) to
Re:Good luck with that (Score:5, Insightful)
As we all should know by now, impenetrable security doesn't exist.
Totally impenetrable physical security doesn't exist, but totally impenetrable electronic security most certainly does. It's quite simple to make something completely immune to hacker attacks over the internet: disconnect it from the internet!
Why the nation's power grid control absolutely needs to be tied into the internet, I have no idea. Maybe someone in the field can enlighten me. But if this is a big concern, it seems like it'd be pretty to eliminate the security threat by not having any control over the power grid exposed to the internet. If someone needs to exercise some control over the system, they have to get in their car and drive to the power plant.
Of course, this wouldn't prevent someone from sneaking in somehow, but that's a far more remote danger than some hacker on the internet (who could be anywhere in the world, and probably not anywhere near your power plant) gaining access.
Re:Good luck with that (Score:5, Insightful)
As we all should know by now, impenetrable security doesn't exist. What we should probably have is tighter backup power for essential services and places like hospitals, where local redundancy could help in the face of a remote 'hacker' type attack
Places where there is a lot of danger for people without electrical power don't need billions spent on the security of their power systems. They need redundancy, generators in their buildings that could be used to keep people alive, batteries, and common sense.
This isn't about impenetrable security. This is about taking basic precautions about known attack vectors. For example, many of these systems are not fail safe so an attacker can actually cause a generator to physically destroy itself. Since these generators are very specialized pieces of equipment, you don't just go to Home Depot and pick up another one.
It is not enough to protect hospitals, etc. A prolonged loss of power to the northern part of the US in the depths of winter would be devastating. Even with backup power supplies, no one has plans to deal with a month of no electricity.
This isn't about spending money on fear. It is about naively ignoring a threat and hoping it will never happen. We need to find a way to force utility companies to take these threats seriously and the only way to do that is to have financial penalties for lax security.
Re: (Score:3, Insightful)
Still worried about the possibility of remote hacking from a guy who spent too much time climbing trees in hi
Re: (Score:3, Insightful)
Probably impossible.
As we all should know by now, impenetrable security doesn't exist.
Maybe not. But a good first step would be to not connect critical infrastructure to the internet.
Re:Good luck with that (Score:5, Insightful)
Oh well, let's spend a bunch of money on fear like we always do.
Terrorists are the least of out worries here in the midwest US. In the winer we have ice storms, in the spring and summer we have storms and wind. An outage caused by hackers probably wouldn't last lomg here, but when a tornado rips through and destroys every utility pole and the equipment hanging from them, it'll take a while to get back on line.
When the tornados ripped through here in 2006, [slashdot.org] as I walked through the destruction in search of a hot cup of coffee the next day, the thing I thought most was "If Bin Laden saw this he'd give up. No way could a terrorist do this much damage!"
The threat is narural events. The danger from terrorists is minimal.
Re: (Score:3, Insightful)
prove it, damn defeatists always claim that a perfect system is impossible. Hire competent workers ...
And there's your problem right there.
Even the DoD and the CIA still hire the occassional spy and give them top secret security clearance.
If bad actors can't crack the hardware or software, they will always find a problem exists between keyboard and chair.
Re:Good luck with that (Score:5, Funny)
Comment removed (Score:5, Insightful)
Re:So... (Score:5, Informative)
Re: (Score:3, Informative)
Remote access and e-mail notifications more often drive the internet connections we have seen. When facility engineering is out-sourced, it becomes even more complicated, because there is fundamental conflict in the way the contracts are written-- the Owner might require all security go through them, but they don't allow the facility engineers to be on their network.
Usually you end up with a DSL connection and a "firewall router." Usually it is just a monitoring network, but control seems to creep in more
Comment removed (Score:5, Insightful)
Re: (Score:2)
why cant you just string a data line right below the transmission lines?
Why bother? You already have the high tension line. Run the data on that. Physical security against most attackers is built in by the numerous volts sitting on the line already, and by the redundant network already in place. IT security should be no worse than you already have on the internet, and you should be exempt from attacks by casual hackers because they don't have easy access. Concerted attacks by dedicated evil-doers are another matter, because anyone can gain access. but the evil-doers are g
Re:Why? (Score:4, Insightful)
There is no need to reinvent the wheel, the power companies should just be using proper compartmentalization techniques to dig some trenches between the internet and their systems.
Re: (Score:2)
Why would one not use fibre optics, to avoid such interference?
Re: (Score:3, Insightful)
Yes, if only someone would invent a way to transmit data using light, maybe over a long fibre of some transparent material...
Hit'em in their wallets (Score:5, Interesting)
Exactly right, this is a capitalist society, ran on making money. If they won't integrate safety systems to protect the system properly from hacker attacks, hit them in the wallet, hard. Pass sound regulation to force them to implement safeguards, require inspections/audits that they are done, not just take their BS word for it. If all they give you is hot air and no implementation, fine them millions of dollars, and on a regular basis if needbe til they implement it.
Re: (Score:2, Insightful)
Re: (Score:2, Insightful)
But how much energy can congress really expect them to expend defending against imagined threats?
There's nothing imagined about any of these threats. They are very, very real. What we know about is scary enough, what we may yet learn could be truly frightening. Maybe you caught that little part in the story where the military is having some of their computer chips made overseas. I wonder how much money you'd think it would be worth to stop four of five of our own Predators and Reapers from bombing US
Northeast Blackout of 2003 (Score:2)
You spend the money in such a way as to make the system generally more robust, not just against terrorist attacks, but also against acts of nature, disgruntled employees, criminal extortion, and sheer human idiocy.
A lot of US infrastructure has been desperately vulnerable for years. How many terrorists would it take to black out fifty million people in North America? Apparently zero.
Remember the Northeast Blackout of 2003 [wikipedia.org] ?
If the reporting was accurate, that affected 55 million people across eight US s
Re: (Score:3, Interesting)
Exactly right, this is a capitalist society, ran on making money. If they won't integrate safety systems to protect the system properly from hacker attacks, hit them in the wallet, hard.
This is the fundamental point. Those with the ability to secure the system need to be the ones paying for breeches. Bruce Schneier had several good articles around this point. The main example being banks/credit card companies paying for fraud. If they could just push that onto the customer, there would be far more instances of fraud. Instead, they take responsibility for the whole system and customers are far better off for it.
Re: (Score:3, Interesting)
Credit card companies push the consequences of fraud onto stores and such. Those stores that choose to accept credit card payments factor the risk of fraud into the prices they charge. The credit card companies do attempt to protect their customers from fraud, but only because they wouldn't make any money if they didn't have any members (they also work with stores to prevent fraud, as they figure it will lead to clearing more transactions).
The credit card companies certainly don't pay for fraud though.
Re: (Score:2)
breeches[brich-iz]
-noun (used with a plural verb)
1. Also called knee breeches. knee-length trousers, often having ornamental buckles or elaborate decoration at or near the bottoms, commonly worn by men and boys in the 17th, 18th, and early 19th centuries.
2. riding breeches.
3. Informal. trousers.
--Idiom
4. too big for one's breeches, asserting oneself beyond one's authority or ability.
Re: (Score:2)
Re: (Score:2, Funny)
Thats crazy talk. Here is the solution:
1) It's government regulation that is the problem. If the government would just loosen the regulations a little the power companies would be able to make more money. Then they could spend that money on other things like security, safety, and protecting the environment.
2) We should allow power companies to join the RIAA. Once hackers know they will face life imprisonment for copy right infringement, they will too scared to do anything. While we are at it, why not just g
Re:Hit'em in their wallets (Score:4, Insightful)
Well, the energy sector has traditionally been heavily regulated, and works well compared to the huge mess the deregulated banking system made of itself. You do realize that the government took over the banking sector because the bankers failed to run it?
Re: (Score:3, Insightful)
"Well, the energy sector has traditionally been heavily regulated, and works well compared"
Well excepting for that Enron/Dynegy/Reliant/Williams thing where they nearly bankrupted California manipulating the electricity market, shutting off power plants to create artificial shortages for example, and FERC mostly sat on the sidelines watching.
And then of course there was oil spiking to $140 a barrel due to market manipulation, though chances are you can probably blame a fair bit of that on Goldman/Citi and o
Re:Hit'em in their wallets (Score:5, Insightful)
Yes, of course! The government has already taken over the banking sector, the mortgage sector, the automotive sector, is about to take over the healthcare sector, so fuck it - the government may as well take over the energy sector as well. I can't wait until they take over food distribution - I've always wanted to know what it's like to stand in line for a loaf of bread all day.
I am not a fan of government intervention either, nor do I like what was done with banking and automobiles. Having said that, this isn't what is being proposed here. If the electric utilities must comply with laws mandating that they meet or exceed a minimum standard of security, this would be much more like the way local Board of Health requires that restaurants handle food in ways that prevent food poisoning. The Board of Health does not own the restaurants and it does not choose their management; it just periodically inspects them and can shut them down if there are egregious violations. Something similar could be worked out for the power companies when it comes to security.
Re:Hit'em in their wallets (Score:5, Insightful)
If they won't integrate safety systems to protect the system properly from hacker attacks, hit them in the wallet, hard. Pass sound regulation to force them to implement safeguards, require inspections/audits that they are done, not just take their BS word for it.
Yes, of course! The government has already taken over the banking sector, the mortgage sector, the automotive sector, is about to take over the healthcare sector, so fuck it - the government may as well take over the energy sector as well. I can't wait until they take over food distribution - I've always wanted to know what it's like to stand in line for a loaf of bread all day.
The great blackout of 2003, which took out the north east united states and a good chunk of ontario, was caused by deregulation (removing the requirement to clear the branches around the power lines [wikipedia.org]).
Quebec, which has state-owned power (Hydro-Quebec) was not hit hard by that blackout, because it keeps its grid out of phase with those dangerously unregulated parts around it.
Learn the lesson: You can't trust the greedy to run critical infrastructure.
Re:Hit'em in their wallets (Score:5, Informative)
The great blackout of 2003, which took out the north east united states and a good chunk of ontario, was caused by deregulation (removing the requirement to clear the branches around the power lines [wikipedia.org]).
Quebec, which has state-owned power (Hydro-Quebec) was not hit hard by that blackout, because it keeps its grid out of phase with those dangerously unregulated parts around it.
Learn the lesson: You can't trust the greedy to run critical infrastructure.
Misleading and incorrect.
1. The article your cited does not state that the blackout was due to deregulation "removing the requirement to clear branches around the power lines." It states, quite clearly, that the main cause was due to a generating plant going offline, then several power transmission lines going offline (or "tripping") due to tree contact. Nowhere does it say that deregulation had anything to do with that sequence of events.
Since you're too busy being pedantic and patronizing to look for this follow-up info, here's the keywords you need: “Utility Vegetation Management Final Report,”
At first glance, Rule 218 seems clear in its intent, but it has historically generated a great deal of
industry discussion regarding what it actually requires. For example, the use of the word
“should” versus “shall” points to its application as a general guideline, not a mandate. More
importantly, Rule 218 does not specifically state that clearances should be “maintained”
between energized lines and vegetation. While some have argued that it can be interpreted as a
“no-touch rule”, the industry has not interpreted it to require that mandatory clearances be
maintained at all times.
You have to FORCE them to do their job right, or else they'll argue that they don't have to, and they'll let their negligent ways cause major inconveniences for millions of people.
Re:Hit'em in their wallets (Score:5, Interesting)
The government regulates the energy sector, and look at what we have: a system that has not imploded on itself, the way the banks nearly did. Sounds like a pretty solid strategy to me -- and given the attacks in Brazil, it sounds like the government should add some new regulations to the list for energy companies, in the interest of national security.
Re: (Score:3, Informative)
and that we then deregulated the banks,
We did not deregulate the banks. We removed some of the regulation, but we did not deregulate them. You can't do some things half-way and have them not fail. We had too much regulation to make them be fully deregulated and therefore not fail, and too little regulation for them not to fail. We can't know what would happen if banks were fully deregulated because they were not (and don't even bring up the great depression because there was again, too much regulation to be free and too little to be controlled
Re:Hit'em in their wallets (Score:5, Informative)
We did not deregulate the banks.
Not completely, but enough to cause the financial mess. The Glass-Steagal act was passed in the Depression to prevent future disasters like that. It worked, until the Act was overturned in 1999/2000 by a Republican congress and Bill Clinton. Then we got a real estate bubble and a meltdown.
Yeah, but a system that is still a pain. Lets see, if I'm unhappy about the level of service of my current utility what are my options? Not a whole lot. If I don't like my bank there are at least 5 within about 5 miles where I live.
Apples and oranges. What do you propose? 10 sets of power lines running everywhere? There's a reason utilities are highly regulated monopolies: because it's simply impractical and absurd to have multiple power companies, multiple (landline) phone companies, multiple cable companies servicing the same areas. They tried this with telephones in the early 1900s in Manhattan and it was a disaster; you can find photos on the internet showing the ridiculous telephone poles with hundreds of wires on them. Maybe you'd like to have dozens of water and sewer pipes running everywhere too.
If you don't like your power company, you're free to buy a generator and make your own power. Part of living in a society means giving up some of your freedoms, and freedom of choice is definitely one of those. You can't choose your government (at least without agreement from your fellow voters), and you can't choose your utilities. Deal with it.
Or you know, how about allowing utility companies to actually compete for prices, service and security.
Compete against who? No one wants dozens of sets of power lines running through their neighborhoods. Stop being idiotic.
Re:Hit'em in their wallets (Score:4, Insightful)
We can't know what would happen if banks were fully deregulated
read a little history [virginia.edu], young man.
Lets see, if I'm unhappy about the level of service of my current utility what are my options? Not a whole lot.
Exactly. They are beholden to the shareholders, not their customers. They're a monopoly and don't have to care about their customers. A lot of the financial mess we're in now is a result of businesses that aren't monopolies acting as if they were.
My utility company is owned by the city. If they piss me off I'll not vote for the incumbant mayor (an dthat's happened here before). As a result, we get cheap dependable power.
Or you know, how about allowing utility companies to actually compete for prices, service and security.
And how do you go about that? Have ten different power grids in your town with ten electric companies, all with their own poles and cables? Utilities are a natural monoploly and NEED to be heavily regulated. Actually, natural monopolies shouw be owned by the city or state. It's the only way they can be held accountable to the people who pay them.
Re: (Score:2)
government has already taken over
Welcome to the beginning of The New World Order...
Internets... (Score:5, Insightful)
I don't see why they can't just buy a phone line for each power station and link to central stations (also with NON-Internet-facing systems) like that.
Re: (Score:2)
That's not the worst. There are stories of medical systems running Windows, connected to the internet, and shutting down at one point because of an autorestart from Windows Update.
Security (Score:5, Interesting)
Most systems here in the US are only secure because they're obscure. Someone who has worked in the industry for more than about a year has enough knowledge to cause some widespread destruction. Up until recently, the emergency broadcast service was only a phone number and modem, with no authentication!
No Security (Score:5, Interesting)
Up until recently, the emergency broadcast service was only a phone number and modem, with no authentication!
The CATV company I work for had a crazy insecure ebs system. It was these ancient boxes in the head ends that just watched for a carrier on a certain freq in the return path. Once it saw any carrier it would flip over the EBS system and all the audio on our analog channels would go down. This carrier came from another dumb box that was in the main head end. That box was triggered by a unsecured phone line and all you needed to do was know the number to it. All anyone needed to spam 250K customers was a telephone.
The whole system looked like it was built by some ham radio op with parts from RadioShack in the 1980's.
We only got rid of this system LAST YEAR after some prankster with a signal generator figgered out how to trigger one of the dumb boxes. We now have a new system with scrolling text across the screen and clear audio... though I wouldn't be surprised if it was just as half assed as the old system.
Im posting this AC because coworkers know my /. nick :)
Re: (Score:2)
I concur. Airports are the same way, and still this way. Many are running standard PLCs like Allen-Bradley or Modicon. They are connected directly to a modem line with no authentication. So grab yourself a copy of RSLogix or Unity Pro, dial into these places, and have fun modifying the ladder logic and wreak havoc on the airport as all bags get re-routed to who knows where. I've seen the same issues with power plants and water treatment facilities.
The only upside is that the modem line isn't hooked up all t
Re: (Score:3, Funny)
wreak havoc on the airport as all bags get re-routed to who knows where.
Is that not standard airline practice?
Hell the bags might end up at the right place for once.....
Re: (Score:2)
Most of the systems are controlled by PLCs. Most PLCs to this day have no access control whatsoever. Some of the attempts at "security" I've heard for PLCs are salesguy technobabble. (The password is stored on the PC being used to access the PLC; the PLC retrieves the password FROM THE PC in order to verify the validity of the user. No shit, this is what a major vendor told me.)
A kid with a laptop with the right software, a modem, and knowledge of a few phone numbers could take out significant infrastru
Re: (Score:2)
A kid with a length of chain and a potato gun could also take out some significant infrastructure in the power industry. Physical security is important as well.
Re: (Score:3, Funny)
Hehe... Back when I was in the Air Force, we had a squirrel shut down the entire base for 8 hours. S/he crawled into the main power station, and committed suicide across the breakers, blowing up a good chunk of the station and about 100' of main feeder line.
Today no doubt the press would have whipped up frenzy about a "possible terrorist attack" with artistic renderings of the squirrel in mufti....
Nostalgia (Score:3, Insightful)
Re: (Score:3, Interesting)
To be fair, almost no amount of prevention could begin to equal the cost of a truly major event like a significant amount of the US power grid being down for more than a brief flicker.
You need SCADA security (Score:4, Informative)
I work for a company involved in SCADA systems that control half of Australia's water supply and a fair bit of the country's power grid.
SCADA networks have evolved, out of convenience, to coexist with existing LANS and thus progressively have become more dependent on TCP/IP protocols, thus becoming (rather by default) Internet-enabled.
Vulnerabilities are to some degree covered by the RTU programming, which has built in safeguards against doing wrong things. But it's not impossible for a dedicated hacker to create a bit of havoc, and this point is not lost on our client base. Our clients are actively investing now to isolate SCADA networks from the Internet, because safety has to overrule operational convenience. Work is going on now, and the door is fast closing on this avenue of attack.
It's all about SCADA. Little intelligent valves in little steel boxes attached to a lot of industrial plant. It's automation, true, but there are rather a lot of eyes watching it.
Re: (Score:2)
most of the control protocols have no authentication built into them either, in fact none of the ones i've worked with. maybe the newer ones do?
Re: (Score:2)
I'm not aware of any that do? Off the top of my head I can think of CIP, Modbus, Ethernet/IP, Profibus, ProfiNET, DeviceNet, and CANOpen and none of these have any authentication. At best, some of these like CIP have security through obscurity, but others like Modbus are completely known specifications.
Re: (Score:2)
hey, while you're spending money to do that, why not also spend the small chump change it would take to harden our grid against EMP and geomagnetic disturbances?
Re: (Score:3, Insightful)
Then again I could just take my $2000 plasma cutter, $500 generator and $6000 hilux and head up into the mountains and take down three or four high voltage towers and kill power to about 8 million people for a week or more and be home before nightfall. Just in time to laugh at all of you while you scream in hysteria demanding quadzillions be spent on protecting over hyped "attack vectors".
Talk about not seeing the forest for the trees...
But as long as it's protected by fancy sounding acronyms it appears th
Like we'd respond that well (Score:5, Insightful)
If 9/11 was any indication, our national response would be characterized by...
Only in my wildest fantasies would such an attack mobilize the country to have a rational, balanced cyber-security posture.
Re:Like we'd respond that well (Score:4, Funny)
"RIAA/MPAA sleezeballs capitalizing on it in ways I don't even want to contemplate."
When you install photoelectric panels, you're BURNING our fossil fuel industry!
Passive home heating is like passive smoking: IT KILLS! Insist on genuine 2000 Megawatt active air conditioning from a certified generation station.
You wouldn't steal a car... so why build a windmill? Just because all your friends are doing it doesn't make it right!
Firewood is BOLSHEVISM!
California power embargo of 2000/1 (Score:5, Interesting)
So the enron-organized power embargo hitting california in the summer of 2001 is now being recognized as terrorism? The central valley and inland empire areas hit 100+ degrees most summer days. Wonder how many elderly died, or had their lifespans shortened due to heat stress during the rolling power outages.
Naive Population (Score:3, Insightful)
Re: (Score:3, Insightful)
The government is just a corporate sock puppet, and blaming the government is one of the oldest tricks in the corporate handbook.
1) Lobby for deregulation
2) Profit
3) Shit hits the fan
4) Blame the goverment
5) GOTO 1
Well, Duh! (Score:2)
Obviously the evil terrorist hackers would have to attack the electricity distribution via the control centres on the internerd, the power companies long ago stipulated that all pylons and power poles be made of adamantium and be guarded 24/7 so there is no feasible way to attack the wires strung all over the fricken country.
Is this a cover... (Score:2)
Liberals (Score:5, Funny)
I haven't been modded troll or flamebait in a long time, just thought I'd try it out.
Hmm... (Score:2)
Reading this article, I was thinking this security guy is exaggerating and playing down at the same time.
First of all, in the U.S. many companies use so much crap when it comes to IT that it makes me sick, so everything is possible. However, I think it is much more probable many systems will blow up on a large scale without any malice involved, but just due to incompetence and negligence.
At the same time this guy admits the U.S. is actively preparing and maybe even conducting cyber-warfare against other cou
From Experience (Score:4, Informative)
Having worked at a utility in an IT consulting position I've had some experience supporting/implementing the control systems for a reasonably large scale SCADA system.
What I've come across is the people running/maintaining the SCADA system often don't have a Security/IT background, they have an electrical engineering or similar background. This can often make discussions about firewalls - TCP/IP and routing challenging. On top of this, most of the guys (and it is guys) involved are older, engineering types with the culture and communication differences that that implies. They are often very reluctant to let IT in to their systems to assist. Workstations/servers are often not visible to standard IT management processes like patch management and antivirus because of inter-group politics.
We run into the classic security vs. usability argument. More security often makes it more difficult for them to do their job (at least for them) and is also much harder to implement, maintain and troubleshoot.
A lot of systems have historically been serial and have migrated over to IP gradually. This has often been done without adequate planning and analysis, resulting in a system that is deemed successful because it works, not because it is secure.
Money as always is a factor. I know for a fact the enhanced security version of the SCADA solution was NOT installed, as it was too hard and too expensive and as a result was put off until later.
In our case, all the devices and RTUs out there come in over a private network, NOT the internet. This traffic is in the process of being encrypted with IPSEC. The weak point is and will always be the client devices or terminals. Remote access to these is the achilles heel of any system. Having such systems completely separate should be a requirement, but is often put aside in the name of usability for workers to get access from home, or the ability to access the internet from the control PC.
The requirements for criticial infrastructure exists and has done for some time, ISO27002 and NERC have a huge number of requirements. Good luck finding a utility that complies with all of them.
A horrific incident may be the catalyst to have changes made. But in the meantime it's down to money, silos and politics.
If the power grid is so vulnerable, why hasn't... (Score:5, Interesting)
...it been taken out in the U.S.?
If there's a dozen guys pissed off and zealous/brave/willing/stupid enough to hijack planes and fly them into buildings, surely there's 100s more pissed off guys with m@d sk1llz who could do this, and wouldn't be held back because it's not a suicide mission, and doesn't directly burn thousands to death in an ensuing fire and crash.
And I'd wager that hacking the power system is probably a decidedly less resource-intensive activity than even small-scale physical attacks (bomb/gun/kidnapping/etc), the participants can engage in almost total anonymity, and there's no messy explosives/weapons to buy or store or get caught with. All this means its something that even a lone crank could pull off, opening the doors to a whole panoply of groups with gripes, including or especially all manner of domestic crackpots. You don't need Al Quaalude or zillions of dollars or a complex intelligence network.
Forcing the grid offline and in a way that kept it down/brain damaged for any length of time over 48-72 hours, especially if it was widespread, would have such a cascading effect and probably spawn anarchy. At a minimum billions lost, thousands killed, possibly riots or widespread civil disorder. Katrina times 9/11. So the effect would be substantial and easily deniable, making it the kind of thing China or Russia or any other competitive major power might want to do just to fuck with the Americans and keep them off balance.
Yet it hasn't happened here or Western Europe or most modern Asian countries. Why?
Re:If the power grid is so vulnerable, why hasn't. (Score:4, Informative)
>
Yet it hasn't happened here or Western Europe or most modern Asian countries. Why?
Well, at least where I work, we no longer allow modems to be attached to any equipment. This is a huge cost item; that means we have to fly in a tech with a laptop for several thousand dollars when something goes down instead of allowing the factory to dial in on their modem.
We choose to do this as we are a "major" target - a medium sized public utility. I would guess many of the smaller utilities don't have the resources to do this. So it's a question of targets; if someone was to study the network, they could identify a weak small utility that could bring down a larger utility that would then cascade to a major failure down the line. I'd guess it hasn't happened because the outcome is uncertain and not guaranteed; our operators are pretty damn good at taking care of upstream failures.
Re: (Score:3, Interesting)
Yet it hasn't happened here or Western Europe or most modern Asian countries. Why?
Because the enemies you keep hearing about, are neither as a numerous nor as powerful as your government would like you to believe.
It suits the agenda of those in power, to have a public who are so shit-scared about terrorists, that they will accept any indignity, any intrusion into their lives, any loss of freedom... just to make the terrorism fear go away.
Why these systems are connected to the Internet (Score:3, Interesting)
I know all the comments are about to come flooding in that these systems should be air gapped from the Internet, but that isn't practical in today's environment. These systems need to be indirectly connected to the corporate networks, because the data is valuable to the companies. Much of this is due to deregulation. Since deregulation electric utilities no longer operate as islands with their own generation, transmission and customers. Since nobody liked monopolies in the energy industry, the pieces aren't necessarily owned by the same companies anymore. Energy is also bought and sold in a market environment with prices changing all the time and the information is exchanged over the Internet. If you want to see the current Megawatt Hour (MWh) prices in the midwest check out http://www.midwestiso.org/page/LMP+Contour+Map+(EOR) [midwestiso.org]. Needless to say air gapping isn't practical in today's environment.
and the attack stopped (Score:5, Funny)
just because the hacker didn't have an UPS...
goes good with popcorn (Score:4, Insightful)
Oh yeah, well if I were an attacker, I would build a gravity weapon so powerful that it would pull the moon out of its orbit and crash it into the earth.
OR I would create a poison so potent that just a few drops of it in any lake would kill everyone within a 5-mile radius.
OR I would plant thermonuclear bombs in the capitals of the 10 largest cities in the U.S. and detonate them all at once.
See, Mike McConnell? It's easy to invent terrorist movie plots [schneier.com]. If they gave out awards for Most Creative Terrorist Strategies That Would Never Work, you all all of your three-letter agencies would win first prize every time.
Part of it has to do with (Score:3, Interesting)
Obvious solution (Score:3, Insightful)
Why the hell is this so hard to figure out? Hold cooperation responsible for the negative effects caused by their negligence. Power going out because a skilled hacker found an exploit that the best security experts couldn't find is one thing. But power going out because the IT dept. at the power company decided that they didn't need to take basic security measures is another, that's negligance.
If people die because the power went out and the power went out due to negligence (i.e. some 15 year old managed to ssh into the power plant and fuck everything up because the root password was "password") then charge the company with criminally negligent homicide.
We don't need some special, new incentive to get companies to protect the public interest. We just need to remove all of the immunity we've given the companies. The only question we have to answer here is why the fuck did we give companies immunity from the consequences of their actions?
I disagree with the military... I am brazilian... (Score:5, Insightful)
The blackout in 2005 was a human failure. One transmission line went down, the team recovering that line made a mistake and instead of activating the repaired line disabled the backup line. Result: 3 states withou electric power.
The blackout in 2007 was due a circuit breaker shutting down one line, the same happening after in the backup line, that could manage the excess load (this happened during peak hours, 5 p.m. during a working day).
Ok, these are official explanations and the blackouts may have been caused by evil hackers but, in this case, the brazilian government made an excelent job holding that information for years, leaking now thanks to an american former military that may have some vested interest spreading fear.
2 cents..
cyber bullshit .. (Score:3, Insightful)
Authorities blame human error for Jan.1 blackout - Brazil [bnamericas.com]
A power cut
Re: (Score:3, Funny)
Can you guys dream about Canadian currency being valued at 50% when we export and 500% when we import?
Thanks in advance.
Re: (Score:2)
It's possible, but it's also possible to take out the energy infrastructure of the USA with conventional methods.
There's a book 'Barracuda 945' in which an Arab man, brought to England as a youngster, grows up and joins the military, rises in the ranks to Major, and is then sent to Israel on a mission. He is struck by certain events there, and decides to defect to the Arabs. He uses his military skills to make friends, influence people, and rob a few banks, amassing a huge amount of money. He then comes up
Re:guess what's next ? (Score:5, Informative)
Enron demonstrated that it was possible for a single employee to shut down a power station remotely, simply by calling the control centre from an Enron office, giving his name and position, and asking politely whether it would be possible for the plant to have an impromptu maintenance shutdown for a few hours please, and yes, he did appreciate that once it was shut down it'd take a while to start it up again.
That's how brokers caused the plant shutdowns that caused the brownouts that allowed Enron to gouge electricity prices in California, by charging for the emergency rerouting required to patch the problems that they'd just deliberately created.
So back in the Enron days, you wouldn't have needed two nuclear subs. Just one guy with a telephone, calling all the power stations in turn and asking each of them nicely if they could shut down at a predetermined time and go into "heavy maintenance" mode, but please not to discuss this with anyone else, because of company confidentiality (or because of security).
BTW, you know how you take out the conventional phone and mobile networks? You don't have to. Once the emergency services see the power stations going down and think there's a coordinated attack, they shut down all the public communications as a security measure. You get that for free. So the Employee tells the plant to shut down as a security measure because the NSA has tipped them off that Something Bad is going down, and for God's Sake not to power up again under any circumstances unless they get a particular codeword (which, of course, nobody else has). All the plants shut down together, a bunch of pre-programmed scare stories break on the net, this seems to support the tale that the employee told about there being an imminent security thing, the phone lines and media communications go dead, and by the time people have worked out what's happened, nobody can get through to the power plants to tell them that they've been conned. And when they do, they don't have the fake password. You then have the local power guys desperately defending their plant from the local enforcement guys who want to turn it back on, and perhaps even sabotaging it if they look like they're about to lose.
Telephones are dangerous things. Hopefully it wouldn't work nowadays, because people are more savvy about such things (and because they remember the Enron tapes).
Re:guess what's next ? (Score:5, Interesting)
You hit the problem for today - the social engineering, how the command hierarchy works and that's much more dangerous than any "computer" virus or whatever. I have worked on nuclear power, stock exchange, banking (even Swiss!), military, public safety, hospital, etc environments and they used to have "fail safes" against this kind of problems - now, today, those "fail safes" are often disabled because of business, profits whatever? And it's scary!
Enron couldn't be possible 20 years ago, at least not in environments, countries and corporations I was working at that time, too tight security / control but today?
Anyhow, back to the original subject, the technology is there - it was there in 80's when I was involved to some nuclear / power control systems. Is the knowledge / will there today is another question. Almost seems that this "maximizing profits" is even accepting the problems (for public) as long as the business can make more?
Re: (Score:2, Funny)
Are you suggesting censorship? I think the current modding system does the trick in most cases, but if you'd like I'm sure a slashdot.cn can be arranged.
Re:Your official guide to the Jigaboo presidency (Score:5, Insightful)
Because the remedy for bad speech is more speech. Censorship is never justified. If a post gives you the vapors, stop reading it. A free society is one where it's perfectly fine to stand on a soapbox and make a fool of yourself. I'd like Slashdot to stay as free as possible.
Re: (Score:2)
A free society is one where it's perfectly fine to stand on a soapbox and make a fool of yourself. I'd like Slashdot to stay as free as possible.
By that standard, slashdot is the epitome of freedom. With emphasis on the 'pit'. 8^)
Re: (Score:2, Insightful)
Why can't people stop biting on lame cut'n'paste trolls?
Re:Those gosh-darned HACKERS again (Score:5, Insightful)
Yep. We lost the terminology war a decade ago. It's time we deal with it.
Re: (Score:3, Informative)
Barbarians.
Re:America? (Score:5, Insightful)
English is defined by customary usage. If you said "In America" to 100 English speakers, MAYBE one would include any other country than the US. If you're lucky.
Re:America? (Score:5, Informative)
I'm a Canadian, and I've lived throughout Canada. I have NEVER met anybody outside the Internet who thinks American, in spoken English, means anything other than somebody from the United States of America (North American, maybe, but never "American"). There are a significant portion of them that would be insulted to be themselves referred to as Americans; the rest (aslo a significant portion) would simply be amused.
It's not about not being the whole world. It's about how the language is used. What the hell does your crowd call Canadians, anyway? Can't be "United Statesians", since there's more than one United States in the world.
I assert (based on admittedly anecdotal evidence) that if you ask a random sampling of 100 native born English-speaking Canadians, probably less than 1 and certainly less than 5 would think "American" would refer to anything else but people from the USA.
And I think you know that too, if you're truly Canadian. Although it's a big country, maybe you live in some small enclave where that flies among your friends. I've spent most of my time in the most populous parts of the country. But certainly national television *always* uses American to refer to people from the USA.
Re: (Score:2)
"In America" certainly includes any country in either North or South America
We do not use the term "America" as a geographical set of the continents "North America" and "South America". Similarly, we don't say that someone is in "Dakota", because that territory no longer exists. We always say "North Dakota" or "South Dakota".
However, "America" *is* commonly used around the world as an abbreviated form of "The United States of America".
Re: (Score:2)
I agree. There should be an airgap between the internet and these kinds of things. Or maybe it is time to move them over to one of the other networks that exist that are airgapped (physically disconnected) from the internet.
Re: (Score:3, Informative)
Yes.
There is actually more than one way to turn them off (safeguards and such), but the actual generator button at my plant is both big and red. Additionally, it's not wired in to the system. The safeguards are also physically wired to cause trips. There are also redundancies built in to ensure those trips and they're hardwired. At best, for the plant that I work at, a hacker could operate a non-critical component. That's assuming they could get throug