Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

US One Step Closer To Electric Grid Cyberguards

Soulskill posted more than 4 years ago | from the take-off-your-shoes-before-replacing-that-fuse dept.

Power 74

coondoggie writes "The US Department of Energy this week officially opened up the bidding for a National Electric Sector Cyber Security Organization that would protect the nation's electrical grid from cyber attacks. According to the DOE, the agency has set an aggressive goal to meet the nation's need for a reliable, efficient, and resilient electric power grid, as well as improved accessibility to a variety of energy sources for generation. In order to achieve this, an independent organization is needed (PDF) to provide executive leadership to facilitate research, development, and deployment priorities; identify and disseminate best cybersecurity practices; organize the collection, analysis, monitoring, and dissemination of infrastructure vulnerabilities and threats; and enhance cybersecurity of the electric grid, including control and IT systems."

cancel ×

74 comments

Sorry! There are no comments related to the filter you selected.

Easy (3, Insightful)

Anonymous Coward | more than 4 years ago | (#31709278)

Disconnect those systems from the internet and make sure the networks they connect to are not connected to the internet.

If they want to be able to monitor, then add sensors as needed and connect that system to the internet.

Dumbasses, all around.

Re:Easy (2, Insightful)

nobodylocalhost (1343981) | more than 4 years ago | (#31709418)

Um... Ok, you have a closed network over hundred miles of wires, what stops me from doing a "on the wire" attack? Just because something is not connected to the internet does not make it physically safe. unless you wrap your communications wire with high voltage power wires... then, it would be rather difficult to perform a physical attack.

Re:Easy (1)

Jurily (900488) | more than 4 years ago | (#31710128)

Ok, you have a closed network over hundred miles of wires, what stops me from doing a "on the wire" attack?

The fact that you're in China. We're talking about cyber attacks. For everything else, there's a rather expensive military.

Re:Easy (1)

JesseL (107722) | more than 4 years ago | (#31710150)

And the only attacks you have to worry about are from people who are overseas and couldn't possibly get here or have contact with sympathizers here?

Re:Easy (1)

Runaway1956 (1322357) | more than 4 years ago | (#31712430)

As JesseL points out - an agent or thousands of agents in the US can gain access, despite the fact that they are furriners. I'll go a wee bit further - much of the "command and control" being installed today is wireless. From a military point of view, wireless has ALWAYS been the least secure method of communications. You'll find that this has been doctrine since the earliest wireless sets. Whatever you broadcast is going to be recieved by the enemy, to be decoded at his leisure. With wire, at least you can detect that your signal is being intercepted.

Re:Easy (1)

ls671 (1122017) | more than 4 years ago | (#31712668)

> With wire, at least you can detect that your signal is being intercepted.

Not necessarily, search around...

Re:Easy (1)

Runaway1956 (1322357) | more than 4 years ago | (#31715430)

Hmmmm. Depending on your hardware, and your capability with your hardware. Let's say that in more than 99% of cases, any security oriented agency, such as the military, knows when one of their lines is open. With any wireless transmitter, you KNOW the line is open to interception. No guesswork involved with that! ;^)

Re:Easy (2, Interesting)

FooAtWFU (699187) | more than 4 years ago | (#31709492)

And then someone splices onto an ethernet connection of the trusted network and brings the whole thing down. Which is easy, since that network is all over the place.

An air-gap solution is one quick and simple line of defense, sure. But I'd rather have real cryptographically-secure authentication on all the relevant systems than an air-gap defense.

Re:Easy (1)

Dragoniz3r (992309) | more than 4 years ago | (#31710090)

Well, if there's one thing we know for sure, it's that a government-contracted program will result in a real cryptographically-secure solution, rather than whatever seems cheapest!

Re:Easy (1)

Khyber (864651) | more than 4 years ago | (#31711650)

"An air-gap solution is one quick and simple line of defense, sure. But I'd rather have real cryptographically-secure authentication on all the relevant systems than an air-gap defense."

How about we go back to pure switch-controlled stuff, and get rid of the network completely? You want it safe, make it so the ONLY way to fuck with the system is to either dig up a wire and cut it (enjoy your electrocution knowing most moronic terrorists) or actually be at the control booth flipping the switches.

Seriously, this kind of shit does NOT need network connectivity. Does NOBODY remember some researchers gaining access to the controls of a nuclear powerplant from the outside? [forbes.com]

Re:Easy (1)

Runaway1956 (1322357) | more than 4 years ago | (#31712492)

Khyber should be modded "insightful" - but he will probably be modded down, if at all. The problem is, everyone thinks in terms of cost efficiency today. And, that is the very reason everything has been networked. No one is willing to position a human being, with all the inherent costs, somewhere that he can manually control anything.

Which is weird, since we have millions of Americans sitting around in their Mama's basements and/or in the projects, contributing nothing to society, sucking in those welfare checks.

Re:Easy Not quite (2, Informative)

AJ Mexico (732501) | more than 4 years ago | (#31709662)

Disconnect those systems from the internet

Remember, a lot of these are old school systems. I know that a lot of remote SCADA (Supervisory Control and Data Acquisition) equipment was never on the Internet. Why? Because it had a modem instead. The electric utilities upgrade their stuff at glacial speed. I bet a lot of that stuff is still out there, and still has a modem connected and has weak to no security.

Re:Easy (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31711004)

Sigh. You just don't understand. You're right, but you don't get it. SCADA systems are STUPID. Really stupid. Most of the people that work with them, being programmers are also stupid.

Let's start with monitoring. Most of the hardware that does control has only a single port. The really expensive pieces may have a few. They communicate over a proprietary protocol that I guarantee you there is almost no standard for. Various standards *may* exist by industry, but almost nobody implements it correctly. In my particular industry, people can't agree whether to index at 0 or 1 in the documentation--it's a constant source of confusion.

Now--that one port exists for both command, reporting and control. Hooking up *one* device to it works. If you want to have one device to read, and another to control, you need an expensive wire level switch that can handle RS232/485 switching. And of course, that has to be on a control system...

The real problem is--people don't want to think or understand what they're doing. From the moment we hook up a monitoring device, most customers realize within days that we should have the capability to do control. Of course, the reporting is unsecured--primarily at the user's own request.

When they decide they want to issue remote control, they *want* to do it through the readings interface, so they can see the changes side-by-side in realtime. They want to do it in IE5 or IE6 (we support 7 and 8 these days). They want to use their username or company name as the password. I've had people complain to the CEO because we have a 'password policy' on the website now. "Come on man, we're not the CIA"--they're right--it's not the CIA--it's just the remote controls to $100,000 of compressor station available via XML interface over the internet...

You can say industry's the problem--I'm knowingly writing insecure software. But the real problem is the people buying it--don't request it, don't demand it--and won't pay even a cent extra for it. In fact, some of them won't buy secure software because it's inconvenient. My inability to immediately provide remote-control access to a type of refinery...to the telnet client on somebody's blackberry is believed to have been a major contributing factor to a lost bid.

This shit is already out there. It's not regulated, and the market won't handle it. I'm capable of writing the software, but to be honest--the clients deserve the problems they have coming. I know it's not PC to say that--but it's the truth. They've failed to contain risk at every step, cut every corner possible, gone for the lowest bid at EVERY step regardless of the loss of features.

But you should see a CEO's or the sales dudes face light up like a kid at Christmas when you show him the ability to shut off a remote site by pushing three buttons on his IPhone...

Re:Easy (1)

jc42 (318812) | more than 4 years ago | (#31712004)

Disconnect those systems from the internet and make sure the networks they connect to are not connected to the internet.

Unfortunately, most of today's management will interpret this as a physical, wired connection. We see that in some of the replies already, which assure us that an "air gap" is a solution.

But this computer I'm typing on has no wires connecting it to anything, and it's on the Internet. I could have pulled my "smart phone" out of my pocket and typed this reply on it. The days in which an air gap provided security are now completely over, and anyone who uses such a phrase merely exposes their ignorance.

And we're rapidly reaching the stage where nearly everything has a wireless connection to the Internet. If you have a new car, there's a good chance that it is permanently connected wirelessly, even if a large percentage of the owners don't realize this. There are a number of cameras that have wifi and/or GSM capability. And so on, with smaller and smaller devices as the months go by.

Getting this across to the current generation of management is going to be a problem.

Re:Easy (0)

Anonymous Coward | more than 4 years ago | (#31712274)

The days in which an air gap provided security are now completely over, and anyone who uses such a phrase merely exposes their ignorance

An air gap is still an important security measure, but it assumes you have physical control of the network and resources. If your site-site connection is over wires (internet or not), then you don't have physical control of your network. The whole point of the air-gap is to prevent outsiders from attacking you. If your inside employees aren't trustworthy or are just plain ignorant of good security practices, they too can defeat the benefit of an air-gap. Just ask all the military guys on classified networks (the ones who coined the term airgap).

The basic answer still has to be, if you don't need internet connectivity then do not connect to it and expose yourself.

Re:Easy (0)

Anonymous Coward | more than 4 years ago | (#31712050)

The control computers are IBM AIX Unix machines. The problem is that over the last 10 years the computers that are now used to talk to the control computers has been moved from other Unix machines to windows machines and those machines are not restricted from the Internet. Some even have dual NIC cards to allow the use on the internet on one side and access to the grid controlling computers. Like a compromised Windows box that connects the the control grid..... (oh no just lost power!!) .....

Re:Easy (1)

hesaigo999ca (786966) | more than 4 years ago | (#31746842)

What you propose is so common sense, and yet they make it sound like great feats of engineering to come up with them....seriously all they need is to control access to the systems, and limit the apps on each machine, no chat clients or internet, your less bound to use them for other things then monitor power grid consumptions etc...
Also, I tend to think you under simplified the problem....dumb-asses need to go, and get some real geeks in place

3 step plan (2, Insightful)

Jurily (900488) | more than 4 years ago | (#31709284)

1. Don't put key systems on the internet
2. ???
3. PROFIT!

Re:3 step plan (2, Insightful)

snooo53 (663796) | more than 4 years ago | (#31709340)

The thing is, you've got remote substations, lines, generators, etc... that all have to communicate with your control system. Just because a network isn't on the internet, doesn't mean it's not vulnerable to attack, especially when those nodes may be hundreds of miles away.

Re:3 step plan (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31709372)

The issue here is cyber-security. How else would the government cause outages to blame on pedophiles^W terrorists^W China? How else would they be able to cut the power to Michigan and Montana when the popular revolts begin?

Are you suggesting that the government should send teams to every substation to flick the switches? What is this, the dark ages?

-- Ethanol-fueled

Re:3 step plan (1)

Jurily (900488) | more than 4 years ago | (#31710146)

Just because a network isn't on the internet, doesn't mean it's not vulnerable to attack, especially when those nodes may be hundreds of miles away.

What exactly is the job of the military, again?

Re:3 step plan (2, Interesting)

LordAndrewSama (1216602) | more than 4 years ago | (#31711230)

Install dictators in foreign nations with lots of oil, then replace them when they get uppity?

Re:3 step plan (1)

Khyber (864651) | more than 4 years ago | (#31711680)

"The thing is, you've got remote substations, lines, generators, etc... that all have to communicate with your control system. Just because a network isn't on the internet, doesn't mean it's not vulnerable to attack, especially when those nodes may be hundreds of miles away."

I seem to remember this magical thing called broadband over powerline. Yes, let's see you tap into a 75,000kV line and get access to that data.

Re:3 step plan (1)

Drivintin (917847) | more than 4 years ago | (#31709390)

I can't agree with this enough, not every machine needs to be able to access the web. Granted you could probably gain access via a gateway system, but just the other day I watched a customs agent while it was slow play on the web. Seems like those guys would have access to a lot of data just to be sitting there playing on the web from their own workstation!

Re:3 step plan (2, Interesting)

pilgrim23 (716938) | more than 4 years ago | (#31710296)

I can already look at my "Smart" meter on the Net. now if I could just write to it. anyone know how to jailbreak a electric meter?

Re:3 step plan (0)

Anonymous Coward | more than 4 years ago | (#31712722)

most of them operate at the 900mhz single. The older ones are transmit only, new ones are for DSM that can shut off devices in your house are two-way.

I have a great way to protect against cyber-attack (2, Insightful)

Ender_Stonebender (60900) | more than 4 years ago | (#31709300)

I have a great way to protect the power grid against cyber-attacks: Don't connect it to the internet!

If there's no route to the power grid's control computers via the internet, then there's no way that a cyber-attack could affect it. And no, this doesn't mean that power companies can't connect to the internet to accept bill payment or requests to connect/disconnect service - just that they shouldn't allow anything critical to be CONTROLLED over the internet - and it also doesn't mean that they can't have a private TCP/IP network that for sharing information among their various systems, which obviously is something that they will want to optimize the power grid and power production to get maximum return on their high capital investments.

Re:I have a great way to protect against cyber-att (3, Interesting)

Doc Ruby (173196) | more than 4 years ago | (#31709364)

No, we should have both a secure infrastructure and an infrastructure that benefits from connecting to the public Internet. And a public Internet that benefits from connecting to the secure infrastructure.

What you're saying is like saying we shouldn't run railroads across the Wild West because it's Wild. We needed both complete railroad networks, and a governable West. And we got both. And then we got everything else that could follow on a governable, railroad accessible West.

The American Way is to do some things because not because they're easy, but because they're hard. Because those hard things yield the greatest rewards. Including proving we can do anything worthwhile we want, even when the easy cop out beckons.

Re:I have a great way to protect against cyber-att (1)

maxume (22995) | more than 4 years ago | (#31709604)

Too bad there are barely any indians left to kill.

(I don't think people living today are particularly responsible for the crimes of history, but we can choose what we glorify)

Re:I have a great way to protect against cyber-att (2, Funny)

Low Ranked Craig (1327799) | more than 4 years ago | (#31710116)

There are a billion Indians to kill, but they haven't done anything to me so I vote for leaving them alone. Besides, the Pakistanis have dibs from what I've heard.

Re:I have a great way to protect against cyber-att (1)

Doc Ruby (173196) | more than 4 years ago | (#31711072)

This time around we don't kill the "indians". Instead of invading and genociding the cultures already on the Internet, we secure our lines on them. Unlike material domains, there's infinite room on the Internet for everyone. But we should allow anyone who wants to live there securely that option, even if people want to live out in the open at their own risk.

Re:I have a great way to protect against cyber-att (1)

maxume (22995) | more than 4 years ago | (#31711092)

I wasn't criticizing your point about securing the internet, I was pointing out that it is pretty crass to talk about the taming of the West in these terms:

The American Way is to do some things because not because they're easy, but because they're hard. Because those hard things yield the greatest rewards. Including proving we can do anything worthwhile we want, even when the easy cop out beckons.

I suppose you could wave your hands around and say that isn't what you were doing, but that's what I saw.

Re:I have a great way to protect against cyber-att (2, Insightful)

BitterOak (537666) | more than 4 years ago | (#31709804)

What you're saying is like saying we shouldn't run railroads across the Wild West because it's Wild. We needed both complete railroad networks, and a governable West. And we got both. And then we got everything else that could follow on a governable, railroad accessible West.

I'm afraid your analogy breaks down because no one is suggesting we don't provide electrical service to homes that have Internet service, which is what your train analogy would imply. They are just suggesting that grid control systems not be run by computers connected to the Internet, which is quite a reasonable proposition.

Re:I have a great way to protect against cyber-att (1)

Doc Ruby (173196) | more than 4 years ago | (#31711038)

No, they're suggesting we don't put the power network on the Internet, because the Internet is too dangerous to secure. Just like they might have said don't put the railroad network in the Wild West, because the Wild West is too dangerous to secure. They might have said "stick to the coasts" or "just one secured corridor across the country": a private rail network that could be secured from the Wild West. Or a private power network that could be secured from the Internet.

Instead we built a rail network that tamed the West. Likewise, the security work to protect the power network would make the Internet safer for everyone. And the pair would grow both. And the US around it.

The proposition is reasonable, but wrong. Consider that in the 1840s the US was a sliver along the Atlantic and the Gulf, proposing to colonize the whole continent that it had political claims to, but which was filled with whole civilizations protecting their rightful land. Securing the West for American colonization would require unprecedented warfare and genocide, not to mention new engineering on an unprecedented scale. And they did it. The price was abominable, but that didn't stop them. And they reaped the reward, that we continue to benefit from.

We should learn from that history. Not to fail to secure what is ours, but not to do it in a way that exacts such a terrible cost. The Internet is not the 1800s American frontier, and the 21st Century has gained a lot more wisdom about the costs and alternatives. And the "natives" have a lot more power to protect themselves from the security invasion. We can secure the Internet enough to trust connecting the power grid and plenty of other essential infrastructure to it, without destroying the societies inhabiting the Internet, though protecting us from any threat from them. And gain the benefits of not just the networks, but the varied people on them.

Or we can give up on making the Internet safe for essential communications. Which will get us more expensive, more limited essential communications. And will leave the Internet vulnerable to whichever gangs care to ransack it. Securing it would be better, and is entirely possible.

Re:I have a great way to protect against cyber-att (2, Funny)

Cynonamous Anoward (994767) | more than 4 years ago | (#31710112)

We needed both complete railroad networks, and a governable West. And we got both.

You haven't been to the west, have you?

Re:I have a great way to protect against cyber-att (2, Interesting)

Duradin (1261418) | more than 4 years ago | (#31710390)

I thought Texas was just a honeypot for Teabaggers.

Re:I have a great way to protect against cyber-att (1)

Doc Ruby (173196) | more than 4 years ago | (#31711058)

I lived there for years, in the Northern California that was created by the rail network, and which still cradles any number of outlaw cultures. That "Western independence" myth is for people from Glennbeckistan.

I also lived in Louisiana for years. That is an ungovernable wilderness.

Re:I have a great way to protect against cyber-att (0)

Anonymous Coward | more than 4 years ago | (#31712496)

No, but once the railroad is complete he will be able to do so.

Re:I have a great way to protect against cyber-att (1)

mswhippingboy (754599) | more than 4 years ago | (#31710156)

Why would you need to have an internet connection to the grid? Do you really need the ability to shut off the power to a city or or country? I think not. You're local power utility, which controls the power going to your house (called a distribution organization) is who you need to interact with. The grid is within the realm of a different organization a (called a transmission organization). These organizations deal with the transmission of large amounts of power between cities, states, counties and such. You local power company buys it's power from them. In other words, they manage the trading of power between companies. I see no need for an individual to have any access to their infrastructure at all.

Re:I have a great way to protect against cyber-att (2, Interesting)

cosm (1072588) | more than 4 years ago | (#31709440)

On your statements:

Don't connect it to the internet!

"and it also doesn't mean that they can't have a private TCP/IP network that for sharing information among their various systems"

:

Knowing that boundary is becoming increasingly difficult with our interconnected society. Not to mention, things like social engineering, rogue media (flash-drives etc...) are increasingly hard to regulate internally. A lot of these security issues also stem off an even more pivotal attack vector, the human element.

The engineers, programmers, and designers may be well aware of security practices and threats, but a blue-collar operator may not be as well versed in these areas. This leads to a crossroads: Do we focus on more 'intelligent systems' that are infallible (as much as they can be, and more than they are now), with the ability to be more secure, regardless of operator skill level? Or the alternative, entailing increased operator training?

Well planned systems are always fallible in the hands of the untrained, so I imagine the best scenario falls somewhere in between, but leaning towards the automated side, for systems are easier and cheaper to maintain in the long run if they are designed solid from the onset.

Which leads to a paradox. Contract bidding usually goes the cheapest route, which is almost always not the highest of quality. With these contractors spitting out unrefined systems at minimal-effort-maximal-profit mentality, we will always be behind the power curve (so to speak).

In the end, if and when an infrastructure attack does hit us hard, I imagine there will be less regret of preventative measures, and more blame flaming, for that is what we do as a country, isn't it?

Re:I have a great way to protect against cyber-att (2, Informative)

OzPeter (195038) | more than 4 years ago | (#31709664)

I have a great way to protect the power grid against cyber-attacks: Don't connect it to the internet!

I work in Industrial Automation, IE the kind that is used in Power Plants, Manufacturing Plants and basically anything else that is automated. The equipment and software is generally controlled by third party manufacturers. Of course as no software is really bug free, these manufacturers are continually releasing updates (although I have reported some of those practices on The DailyWTF) and they release these updates via .. The .. Internet.

Fine, so how do I get my updates in a timely manner? Perhaps I should download from the public internet and walk the software across the air-gap to the secure Internet?? Well that sounds fine and dandy until you consider that right now (while I am slacking off) I am in VA and working on a manufacturing system in SC, so walking that air-gap would take at least a 6 hour, one-way drive just to get to the plant. So we are talking an extra $1000 on top of the project costs just to do a single, simple update.

That kinda screws my effectiveness to do my job. And that is the base argument of why things are connected to the internet - convenience and cost. But the answer is not go backwards and take all the tools away. The answer is to provide better security on the systems that are connected to the Internet

Two thoughts have crossed my mind while I was writing this:

  • The Internet's root DNS servers are connected to the Internet, but no one is running around screamin that the sky is falling because they are vulnerable. And if they get taken down then when are in deep shit
  • I have said this before, 1/2 dozen guys with SUV's and high powered rifles could easily take down the power grid in a matter of hours

Re:I have a great way to protect against cyber-att (2, Informative)

mswhippingboy (754599) | more than 4 years ago | (#31710044)

I have a great way to protect the power grid against cyber-attacks: Don't connect it to the internet!

Nothing on the grid is, or will be connected to the Internet. Yes, you may find it amazing, but the IT folks in the energy sector have already figured this out, even without your advice! Duh..

However, if you think that's all it takes to secure the grid you're even more naive than you sound.

All of the transmission organizations I've worked with have their grid networks completely isolated from their "business" networks that may have some external connectivity. Most won't even allow a simple serial (as in RS-232) wire connection between these systems to transfer data (it's a royal pain when we need to get data from one network to the other and usually involves some form of sneaker-net).

The problem is that even that level of isolation does not guarantee that these systems can't get hacked into. Some of the equipment on the grid is ancient and the cost to upgrade to something modern is cost prohibitive. Contrary to what most people think, power companies are tightly regulated by public utility commissions. They can't raise rates willy-nilly, so expensive upgrades usually don't get approved. Local politicians don't want their constituents pissed off because they approved a rate increase to enhance the infrastructure.

This is going to be a tough nut to crack and I for one am glad to see that this threat is finally being taken seriously.

Whether anything comes of it will remain to be seen.

Re:I have a great way to protect against cyber-att (1)

Archimboldo (847057) | more than 4 years ago | (#31767698)

Interesting post. But you said there is no internet connectivity, and they can still be hacked into. Through what medium?

InfraGard (4, Interesting)

cosm (1072588) | more than 4 years ago | (#31709306)

This seems similar to the InfraGard [infragard.net] initiative, but standard operating procedure dictates our government must form another organization to oversee the preexisting organization that is involved the current organizations et al. Recursive agencies cost us money, and while I do advocate heavier infrastucture protection, hopefully this isn't just another bean-counting expenditure, but instead an operation that actually contributes to our infrastructure security.

Re:InfraGard (1)

kernelphr34k (1179539) | more than 4 years ago | (#31710574)

InfraGard needs to be disbanded!! It's another shady govt organization that does NO GOOD.

Here's a quote from their website.
"Gain access to an FBI secure communication network complete with VPN encrypted website, webmail, listservs, message boards and much more."

"Learn time-sensitive, infrastructure related security information from government sources such as DHS and the FBI."

Do I need to say more? Why are normal citizens able to get this type of data so they can spy on their neighbors and report to the FBI? Ugh.... The FBI is using the ignorance of the people to report on other people.

Re:InfraGard (0)

Anonymous Coward | more than 4 years ago | (#31712508)

Worse than that, DHS already *has* this capability!

Dont we need a grid worth defending first? (2, Interesting)

Kenja (541830) | more than 4 years ago | (#31709316)

seems that building an actual reliable & redundant power grid would be a better idea...

All I want to know is... (2, Interesting)

dwiget001 (1073738) | more than 4 years ago | (#31709354)

... who will monitor the cyberguards?

Re:All I want to know is... (1)

garompeta (1068578) | more than 4 years ago | (#31709536)

The cyberguards shall monitor themselves.

Re:All I want to know is... (1)

pushing-robot (1037830) | more than 4 years ago | (#31709736)

Tron.

Re:All I want to know is... (1)

Sjefsmurf (1414991) | more than 4 years ago | (#31710174)

I think that was outsourced to India? I also heard that the security software development will be outsourced to China.

Big red button (1)

Manip (656104) | more than 4 years ago | (#31709362)

The US's electricity grid needs a big red button that reads - "Disconnect from the internet." This new organisation will then spend years and millions on communities and finally decide to push that button. Then the bunnies and little kids will live happily ever after.

Seriously guys, use the Internet for getting diagnostic data back but for the love of god do not hook in any control systems. We're talking both at the state and city level. If you have to send a guy down there in a van to flip a switch then frankly do that instead or alternatively telephone into it.

Re:Big red button (1)

jc42 (318812) | more than 4 years ago | (#31712126)

Seriously guys, use the Internet for getting diagnostic data back but for the love of god do not hook in any control systems.

I'd guess this will work about as well as with the electronic voting boxes in recent elections. Some of the stories here talked about the discovery that some of those boxes, when visibly "disconnected", still had a live IR port. There were demos of bringing a similarly-equipped laptop into the voting area, connecting via IR to those voting machines, and poking around inside them from across the room.

Consider how people assured us that with the electronic voting stuff, they took security very seriously. But it was just "security theater", designed to impress management, the media and the computer-illiterate masses. We can expect the same thing with the security in the electric system.

It'll probably be run by the TSA.

Outsourced Government Security Monopoly? (3, Interesting)

Doc Ruby (173196) | more than 4 years ago | (#31709412)

Some systems are properly a monopoly. The nation shouldn't have two Army services. In general security for a given political area, like nationwide, statewide or countywide are best (or perhaps just least badly) run by a monopoly governed by officials elected by the people. Certainly at the national level that is the case.

Outsourcing that job to a private corporation to hold the national monopoly is asking for trouble. There will be no pool of private competitors competing for that contract, because the national market supports only one vendor: the one who wins that contract. That circular setup means the benefits of competition to produce the best candidate will not.

There is plenty of room for outsourcing regional security work to vendors actually competing at that scale, if indeed there are multiple vendors of security to large power grids. Let the regional front line vendors compete to keep their contracts. But the monopoly at the top that actually manages those regions into a comprehensive, integrated national infrastructure defense should be within the government. Which is the only monopoly that has a chance to behave properly.

Re:Outsourced Government Security Monopoly? (1)

rsborg (111459) | more than 4 years ago | (#31709686)

Outsourcing that job to a private corporation to hold the national monopoly is asking for trouble. There will be no pool of private competitors competing for that contract, because the national market supports only one vendor: the one who wins that contract. That circular setup means the benefits of competition to produce the best candidate will not.

Isn't this what mandated open standards and "all your work is belong to US" kind of government IP contact designed to prevent against?

Re:Outsourced Government Security Monopoly? (0)

Anonymous Coward | more than 4 years ago | (#31709890)

"The nation shouldn't have two Army services."

Why not? When armies compete, they have to offer higher salaries and better body armor. Individual soldiers win!

Re:Outsourced Government Security Monopoly? (1)

Alex Belits (437) | more than 4 years ago | (#31714448)

And I thought that when armies compete they just kill civilians and occasionally each other...

Re:Outsourced Government Security Monopoly? (1)

jc42 (318812) | more than 4 years ago | (#31712348)

Some systems are properly a monopoly. The nation shouldn't have two Army services.

Ah, but here in the US, we have more than one. There's also that other one called the Marine Corps. And there's the one that used to be called Blackwater USA, then Blackwater Worldwide, and then recently renamed itself to Xe Services LLC so as to hide from all the bad publicity. I'll leave it open for other readers here to name a few of the other US Armies.

Give it all to Microsoft (0)

Anonymous Coward | more than 4 years ago | (#31709470)

I am sure that Microsoft would do a fantastic job handling securing our power grid! They get my vote of confidence!

uhm (0)

Anonymous Coward | more than 4 years ago | (#31709486)

Murphy's law:

If you can't connect to the net - The net can't
connect to you.

Why would you want key infrastructures to be accessible through the net? Use leased lines.. for the children!

Re:uhm (1)

garompeta (1068578) | more than 4 years ago | (#31709548)

Unless you are in Soviet Russia

A day late, but topical (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31709534)

http://pwr2own.com [pwr2own.com]

CZAR (1)

hoggoth (414195) | more than 4 years ago | (#31709634)

We need an Electrical Grid Cybersecurity Czar. How can we get anything done without a CZAR?

The Cyberguards Will Be Running On None Other (-1)

Anonymous Coward | more than 4 years ago | (#31709886)

than the most unreliable [microsoft.com]
operating system in the world.

Yours In Perm,
Kilgore T.

Cyber-what? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31709988)

I'm going to cyber-ram my cyber-fist up the cyber-ass of the next idiot who cyber-prepends the term "cyber" onto a random word.

fcfs.

As long as we have centralized power distribution (0, Troll)

gestalt_n_pepper (991155) | more than 4 years ago | (#31710046)

on a large scale, it's indefensible. If we had a thousand dams with many thousands of small generators, many thousand solar installations on every structure in the country where it made sense, many thousands of tiny wind farms, many thousands of small geothermal generators, and so on, with passive protection from overload for all, this wouldn't be an issue. For that matter, neither would fuel shortages, at least as far as electricity goes.

Brilliant Managment Strategy (0)

Anonymous Coward | more than 4 years ago | (#31710070)

Let's see. All the authority goes to the National Electric Sector Cyber Security Organization. All the responsibility remains with the grunts in the field. See anything wrong with that?

If it *does* work well, why not a National Cyber Security Organization for every other industry? Heck we could have one uber National Security Organization to rule over all the others.

Internet-connected? (0)

Anonymous Coward | more than 4 years ago | (#31710330)

What baffles me is that people don't look at this with the mindest present during the days of the developemnt of ARPA/DARPAnet: build a secure, multinode information infrastructure that is not subjected to widespread, catostrophic failure due to the failure of one or more nodes. Building it such that all nodes are known & secure doesn't guarantee perfection, but it puts us as close to top-notch infrastructure as possible. While building another net will entail huge outlays of taxpayer dollars, it would also (if done properly) yield new techology & innovation that would inevitably carry over to other industries and improve day-to-day life in general (as the internet has), in addition to solidifying national security. Build the best possible power management net & grid, work out the bugs, then figure out how/when it should be connected to the internet.

Can't wait! (1)

G4Cube (863788) | more than 4 years ago | (#31710726)

Runs on Win Server 2010

Not the only problem (2, Insightful)

Trip6 (1184883) | more than 4 years ago | (#31711388)

Forget the power grid, all our communication infrastructure is equally if not more vulnerable.

A year ago, all of South San Jose suffered a communication outage due to this intentional fiber sabotage:

http://www.pcworld.com/businesscenter/article/162910/fiber_cuts_slash_silicon_valleys_internet_arteries.html [pcworld.com]

I was driving south on 101 to Morgan Hill to work. About 3 miles north of my destination, my cell phone call was lost. At work, we had power but no internet, phones, or cell phones. We had radio, that was about it. It was later blamed on the fiber lines cut, which happened coincidentally right after the AT&T union contract had expired. Might as well been a terrorist.

Re:Not the only problem (1)

cffrost (885375) | more than 4 years ago | (#31720960)

At work, we had power but no internet, phones, or cell phones. [...] Might as well been a terrorist.

Indeed; the thought of Internet connectivity issues is a truly terrifying specter.

More bureaucracy is NOT the answer (1)

xmundt (415364) | more than 4 years ago | (#31713518)

Greetings and Salutations.
          The fact of the matter is that there is a lot of ANY countries infrastructure that can be easily disrupted if one can get access to them, either through physical access or through a network. There is little that can be done to prevent this, short of draconian measures that would be unacceptable to most Americans. Instead of creating an expensive bureaucracy that, very quickly, will graduate from protecting the country to perpetuating itself and growing without end (yes, like a cancer), perhaps it would be wiser to look at the infrastructure and find ways to upgrade it to make it more fault-tolerant. Right now, for example, the power grid is like a row of dominoes. Hit the right one at the right time, and, failure will cascade through the system, spreading darkness across the land. It seems that adding some way of breaking up the grid into smaller sections would allow for quicker control of such failure, and keeping the disruption to a minimum.
          Having said this, I should also point out that this is a GREAT use of alternative energy sources. Instead of having one huge network, perhaps we could evolve to a number of smaller, self-contained grids powered by locally generated electricity.
            Of course, changing America's interactions with the world to stop treating them in such a way that we generate large numbers of people who believe that we as such an enemy that the best course of action is to blow themselves up to kill us...
            Pleasant dreams
            Dave Mundt

           

Reality Check (1)

AB3A (192265) | more than 4 years ago | (#31716292)

It would be nice to separate the electric generation, transmission, and distribution networks from the Internet, but it ain't happening. SCADA systems are being interconnected to each other and to proxies that deliver data to the Internet in real time, or near real time.

Nobody can avoid this. SCADA systems are delicious fountains of high fructose data that executive operations staff, researchers, and governments are finding hard to resist. The Smart Grid is only the latest of many wide eyed high tech applications to hit this space. There have been many before it.

We're already exposed. The question is how to build resiliency in to this effort. As you might imagine, it's not easy. This isn't some office application where damage can be repaired with a backup. These systems affect physical assets and public safety in our cities. There is no backup to restore broken lives.

This isn't an ideal situation. Most utilities would love to return to the days when everything could be isolated. But if anything, all this smart metering and smart grid stuff will cause everything to get even more connected and integrated. There is good value in such connections. Nevertheless, it has been hyped while glossing over the details of the security risks.

Now that we know we're exposed, we need people with embedded systems backgrounds, control engineers with practical systems design experience, and security professionals to come together and to share information without killing each other. (All three fields are well known for having their share of prima-donna character flaws)

I wish DOE the best of luck. The horse is already out of the barn and they're still trying to figure out how to close the door.

cybersecurity for power grids ain't possible. (1)

seekertom (1587993) | more than 4 years ago | (#31717204)

think 'computer virus'. how many programs do we have available to eradicate them? are the viruses gone? but there IS a way to prevent anything from entering the grid system... as said, don't connect it DIRECTLY to the internet. do what pirates do to overcome drm stuff for copying movies (play movie, capture ota with a camera, re-record on disc.)... in this case, get the source doc in printed form, scan it optically, then pass it back and forth to the internet as desired. no virus or hacking possible! thanks fer lis'nin' seekertom
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>