
Feds Offer $20M For Critical Open Source Energy Network Cybersecurity Tools

samzenpus posted about a year and a half ago | from the won't-somebody-please-think-of-the-energy-supply? dept.

Government 56

coondoggie writes "The US Department of Energy today said it would spend $20 million on the development of advanced cybersecurity tools to help protect the nation's vulnerable energy supply. The DOE technologies developed under this program should be interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."


wire cutters (3, Insightful)

Anonymous Coward | about a year and a half ago | (#42865903)

easy - a pair of wire cutters and firing of those responsible for hooking up naively coded devices to untrusted networks.

Re:wire cutters (1)

Langalf (557561) | about a year and a half ago | (#42865971)

Given the amount of trouble I have convincing supposedly intelligent people NOT to hook things up to our control network willy-nilly, I certainly agree with this sentiment.

Re:wire cutters (2)

icebike (68054) | about a year and a half ago | (#42866393)

Given the amount of trouble I have convincing supposedly intelligent people NOT to hook things up to our control network willy-nilly, I certainly agree with this sentiment.

While that might be part of the solution, remember that Stuxnet was delivered on a thumb drive.

Also remember that you need some computer system for plant management in the modern world. If not for doing actual machine control, at least for doing monitoring and reporting. And therein lies the problem. Even if you air-gap your control network from your corporate net, you have to put stuff onto the control net and take stuff off. And you still end up hooking a lot of machine controllers to your control network.

Other than physically locking the cable plant, removing USB ports, diskette drives, and wifi, you are always going to face the possibility of rogue software creeping onto your control net somehow.

Maybe it would be easier to detect, profile, and filter machine control at the transmission layer than to rely solely on preventing any future camel from getting its nose under the tent.

Re:wire cutters (2)

Type44Q (1233630) | about a year and a half ago | (#42866525)

While that might be part of the solution, remember that Stuxnet was delivered on a thumb drive.

That's why the other half of the solution is "don't run your centrifuges with the same damp, soggy operating system that you use to connect to the Internet"... :p

Re:wire cutters (2)

innerweb (721995) | about a year and a half ago | (#42868401)

I run my centrifuges on AmigaOS. No problems ever.

Re:wire cutters (1)

dbIII (701233) | about a year and a half ago | (#42868129)

You mean just like the way we were doing it in the early 1990s?
The practices to solve the problem are clear but people just think it's inconvenient to implement them. Read only when it doesn't need to be anything else and get those MS video games machines out of the environment - if people want to connect to the real systems and use a MS video games machine to do it there are plenty of ways to present information to them without giving those buggy malware infected piles of shit full access.

Re:wire cutters (1)

kilodelta (843627) | about a year and a half ago | (#42866489)

Or - disconnect all SCADA devices from the network. Better yet, wire up an authentication module for the SCADA device instead of leaving security hole laden SCADA devices out there. Then of course you could re-write the IP stack for SCADA and vary the delay timing. That will stop a good many attacks.

Re:wire cutters (-1)

Anonymous Coward | about a year and a half ago | (#42867167)


Or - disconnect all SCADA devices from the network. Better yet, wire up an authentication module for the SCADA device instead of leaving security hole laden SCADA devices out there. Then of course you could re-write the IP stack for SCADA and vary the delay timing. That will stop a good many attacks.

#1..
ya know what, we need jobs, FORGET re-write the IP stack for SCADA, FORGET firewalls in front of SCADA, what we need you got partially correct, disconnect all "primary critical system SCADA" (you know the dangerous stuff) and hire some motherfucking people to turn the valve, flip the switch, cycle the pump, etc.

#2
I can see a lot of temp jobs if we made our grid shielded from the sun, and hackers, by taking all those fucking SMART SPY METERS off the fucking houses and back to the analog meters.

#3
Remove the power of selecting the FCC from the POTUS. Let the people vote - as Celente says. (Just not electronic vote (ban that un-validatable insecure hacked shit too and create some more fucking JOBS))

#4
What the fuck happened to the Stanley Meyer VW from 1970? How about all you global warming climate change (but sun and wx mod denier) fascists? Where's his fucking car? Why doesn't my new fuckin 2013 car run on water? Why does my new fuckin 2013 car SPY ON ME? Why is it vulnerable to EM?

IT takes SEVEN MOTHER FUCKING WIRES TO RUN A VW !!! SO what's all this SHIT on my 2013?

Shall I go on, or is that enough to keep you busy.
Oh yeah, after that FCC thing is back to their original mission statement then perhaps we can get these fascist corporations off the fuckin "PUBLIC SPECTRUM"

Not the answers you were looking for? Fuck you. I posted these answers every day for a decade and a half.

I DID MY PART.

(oh yeah when I say fuck you I don't mean kilodelta)

Re:wire cutters (0)

Anonymous Coward | about a year and a half ago | (#42866751)

a pair of wire cutters and firing of those responsible for hooking up naively coded devices to untrusted networks.

If we are lucky, that's what they'll do, at least after they hand out 20M to various contractors.

Re:wire cutters (2)

Shoten (260439) | about a year and a half ago | (#42868035)

Check out the latest edition of the ICS-CERT journal. Replacing Ethernet with USB drives or other media...and you cannot do offsite backups without them, mind you, nor can you offload data for analytics, reporting, or support any other way...is not really an air gap. All it does is remove some degree of vulnerability while greatly hindering your ability to do things like patch management, security monitoring (are you going to put a separate Nitro Security or ArcSight instance into every power plant, with its own dedicated staff? Good luck getting funding for that...), antivirus updates (hint: this was what went wrong in the incident described by ICS-CERT because of the airgap) and remote emergency management. Oh, and also say good bye to grid balancing, AMI, energy trading, remote dispatching...what else am I forgetting, because there are a whole lot of different functions that are critical to the power grid that require data exchange.

Even nuclear power plants aren't airgapped anymore. They use data diodes to help protect themselves...but unfortunately, that solution is beyond the budgets of what power companies have for each of their environments, and a lot of what they need to do requires two-way communications as well. It's very easy to say "oh, air gap it...if you don't, you're a moron." The reality, however, is that you can't actually do that in the power industry anymore, for the same kinds of reasons why financial institutions gave up on that long ago.

Re:wire cutters (1)

jmcvetta (153563) | about a year and a half ago | (#42868611)

Actually this is probably the right solution. More and more I am convinced we must air gap all safety-critical systems from the internet. Big stuff like power stations and industrial equipment obviously; but also small stuff like building HVAC, generators, etc. This includes self-driving cars - the drive controller must be physically unable to communicate with any network.

It's basically a minimax situation. We have to minimize the damage from the maximal failure mode. With networked control systems, the worst case scenario is a remote hostile attacker gaining coordinated simultaneous access to multiple critical systems. That kind of godawful catastrophe is effectively prevented if remote control of the systems is physically impossible. With air gapped controls the worst case is reduced from "shit-tons of stuff destroyed" to "a handful of stuff destroyed".

Yes, in many cases this will require setting up (or retaining) control rooms full of monkeys pushing buttons. Not the most glamorous or ennobling work, but as a side effect it will create a few jobs. Yes, engineers will have to go in to the plant - or call people who are on-site - to work on the systems. That will suck, but it'll give them an excuse to ask for more pay or a nicer office setup. Yes, you'll periodically have to stick a piece of physical media into your self-driving car to update its navigation system. Tough shit, it's a small price to pay.

Re:wire cutters (1)

gweihir (88907) | about a year and a half ago | (#42868627)

Indeed. But from the description of what they want, I deduce they are completely clueless about what is and is not possible and hence, they may have trouble actually using a wire cutter due to lack of skill.

20 million government project? (5, Funny)

trdtaylor (2664195) | about a year and a half ago | (#42865935)

"interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."

Choose two.

Gov't Response (4, Funny)

alostpacket (1972110) | about a year and a half ago | (#42866217)

1) Interoperable
2) Scalable
2a) Cost-effective
2b) Advanced
2c) Does not impede critical energy functions
2d) Innovative
2e) I.) Easily commercialized
2e) II.) Or, made available through open source
2d) No cost.

Per your request ID (#42865935), we have met your requirements and expect work to implement the product to commence immediately.

Cordially ruling in your best interest,
- The Government

(at least now we know what "step 2) ????" is)

Re:Gov't Response (0)

Anonymous Coward | about a year and a half ago | (#42866583)

This is why the internet is full of WTFBBQ, What the F*ck, Bar-B-Q.

Can someone translate this? Who WROTE this?
Cost-effective and open source and free? Well,
I cannot touch this. My brain is refusing to allocate enough thought driven
verbiage to call this anything but WTFBBQ.

Maybe after a beer, I can calm it down.

I have a 486 that runs Linux Router, and it has for years, it was free,
and it works reliably. very reliably. It's Scalable, ( how many 486s are lying around. )

Cost effective ( It was free. )
It's Advanced ( It comes from the brits in CS Departs ).
It's Innovative, ( the commercial version is $1400 ).

And it can all run on a 63.5W Power supply, thus making the pencil pushers, And the anal-retentives ( I don't use this often, but it does apply ).
HAPPY. ( clusterf*ck ). Happy cl*sterf*ck.

why not spend on redundancy as well? (1)

gadget junkie (618542) | about a year and a half ago | (#42865949)

Software solutions are all well and fine, but I find it highly ironic that the menace comes from the internet, an offspring of a DARPA grant that had reliability and redundancy at its core. Granted, the possibility of somebody lobbing H bombs has receded since the cold war, but a little physical investment would do a power of good, especially since it would cost a fraction of the subsidies sunk each year in renewable energy.

Hmm... I can do this for a fraction of the cost... (2)

JimXugle (921609) | about a year and a half ago | (#42865957)

Problem solved [amazon.com]

Re:Hmm... I can do this for a fraction of the cost (3, Funny)

stewsters (1406737) | about a year and a half ago | (#42866023)

The quantity drop down only goes to 30. We are going to need a few more if we are going to secure our infrastructure in a timely manner.

Re:Hmm... I can do this for a fraction of the cost (0)

Anonymous Coward | about a year and a half ago | (#42866029)

LOL! finally a true fix that gets to the root of the problem..

Re:Hmm... I can do this for a fraction of the cost (3, Insightful)

Art Challenor (2621733) | about a year and a half ago | (#42866281)

Comments of the type "just don't connect to the Internet" are a little short-sighted. Much of the energy, water, wastewater, etc. etc. infrastructure is remote. Think substations, liftstations, pumpstations, smart switches, etc. etc. For some of these a dedicated network may make sense, but there's a huge cost saving in using the existing networking buildout, ie the Internet, to monitor and indeed control these types of facilities. Many of these are small, a controller, something that does something (pump, switch, whatever) and a small amount of monitoring.

Securing this IS a challenge, especially since the vast majority of the equipment used in these facilities was (and continues to be) designed with no inherent security, but having someone drive to a remote facility to check it, or install an end-to-end custom network is a much bigger project and is simply not possible - taxpayers would (rightly) object to the cost.

There are many other situations where there is a solid "business case" for having an asset connected to the Internet, remote maintenance, tracking, etc. Not necessarily as critical, but would still benefit from a secure solution.

Re:Hmm... I can do this for a fraction of the cost (1)

Charliemopps (1157495) | about a year and a half ago | (#42866389)

I work for an ISP. Dedicated solutions aren't all that hard or expensive. They're just usually slow. Most cash registers have less than a 56k connection, but they never touch the internet. The problem is the government loves to overspend, and overplan. So I'm sure their plan involves full HD realtime video of the facility or some other stupid shit they don't need on their secured network. Put command and control on your private network. Put your security cameras on... well anything else.

Re:Hmm... I can do this for a fraction of the cost (1)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#42866425)

Even if you can't justify a full rocking-it-old-school-with-our-own-private-leased-lines-from-everywhere-to-everywhere, you'd still hope that (given the truly deplorable state of the various devices in important places), you could spring for a logically isolated network running on top of your cheap internet connection.

VPNs and such add additional complexity, and aren't invulnerable by any means; but there is a middle ground between 'physically private network' and 'on the internet', which at least allows you to reduce the number of externally visible devices (and make it so that the externally visible devices are dedicated network security gear, ideally built by people who know about network security, rather than dedicated industrial control devices built by people who know about industrial controls and...less... about security).

Re:Hmm... I can do this for a fraction of the cost (2)

penix1 (722987) | about a year and a half ago | (#42866665)

To add insult to injury, the power companies in my state are 100% private companies. So here we go bailing out private companies using tax payer money to fix a problem caused by their short sightedness. This again is a failure of capitalism or should I say another success of private industry externalizing the risk and privatizing the profits. I say fuck 'em. Let them use their profits to fix this problem they created.

Re:Hmm... I can do this for a fraction of the cost (1)

Runaway1956 (1322357) | about a year and a half ago | (#42867619)

No, the obverse is true.

Connecting these gadgets to the internet is the short sighted "solution", which has caused more problems than it solved.

When building infrastructure, isn't it more intelligent to build the INFRASTRUCTURE? Run a wire out to the gadget, directly from the control station!! Not wireless, but a wire!

Re:Hmm... I can do this for a fraction of the cost (1)

c0lo (1497653) | about a year and a half ago | (#42866725)

Underbid [aliexpress.com] to 5% of the competition price.

Warning: may have backdoors planted by People's Liberation Army.

easy (0)

Anonymous Coward | about a year and a half ago | (#42865997)

just don't attach it to the interwebs LOL
oh my what idiot designed it all should be shot

Wait, what? (1)

oodaloop (1229816) | about a year and a half ago | (#42866021)

Wasn't the cyber threat to our critical infrastructure overblown by DHS and CyberCom just to get a bigger budget? Why is DOE so concerned that they're going to spend 20 million of their current budget?

Re:Wait, what? (1)

Synerg1y (2169962) | about a year and a half ago | (#42866093)

It's now, or later? I don't think they considered cyber security when setting up the electrical plants and grids too much back then.

Re:Wait, what? (1)

vlm (69642) | about a year and a half ago | (#42866275)

sure they did, they just didn't have the budget.

The fiber my local powerco installed along the ROW for their SCADA didn't go in until decades after the blueboxers were having their way with Ma Bell.

Silver Bullet Bargain (1)

anorlunda (311253) | about a year and a half ago | (#42866141)

There isn't one word in the referenced article that is specific to energy delivery systems.

These guys are asking for the silver bullet to solve any cyber security problem in any system from any threat. The reward: a measly 20 million.

Re:Silver Bullet Bargain (3, Informative)

bill_mcgonigle (4333) | about a year and a half ago | (#42866535)

These guys are asking for the silver bullet to solve any cyber security problem in any system from any threat. The reward: a measly 20 million.

It's a government contract - you don't actually have to deliver. /snark

But, yeah, for $20M my company could coordinate one hell of an automated crypto system (hardware & software) to layer on top of SCADA gear that would protect it from unauthorized use and of course it would be open source. I can think of a dozen grants that need to happen immediately on various open source networking and crypto software packages to make them better suited for the task. It would not be perfect (it cannot be) but it would be tremendously better than the status quo and it would all be free for deployment on commodity hardware or from an ecosystem of willing cooperators.

The trouble is, the requirements for government contracting self-select for companies that can't even do the paperwork for less than $20M.

Sure fire solution.... (1)

rts008 (812749) | about a year and a half ago | (#42866201)

Unplug it from the net!

Do I get my 20 million?

Aren't the free tools already available? (1)

planckscale (579258) | about a year and a half ago | (#42866229)

As far as identifying and responding to intrusions, it seems everything is already there, just needs to be implemented with agents that can monitor controllers, which I'm sure has already been coded anyway. Mashups of current security tools like SecurityOnion http://securityonion.blogspot.com/ [blogspot.com] would be a good starting point methinks.

TLDR (2)

vlm (69642) | about a year and a half ago | (#42866317)

TLDR of the whole topic: Can't prevent layer 8 malfunctions via any method at any lower level 1-7. There is NOTHING the techs can do if mgmt fails. No checkbox can save them, no silver bullet can save them...

Re:TLDR (1)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#42866441)

Are you sure that silver bullets don't work against management? They work on most meat-based targets, as well as werewolves...

Re:TLDR (1)

bill_mcgonigle (4333) | about a year and a half ago | (#42866465)

management? They work on most meat-based targets

Thar's y'er problem - everybody knows management is entirely made of hot air.

Re:TLDR (1)

gmhowell (26755) | about a year and a half ago | (#42867457)

Are you sure that silver bullets don't work against management? They work on most meat-based targets, as well as werewolves...

This is the government. Think less Lon Chaney and more Bela Lugosi, and you'll see why silver bullets are ineffective. (Although given it is made of the stapled together remains of some other dead agencies and has an abby normal brain, I'm thinking DHS might be Frankenstein (Yes, yes, Frankenstein's monster pedants))

Re:TLDR (1)

Anonymous Coward | about a year and a half ago | (#42867057)

The 8th layer of the ISO Model: Operator.

The 8th layer of GSA: Some asshole operator who controls $20 in discretionary spending,
or the ability to convince those assholes that do, and can string together 21 words,
that he got from the internet, pasted on a Life Game spinner, and cooked up
some verbiage that made the assholes with $20 in discretionary spending happy.

Too bad that nobody writing this, or controlling the money or
even thinking about this at the 8th layer of GSA, ( did you fill out the form 355-2/B?)
has a clue what they just said, what it actually means, and a possible solution,
looms like the death star over the white house. Never EVER going to happen.

IF we are in this together, then that side of the boat is sinking rapidly.

IBM, probably the holder of the most patents on security,
is waiting on the side lines, and laughing. Hysterically.
They are again, toasting the stupidity of our electorate.

Please Mod parent + Interesting.

20 Million? (0)

Anonymous Coward | about a year and a half ago | (#42866371)

That's 20 times as much as for Dorner. Where is the equality?

Hmm the part that bothers me is (2)

DarkOx (621550) | about a year and a half ago | (#42866493)

do not impede critical energy delivery functions

Sorry but security is all about impediment. I am going to get jumped all over for saying this but it's true.

People attempt to do bad things when three forces meet: opportunity, pressure, and rationalization whether that last one is because "Dear Leader told me to" or "I deserve it" is immaterial.

There is nothing you can do in software about the last two. So that leaves opportunity as the only high ground on which to mount a defense. Guess what that means: impediment is just about your only tool. Good luck upgrading all those ancient controllers to use solid authentication, and integrity protocols. Good luck tasking the folks who have been ignoring these problems for the past 20 years (best case), or doing it wrong getting lucky and thinking themselves clever (more likely). Expired certificates etc if they are actually checked will be an impediment. Offline those old EDI systems while everyone figures out how to do sftp will be a problem when nobody knows how to keep control of their known host keys; and those are just some of the easy ones.

The Feds need to pull their heads out of their ass and realize security is about doing the right thing everywhere all the time. Process Process Process. All the technology in the world won't help you unless people do the right thing. The Superbowl gate crashes should have taught them that. Computer security is no different. Sure technology can help. It's wonderful today that we have the scalability to do inline IPSing and a firewall can stop things like SQL Slammer (when signatures exist). Won't do a lick of good if some admin decides to turn it off to trouble shoot and then goes "welp everything's working and i feel like headed home now so, f**k it deal with tomorrow".

Cow pies (1)

CHIT2ME (2667601) | about a year and a half ago | (#42866955)

Dried dung! It's scalable and very easy to distribute. Just wash your hands after collecting it!!! Try to plug your thumb drive into that assholes!!!!

Allow me (2)

lightknight (213164) | about a year and a half ago | (#42867055)

Here's a solution -> hire a bunch of BOFHs to do your security for you. True, you have to keep them happy, but the upside is that security could never be tighter / more fatal for anyone trying to crack your network.

In other words, go find some out of work network admins, the older the better, and employ them in this capacity. They know how to make things pretty air-tight (usually), but are rarely directed to do so (because people HATE it when security is ramped up to Defcon 0; it makes getting work done somewhat difficult, but in theory, very secure). They will, in theory, employ several different strategies to secure their networks, to the insane point of watching the bits crawl across the wire with human eyes to detect patterns that shouldn't be there. There is no magic wand for network security -> if you want to keep humans (and AIs) out, you need to employ comparable assets.

Really? SCADA networks 101!!! (1)

Virtucon (127420) | about a year and a half ago | (#42867197)

1) SCADA networks don't get to company Intranets or the Internet.
2) Disable any portable access devices, from USB ports (thumb drives etc.) to CD/DVD optical drives.
3) All software is clean room tested and deployed by technicians. Only authorized Technicians are allowed to install or change any software configuration on the system.
4) Vulnerability Testing is done in an isolated lab environment to weed out any potential problems with the system.
5) When in doubt, repeat starting at step #1

Re:Really? SCADA networks 101!!! (1)

hamman982 (1371409) | about a year and a half ago | (#42869803)

Yea... few things wrong with this.

1) Managers will want to see the data produced from a SCADA system. From the intranet. From home. From anywhere. Small utilities don't have 24/7 control centres, so they will have people operating the system from their homes after hours. You need to get real here. You will connect it to the internet, using secure methods. SCADA networks aren't often air gapped except for the radio links.

3) Yep, usually, but sometimes see 4)

4) You have to be a pretty decent sized organisation or a wealthy one to do this. Small utilities ain't got time for that.

In the real world sometimes you have to make compromises on functionality, security, effort and cost. Sometimes a risk of less security is justified. Just make sure you know what to do when shit happens.

Re:Really? SCADA networks 101!!! (1)

Virtucon (127420) | about a year and a half ago | (#42869945)

And that's why there are exposures to hacks and other vulnerabilities. There are ways of providing data without compromising the integrity of the network and while I agree that small players may have more economic challenges in securing their infrastructure they have to have a minimum level of competency to guarantee that some damn worm, malware or an inadvertent "aw shit" from a technician doesn't take them out of operation or do permanent damage. Yes, I agree with you that management personnel are the weakest link here and while a technician may push back, if the boss says "do it" you either comply or find another job. That's precisely the reason why the problem isn't necessarily a technical one, but also one of awareness and training.

How about a piece of financial malware hitting a SCADA network because of the very convenience you mention? It's already happened.
http://www.automationworld.com/power-plant-line-three-weeks-due-malware [automationworld.com] . In this case, it was a mistake, an over zealous IT department policy and the ubiquitous USB thumb drive of death but like Chernobyl, you take one of these things out of the equation and the plant wouldn't have been offline. Also, if I were on the Board of Directors overseeing this company that owned the plant, I'd ask WTF does an IT department have domain over the SCADA system that runs the plant in the first place?

What's also coming to light is that many of the system integrators and providers of SCADA network enabled hardware build these things in closed networks and have no concept or concern for integration issues or vulnerabilities with IP based Intranets or Internets and mixed traffic scenarios. That alone means that SCADA networks must be isolated, locked in cages if necessary to prevent inadvertent tapping or cross switching between it and the company office LAN. One thing that always bothers me is that there's companies with SCADA systems deployed on common company infrastructure and the technicians who installed it believe that since it's on a separate VLAN it's "Secure." That is until somebody crosses one of the VLANs up or they get affected by a cross VLAN problem such as an inadvertent cross VLAN route, or a network attack where the switch infrastructure is compromised and now the SCADA VLANs are susceptible.

It also doesn't have to be power plants. I've seen passenger locomotives disabled when innocuous data collection systems were introduced into a well engineered SCADA OEM system completely disabling functionality and stranding passengers. Poor design was at fault as well as poor reverse engineering and full understanding of the problem space but it happens all the time when a vendor is trying to deliver under a contract.

Re:Really? SCADA networks 101!!! (1)

hamman982 (1371409) | about a year and a half ago | (#42873555)

I agree with most of what you are saying, but I still don't see a need to completely isolate (physically) SCADA from other networks - it can be done in a pretty secure manner. For an example, in my country the National Grid System Operator provides access to its SCADA Network to distributors essentially by a giant VPN. If we didn't have this access we would be back to the days of ringing up the System Operator to do network switching by telephone.

The problem of IT running SCADA systems is a big one, I think that a lack of people skilled in all parts of a SCADA system (radio, electrical engineering, IT, networking etc) is part of the issue, which can create an opportunity for IT to take over.

1st steps (1)

SnarfQuest (469614) | about a year and a half ago | (#42867223)

1. Don't use Widows anywhere in your network. Eliminates 99% of the problem.
2. Don't plug things into the internet that don't need to be, like power plant systems. Nobody should need to be able to manipulate them remotely. Are these plants not staffed any more? If you want to view information, make a read-only gateway to the systems.
4. Don't use Windows anywhere in your network.
5. Don't use software with known holes in it, like Windows.
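
One way to build the read-only gateway suggested in the comment above, as an added example that is not part of the thread: a fail-closed filter that forwards only read requests and drops everything else. It assumes the control traffic is Modbus/TCP, which the thread does not specify; the function names and sample frames are constructed for illustration.

```python
import struct

# Modbus function codes that only read state; every other code is refused.
READ_ONLY_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}
# Largest item count the Modbus spec allows per read request.
MAX_QUANTITY = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def build_request(tid, unit, func, payload):
    """Assemble a Modbus/TCP request frame (used here to construct samples)."""
    pdu = bytes([func]) + payload
    # The MBAP length field counts the unit id plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect_request(frame):
    """Return (allowed, reason). Anything not provably a read is dropped."""
    if len(frame) < MBAP_LEN + 1:
        return False, "truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return False, "protocol id is not Modbus"
    if length != len(frame) - 6:
        return False, "length field mismatch"
    func = frame[MBAP_LEN]
    if func not in READ_ONLY_FUNCTIONS:
        return False, "function 0x%02x is not read-only" % func
    # A read request PDU is exactly: function (1) + start (2) + quantity (2).
    if len(frame) != MBAP_LEN + 5:
        return False, "unexpected size for a read request"
    _start, quantity = struct.unpack(">HH", frame[MBAP_LEN + 1:])
    if not 1 <= quantity <= MAX_QUANTITY[func]:
        return False, "quantity out of range"
    return True, READ_ONLY_FUNCTIONS[func]


# Constructed sample traffic (not captured from any real system).
_read = build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))
SAMPLES = [
    ("poll holding registers", _read),
    ("write single register", build_request(2, 1, 0x06, struct.pack(">HH", 1, 0x1234))),
    ("write multiple coils", build_request(3, 1, 0x0F, struct.pack(">HHBB", 0, 8, 1, 0xFF))),
    ("read with zero quantity", build_request(4, 1, 0x03, struct.pack(">HH", 0, 0))),
    ("forged length field", _read[:4] + b"\x00\xff" + _read[6:]),
]

if __name__ == "__main__":
    for label, frame in SAMPLES:
        allowed, reason = inspect_request(frame)
        print("%-26s %-7s %s" % (label, "FORWARD" if allowed else "DROP", reason))
```

The filter only restricts what crosses the gateway; it does not authenticate the sender or protect the devices from anything already on the control network.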

Two Words: Air Gap (3, Insightful)

rsagris (831741) | about a year and a half ago | (#42867313)

Seriously: water, power, and other critical utility infrastructure providers are not a low density/low volume market. There are large enough economies of scale such that there should really be no discussion here. There should be a separate physical network for these industries.

Air gap the network, heck, develop and mandate totally new hardware interconnects to ensure some moronic PHM or more likely brain dead network admin isn't physically capable of connecting COTS hardware to SCADA hardware.

There is absolutely no reason for any of this stuff to be directly accessible to the public internet, the utility provider can very well have some data diode http://en.wikipedia.org/wiki/Unidirectional_network/ [wikipedia.org] to provide metering information on the public internet side, but there absolutely should be no bidirectional links between the command and control network and the public internet.

There would be no astronomically expensive software validation necessary if these industries were mandated to require hardware-level compartmentalization, which funnily enough a custom hardware solution would be orders of magnitude cheaper and deployable now rather than some pie in the sky (never going to happen) software based solution that the "Tube" worshiping Luddites in Washington think can actually be created.

-RS

Re:Two Words: Air Gap (0)

Anonymous Coward | about a year and a half ago | (#42870841)

A data diode won't protect either, sir.

All it takes is the right man-in-the-middle to inject new outbound data to fool you into doing the wrong things anyway.
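
One way the receiving side of a one-way metering link can detect injected or replayed frames, as an added example that is not part of the original comments: each frame carries a sequence number and an HMAC-SHA256 tag, and the receiver drops anything that fails either check. The key, frame layout, meter reading and all names here are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key (assumption); a real key is provisioned out of band.
KEY = b"constructed-demo-key-not-for-use"
HEADER = struct.Struct(">QI")  # 64-bit sequence number, 32-bit payload length
TAG_LEN = hashlib.sha256().digest_size


def seal(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender (control-network side): frame = header | payload | HMAC tag."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver (internet-facing side): accepts only authentic, fresh frames."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        """Return (payload, None) on success or (None, reason) on rejection."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None, "truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad-tag"      # forged, or modified in transit
        seq, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if length != len(payload):
            return None, "bad-length"
        if seq <= self.last_seq:
            return None, "replay"       # authentic but stale frame re-sent
        self.last_seq = seq
        return payload, None


def demo():
    """Run constructed frames through one receiver; return rejection reasons."""
    rx = Receiver()
    good = seal(1, b"feeder7 kWh=1042")                  # constructed reading
    forged = seal(2, b"feeder7 kWh=0", key=b"not-the-real-key")
    tampered = good[:-1] + bytes([good[-1] ^ 1])         # one bit flipped
    fresh = seal(2, b"feeder7 kWh=1043")
    return [rx.accept(f)[1] for f in (good, forged, tampered, good, fresh)]
```

A gap in sequence numbers is not rejected here, because a one-way link cannot ask for retransmission; the receiver can log the gap instead. The check covers frames altered or injected on the link, not data falsified before the sender seals it.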

umm... (1)

Ryanrule (1657199) | about a year and a half ago | (#42867453)

How about 20 billion? They sure as shit don't mind spending that on guns. Tech can do MUCH more damage.

Just like the government... (1)

Areyoukiddingme (1289470) | about a year and a half ago | (#42867501)

"made available through open source for no cost."

"The US Department of Energy today said it would spend $20 million"

So $20 million is free to them?

That explains a lot...

$20M For New Technology? (1)

Anonymous Coward | about a year and a half ago | (#42868199)

(Posting anonymously for reasons that will become apparent.)

So they want to spend $20M for technology that's going to improve security? Well, here's an idea: hire more people at these critical energy companies. I work for one, and let me tell you, we're already passing up technology we could be using because none of us have the fricken time to learn it, propose a baseline configuration and integrate it into our existing processes.

  • SELinux, which has been out for over 9 years? Nope, just disable it.
  • Intrusion detection systems like Tripwire? Nope, don't have time for it.
  • Still have systems running old, unsupported (and thus likely full of security vulnerabilities) operating systems? If those servers are still running then we have more high-profile things to work on.
  • Training to really understand a new & different forced-upon-us-from-on-high operating system (when already supporting 4 others) and learn its best security practices? Nope. Here's a 1-week seminar with no periodic follow-up. Just memorize the vendor's 1-800 number and you'll be fine. (Until the system goes down -- then we'll be screaming at you to get it fixed right now!)

I could go on, but it burns me that we're obviously short on manpower. We're not being trained in or using the technology we have to secure our systems but they'll spend money on new shiny stuff.

Re:$20M For New Technology? (0)

Anonymous Coward | about a year and a half ago | (#42876135)

Sure, they hire manpower. It always appears to be in the compliance department.

would it not be..... (0)

Anonymous Coward | about a year and a half ago | (#42869693)

Just make sure it is not connected to the internet and wireless and that there are no devices connected to the network with internet, and I think you won 90% of the battle. The other 10% is users.... sadly!

One-point Plan (1)

ThatsNotPudding (1045640) | about a year and a half ago | (#42870107)

[unplugs Ethernet cables]
'That will be $20 million, please.'
