Slashdot: News for Nerds

Congressional Report: US Power Grid Highly Vulnerable To Cyberattack

Soulskill posted about a year ago | from the industry-strangely-averse-to-voluntary-protections dept.

Power 124

An anonymous reader writes "Despite warnings that a cyberattack could cripple the nation's power supply, a U.S. Congressional report (PDF) finds that power companies' efforts to protect the power grid are insufficient. Attacks are apparently commonplace, with one utility claiming they fight off some 10,000 attempted attacks every month. The report also found that while most power companies are complying with mandatory standards for protection, few do much else above and beyond that to protect the grid. 'For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs [Investor-Owned Utilities], 83% of municipally- or cooperatively-owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally- or cooperatively-owned utilities, and 62.5% of federal entities reported compliance.'"

124 comments

That's what ICBMs are for. (-1)

Anonymous Coward | about a year ago | (#43790569)

Zero in on the source of the cyberattack, and end it. If it's just a script kiddie, maybe you use a Tomahawk instead.

Re:That's what ICBMs are for. (2)

c0lo (1497653) | about a year ago | (#43790709)

Zero in on the source of the cyberattack, and end it.

Ummmm... and if the attack originates in a highly distributed bot-net? What about the script-kiddie is on US soil?

Re:That's what ICBMs are for. (1)

OhANameWhatName (2688401) | about a year ago | (#43790727)

What about the script-kiddie is on US soil?

The DOD's charter covers domestic terrorism.

Re:That's what ICBMs are for. (1)

compro01 (777531) | about a year ago | (#43790745)

Ummmm... and if the attack originates in a highly distributed bot-net?

Then you use more tomahawks, obviously.

What about the script-kiddie is on US soil?

Then you send in the drones.

Re:That's what ICBMs are for. (1)

Black Parrot (19622) | about a year ago | (#43790749)

Zero in on the source of the cyberattack, and end it.

Ummmm... and if the attack originates in a highly distributed bot-net? What about the script-kiddie is on US soil?

Or professionals launching the attacks from script kiddies' compromised machines.

Re:That's what ICBMs are for. (1)

Immerman (2627577) | about a year ago | (#43791239)

Just to support c0lo's point - all the anti-terrorism/anti-cyberwarfare mandates in the universe aren't worth a sneeze in a hurricane *after* a massively distributed zombie attack has been initiated. Hell, you could nuke half the planet and the remaining machines would still probably be more than enough to cripple the target. Now maybe the tinfoil hatters are right and 9/11 was known about well beforehand and allowed/encouraged to happen for political reasons. We'd better pray that they are, because physical security is trivially easy compared to cyber-security in the face of the 99% who don't give a $#@! so long as they can have their Bonsai Buddy "helping" them browse the 'net.

Re:That's what ICBMs are for. (0)

Anonymous Coward | about a year ago | (#43791801)

What about the script-kiddie is on US soil?

Then you get to tick that last annoying box on the "countries we've bombed" list...

Re:That's what ICBMs are for. (0)

Anonymous Coward | about a year ago | (#43791859)

What about the script-kiddie is on US soil?

Then you get to tick that last annoying box on the "countries we've bombed" list...

Yes, it's highly likely that will be the last, but... can it also be the first annoying box on that list, please? Pretty please?

Re:That's what ICBMs are for. (0)

Anonymous Coward | about a year ago | (#43792263)

Zero in on the source of the cyberattack, and end it.

Ummmm... and if the attack originates in a highly distributed bot-net?

Ummmm, nuke from orbit?

Re:That's what ICBMs are for. (1)

Shoten (260439) | about a year ago | (#43793233)

Zero in on the source of the cyberattack, and end it.

Ummmm... and if the attack originates in a highly distributed bot-net? What about the script-kiddie is on US soil?

Still not a problem...and here's why: things change when it becomes about nations. Espionage doesn't have an IP address, and neither does terrorism. Countries are already quite used to using a wide variety of both tactics and sources of information to find out who is behind a certain act even when those who commit the act take technical measures to mask their identity, nationality, and location. If anything, the connected nature of cyber attacks makes it easier to track them, even though you cannot trust that the IP address that's sending you X packets is actually located in the same nation as the aggressor. But even without that, you have signals intelligence and human intelligence which are incredibly effective at uncovering the source of enemy operations, among other things. When a guy in a small company gets hacked, he usually can't figure out who did it because these tools aren't available to him. But if the national power grid comes under concerted siege? Yeah, you bet that we'll figure out who is behind it using every tool available to us as a country.

Re:That's what ICBMs are for. (1)

Internetuser1248 (1787630) | about a year ago | (#43791091)

Zero in on the source of the cyberattack, and end it. If it's just a script kiddie, maybe you use a Tomahawk instead.

They are talking about Stuxnet. You want to fire tomahawks at Washington and Tel Aviv? I don't think the government is going to go for that idea.

Re:That's what ICBMs are for. (2)

chill (34294) | about a year ago | (#43792175)

That depends on which government you're talking about, comrade.

Re: That's what ICBMs are for. (1)

Redmancometh (2676319) | about a year ago | (#43792399)

This is a citation for failure to recognize a joke or troll. This is only a warning. However, future violations will result in immediate sterilization.

Re:That's what ICBMs are for. (1)

gmuslera (3436) | about a year ago | (#43792133)

Maybe it is for that that NATO is now recommending the assassination of hackers [issuu.com], and it is very [slashdot.org] easy [slashdot.org] to fall into their definition.

You're kidding me (3, Insightful)

Anonymous Coward | about a year ago | (#43790575)

Our power grid is plugged into the Internet? Can't they spend $40 on a Linksys router and call it good?

Re:You're kidding me (4, Informative)

OhANameWhatName (2688401) | about a year ago | (#43790735)

Can't they spend $40 on a Linksys router and call it good?

You can never spend $40 on a Linksys router and call it good.

Re:You're kidding me (2)

drinkypoo (153816) | about a year ago | (#43793015)

You can never spend $40 on a Linksys router and call it good.

You could, but now you can't, because it also says "Cisco" on the router, and now it sucks ass. That has to be one of the biggest blunders in networking corporate history. It harmed both brands.

Re:You're kidding me (1)

ebno-10db (1459097) | about a year ago | (#43793641)

Splurge for a Huawei. The PLA knows what it's doing.

Re:You're kidding me (2)

phantomfive (622387) | about a year ago | (#43790741)

The report doesn't say what kind of attacks, it could have been an attack on the secretary's computer. Here is what the report describes: "cyber attacks ranging from phishing to malware infection to un-friendly probes.....Much of this activity is automated and dynamic in nature able to adapt to what is discovered during its probing process.” Someone is running nmap.

"Able to adapt" does suggest that an intelligent agent is behind it, but it's hard to know without more detail.

Re:You're kidding me (1)

pixelpusher220 (529617) | about a year ago | (#43790929)

Ok, so they figure out the secretary visits eBay and plays solitaire. If you unplug the damned grid from the internet it can't be 'cyber' attacked in any way.

Re:You're kidding me (3, Insightful)

White Flame (1074973) | about a year ago | (#43790977)

Stuxnet spread via USB sticks, and successfully 'cyber' attacked nuclear refinement systems that were not on the net.

These regulations (at least from what I'm familiar with from the nuclear end of things) cover a lot of human & portable equipment policy, and destroy I/O ports in non-connected equipment to try to eliminate potential attack vectors or non-policy human activity that might compromise security. It does go beyond simply unplugging CAT5 cables.

so the real threat is (-1)

Anonymous Coward | about a year ago | (#43791367)

so the real threat is some jerk plugging in a USB stick to a pc running the electricity grid
ok i want to get paid to tell you the following
A) two cameras in that room with views and motion sensors on that usb slot
B) two people in that room at all times
watching the other
C) any software/change etc has to be thoroughly tested and can't be involved in any pc that has touched anything but the designers pc.
D) he also is watched like above
E) and has cameras like above

like 1 million jerks with top secret level security and it sounds all like it's donkey piss security
your fucking nation sounds more stupid every day and that rank 31 math really begins to show it

Re:You're kidding me (1)

pixelpusher220 (529617) | about a year ago | (#43793069)

So you're comparing our electric grid to Iran? What you're talking about is a personnel training issue - it's entirely fixable without granting the government massive cyber surveillance powers (well more than they have already).

Re:You're kidding me (3, Insightful)

lightknight (213164) | about a year ago | (#43791329)

Not going to happen. The US, and other parts of the world, have been very Marie Antoinette about internet / technology literacy, and the implications of a populace dependent on using said devices where the culture is set to super-apathy mode. They just...they don't care, and the way things are set up, there is no way to make them care, until the inevitable something horrid happens to them, then it's "why can't you guys do anything about this?"

Consider this: your average secretary for a CEO / Chairman / President of a company may or may not have the technological literacy to know whether or not his / her machine has become infected, and is now sending the VIP's electronic Rolodex / tax returns to some bad people. But the VIP is totally cool with how things are, until some insider breaks his company, or personally targets him. And then it's asking IT / the FBI to track down some people who have had a six month start, and probably swept their tracks right before their big heist. This is how technology illiteracy is killing companies.

   

Re:You're kidding me (1)

pixelpusher220 (529617) | about a year ago | (#43793107)

Consider this: your average secretary for a CEO / Chairman / President of a company may or may not have the technological literacy to know whether or not his / her machine has become infected, and is now sending the VIP's electronic Rolodex / tax returns to some bad people. But the VIP is totally cool with how things are, until some insider breaks his company, or personally targets him. And then it's asking IT / the FBI to track down some people who have had a six month start, and probably swept their tracks right before their big heist. This is how technology illiteracy is killing companies.

What if anything does this have to do with a cyber attack on the electrical grid?

Re: You're kidding me (1)

locutus2k (103517) | about a year ago | (#43792337)

keep in mind that the core infrastructure used by the power grid makes up a sizable chunk of the internet. not only is it used for commercial and residential Internet access but it is used for things like traffic light timing systems. with that in mind it can't just be unplugged. it has to be properly firewalled and segregated. hopefully that is being done and it has to be constantly monitored.

Re: You're kidding me (2)

pixelpusher220 (529617) | about a year ago | (#43793097)

The electrical grid does not make up a sizable chunk of the internet. Sure there's connectivity between various electrical sites but that's on physically separate networks that without someone plugging the wrong cable in aren't going to be accessible from the internet. The problem is they've attached lots of the command and control nodes to the internet, but the core electrical infrastructure is not on the internet.

Re:You're kidding me (0)

Anonymous Coward | about a year ago | (#43790937)

unfriendly probes, as in ssh login attempts, and they only have 10,000 of them per month?
I think I have more of those per month at home.

No, the idiots connect them to the Internet (2, Insightful)

Anonymous Coward | about a year ago | (#43791065)

Read it and weep, I'd be sacked if ever I did that, yet their network admins seem to think it's an 'improvement':

"Grid operations and control systems are increasingly automated, incorporate two-way communications, and are connected to the Internet or other computer networks. While these improvements have allowed for critical modernization of the grid, this increased interconnectivity has made the grid more vulnerable to remote cyber attacks."

So they took a critical system and connected it to every hacker and script kiddie on the planet, knowing that botnets endlessly test every IP address for vulnerabilities. And they complain about botnets testing the stuff THEY CONNECTED to the internet! WTF.

It's a case of incompetent sysadmins, coupled to a self serving 'cyber-war' agenda on behalf of the people who should be advising them to disconnect them from the internet!

Re:No, the idiots connect them to the Internet (2)

maxwell demon (590494) | about a year ago | (#43791429)

Read it and weep, I'd be sacked if ever I did that, yet their network admins seem to think it's an 'improvement':

"Grid operations and control systems are increasingly automated, incorporate two-way communications, and are connected to the Internet or other computer networks. While these improvements have allowed for critical modernization of the grid, this increased interconnectivity has made the grid more vulnerable to remote cyber attacks."

So they took a critical system and connected it to every hacker and script kiddie on the planet, knowing that botnets endlessly test every IP address for vulnerabilities. And they complain about botnets testing the stuff THEY CONNECTED to the internet! WTF.

It's a case of incompetent sysadmins, coupled to a self serving 'cyber-war' agenda on behalf of the people who should be advising them to disconnect them from the internet!

Something similar happened to me. I figured out that putting all my money in front of my door would be quite useful because I'd just take some of it when I leave the house, and I don't need my money inside anyway. However as soon as I did so, people just started to take away my money lying there! Who would have thought that!

Mod parent up (1)

Viol8 (599362) | about a year ago | (#43792091)

Wish I had mod points. It seems these days that vital computer networks are being run by the criminally clueless and lazy.

Re:You're kidding me (1)

Inda (580031) | about a year ago | (#43792653)

Try £10,000 on a box in the power station control room that's got "industrially secured" on the box. It's a firewall, fire blanket and fire extinguisher all rolled into one! It ticked all the checkboxes on the spec sheet. It cost £10,000. It's all we needed.

Except anyone can walk into the control room and push any buttons they like. There's even a USB interface on each PC.

Sure, this is not the grid (UK), it's the power generators. The grid is actually stuck 50 years in the past.

Well... (2)

fuzzyfuzzyfungus (1223518) | about a year ago | (#43790579)

It sure is a good thing that we've been focusing our efforts on defense, rather than developing sophisticated attack toolkits and releasing them into the wild where they definitely won't get reverse engineered and re-deployed...

Re:Well... (1)

anagama (611277) | about a year ago | (#43790875)

karma

Re:Well... (2)

Immerman (2627577) | about a year ago | (#43791249)

Touché. Reminds me of a maxim from a SF book from way back - in essence: "Never bring to a fight a weapon against which you have no defense."

Oh noes! (1)

angel'o'sphere (80593) | about a year ago | (#43790589)

Now the terrorists know it, too!

Re:Oh noes! (1)

OhANameWhatName (2688401) | about a year ago | (#43790759)

Now the terrorists know it, too

I think you're going too far calling the US congress terrorists.

Re: Oh noes! (0)

Anonymous Coward | about a year ago | (#43790769)

It is an insult to terrorists.

At least terrorists aren't complete sellouts.

Re: Oh noes! (1)

Immerman (2627577) | about a year ago | (#43791253)

You sure about that? From what I've heard in various case-studies, most terrorist organizations are in fact primarily fund-raising groups.

Protect against stuxnet? (0)

Anonymous Coward | about a year ago | (#43790603)

How will you defend yourselves against........ yourselves?

Re:Protect against stuxnet? (3, Funny)

chill (34294) | about a year ago | (#43792189)

Firewall off 127.0.0.1. Hell, might as well just blackhole the entire RFC 1918 space. Who needs 10. networks anyway?

Compared to spam? (1)

Anonymous Coward | about a year ago | (#43790607)

10,000 attempted attacks every month.

90,000 spam emails filtered in the same time period.

I guess it's not cool to call spam "tools of the terrorists" yet.

Re:Compared to spam? (2)

SuricouRaven (1897204) | about a year ago | (#43791287)

How many of those consist of viruses port-scanning the entire internet looking for a host running the particular version of some PHP admin console they need to infect?

I get thousands of phpMyAdmin login attempts every (0)

Anonymous Coward | about a year ago | (#43791623)

- day.

Good thing I don't have either PHP or MySQL installed on my server!

I run CentOS 5. By default it comes with a desktop GUI, and a modest number of daemons that run right out of the box. I disabled most of the daemons for a few days, to determine whether I really needed them at all, then used yum to remove the packages entirely. I also removed all the GUI software. There's only a few dozen packages installed now, just the bare minimum required for my server to operate.

Lots of hacks are distributed in source code form, then compile the Bag 'O Tricks after being deposited on the victim's box. The Morris worm did that. So I removed all the development tools.

From time to time, I find a completely exposed administrative login page on sites whose owners should know better, such as government agencies. If you must use a web form to log in as the admin, use .htaccess and htpasswd to hide that login page from the search engines!
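Added example, not part of the comment above or of the congressional report: a small Python log triage that separates probes for admin consoles that are not installed from requests that reached a live or password-protected admin page, which is the distinction the comments on "10,000 attempted attacks" and on `.htaccess`-protected logins turn on. The log lines, the path list and the outcome labels are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Apache common log format (documentation IP ranges,
# not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2013:03:14:07 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 209
203.0.113.7 - - [21/May/2013:03:14:08 +0000] "GET /pma/index.php HTTP/1.1" 404 209
203.0.113.7 - - [21/May/2013:03:14:09 +0000] "GET /phpMyAdmin-2.11.4/scripts/setup.php HTTP/1.1" 404 209
198.51.100.23 - - [21/May/2013:04:02:11 +0000] "GET /admin/login HTTP/1.1" 401 381
198.51.100.23 - - [21/May/2013:04:02:12 +0000] "POST /admin/login HTTP/1.1" 401 381
192.0.2.50 - - [21/May/2013:04:10:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.99 - - [21/May/2013:05:30:45 +0000] "GET /myadmin/ HTTP/1.1" 200 1043
this line is not a log entry
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Assumed list of admin-console path prefixes; extend it for your own estate.
ADMIN_PATH_RE = re.compile(
    r'^/(?:phpmyadmin|pma|myadmin|mysqladmin|admin)\b', re.IGNORECASE
)


def outcome(status):
    """Map an HTTP status to what the request tells a defender."""
    if status in (404, 410):
        return "absent"      # nothing installed at that path: background noise
    if status in (401, 403):
        return "protected"   # an access control answered before the application
    if 200 <= status < 400:
        return "reachable"   # something served the page: review this exposure
    return "other"


def summarize(log_text):
    """Count admin-console requests by outcome and by source address."""
    by_outcome, by_source = Counter(), Counter()
    needs_review, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1     # keep a count so parse failures are visible
            continue
        path = m.group("path").split("?", 1)[0]
        if not ADMIN_PATH_RE.match(path):
            continue         # ordinary traffic, not an admin-console request
        status = int(m.group("status"))
        kind = outcome(status)
        by_outcome[kind] += 1
        by_source[m.group("ip")] += 1
        if kind == "reachable":
            needs_review.append((m.group("ip"), path, status))
    return {
        "by_outcome": dict(by_outcome),
        "by_source": dict(by_source),
        "needs_review": needs_review,
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, value in report.items():
        print(key, value)
```

A raw request count mixes all three outcomes together; only the "reachable" entries describe an admin page that is actually exposed.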

After the fertilizer hits the ventilator (4, Insightful)

aphelion_rock (575206) | about a year ago | (#43790629)

Why bother with complex security measures?

(1) It costs money
(2) There is no measurable profit
(3) There is no measurable increase in productivity
(4) There is no measurable increase in share price
(5) The bozos who make the decisions usually don't understand the issues anyway

Only once the proverbial hits the fan will something be done and even then it will probably be blamed on the power lines sagging onto a tree on a hot day...

Re:After the fertilizer hits the ventilator (1)

Black Parrot (19622) | about a year ago | (#43790723)

Your conclusion is probably right, but one workaround would be for Congress to grant the utilities big bucks to fix it, whereupon entrepreneurs with solutions (and con artists with "solutions") would pop up all over. That would take care of (1), (2), and (4).

Not sure I like that suggestion, but admittedly it is in our national interest to do something about it.

I vaguely remember reading that our national grids are a mere hop and a skip of the Grim Reaper, even without cyberattacks.

Re:After the fertilizer hits the ventilator (3, Interesting)

c0lo (1497653) | about a year ago | (#43790791)

Why bother with complex security measures?

(0) We have laws that criminalize the breach of ToS-es, so it's no longer our problem... we have 3-letter-agencies and US Attorney Carmen M. Ortiz to protect us.
Our mission is not security but to make profits (e.g. externalize costs, avoid taxes, etc; if it would lead to increased profits, we'll even lobby the Congress to repeal the Law of gravitational attraction)

(1) It costs money
(2) There is no measurable profit
(3) There is no measurable increase in productivity
(4) There is no measurable increase in share price

Only once the proverbial hits the fan will something be done and even then it will probably be blamed on the power lines sagging onto a tree on a hot day...

FTFY

Re:After the fertilizer hits the ventilator (1)

jhoegl (638955) | about a year ago | (#43790919)

There IS measurable profit and increase in productivity, which will lead to increase in share price.
Once you realize a grid is down, and you are losing money to a preventable issue, you will be able to determine the cost.
Of course this is reactive thinking instead of forward thinking, something only money grubbing corps do.
Productivity is increased or recouped because you aren't hiring people to chase after viruses, paying OT to people fixing something in the middle of the night, and losing time on their work because of all of this.
I mean seriously, it takes 5 seconds of forethought to know how to "measure" this.

Re:After the fertilizer hits the ventilator (2)

Slick_W1lly (778565) | about a year ago | (#43791491)

Yeah, but it 'doesn't work'

Take, for example, the latest hurricanes on the east coast. Or better 'snow on the trees' of 2012 fame.
Lots of trees came down. Fell on power lines, cut power to my neighbourhood for a week. Hurricane sandy was 2-to-3-weeks for most in my area.

One assumes they lost a shedload of business during that period, but until $lost-for-not-providing-power > the cost of *burying the damn power lines* it won't happen.
They beg and whine and moan at the state for money to perform the stupidly obvious action that they should be taking upon themselves.

Hell, my country (Britain) started burying the power lines after WW2 (when bombs did it for them). The USA still puts them on poles and makes houses out of sticks. Didn't y'all learn from the three little pigs?

Moronic.

Re:After the fertilizer hits the ventilator (1)

White Flame (1074973) | about a year ago | (#43790985)

(6) Nobody wants to commit to responsibility to cybersecurity policy & procedure, in case it doesn't work.

Re:After the fertilizer hits the ventilator (1)

aphelion_rock (575206) | about a year ago | (#43791183)

(6) Nobody wants to commit to responsibility to cybersecurity policy & procedure, in case it doesn't work.

Very true
This was my experience with the Y2K program. I looked at what was being done and commented that it wasn't addressing the whole issue. The response: "We need to look like we are being seen to be doing the right thing so we cannot be sued for negligence" rather than actually putting in a technically correct solution.

Re:After the fertilizer hits the ventilator (1)

Anonymous Coward | about a year ago | (#43792413)

Hence why the for-profit utilities have far lower security compliance rates than the government run ones. Unless you start micromanaging penalty structures (while various political parties try and poke holes in them) the cheapest way to run something is rarely the way that is in the best interest of the general public, and business selection pressure is always to the cheapest way. It's no good saying "oh, but when the utilities that do not implement security fail, people will stop paying them!", that's closing the barn after the horse has bolted.

Congressional Report: (0)

fustakrakich (1673220) | about a year ago | (#43790667)

Sky highly vulnerable to gravity. Likely to fall any second now..

Re:Congressional Report: (1)

OhANameWhatName (2688401) | about a year ago | (#43790773)

It may even be time to panic [youtube.com] .

Yeah ... this is bullshit (0)

Anonymous Coward | about a year ago | (#43790703)

I used to work in the industry, most sites are mandated to have air-gaps between their internal and external networks.

Re:Yeah ... this is bullshit (1)

phantomfive (622387) | about a year ago | (#43790715)

Iran had airgaps too, but that didn't protect them against Stuxnet. Air-gaps are good, but not sufficient.

Re:Yeah ... this is bullshit (1)

Black Parrot (19622) | about a year ago | (#43790731)

Iran had airgaps too, but that didn't protect them against Stuxnet. Air-gaps are good, but not sufficient.

Problem with air gaps is, most people have an air gap between their ears.

Re:Yeah ... this is bullshit (1)

OhANameWhatName (2688401) | about a year ago | (#43790793)

Iran had airgaps too, but that didn't protect them against Stuxnet

Precisely. What if Stuxnet attacked US power plants??

Re:Yeah ... this is bullshit (2, Informative)

Anonymous Coward | about a year ago | (#43791059)

Actually most of the equipment covered under NERC is custom embedded firmware. An air gap in this case is actually highly effective. In order to install a Trojan you need to access one of about 5,000 computers run by a select few people and trick them into installing a new firmware version on a proprietary system. Firmware updates are fairly uncommon, and take a lot of time with these systems (typically 9600 baud through a serial port). To do this automatically behind the users back would be highly unlikely as it would cause a visual reset condition on the hardware. The hacks that have been implemented primarily target SCADA systems, so if you have no SCADA you have virtually no issue.

Note that I actually am a contractor that specializes in NERC compliance. The problem is that without SCADA your system is less usable, and requires a lot more direct maintenance (more downtime when something happens).

I would actually be more afraid of a custom bug targeting transmission systems than generation.

There are much bigger issues that need to be addressed here. I can't go into the specifics on this but there are a lot of things that scare me more than computer viruses.

The Canadian Coast Guard uses SCADA, US Doesn't (0)

Anonymous Coward | about a year ago | (#43791649)

My first week at Trihedral Engineering [trihedral.com] , a Canadian HMI/SCADA vendor, I attended a product training course with a Coast Guard vessel's chief engineer. They had our software installed in their ship's bridge, driving PLCs all over the ship.

I also have a friend who is in the US Coast Guard. He's stationed in Alaska, and enforces fisheries regulations. He programs lots of his ship's PLCs directly with ladder logic. All these PLCs run independently; there is no central computer as with Canadian vessels. When I told him what the Canadian practice was, he replied that they were all insane because such a system could not be reliable.

The US Coast Guard is a real low-budget operation. That must be the real reason they don't use HMI/SCADA on our vessels. Bart told me that there was no way I could contact him when I was at sea, not even via email. Even the US Navy has Internet on its ships, it's easy to email a Navy man.

Re:Yeah ... this is bullshit (1)

OhANameWhatName (2688401) | about a year ago | (#43790781)

most sites are mandated to have air-gaps between their internal and external networks

The air isn't the problem, it's the wires.

Re:Yeah ... this is bullshit (0)

Anonymous Coward | about a year ago | (#43790901)

And since when have air gaps prevented internal wireless networks from being accessed externally?

Re:Yeah ... this is bullshit (1)

Immerman (2627577) | about a year ago | (#43791277)

Since always. "Airgap" is an anachronistic term that originated before the proliferation of wireless networks. If it's physically possible for a signal to get between the internal and external networks you don't have an airgap. And yes that pretty much means that, actual air aside, if you have a wireless internal network outside of a secure faraday cage you *don't* have an airgap.

All the damage caused (2)

phantomfive (622387) | about a year ago | (#43790775)

The report mentions there has not been a single instance of damage caused by cyber-attacks.

There has been damage, however, " the only physical attacks experienced on their systems seemed linked to acts of vandalism and thefts of copper. Most incidents appeared unrelated to terrorism. However, one federal entity that owns a major piece of the bulk power system reported a Molotov cocktail was thrown at a dam."

I have no idea what to think of that.

Re:All the damage caused (0)

anagama (611277) | about a year ago | (#43790887)

Drunk kids having a little fun. Basically ... all kids are terrors in one way or another. Too bad we've moved way beyond imposing a fine, a stern talking to, and maybe a few hours picking up garbage on the freeway.

Re:All the damage caused (1)

Immerman (2627577) | about a year ago | (#43791303)

If the only "terrorists" we have to worry about are idiots stupid enough to throw a Molotov cocktail on a dam as though that would actually hurt anything then there's not much point in defending against them. Frankly though I don't think terrorists are the problem. Realistically, when has a terrorist caused much more than an inconvenience and a few days of overdramatic journalism? 9/11? More deaths and property damage occur via bad luck and stupidity in any 24-hour window. The only thing that made it noteworthy was that it was concentrated in one place and the video made for good ratings.

Re:All the damage caused (1)

DarkOx (621550) | about a year ago | (#43791685)

I think the parent's point was that they were probably just some kids, not terrorists. I recall as a kid playing with fire, my friends and I would deliberately choose large relatively impervious cement structures like those big storm drain tubes etc because we could be pretty certain we would do no damage to them, and there would be nothing flammable near by for fire to spread to.

If you want to see what a Molotov cocktail will do, throwing it against the side of a big concrete dam is probably about the safest place possible. Yes it's still a pollution source and such, and a stern word and even a fine probably make sense, but we don't know the intent and it's silly to assume it's terrorism.

Re:All the damage caused (0)

Anonymous Coward | about a year ago | (#43793139)

If you wanted to do some real damage to the power system a simple intermediate powered (7.62x39, 5.56x45, .30-30) or high powered (.308, .30-06, 7.62x54r) rifle round to a few transformers at various substations would do the trick. There typically isn't much security beyond a chain link fence around them and in remote areas a getaway would be easy and there wouldn't be any witnesses. When the transformer blows it will get rid of the bullet and bullet hole so tracing it back becomes even more difficult, especially if you aren't a complete retard and police up your brass. Now toss in that those transformers are very expensive and very reliable when not shot so power companies tend to not keep many extras on hand and there is a substantial lead time when ordering new ones and it would quickly create problems. Even shooting a few pole pigs in an area would do substantial damage to the system for similar reasons but it wouldn't be as widespread of an effect or as expensive to repair.

Easy Way (1)

hitechito (2923083) | about a year ago | (#43790845)

Your conclusion is probably right, but the decision will be for Congress to give a lot of money to solve, why entrepreneurs and their solutions (and crooks "Decision"), pop-up everywhere. Care should be taken (1), (2) and (4). Not sure I like this proposal, but really in our national interest to do something about it. I vaguely remember reading that our national network are just a hop and a jump from the mower, even without the cyber attacks. By Hi-Tech ITO

Vulnerable From Within ! (0)

Anonymous Coward | about a year ago | (#43790853)

At the opportune moment the President of the United States of America will issue an order to destroy the power grids across the contiguous USA and the killing of the executive staffs of the companies in charge. This operation will take approximately 15 minutes to accomplish given pre-positioning of assets.

Re:Vulnerable From Within ! (1)

Dutchmaan (442553) | about a year ago | (#43790897)

At the opportune moment the President of the United States of America will issue an order to destroy the power grids across the contiguous USA and the killing of the executive staffs of the companies in charge. This operation will take approximately 15 minutes to accomplish given pre-positioning of assets.

I would have thought you were Glenn Beck for a moment except you didn't frame your paranoia as a question...

Re:Vulnerable From Within ! (1)

Immerman (2627577) | about a year ago | (#43791311)

No, see, that's the benefit of posting anonymously - you don't have to phrase your blatantly libelous accusations as a question in order to avoid legal liability.

And the software... (1)

Anonymous Coward | about a year ago | (#43790873)

I worked on some of the software that manages the bidding and load-balancing of the grid that powers much of the US and some smaller portions of the world. I have to say that it, by far, was some of the worst software I have ever seen in my life. Spaghetti like you wouldn't believe.
To be clear, it wasn't the code that actually ran the grid, but it told the grid the optimal way to run at certain times.
Bug fixes were "fixed" by - how to say it - filtering existing code. We weren't allowed to change existing code, we had to write stuff on top of bugs to fix them. I will say that it took about six months for even the simplest code to make it into production. Very thorough testing at least. If you like to work slow, that was the place.

lowballing (-1)

Anonymous Coward | about a year ago | (#43791013)

The real number is 86400 attacks per day. That's what I see on my internet connection. 20 megabytes per day of attacks from the Chinese.

I've heard it said NetFlix accounts for 50% of the traffic on the US internet from 5pm to midnight, no matter the time-zone.

The Chinese hackers must account for the rest, only they're operating 24 hours a day, 365 days a year.

All countries should block China at the BGP level, if for no other reason than to speed up the internet for all of their citizens.

Big interests screwing us all over... (0)

Anonymous Coward | about a year ago | (#43791023)

Big interests are going to cause us all disaster! They will plug the entire system into the internet so that the boss can watch the power grid dashboard from his cell phone or tablet while in her jammies at home (possibly while creating and sending lightning bolts to the special other). That there are critical systems plugged into the 'net for kiddies to game is not the only disconcerting thing here though. The big interests will shout bloody murder when someone wants to connect their solar panel/wind charger network to the grid (allowing them to put excess power into the grid and get paid for it). "NO!" they cry, "We sell power to customers! Customers don't sell power to us!" They might install slightly larger systems so that instead of just satisfying their own needs, they can provide power to others and get paid for it. It could even keep a local part of the grid up while all others around them suffer power failures. It's not hard to get parts of a grid in sync later either. Years ago I had a computer that could take its entire clock sync (memory, the processor, main bus, everything from an external outside source). You could send a sync signal to a grid so that local grids lock phase with an external grid (the main grid). But they don't do that either. I'm not exactly a tree hugger, but I am big on using local resources and being self reliant. If you could be for putting power into the grid, it could solve the vulnerability of the grid. Germany allows it. No one in North America does.

Feeding an island is DEADLY. (5, Informative)

Ungrounded Lightning (62228) | about a year ago | (#43791349)

It could even keep a local part of the grid up while all others around them suffer power failures.

And that is a BIG no-no. Because it kills linemen trying to fix the outage.

Those transformers work both ways. Your little generator or inverter gets stepped up to maybe 8,000 or 12,000 volts. Then a lineman who thinks the power is down brushes against a wire (or comes within a quarter-inch of it) and is "burned" - to death.

Grid-connected inverters with a "sell" feature MUST monitor the network and shut down if they detect islanding - being cut off from the grid, with one or a collection of generators running autonomously. It's perfectly OK to feed power into the grid when it's up (if you're using UL approved equipment, connected according to code, inspected for compliance, and the utility knows you're doing it according to the rules.) It's perfectly OK to have things wired so your equipment still feeds your house if the grid goes down, but it MUST cut itself off from the dying or dead grid and stay off until the grid comes back up and stabilizes at the nominal voltage and frequency.

Re:Big interests screwing us all over... (0)

Anonymous Coward | about a year ago | (#43792383)

If you could be for putting power into the grid, it could solve the vulnerability of the grid. Germany allows it. No one in North America does.

That's not true. There is a national requirement in the US that utilities support net metering (also Canada supports it). Source: http://en.wikipedia.org/wiki/Net_metering#United_States [wikipedia.org]

Unfortunately, this doesn't really solve anything. Net metering tends to increase the variability of the power needed rather than reduce it. An increase in variable power requires more oil or natural gas to compensate when the power is not available.

What's worse? Terrorists or tornadoes? (1)

blindseer (891256) | about a year ago | (#43791085)

Out here in "flyover country" we have storms, tornadoes, lightning, wind, ice, and snow. Power outages, while not all that common, are just something we have to deal with. I see big diesel or natural gas generators outside every government building and most businesses. A lot of homeowners I know have their own portable generators. When storms come through someone inevitably loses power, it happens. It can take a few hours to get fixed, in rare and extreme cases it can take days. Life goes on.

What kind of damage could a cyber attack on the electrical grid do? It will be inconvenient certainly. Just this last Monday I had to take a minor detour around some downed power lines while driving to work. On Tuesday the roads were clear and the power back on as far as I could tell. Other than a handful of people in Oklahoma that had travel difficulties it seems everyone went to work on Monday where I work.

I'm just trying to imagine the damage that a successful cyber attack on the power grid might cause. Then I try to imagine that damage as compared to weather out here in the Great Plains. If people here were even told it was a terror strike then would anyone believe them? How would people act differently?

I'm sure that there are means to harden the power grid from cyber attacks but they would either be prudent also for natural disasters or overkill for such a small risk.

There is already a large number of natural gas generators around here. I'm not sure how much but it sits idle for long periods of time until needed. Data centers are equipped to sell any excess to a utility. There are spares for all kinds of gear. There are a lot of windmills to help along.

If the big boys, nuclear and coal, have to go down then it could take days to come back up. Once they are back to full steam then we know our troubles are over.

What should I be worried about?

Re:What's worse? Terrorists or tornadoes? (2)

SuricouRaven (1897204) | about a year ago | (#43791301)

If you can trigger a cascade failure, you could black out a state for days. It's happened by accident before.

It'd have to be an inside job, though. Even if someone outside could compromise the security, only someone with very precise knowledge of how the grid is built could pull off a cascade failure. Not just how it's designed, but how all those really tidy schematics translate to the real equipment - only someone who works with it would know, for example, if a breaker rated for 65A is going to trip reliably at 70A, or that substation 2398-A-49 is located in the middle of Old Man Triggerhappy's ranch and it'll take two days arguing before he'll stop waving his shotgun at the 'trespassers' who need to fix it.

Re:What's worse? Terrorists or tornadoes? (1)

Immerman (2627577) | about a year ago | (#43791341)

Heck, I suffered multi-hour power outages several times near downtown Denver over the course of a couple years. Shit happens, people deal with it. So long as nobody manages to blow anything up it's just a nuisance. And an excuse to eat all that ice-cream in the freezer, just in case.

A power outage in Quebec killed some people (0)

Anonymous Coward | about a year ago | (#43791571)

There was a powerful snowstorm that knocked down entire transmission towers all over the province. People were freezing to death, especially people with weakened metabolisms such as the elderly.

I've lived in Maine, Washington, Idaho, Nova Scotia and Newfoundland, so I know what a power outage is like. But if an attack on the grid were intelligently done, you could take out most of the country.

New York City has had two blackouts. My father had a Master's Degree in electrical power engineering, so I know how this usually works. The ultimate cause could be as minor as a failure to trim a tree away from a power line.

It's extremely difficult to run AC power all over both the US and Canada - they're directly interconnected - because we use AC current. If two different generating plants weren't precisely synchronized at the point that their power lines connected, there would be a lot of current flow due to the out of phase voltage, that would melt the power lines or make transformers explode. Many of the electrical substations that the power companies use adjust the phase of the current so that doesn't happen.

If the power goes out in one region, the voltage on its lines will drop to zero. Neighboring regions, if not tightly controlled, will flood that first region with current. They'll get overloaded in turn, then drop out.

Very weird priorities (4, Interesting)

http (589131) | about a year ago | (#43791219)

OMNI magazine recently set its archives loose online. Check the January 1989 issue, "The Rules of the Game" (http://archive.org/stream/omni-magazine-1989-01/OMNI_1989_01#page/n17/mode/2up, flip to page 42) for the low tech nightmare. If you think the nation without a power grid would make for a seriously bad month, you lack imagination. Try a seriously bad year, or longer. Pretty much every piece of infrastructure is built with the assumption that electricity is somewhere close at hand.

The physical infrastructure of the power grid is an infinitely easier target, with gigantic ROI for terrorists or actual enemy agents. The $100,000 you could spend for a good 0-day would be better spent on a few RPGs and some half-decent watches. Network attacks are a fool's errand. If you want to prevent awful things, your money is better spent on guards.

That OMNI article may be the first "How can I unknow this?" moment of my literate life.

Re:Very weird priorities (1)

SuricouRaven (1897204) | about a year ago | (#43791321)

1. Google maps reveals power lines.
2. Minions take angle grinders to pylons at agreed times.
3. Minions run to another location before anyone arrives to investigate.

One team of minions could trash many pylons before being caught, and a toppled-over pylon would take days to re-erect even if every shortcut was taken in construction. No rare or expensive resources required.

Re:Very weird priorities (1)

Mashiki (184564) | about a year ago | (#43791561)

Funny you mention that, because police here in Canada have been warned to watch for natives doing this in order to disrupt the country. It's been an on-going warning since the 1980's.

Re:Very weird priorities (1)

drinkypoo (153816) | about a year ago | (#43792989)

Funny you mention that, because police here in Canada have been warned to watch for natives doing this in order to disrupt the country. It's been an on-going warning since the 1980's.

This is what I came to say, not this specific thing, but that it's bullshit. How the hell do you watch for people doing this? For that matter, you don't even need an angle grinder, just a hack saw. It would take a long time, but it's much easier to conceal and a lot lighter to carry around. The truth is that most of our cities get power through just one or two points and it would be easy to disrupt them, but nobody is actually even trying. We know nobody is trying because of how pathetically easy it would be.

Re:Very weird priorities (1)

CanadianRealist (1258974) | about a year ago | (#43793189)

No need for an angle grinder, a wrench will do just fine.

It would take a while to beat the effect of the 1998 ice storm. [wikipedia.org] It downed more than 1000 pylons.

Re:Very weird priorities (1)

Anonymous Coward | about a year ago | (#43793219)

Fuck wasting time on pylons shoot some of the large transformers at a substation with a rifle. If you can't find a substation to shoot transformers in then shoot some of the pole pigs. Google maps also reveals where sub stations are. As an added bonus you can shoot a transformer from a greater distance than taking an angle grinder to a pylon not to mention the time difference between the 2 options.

let me say (0, Insightful)

Anonymous Coward | about a year ago | (#43791325)

NO its not the power grid that is the problem
ITS THE FUCKING RETARDS IN YOUR GOVT THAT ARE YOUR THREAT.....
Who the fuck makes this shit
no fucking really time to get nasty ass on old people that have no fooking excuse to do insane things like ...i dunno make the entire electricity grid accessible to a smuck idiot dumb nuts script kiddy....
USA should be turned into DIM
DUMB IDIOT MORONS
smarten then fuck up and dont you dare take someones civil rights cause you wankers designed a system that deserves to get bitch slapped to show HOW RETARDED YOU ARE

Re:let me say (1)

OhANameWhatName (2688401) | about a year ago | (#43791375)

No need to get all worked up, the article is talking about electricity infrastructure, your bridge is still safe.

More "Cyber-Attack" FUD (0)

Anonymous Coward | about a year ago | (#43791391)

There sure has been a lot of it lately. Seems like someone wants to justify those internet-tapping datacenters pretty badly and push through more SOPA/PIPA/Whatever other Internet power-grab bills pretty badly.

I used to develop HMI/SCADA. I resigned in protest (2, Interesting)

Anonymous Coward | about a year ago | (#43791539)

Human Machine Interface / Supervisory Control And Data Acquisition. That's the proper name for the central control of a distributed industrial control system. Just one of our licenses controlled a giant automobile assembly plant from a single PC, that if I understand correctly turned out a new pickup truck every fifteen seconds.

If you're going to attack a nation's power grid, you attack that power grid's HMI / SCADA installations. That's easier to do than you think, because remote installations are often controlled via dialup modem, and lots of installations are right on the internet. The people who install this stuff, while generally well-trained by the vendor, are usually industrial engineers who have little understanding of modern security practices.

This company didn't know how to do C++ memory management.

One day a colleague proudly announced that she had found the cause of a memory leak - leaks are disastrous in HMI/SCADA, because the software runs uninterrupted for years on end sometimes - to be a failure to delete a pointer. She checked in a fix that did an explicit call to delete, then reassigned the bug to QA to verify.

Well I filed a bug against her specific fix, then broadcast a short, stern, loud angry email about the importance of smart pointers, not just for memory management, but for all resource management - network sockets and the like. I've worked in a lot of C++ shops, but have been astounded that very few alleged C++ coders know what smart pointers or initialization lists are.

My boss ordered me to stop filing bug reports like that. I resigned not long after. I didn't even give them notice; I sent them a written resignation via email from home, then just stopped showing up to work, not even to pick up the personal possessions I'd brought there. Eventually they packed them up and mailed them to me in a box.

When I interviewed, my future boss told me it was a million-line program that was only half done - a half-million lines of code! - after twenty years of development. I didn't want to drive the company out of business, or tip off the terrorists as to how to crash our industrial economy, so I kept quiet about it for seven years. I figured that if they were going to fix their memory management, seven years ought to be enough. If they didn't, then that program would be riddled with exploits.

Tell them Michael Crawford [goingware.com] sent you. I'm posting as Anonymous Coward because I can't be bothered to recover my /. password.
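The difference the comment above draws between patching a leak with an explicit release and tying the release to a smart pointer, as an added example that is not part of the original post or of any vendor's code. The `Channel` type, the eight-slot pool and the poll functions are hypothetical; the pool stands in for the heap so the leak shows up as a count.

```cpp
#include <array>
#include <cstddef>
#include <iostream>
#include <memory>
#include <stdexcept>

// Hypothetical device channel. A fixed pool stands in for any finite
// resource (heap, sockets, handles) held by a process that runs for years.
struct Channel {
    bool in_use = false;
    bool device_ok = true;
    int read() const {
        if (!device_ok) throw std::runtime_error("device not responding");
        return 42;  // constructed sample reading
    }
};

constexpr std::size_t kPoolSize = 8;
static std::array<Channel, kPoolSize> g_pool;

Channel* acquire(bool device_ok) {
    for (Channel& ch : g_pool) {
        if (!ch.in_use) {
            ch.in_use = true;
            ch.device_ok = device_ok;
            return &ch;
        }
    }
    throw std::runtime_error("channel pool exhausted");
}
void release(Channel* ch) { ch->in_use = false; }
void reset_pool() { for (Channel& ch : g_pool) ch.in_use = false; }

std::size_t channels_in_use() {
    std::size_t n = 0;
    for (const Channel& ch : g_pool) n += ch.in_use ? 1 : 0;
    return n;
}

// Explicit-release style: correct on the happy path, but release() is
// skipped whenever read() throws, so each failed poll keeps one slot.
int poll_manual(bool device_ok) {
    Channel* ch = acquire(device_ok);
    int value = ch->read();  // throws when the device is down
    release(ch);             // never reached on the error path
    return value;
}

// RAII style: the deleter runs when `ch` goes out of scope, including
// during stack unwinding, so no exit path can skip the release.
struct Releaser {
    void operator()(Channel* ch) const { release(ch); }
};
using ChannelPtr = std::unique_ptr<Channel, Releaser>;

int poll_raii(bool device_ok) {
    ChannelPtr ch(acquire(device_ok));
    return ch->read();
}

// Polls a failing device `attempts` times, then polls a healthy one.
// Returns true if that final poll still succeeds.
bool survives_outage(int (*poll)(bool), int attempts) {
    for (int i = 0; i < attempts; ++i) {
        try { poll(false); } catch (const std::runtime_error&) {}
    }
    try { return poll(true) == 42; }
    catch (const std::runtime_error&) { return false; }
}

int main() {
    bool raii_ok = survives_outage(poll_raii, 20);
    std::cout << "RAII:   healthy poll ok=" << raii_ok
              << ", slots held=" << channels_in_use() << "\n";
    bool manual_ok = survives_outage(poll_manual, 20);
    std::cout << "manual: healthy poll ok=" << manual_ok
              << ", slots held=" << channels_in_use() << "\n";
    return 0;
}
```

With the explicit-release version, a short device outage consumes every slot and the process can no longer poll a healthy device until it is restarted.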

Sensationalist report (1)

dutchwhizzman (817898) | about a year ago | (#43791593)

This report actually tells that with a few exceptions, the grid is protected in the way that federal regulations require. It then goes on to say that federal regulations are not strict enough. It comes up with "tens of thousands of attacks" where everyone that knows what this is about will know that these are a few standard port scans. If you count every package as a single attack, you'll get into big numbers easily. It claims destruction of tens of thousands of hard drives at an Arab oil company, while in truth, these drives weren't damaged, but the contents of them was wiped or changed due to a large scale virus infection. The company had good backups in place and as far as is publicly known, no significant amount of relevant data was lost. The entire attack did cost a lot of money, but nothing vitally critical was damaged and the company is still in business today. I'm not sure, but I doubt the attack even hindered them pumping or selling a single gallon of oil.

The biggest actual threat the report can come up with is physical damage to large distribution station transformers. To damage these, physical action, not cyber, will have to be taken. This is out of scope of the research and should have been kept out of the report.

There are many good recommendations in the report that will improve resilience and resistance against cyber attacks on the US national power grid. However, the tone and exaggeration of the report will make it hard for professionals to take it seriously and for politicians to "do the right thing" and get the things in place to make the recommendations become true.

Re:Sensationalist report (0)

Anonymous Coward | about a year ago | (#43792645)

Agreed. This is a report for managers to ask for more money from the VP's. This is NOT a report for those who know how things really work.

Anyone who's run an Internet-facing system with any sort of IDS / packet-logger knows that there are ALWAYS things out there scanning your IP range. Whether you are running a flower shop or a SCADA system, the scans are the same. The big question is - how do you handle it?

My small IP range got thousands of hits per month. Sometimes a thousand a day. And this was for a small DSL network. So that part of this report - means absolutely nothing to me. Unless network admins are complete idiots (which most will not be), they've got a system firewall in place to disallow these scripted port scans. It's sensationalistic drama for people who don't understand that the underbelly of the Internet isn't all lolcats and unicorns.

What about the banking system? (1)

clickclickdrone (964164) | about a year ago | (#43791597)

I remember an 80's movie called Prime Risk where some girl is working on an ATM hack then realises terrorists are already in the system planning to blow up key data nodes to bring the banking system to its knees. I liked it because she used an Atari 800/810 disk drive for everything but it was still an OK film from memory.

Compromised windows machines portscan everyone (0)

Anonymous Coward | about a year ago | (#43791923)

The scriptkiddie infections on American homes (and anyone abroad, where they will be labelled "terrorist") portscan. That means "try a random machine that can be reached for infecting with the same virus". That isn't an attempt to "bring down the power grid", it's because a virus writer DOES NOT CARE if it tries to portscan the energy secretary's PC, the Linux webserver, the RTOS bespoke controller for the grid (the latter two it is not programmed to infect and therefore is unable to infect). It isn't trying to own them in order to bring the USA's infrastructure down.

Seriously, Die Hard 4 was an enjoyably SILLY movie, but the real damage done wasn't the hollywood idiotic attempts at geek tech terms, but that some silly fuckers in the US government apparently BELIEVE IT WAS A DOCUMENTARY.

Long Line Vulnerability (0)

Anonymous Coward | about a year ago | (#43791981)

Cyber attack is one issue but a small band of people dedicated to messing up power lines could have a dramatic effect as well. It is rather like Jesse James and an endless string of banks in every direction. People with a tiny knowledge of power lines could destroy quite a few lines with ease. The implication is that any protest or revolutionary group that has willing members could seriously damage the power supply and create a situation where constant use of troops would be required just to keep lines standing. It requires no equipment or explosives at all to do such things.

Other problems might include people trained to destroy a sewage treatment facility as chaos would result if sewage could not be pumped.

It is always better not to be hated as no matter who you are you are always more vulnerable than you might suspect.

Must Be Reasonably Protected (1)

Habberhead (178825) | about a year ago | (#43792371)

If a single utility is resisting 10,000 attacks a month, then there must be hundreds of thousands of attempts across the entire country network each week.

Since we don't read about the chaos the system overall seems to be reasonably well protected and contradicts the phrase "highly vulnerable".

Re:Must Be Reasonably Protected (1)

PetiePooo (606423) | about a year ago | (#43792715)

The 10000 attempted attacks per month is the CIO's way of justifying their core firewall. Every SYN packet that hits port 22 is an attempted attack.

You see, they need big scary numbers to justify to the CFO why they need a maintenance contract on their overpriced Cisco what-cha-ma-call-it doothingy that separates their network from the wild and caa-razy internet. "10000 attempts?!? Wow! Good job, Biff. Here's your budget."

Sad. But true.
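The arithmetic behind the "10,000 attacks" figure debated in the comments above, as an added example that is not part of any post: the same dropped-packet log counted once per packet and once per burst from a source. The log format, the 300-second quiet gap and the three-port sweep threshold are assumptions, the log lines are constructed, and the input is assumed to be in timestamp order.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>

// Constructed sample of dropped inbound packets: "<epoch> <src> <dport> <flags>".
// Addresses come from the RFC 5737 documentation ranges.
static const char* kSampleLog =
    "1369200000 198.51.100.7 21 SYN\n"
    "1369200001 198.51.100.7 22 SYN\n"
    "1369200001 198.51.100.7 23 SYN\n"
    "1369200002 198.51.100.7 80 SYN\n"
    "1369200002 198.51.100.7 443 SYN\n"
    "1369200100 203.0.113.20 22 SYN\n"
    "1369200103 203.0.113.20 22 SYN\n"
    "1369200109 203.0.113.20 22 SYN\n"
    "1369200121 203.0.113.20 22 SYN\n"
    "1369200145 203.0.113.20 22 SYN\n"
    "1369200193 203.0.113.20 22 SYN\n"
    "1369200500 192.0.2.99 3389 SYN\n"
    "1369200600 192.0.2.50 443 ACK\n"        // not a connection attempt
    "garbled line from a truncated write\n"  // malformed, skipped
    "1369207400 203.0.113.20 22 SYN\n"
    "1369207402 203.0.113.20 22 SYN\n"
    "1369207406 203.0.113.20 22 SYN\n";

struct Summary {
    std::size_t syn_packets = 0;  // the "every packet is an attack" figure
    std::size_t events = 0;       // bursts per source, split by the quiet gap
    std::size_t sources = 0;      // distinct source addresses
    std::size_t sweeps = 0;       // events that touched >= 3 distinct ports
    std::size_t skipped = 0;      // malformed or non-SYN lines
};

Summary summarize(const std::string& log, long gap_seconds) {
    struct State { long last_seen; std::set<int> ports; };
    std::map<std::string, State> by_source;
    Summary out;
    std::istringstream lines(log);
    std::string line;
    while (std::getline(lines, line)) {
        std::istringstream fields(line);
        long ts = 0;
        int port = 0;
        std::string src, flags;
        if (!(fields >> ts >> src >> port >> flags) || flags != "SYN") {
            ++out.skipped;
            continue;
        }
        ++out.syn_packets;
        auto it = by_source.find(src);
        if (it == by_source.end() || ts - it->second.last_seen > gap_seconds) {
            // First packet from this source, or it went quiet: new event.
            ++out.events;
            if (it == by_source.end())
                it = by_source.emplace(src, State{ts, {}}).first;
            it->second.ports.clear();
        }
        it->second.last_seen = ts;
        // Count a sweep once, at the moment an event reaches its third port.
        if (it->second.ports.insert(port).second && it->second.ports.size() == 3)
            ++out.sweeps;
    }
    out.sources = by_source.size();
    return out;
}

int main() {
    Summary s = summarize(kSampleLog, 300);
    std::cout << "SYN packets: " << s.syn_packets << "\n"
              << "events:      " << s.events << "\n"
              << "sources:     " << s.sources << "\n"
              << "port sweeps: " << s.sweeps << "\n"
              << "skipped:     " << s.skipped << "\n";
    return 0;
}
```

Reporting events, sources and sweeps next to the raw packet count shows how much of a headline number is repeated retries from a handful of hosts.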

Oceania has always been at war with Eastasia (2)

Gothmolly (148874) | about a year ago | (#43792621)

Take a large helping of 'duh', sprinkle on some crisis mentality, garnished with a little fascism, and served up by a population programmed to trade freedom for security.

We'll nationalize the power grid in less than 20 years.

Security through legislation? (1)

dgharmon (2564621) | about a year ago | (#43793127)

Connect your SCADA units to the Internet through VPNs running on embedded hardware. There, all it took was one sentence ...

ps: Stuxnet only runs on Microsoft Windows ...
