Staged Hack Causes Generator to Self-Destruct

Zonk posted more than 6 years ago | from the tick-tick-tick-boom dept.

Security 258

An anonymous reader writes "It has been revealed that in a U.S. Department of Homeland Security exercise codenamed 'Aurora' conducted in March of this year, researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator. 'Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment. And the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have made the fix. Industry experts also said the experiment shows large electric systems are vulnerable in ways not previously demonstrated.'"

258 comments

I've seen this before. (1, Funny)

Anonymous Coward | more than 6 years ago | (#20767083)

One time I put my car into reverse while traveling 70 mph on the freeway. It was a very exciting learning experience.

Re:I've seen this before. (0)

Anonymous Coward | more than 6 years ago | (#20767821)

Unless you are talking about a very very old car, you could not have put it in reverse while driving forward. The reverse gear is mechanically blocked to prevent exactly the kind of destructive event that you're hinting at.

Re:I've seen this before. (0)

Anonymous Coward | more than 6 years ago | (#20767921)

BS.

That doesn't work. The solenoid in an automatic transmission won't engage in those conditions. And even if you have a manual with synchros on the reverse shaft, you'll never get them to mesh.

FAIL

this should not be possible (4, Insightful)

arabagast (462679) | more than 6 years ago | (#20767091)

because the automation system controlling the infrastructure is not connected to a public network, like say, the internet - right?
If it is, then someone should probably do some quick patching asap.

Re:this should not be possible (1)

dropadrop (1057046) | more than 6 years ago | (#20767135)

The network SHOULD not be connected to the internet, but of course this is not always the case.

Re:this should not be possible (2)

Dr. Smoove (1099425) | more than 6 years ago | (#20767163)

No kidding, this type of shit should be on its own infrastructure. The whole thing should be mapped so that there is no point at which things can be routed to a public network.

Re:this should not be possible (1)

e4g4 (533831) | more than 6 years ago | (#20768347)

But how are they supposed to outsource maintenance and monitoring jobs overseas if critical infrastructure controls aren't connected to the internet :P?

Re:this should not be possible (1)

arabagast (462679) | more than 6 years ago | (#20767229)

hence the line about patching asap - preferably with a wire cutter, just for dramatic effect :)
Seriously, these computers should never be connected to a public network. If this must be done, possibly for remote monitoring, it could be done with hardware such as this: Network diode [umd.edu]. It's not infallible, but it's an extra layer of security on top of firewalls and such.

Re:this should not be possible (3, Insightful)

drgonzo59 (747139) | more than 6 years ago | (#20767155)

You see they want remote control and monitoring but they also don't want to be on the Internet. They would have to build their own network, unless they are NSA, FBI or AT&T they cannot do that easily. Even then, once there is any remote control, the attacker doesn't have to jump over the fence of the power station, they have a choice to break one window of the building where the point of remote control is.

Re:this should not be possible (2, Interesting)

SQLGuru (980662) | more than 6 years ago | (#20767323)

Anyone wonder why they've been researching Ethernet over Powerlines? They already have the cables deployed all over the place, they just need to get the data flowing along with all of the other electrons.

Layne

Re:this should not be possible (1, Offtopic)

Hijacked Public (999535) | more than 6 years ago | (#20767465)

If you mean BPL [howstuffworks.com], it has been rolled out in a few rural areas of the US. I know Cinergy has a lot of BPL customers around Cincinnati.

I'm hoping it comes to southern Indiana soon. Fast up and down.

Re:this should not be possible (1)

Mike89 (1006497) | more than 6 years ago | (#20767555)

"Anyone wonder why they've been researching Ethernet over Powerlines? They already have the cables deployed all over the place, they just need to get the data flowing along with all of the other electrons."

Incorrect. Most high-voltage runs are accompanied by (at least some) fibre optic cable. At least, this is true in Australia (my father works for one of the larger transmission companies here).

I believe it's also true in the US because I read somewhere the power companies were onselling this to ISPs?

Re:this should not be possible (4, Interesting)

kent_eh (543303) | more than 6 years ago | (#20768313)

Our company has all our generators (and many other things) remotely controlled, and none of those systems are available to the public internet. We have it all captive on our own infrastructure.
The local power utility (I know several of their techs who work on the telemetry gear) also has a remote control system which is entirely on their own infrastructure, and has no interconnection with any system that is accessible from a public network.
It may not be the absolutely cheapest way to do things, but it's also a lot more secure.
What's the cost of this sort of failure compared to doing it "right" in the first place?

Re:this should not be possible (1)

morgan_greywolf (835522) | more than 6 years ago | (#20767207)

No. I remember seeing a report sometime during the big blackout that there were control systems hooked to the public Internet running Windows 3.1 with WinSock installed.

Re:this should not be possible (4, Interesting)

LehiNephi (695428) | more than 6 years ago | (#20767273)

It is. It has to be. It would be ideal if you could run isolated networks, but it's impractical. Let's say you run a facility with some gas turbine generators, as in this example. The generator package has to communicate with the control system. The control system has to communicate with the "business" network (for record-keeping, among other reasons), and the business network has to be connected to the internet. There are lots of things you can do to help secure the various levels of the network, e.g. firewalls, vLANs, packet filtering and inspection, intrusion detection and response, etc., but there still is a data path going all the way out from the lowest levels out to the "real world".

(Our company has also been working with Idaho National Labs on this exact issue, can you tell? The government is taking it pretty seriously)

There are a few problems. For example, there's a lot of old control gear out there, and if it talks ethernet, it assumes that anything it receives is legitimate. Also, the equipment involved is produced in small enough quantities that there can't be a great deal of effort expended on security features. It's not like Windows, where millions and millions of copies are sold, and lots of people actively look for holes.

Re:this should not be possible (1)

jimstapleton (999106) | more than 6 years ago | (#20767335)

It seems changes should be manageable on-site, while offsite monitoring should be done by dumps.

i.e. You could burn discs with the necessary logs/data, you could set up a send-only piece of hardware, etc.

Re:this should not be possible (1)

sholden (12227) | more than 6 years ago | (#20767859)

Surely you can have a one way data path from the control system to the "business" network. It means the "business" network only gets the data it is given and can't make real time queries, and if some data it doesn't have is required the control system will need to be updated to send that too.

There's no need to plug in an ethernet connection (and the associated exposed network stack), a serial cable on which the data is sent (which does not read commands) should do.

Of course it's a hassle and more costly than just plugging in an ethernet cable. For a power plant that seems worthwhile though... they can make a very big boom... and going offline is very costly to the surrounding people/businesses/farm animals.

Re:this should not be possible (1)

dpbsmith (263124) | more than 6 years ago | (#20767987)

"It is. It has to be. It would be ideal if you could run isolated networks, but it's impractical. Let's say you run a facility with some gas turbine generators, as in this example. The generator package has to communicate with the control system."

Sure.

"The control system has to communicate with the "business" network (for record-keeping, among other reasons),"

What? Why? Why? Why?

What's so darn important that it requires instantaneous communication? Why can't it just gather summaries in, you know, overnight batch runs or something, and write them on media that can be hand-carried to the business system?

Re:this should not be possible (4, Insightful)

Rosco P. Coltrane (209368) | more than 6 years ago | (#20767285)

"because the automation system controlling the infrastructure is not connected to a public network, like say, the internet - right?"

You know, the internet isn't the only network out there. The telephone system is another, with wetware acting as clients and servers. For example:

JOE (technician): *rrring*.. hello?
JACK (mischievous social engineer): Hey Joe, this is Terry at central control
JOE: Hi Terry, what can I do for you?
JACK: I need you to offset the timing on the third generator coil by 20% please.
JOE: Uh? 20%? That sounds dangerous.
JACK: It's urgent! the power-grid is not stable, if you don't do this, we'll have New York in the dark!
JOE: erh.. I really need to talk to my supervisor for this. Who did you say you were?
JACK: I've already talked to your supervisor. John's gonna be really pissed off if you don't do this!
JOE: Well ok then. Here goes...
**KABOOM**

See? no need for any internet, wetware can be hacked too.

Re:this should not be possible (1, Informative)

guruevi (827432) | more than 6 years ago | (#20767905)

Well, if there is an established procedure for offsetting timings on any coil (as in chain of command), 'Terry' should call your supervisor, not you and then when you (technician) say it is dangerous, there should be a call back to 'Terry' and his supervisor.

Working in dangerous or otherwise critical environments is all about having established procedures mimicking the way public key infrastructures work. Both public (technicians calling each other) and private (supervisors calling each other) keys (commands) should match and be verified on both sides before anything is executed.

Re:this should not be possible (1)

Errtu76 (776778) | more than 6 years ago | (#20768083)

This sounds awfully familiar. Haven't you worked on the script for Hackers? I must say I'm a little disappointed you didn't mention Jack committing hara-kiri if Joe didn't cooperate.

Re:this should not be possible (1)

Maximum Prophet (716608) | more than 6 years ago | (#20768293)

Correct, but your scenario only takes out one generator. What the fine article talks about, from a DHS standpoint, is a coordinated attack, set to go off everywhere at the same time. Much chaos would ensue...

Re:this should not be possible (0)

Anonymous Coward | more than 6 years ago | (#20767297)

Yeah, if only the planes during 9/11 weren't connected to a public network, like the internet...

Oh, wait. They weren't.

People can still weasel their way in, even if it isn't public-network accessible.

Re:this should not be possible (1)

Rosco P. Coltrane (209368) | more than 6 years ago | (#20767327)

"Yeah, if only the planes during 9/11 weren't connected to a public network, like the internet... Oh, wait. They weren't."

Yes they were. If you ever placed a 20$/min phone call from a plane, you would know.

But I digress, telephones obviously didn't cause the planes to crash.

Re:this should not be possible (2, Interesting)

arivanov (12034) | more than 6 years ago | (#20767411)

IIRC, The US network is connected in places or separated by weak bastion hosts. If you do not remember the case when Slammer caused blackouts in the North East, some of us do.

Even if the USA network was not connected, the control systems themselves use laughable authentication (if any). Most other networks are similar. They have been built by control automation engineers whose knowledge of networking and security is somewhere between laughing stock and none. This is valid for the rest of the world, not just the USA.

I am surprised the control automation allows setting parameters which are outside permitted ranges. This is something control and automation people usually get right. I remember my dad spending months on numerical models of the grid to compile sets of allowed parameters all of which ended being hardcoded in hardware and software. Nothing was left to be adjusted outside these ranges (this was not in the USA though).

One really worrying bit is that this is not USA limited. The same automation software and hardware is used in the UK and quite a few other countries.

Re:this should not be possible (2, Informative)

StickyWidget (741415) | more than 6 years ago | (#20768025)

It is possible. First, control systems are connected to a public network because of the way electricity is traded among generators, transmission owners, and other members of the electric power community. They use the Internet as the common communications infrastructure for the business side, which gives orders to the production side (the generators). This is the way of the unregulated market, and it's starting to be run a lot like other industries. Because the production side is run by the business side, the connections between the two are inevitable, due to various benefits (lowered costs due to increased process intelligence, proactive maintenance, and a host of others).

Second, quick patching on control systems is a no-no. These systems run for 24x7, and are running highly customized and tested software. If a patch exists, it likely isn't under warranty from the vendor. This means that if a patch is applied, the vendor is well within their rights not to support the system anymore. Also, these systems typically can't just be rebooted, they are running real-time calculation and monitoring to ensure the process variables stay within controlled range. Shutting them down is often tantamount to shutting down the plant, which costs a metric f%&k-ton of money if it stays down.

Parent comment is not insightful, and certainly not intelligent, how about some corrective action Mods? Read the Blackout Report, it has perhaps the best explanation of how the power system functions from top to bottom.

~Sticky

Re:this should not be possible (1)

Phil-14 (1277) | more than 6 years ago | (#20768333)

If the public power system weren't heavily networked, it would not be possible to hook the California power system's consumers (and their electric cars) to hydroelectric plants in Washington State, or Quebec.

And even if it weren't connected to the public internet, it would still be connected to _an_ internet that could be hacked...

It's too late for us to just Stop Using The Networks Because They Aren't Secure Enough, without massive expense. We're going to have to make them more secure the hard way.

Pretty Sly... (-1, Offtopic)

Veetox (931340) | more than 6 years ago | (#20767113)

I think the ruling in this case was much more apropos than the privacy concerns in the past - privacy is one of those rights that seems to have very little force in the face of all kinds of laws. For example, many abortion proponents including R.B. Ginsberg have expressed that the ruling in RvW was regrettable because it was based on privacy rather than a more logical and constitutional standard. Still, this current case will likely hit the supreme court in one way or another, and by the time it gets seen there, will Bush still be in office; will the Patriot Act still be in effect, or will Congress have eliminated it by then?

computer software and physical hardware (1)

RasendeRutje (829555) | more than 6 years ago | (#20767115)

"computer software and physical hardware"
How about the NON-computer software and NON-physical hardware?

Re:computer software and physical hardware (0)

Anonymous Coward | more than 6 years ago | (#20767219)

That would be simulating a program in an integrated circuit on a virtual machine?

Likely excuse (0)

Anonymous Coward | more than 6 years ago | (#20767147)

A program that happens to be called 'Aurora' destroys a generator hundreds of miles away. I happen to know another program named 'Aurora' that could do that same thing.

Bruce Willis will prevent this from ever happening (1)

dstiggy (1145347) | more than 6 years ago | (#20767151)

Did anyone else immediately think of Live Free or Die Hard when reading this?

Re:Bruce Willis will prevent this from ever happen (5, Funny)

Anonymous Coward | more than 6 years ago | (#20767205)

"Did anyone else immediately think of Live Free or Die Hard when reading this?"

No, because you're the only one who watched that movie.

Re:Bruce Willis will prevent this from ever happen (3, Funny)

morgan_greywolf (835522) | more than 6 years ago | (#20767267)

"Did anyone else immediately think of Live Free or Die Hard when reading this?"

"No, because you're the only one who watched that movie."

I did....oh wait, did you say that was supposed to be a movie? Gak!

Re:Bruce Willis will prevent this from ever happen (1)

ceroklis (1083863) | more than 6 years ago | (#20768409)

It's worth watching if only for this wonderful bit of dialogue:

Bruce Willis goes to see the dirty fat nerd who lives with his mother.
- smelly nerd: What are you doing in my command center ?
- Willis: It's not a command center, it's a basement.

Don't connect it up (3, Informative)

squoozer (730327) | more than 6 years ago | (#20767165)

There is a really simple and quick fix for this problem - don't connect the control equipment to a (public) computer network.

What is more interesting than the fact this was possible is the fact that some numb skull thought it might be a good idea to link critical control systems to a public network. I can see that there is scope for remote control, especially with a nuclear plant, but I hardly think sending the data over the Intertubes is the correct way to do it.

Re:Don't connect it up (2, Insightful)

LehiNephi (695428) | more than 6 years ago | (#20767353)

There's one problem with that: in today's world, data has to flow back to headquarters. Take an oil production facility for example. The plant has to send back a daily report detailing exactly how much gas/oil/water/CO2/H2S/sand/whatever is produced. Gas turbines send data back to the manufacturer for performance evaluation, maintenance scheduling, and troubleshooting. Yes, someone could do it manually, but there are myriad other functions that require network connectivity beyond the control system.

Re:Don't connect it up (0)

Anonymous Coward | more than 6 years ago | (#20767537)

Then use a dedicated line (ISDN?) that is set up to be secure through strong encryption and authentication, not the internet.

Re:Don't connect it up (1)

prelelat (201821) | more than 6 years ago | (#20768177)

Why on earth could you not run two networks at the plant? I bet a thumb drive would work wonders for transferring data to a terminal in the same room to send data to headquarters. Hell you could have someone do it hourly if you really wanted, but you probably only need it once a day when you say do a backup of that same data. As for running the equipment, I'm sure it's run all internally anyways, why do you have to have that computer network connected to the outside world?

Re:Don't connect it up (1)

HaloZero (610207) | more than 6 years ago | (#20768241)

Please. There are ways to do this safely without constant connectivity. You have a router that's connected for a sum total of five minutes - a random five minutes, mind you, but five minutes - not even five minutes, really. As long as it takes to xmit the data to a proxy server on the perimeter, which can then host it for whoever wants to come along and read the report at 3pm that day. Or whatever specified interval.

Re:Don't connect it up (1)

Jah-Wren Ryel (80510) | more than 6 years ago | (#20768309)

"There's one problem with that: in today's world, data has to flow back to headquarters."

Then use a Data Diode [tenix.com]. It is a physically secure link that provides one-way data flow (it's essentially half of a fibre-optic pair, the transmit half is connected up while the receive half has been removed).
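
Added example (not from any poster in this thread): a minimal sketch of what a send-only telemetry feed looks like in software, covering both the serial-cable suggestion earlier in the thread and the data diode above. Because the receiver has no return path, it cannot ask for a resend, so the sender numbers and repeats each record and the receiver only detects and logs gaps. The frame layout, class names and sample readings are constructed for illustration.

```python
import struct
import zlib

# Constructed frame layout (an assumption, not a vendor format):
#   magic(2) | sequence(4) | payload length(2) | payload | CRC32(4)
MAGIC = b"\xd1\x0d"
HEADER = struct.Struct(">2sIH")
CRC = struct.Struct(">I")


def encode_frame(seq, payload):
    """Build one frame; the CRC covers the header and the payload."""
    head = HEADER.pack(MAGIC, seq, len(payload))
    return head + payload + CRC.pack(zlib.crc32(head + payload))


def decode_frame(frame):
    """Return (seq, payload), or None if the frame is damaged or malformed."""
    frame = bytes(frame)
    if len(frame) < HEADER.size + CRC.size:
        return None
    magic, seq, length = HEADER.unpack_from(frame)
    if magic != MAGIC or len(frame) != HEADER.size + length + CRC.size:
        return None
    (crc,) = CRC.unpack(frame[-CRC.size:])
    if zlib.crc32(frame[:-CRC.size]) != crc:
        return None
    return seq, frame[HEADER.size:-CRC.size]


class DiodeSender:
    """Control-system side: transmits only and never reads from the link."""

    def __init__(self, copies=2):
        self.seq = 0
        self.copies = copies  # blind repetition replaces retransmit requests

    def send(self, payload):
        frame = encode_frame(self.seq, payload)
        self.seq += 1
        return [frame] * self.copies


class DiodeReceiver:
    """Business-network side: cannot request a resend, so it records gaps."""

    def __init__(self):
        self.expected = 0
        self.records = []   # (seq, payload) accepted in order
        self.missing = []   # sequence numbers that never arrived intact
        self.corrupt = 0    # frames rejected by the length or CRC check

    def feed(self, frame):
        parsed = decode_frame(frame)
        if parsed is None:
            self.corrupt += 1
            return
        seq, payload = parsed
        if seq < self.expected:
            return  # repeat copy of a record that was already accepted
        self.missing.extend(range(self.expected, seq))
        self.records.append((seq, payload))
        self.expected = seq + 1


def run_demo():
    """Push constructed readings over a lossy one-way wire."""
    sender, receiver = DiodeSender(copies=2), DiodeReceiver()
    readings = [b"t=00:00 mw=41.2", b"t=00:01 mw=41.5",
                b"t=00:02 mw=40.9", b"t=00:03 mw=41.1"]
    wire = [f for r in readings for f in sender.send(r)]
    damaged = bytearray(wire[2])
    damaged[HEADER.size] ^= 0xFF      # line noise hits first copy of record 1
    wire[2] = bytes(damaged)
    del wire[4:6]                     # both copies of record 2 are lost
    for frame in wire:
        receiver.feed(frame)
    return [s for s, _ in receiver.records], receiver.missing, receiver.corrupt


if __name__ == "__main__":
    print(run_demo())
```

The CRC only catches line errors. The security property comes from the physical absence of a receive path, not from anything in the framing.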

Re:Don't connect it up (0)

Anonymous Coward | more than 6 years ago | (#20768443)

Power plants need bidirectional connections because they constantly report their current output and capabilities to the "grid" controller, who also constantly sends them adjustments. All power which is used at any point in time must be produced within a few seconds of the consumption. The only buffer fast enough to react to shorter bursts is the mechanical energy in the generator flywheels. All other fluctuations must be compensated in a coordinated fashion, and that requires bidirectional outside communication.

Re:Don't connect it up (4, Interesting)

theotherbastard (939373) | more than 6 years ago | (#20768041)

Except that would never work with how the power grid is set up. The plants all communicate with Central Control. (I know because I happen to work for an Electric Company) Central Control is a big room with video walls the likes of which you have never seen! (Our main one happens to be the largest video wall in North America) These control centers are (guess what!) controlling how much power goes out across the lines at any given moment. And it has to be carefully controlled otherwise you get a sag or a spike which does all sorts of damage.

In addition to the Central Control there are Regional Dispatch Offices which have information about the grid as well. These mainly coordinate repair and upgrade efforts. But, they need to know which circuits are hot because people's lives are on the line.

So, simply isolating the plants would not work. Certainly not in our day and age.

Re:Don't connect it up (0)

Anonymous Coward | more than 6 years ago | (#20768277)

First of all, it was a staged hack. The purpose was to find out if someone can physically destroy the generator, GIVEN that he has remote access to the control system. The test says nothing about whether these systems are actually connected to public networks or dedicated lines (which might not be sufficiently secured either, btw).

Second, yes, there shouldn't be a universal network connection into the control system. All that is needed is a parameter flow in and out. But that's the interesting bit: Even that wouldn't have saved the generator. The control system wasn't hacked to do anything it wasn't supposed to do. The regular control mechanisms were used to make the generator exceed its safe operating frame.

Perhaps you've heard of viruses which physically destroy monitors or other computer hardware. Monitors would fry if you gave them a signal with a horizontal frequency that exceeded their specification. Processors would fry if they were overclocked (before they got embedded heat sensors and clock throttling). You can still fry graphics cards that way, especially if the fan is software controlled.

Car analogy time: It's like overrevving the motor in your car. Sometimes there are no safeties at all, but most modern hardware is designed for idiot operators. There's a cost involved with that though, so many systems are designed with software controls that keep the hardware within operating limits. They just found out that the control system does not catch all cases where the hardware is driven beyond critical by a certain sequence of nominal parameters. Like a car where you can normally go full throttle in idle without damaging the engine, but when you push the pedal with a certain frequency, you can still make the engine go beyond its limit and destroy itself.
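
Added example (not from any poster in this thread): a sketch of a command gate that checks more than a fixed permitted range, tying together the earlier comment about hardcoded parameter ranges and the point above that a sequence of individually nominal values can still be harmful. It rejects out-of-range values, oversized steps, changes that arrive too quickly, and repeated direction reversals inside a time window. All limits, names and the command sequence are constructed and do not describe any real generator control system.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    low: float             # absolute permitted range (the "hardcoded" part)
    high: float
    max_step: float        # largest change accepted in one command
    min_interval_s: float  # shortest time between accepted changes
    max_reversals: int     # direction changes tolerated inside window_s
    window_s: float


class SetpointGuard:
    """Sits between the command source and the actuator; keeps history."""

    def __init__(self, limits, initial):
        self.limits = limits
        self.value = initial
        self.last_change = None   # time of the last accepted change
        self.direction = 0        # +1 rising, -1 falling, 0 unknown
        self.reversals = deque()  # timestamps of accepted reversals

    def submit(self, t, requested):
        """Return (accepted, reason) for a command arriving at time t."""
        lim = self.limits
        if not lim.low <= requested <= lim.high:
            return False, "out of range"
        delta = requested - self.value
        if delta == 0:
            return True, "no change"
        if abs(delta) > lim.max_step:
            return False, "step too large"
        if self.last_change is not None and \
                t - self.last_change < lim.min_interval_s:
            return False, "too soon"
        direction = 1 if delta > 0 else -1
        # Forget reversals that have aged out of the sliding window.
        while self.reversals and t - self.reversals[0] > lim.window_s:
            self.reversals.popleft()
        if self.direction and direction != self.direction:
            if len(self.reversals) >= lim.max_reversals:
                # Every value so far was nominal; the pattern is what fails.
                return False, "oscillation"
            self.reversals.append(t)
        self.value = requested
        self.last_change = t
        self.direction = direction
        return True, "accepted"


def run_demo():
    """Replay a constructed command sequence and collect the verdicts."""
    guard = SetpointGuard(
        Limits(low=0, high=100, max_step=10, min_interval_s=5,
               max_reversals=2, window_s=120),
        initial=50,
    )
    commands = [      # (time in seconds, requested setpoint), constructed
        (0, 150),     # outside the permitted range
        (0, 75),      # in range, but a 25-unit jump
        (0, 55),      # fine
        (2, 60),      # fine on its own, but only 2 s after the last change
        (10, 50),     # first reversal
        (20, 58),     # second reversal
        (30, 50),     # third reversal inside 120 s
        (200, 50),    # same request once the window has cleared
    ]
    reasons = [guard.submit(t, v)[1] for t, v in commands]
    return reasons, guard.value


if __name__ == "__main__":
    for reason in run_demo()[0]:
        print(reason)
```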

Beware (1)

caesura (1159543) | more than 6 years ago | (#20767211)

Hackers can and will hack into your computer and make it explode. I learned this from the front page of a tabloid last week.

Re:Beware (1)

operagost (62405) | more than 6 years ago | (#20768469)

I learned from the movies that 24.75.345.200 and 75.748.86.91 are valid IP addresses.

This was done long time ago (0)

Anonymous Coward | more than 6 years ago | (#20767213)

Like 11 and a half years by now. Name Chernobyl rings a bell?

Re:This was done long time ago (1)

Rosco P. Coltrane (209368) | more than 6 years ago | (#20767359)

"Like 11 and a half years by now. Name Chernobyl rings a bell?"

Hello friend. Now don't panic, but I'm afraid I have to tell you you're stuck in the year 1997.

Why mention Nuclear? (4, Insightful)

brucmack (572780) | more than 6 years ago | (#20767247)

I don't understand why Nuclear power needed to be singled out. The electrical generators are pretty similar regardless of the fuel source. And if it blows up, it's not going to take the nuclear reactor / coal furnace / (insert steam source here) with it, since they tend to be very well separated from each other.

Re:Why mention Nuclear? (0, Flamebait)

SQLGuru (980662) | more than 6 years ago | (#20767371)

While the generators, etc. would blow up the same, what if say the nuclear control rod was also controlled in a very similar manner.....probably likely since people like to reuse components to reduce cost and all.....now say I remotely control that little rod to be moved in that very special way where, say, some sort of nuclear meltdown happens.....

That's the concern with nuclear.....not the whole generator thing, but the extrapolation into what ELSE could be done remotely using similar ideas.

Layne

Re:Why mention Nuclear? (4, Insightful)

Anonymous Coward | more than 6 years ago | (#20767747)

The parent post is profoundly ignorant of how a modern nuclear reactor works.

Re:Why mention Nuclear? (1)

AndersOSU (873247) | more than 6 years ago | (#20767659)

Because the turbines are where your secondary coolant loop dumps most of its heat. If your heat sink stops functioning, your primary coolant heats up. If your power plant was designed by some guy in Russia in 1952, and you had bypassed the rudimentary safety interlocks, despite the Cyrillic script clearly telling you never to push this button, this could potentially cause a meltdown.

Remotely caused power generator to self-destruct? (1)

permaculture (567540) | more than 6 years ago | (#20767259)

"cause a power generator to self-destruct remotely". This seems unlikely.

What probably happened was that they "remotely caused a power generator to self-destruct."

/stickler

Re:Remotely caused power generator to self-destruc (1)

necro81 (917438) | more than 6 years ago | (#20767491)

You see, man, you're sending me all these crazy signals. I can't take it! It's frying my brain and sucking my will to live!

That's IT! I'm sick of this! I'm going to self destruct - that'll show you. But, just to be tricky, I'm not going to self destruct right here, I'm going to go over to that corner and do it remotely. Ha!

Re:Remotely caused power generator to self-destruc (3, Funny)

morgan_greywolf (835522) | more than 6 years ago | (#20767611)

Hi! This is Chief Rufus Xavier Sarsaparilla of the Grammar Police. Where do we send your check, Lt. Permaculture?

Um, WHY was the generator on the internet?!! (4, Informative)

jollyreaper (513215) | more than 6 years ago | (#20767283)

I'm no computer security expert but I do know of the world's most unhackable firewall -- it's called a one inch air gap. Put that gap between the network cable and the NIC and nobody is gaining access.

Yes, I know power plants will require some net access for web, email, etc. But the office worker network and the command and control computers and network for the generators should have nothing to do with each other! Separate systems, no network connectivity, the plant software should be operating in a vacuum bubble. The rest of the world should not exist for it, no way, no how. Oh, need to install a patch for the software? After being thoroughly tested and vetted on a proofing system, the software is then installed the old-fashioned way, off of CD-ROMs. Now if someone can fuck with the CD-ROMs, THAT I can understand. I can buy the plausibility of the NSA printer hack [vmyths.com], even if it was a hoax. (NSA puts a virus on printers heading to Iraq, takes down their network.) The story about the CIA sabotaging software for equipment the Russians were buying to use in their pipelines [damninteresting.com] is true. These are secure systems completely cut off from external contact that were sabotaged by the insertion of compromised components that were not detected. That makes perfect sense.

It always bothers me when I see movies showing hackers getting in to some place and gaining access to files on servers that should never have a connection to the outside world. Then again, maybe I'm giving the fictional sysadmins of the target systems too much credit. Who knows, maybe next week we'll read about some Korean hackers who were able to compromise a Minuteman silo and add it to their botnet.

Re:Um, WHY was the generator on the internet?!! (1)

jamesh (87723) | more than 6 years ago | (#20767381)

I have about 90 inches of air between my computer and the network, and it's not stopping me.

The "1 inch (or mm) air gap" idea is a good one, but getting harder and harder to implement. If a tech has a laptop connected to the internal network, and has wireless enabled, and it's in range of the hacker then you have a problem (in theory - see the recent apple wireless compromise)

If he has a PC connected to the internal network with no wireless, but has his phone connected to it via USB, then in theory that could also be an attack path (ok... that one's a stretch).

You've also got to remember, all it takes is one employee with a grudge, or who you aren't paying enough, and all the air gaps in the world won't help you. There is never a single solution.

Re:Um, WHY was the generator on the internet?!! (3, Funny)

jollyreaper (513215) | more than 6 years ago | (#20767951)

"You've also got to remember, all it takes is one employee with a grudge, or who you aren't paying enough, and all the air gaps in the world won't help you. There is never a single solution."

Fire employees, turn off computers. I'm feeling grumpy.

Re:Um, WHY was the generator on the internet?!! (1)

multipartmixed (163409) | more than 6 years ago | (#20768099)

The right PDA (e.g. iPhone) could also be a path of vulnerability -- he could log into the internal wifi network, and get hacked over the cellular network.

Re:Um, WHY was the generator on the internet?!! (1)

Rosco P. Coltrane (209368) | more than 6 years ago | (#20767383)

"I'm no computer security expert but I do know of the world's most unhackable firewall -- it's called a one inch air gap. Put that gap between the network cable and the NIC and nobody is gaining access."

Sorry, not enough. Smart hackers up the line voltage in the network cable to 20kV to cross the one inch air gap.

Re:Um, WHY was the generator on the internet?!! (1)

SQLGuru (980662) | more than 6 years ago | (#20767425)

Actually, the connections come in when you start looking at feeding operating data into the business processes.....or when you want to monitor the state of the machine to automatically trigger preventative maintenance.....or automated control.

Layne

Re:Um, WHY was the generator on the internet?!! (1)

jollyreaper (513215) | more than 6 years ago | (#20768019)

Actually, the connections come in when you start looking at feeding operating data into the business processes.....or when you want to monitor the state of the machine to automatically trigger preventative maintenance.....or automated control.
But still, why aren't they hardening the shit out of these interfaces? Is it because nobody takes software engineering seriously? There are a lot of tricky and subtle problems that knock airplanes out of the sky but aerospace engineers are paid the big bucks to make sure that doesn't happen. Their employers know that faults that do make it past inspection lead to massive class-action suits from the survivors' families.

The only two explanations I can think of: A) Fight Club car recall theory where the business owners decide the cost of wrongful death suits is lower than the cost to correct or B) Windows Vista theory where the engineers are smart enough and motivated to make a good product but indomitable stupidity within the corporate power structure makes success a null probability. In other words, it's malice or stupidity but I'm not sure which.

Re:Um, WHY was the generator on the internet?!! (1)

ScentCone (795499) | more than 6 years ago | (#20767603)

the plant software should be operating in a vacuum bubble

The problem is that they can't. If you think back to some of the more recent spectacular blackouts, you'll recall that the reason they were so far-reaching was that the networked systems that allow the generation and distribution systems (often run halfway across the continent by different parties/agencies) to talk to each other and properly duck out of the way or isolate themselves from damaging surges and faults... weren't fast enough or well-enough tuned to prevent the problem. Big, multi-state/province blackouts can only be prevented when the whole system IS internetworked. Now, does that call for the construction of a completely separate, ultra-high-performance network spanning thousands of miles and thousands of nodes? Yes. Or, it could call for using VPNs over the existing internet, but with better-than-the-banks-use stuff at each node to authenticate legit traffic and perform intrusion detection.

This is just as true of systems that could end up backwashing sewage into drinking water (which has happened), monkeying with natural gas pipelining hardware, or even handling traffic control devices right at the time that you're trying to evacuate a city for some reason.

Fantastically expensive. And the money just hasn't been spent well enough or often enough yet. And, we've still got lots of Cold War-era control systems out there. I think this is more about practices than it is about the plumbing, per se.

Re:Um, WHY was the generator on the internet?!! (1)

TheLink (130905) | more than 6 years ago | (#20767947)

Even if you used private networks, determined hackers could still tap into them so you'd have to use encryption, firewalls and all that - which pushes the cost up even more.

"Big, multi-state/province blackouts can only be prevented when the whole system IS internetworked"

Not correct. Big multistate blackouts can be prevented if you don't have a big grid in the first place. Each electrical network will be isolated from the others. But apparently it is more expensive to do things this way (assuming a safer environment), plus some places tend to produce the power while other places use it...

Another advantage of not having the electrical in a big grid is the hackers will have to break into each system to sabotage them, and that might be a bit more difficult if they don't all have the same weaknesses.

As for the article saying "For about $5 million and between three to five years of preparation, an organization, whether it be transnational terrorist groups or nation states, could mount a strategic attack against the United States"

For that amount of money and preparation you could do _other_ stuff that doesn't involve "hacking power utilities" which would be pretty damaging to the USA too.

Sack whoever connected it to an untrusted network (0)

Anonymous Coward | more than 6 years ago | (#20767287)

So someone connected a generator to an untrusted network and it was hacked? While they're at it, why not hand your keys and security pass to a terrorist?

Whenever this comes up, it's usually some firewall vendor trying to sell people firewalls on their internal control systems. It would be negligent to connect a safety critical system to an open network like that in the real world. At every job I've worked on, it was an instant sacking offence.

So if that was done, and not just a fake demonstration by a firewall vendor, the sysadmin concerned should be dismissed immediately.

Damn I'm Cynical... (1)

KGIII (973947) | more than 6 years ago | (#20767317)

I have to wonder about the authenticity and if this is viable in the real world. The term "staged" really does raise a red flag making me curious if this is probable or even possible. It isn't that we shouldn't be defending against these things nor that I am dunking my head in the sand but, well, without more details...

Re:Damn I'm Cynical... (1)

Gordonjcp (186804) | more than 6 years ago | (#20767585)

I call bullshit. All they've shown is a picture of a generator with some sort of steam coming out. There's no description of what they actually *did*.

Did they apply too much load to the generator until the engine stalled? You'd have to sprag the circuit breakers for that to happen.

Re:Damn I'm Cynical... (1)

Detritus (11846) | more than 6 years ago | (#20768113)

One way to destroy a generator is to put it online without properly phasing it with the grid.

Decreasing DHS budget... (3, Insightful)

bracktra (712808) | more than 6 years ago | (#20767355)

"Fast and resolute mitigating action is needed to avoid a national disaster," the letter said. But five years later, there is no such program. Federal spending on electronic security is projected to increase slightly in the coming fiscal year, but spending in the Department of Homeland Security is projected to decrease to less than $100 million, with only $12 million spent to secure power control systems.
1. Stage PR stunt about an impending 'emergency!!!'.
2. Complain about lack of funding to solve desperate hole in our nation's security.
3. ???
4. Profit!

They are connected to the Internet (4, Interesting)

Isbjorn (755227) | more than 6 years ago | (#20767375)

I am the system administrator for a large state government agency. Recently I was essentially forced to connect a Windows XP boiler control system for an electrical generation plant to the Internet, so that the vendor can do remote maintenance. If I hadn't found out about it, it would be connected directly without even a firewall... This system had no anti-virus software, and of course it has a popular remote-control software installed for the vendor's access. The only reason I can sleep at night is that the plant is far away from any populated area, and may be shut down due to other reasons soon. I will be sending this video to a number of people in an email today.

Re:They are connected to the Internet (1)

Joe The Dragon (967727) | more than 6 years ago | (#20767749)

You should have said that it will not go on the network without any anti-virus software and that you must have full control over installing updates. Also you should have a firewall for the full site, not just a software firewall on each PC.

Well thaaar's your problem! (0)

Anonymous Coward | more than 6 years ago | (#20767439)

Well thaars your problem!
Ya need to turn on windows update!

Operating System? (2, Funny)

trelanexiph (605826) | more than 6 years ago | (#20767457)

From TFA "researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator"

You mean they upgraded it to Microsoft Windows Vista?

TV is 3 years faster than Government (1)

suv4x4 (956391) | more than 6 years ago | (#20767471)

The TV movie Category 6: Day of Destruction [imdb.com] went into details that US power plants are vulnerable to remote attacks, and featured such a guy who managed to make generators self-destruct from his home PC (he died when connectivity was cut off, and realising what he did, he went to the power plant to fix things locally, but too late).

And there we go, 3 years later the government wakes up to the threat as well.

Guess my advice to government fellows is: watch more TV, it'll raise your IQ. OMG the irony :(

Gotta love US television (1)

youthoftoday (975074) | more than 6 years ago | (#20767515)

Perhaps only in the US could a report on a vulnerability turn so quickly into dramatic eschatological nonsense.

Also, did I see nixie tubes? How old is your infrastructure?

Re:Gotta love US television (1)

multipartmixed (163409) | more than 6 years ago | (#20767943)

I think they got rid of Nixie in 1974. Presumably, he took his tube with him.

Although a Whitehouse aide may have saved some of his emissions in a safe-deposit box somewhere.

inconcievable! (0)

Anonymous Coward | more than 6 years ago | (#20767575)

Or like that song says. BOOM BOOM BOOM Out goes the lights.

I quote ... (1)

ThirdPrize (938147) | more than 6 years ago | (#20767597)

"I can't say it [the vulnerability] has been eliminated. But I can say a lot of risk has been taken off the table," said Robert Jamison, acting undersecretary of DHS's National Protection and Programs Directorate as he pulled the network cable out of the wall socket.

Well duh... (1)

flyingfsck (986395) | more than 6 years ago | (#20767645)

With a staged hack I can launch an ICBM...

Disconnecting is NOT an option (5, Insightful)

ExE122 (954104) | more than 6 years ago | (#20767661)

These posts are getting ridiculous. Too many people are saying "why don't they just disconnect it from the network?" and getting modded as "insightful".

It's NOT that simple! If they are connected to the network, there is probably a very good reason for it, and not just cause some engineer wants to check his email and download pr0n while listening to the generators hum.

These generators more than likely are controlled by self-optimizing systems based on a variety of data that is collected. If they're providing power to various remote sites, they need the internet for gathering data from those sites.

The internet is more than just a public free-for-all, it is the communication medium for many business/mission-critical systems (see LehiNephi's response above). They really just need to have the right security in place to keep it safe.

Re:Disconnecting is NOT an option (4, Insightful)

makapuf (412290) | more than 6 years ago | (#20768141)

s/the internet/a private wan

Why do you need internet (the public one, with no QoS) to have remote access from one point (data collecting / stat computer) to the power plant?

Yes, the data have to be collected from somewhere, but why not make a private WAN (or a VPN if best-effort QoS is OK for you) for this? It's not about playing WoW with your neighbour, it's about remote controlling a nuclear core, so maybe it would make sense.

Re:Disconnecting is NOT an option (3, Insightful)

nels_tomlinson (106413) | more than 6 years ago | (#20768321)

If they are connected to the network, there is probably a very good reason for it...

Laziness? Insanely stupid cost cutting?

Yes, the components of the system need to get data back to the dispatcher, and receive instructions in return. No, that doesn't require the internet. You can use a modem on a leased line. Yes, it really is possible to send and receive data without the intarweb.

The internet is a cheap, insecure way to accomplish what should be done on an expensive, secure, private network.

We also need to look out for homer simpson's in... (1)

Joe The Dragon (967727) | more than 6 years ago | (#20767681)

We also need to look out for Homer Simpsons in the control room to mess things up, like the one time he spilled some food on the control panel, killing the power at the New York Albany power plant, and he got off by blaming it on Max Power.

Die Hard 4.0 (1)

KiwiCanuck (1075767) | more than 6 years ago | (#20767699)

Hasn't anyone seen the new Die Hard movie? There are advantages to hard wire, or direct control. What's next? Wireless access!

There are Easier Ways... (4, Insightful)

xfmr_expert (853170) | more than 6 years ago | (#20767701)

There are easier ways to damage the bulk power grid (or local transmission). Pick up a rifle at your nearest sporting goods store. Go to your nearest transmission substation (or even large generating plant). Take a shot at the porcelain on one of the transformer bushings. Kablam! You just removed a few hundred MW (or perhaps more) of generating capacity or transfer capability and caused millions of dollars in damage. If it's a generating station, the cost of lost revenue could drive the total to 70 or 80 million. Actually, I have seen bushings with bullet holes. Obviously not that common, or something would be done about it, but it does happen. It won't always cause an immediate and catastrophic failure, but it certainly can. Especially if one keeps trying... The bigger danger to this nation's power grid is lack of investment and a severe brain drain in engineering personnel.

Jumping Generators (4, Interesting)

torkus (1133985) | more than 6 years ago | (#20767835)

What a bunch of sad geeks we've become. Instead of crying about how it was connected to the 'net, I watched the video.

I'd like to know what they did to make a multi-ton generator JUMP like that thing did. After a few jumps there were a couple chunks of black stuff flying around. If you watch the "full" video it's clear they cut it at least once if not more. I'm guessing it took them quite a long while to get the generator to "blow up".

Anyone have thoughts as to how they did it? I'm going to guess they messed with the fuel/air mix or delivery and caused a massive backfire while under/overloading the alternator side. I'd guess for kicks they also forcibly turned off the cooling fans, creating an over-temp in the engine. Assuming I'm right and they cut out 95% of the video length, that explains it a bit better. The failure seemed two-fold: a failed main-crankshaft seal spewed out white "smoke" (read over-temp coolant) and something up by the valves making black smoke.

This is probably something you could do to a regular car if you were poking around in the engine management computer.

Re:Jumping Generators (2, Insightful)

trybywrench (584843) | more than 6 years ago | (#20768047)

Looks like a thrown rod, maybe they somehow cut off the supply of oil? I don't think the oil pump is usually under any kind of computer control though... maybe they over-revved the engine and blew a piston that way. Keep the tach red-lined long enough and something bad will happen. I don't know about a backfire, wouldn't a backfire cause a stall in the worst case? It looks like something mechanical broke inside the engine (that shudder) and then it slowly ground to a halt.

Re:Jumping Generators (0)

Anonymous Coward | more than 6 years ago | (#20768179)

The answer is very simple. When a generator is online it must be "in-phase", meaning perfectly aligned in its generation cycle with the grid. Slow the generator down by .1 Hz and watch what happens when the laws of physics take over.

Re:Jumping Generators (0)

Anonymous Coward | more than 6 years ago | (#20768375)

Wanna make a big generator jump?

Disconnect it from the grid, wait until it's about, say, 180 degrees out of phase, and reconnect it.

Repeat as necessary until it's broke.

You can't just "slow it down", because when it's connected it will stay in phase. On a large-scale power grid, there's just too much energy involved for a brake of some kind to work. And if you try to drive it faster, all you'll do is increase the current load it's supplying to the grid.

Oh, and you really can't use internal combustion engines to power a generator that's running in parallel with other generators. The speed control on a diesel generator isn't fine enough - a few tenths of a percent or better speed control is really necessary to run generators in parallel. Generally, that means a turbine of some kind.

CRT viruses, CMOS, hardware, etc. (0)

Anonymous Coward | more than 6 years ago | (#20767935)

It used to be possible to do the same thing with old CRT monitors. A virus could drive the refresh rate high enough to burn them out. All newer CRTs have an automatic cutoff to prevent accidents. A virus could also re-flash the BIOS so that it could not boot. I am sure that there are other possible scenarios where hardware could actually be destroyed. I have been waiting for a virus to come along with a serious payload to alert people to the idea that security matters and that a lack of it can be very expensive.

I used to work for a SCADA/HMI software vendor (2, Interesting)

Anonymous Coward | more than 6 years ago | (#20768133)

I don't usually post anonymously, but I will this time.

I used to be a developer for a SCADA/HMI software vendor. That stands for Supervisory Control And Data Acquisition [wikipedia.org] / Human Machine Interface.

It is quite common for such software to be used in places where its failure could cause injury or death.

Many of our customers put their SCADA systems on the Internet, so that our support staff could work with their systems, as well as to allow our consultant engineers to remotely upload new releases.

One day my boss told me that a lot of our customers didn't use SSL encryption, either because they couldn't be bothered with it, or because they couldn't figure out how to install the server software or certificate correctly.

Anyone with a packet sniffer running on the path between us and our customers could have easily stolen the passwords.

Our product, BTW, ran on Microsoft Windows.

pfft, that's nothing (1)

sootman (158191) | more than 6 years ago | (#20768223)

"researchers were able to cause a power generator to self-destruct remotely via a hack which changed the operating cycle of the generator"

My dad used to make hard drive cabinets walk across the room by doing a slow read in one direction and a fast read in the other. (Sorry if I'm sketchy on the details, but it was something like that. The story was told long ago and the events happened even longer before that. This was back when hard disk platters were 12" across, copper-colored, and held a few MB each.)

The threat is real (3, Interesting)

Maximum Prophet (716608) | more than 6 years ago | (#20768235)

We know that, because *we* did it to the Soviets. http://www.msnbc.msn.com/id/4394002 [msn.com]

And their machines weren't even connected to the internet. So all the people who are saying, "Just disconnect it", well, that's not good enough. We have to engineer systems that are hardened and handle failure gracefully. And don't use stolen software.

Terrorists do not have to think... (0)

Anonymous Coward | more than 6 years ago | (#20768329)

...of ways to implement their terrorism - all they have to do is read Slashdot and follow up on those articles of all the scientists publicly demonstrating how to cause mayhem and destruction on our infrastructure. The terrorists' level of sophistication is directly related to us showing them that certain things are indeed possible. Here's another nice ripe target for them to exploit and one that we practically handed to them as to how to accomplish it. It's one thing to test for vulnerabilities for the purpose of exposing and fixing flaws, but yet another to be so public with the testing of those vulnerabilities that we essentially become the Terrorist Think Tank for the terrorists. Hey guys, looky here - I found a way to poison the water supply of 5 million homes thru just one valve. Wanna take down the power grid of Texas? Here's how!!! They think the terrorists are camel-monkeys with no internet - but they're looking at these reports as much as we are and they're fully capable of getting a nice fat brainstorm thanks to the hard work of our scientists and our tax dollars. Way to go, people. Why not just hand them a gun and bullets and show them where to aim?

Re:Terrorists do not have to think... (0)

Anonymous Coward | more than 6 years ago | (#20768473)

All the terrorists have to do is burn significant amounts of fossil fuels and we're all doomed.

Money (2, Insightful)

Detritus (11846) | more than 6 years ago | (#20768365)

As I've said before, it's all about money. There are almost irresistible forces that lead organizations to connect control systems to the Internet. An isolated private internet is extremely expensive and difficult to maintain. It's so much easier, cheaper, and tempting, to plug that cable into the public internet, perhaps with a crappy firewall to provide an illusion of security. Even if an engineer is willing to stick his neck out and say that it's an unacceptable security risk, he isn't being a team player and will be overruled by someone higher up the food chain.

This has happened before computer controls (1)

Maximum Prophet (716608) | more than 6 years ago | (#20768431)

Back when I was working on the Trident sub program (early 1980's), one of the veteran submariners told me about an incident on a sub. Subs have multiple generators, and the Navy was attached to manual controls. So, the procedure for bringing a 2nd generator online is to spin it up, watch the phase angle meter, and switch it in when there's 0 phase difference. What happened was a new guy followed the procedure, but threw the switch when the two generators were 180 degrees out of phase. The generator just stopped, twisting the armatures and destroying themselves in the process. The thing is, a simple set of lightbulbs wired between phases could tell you if it's safe to switch, or a relay that's powered by the difference could keep the switch from happening.
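The interlock described in the comment above (block the switch unless both sides are in phase), written out as an added example; it is not code from the thread or from any vendor. The class and function names, the three limits and the sample requests are assumptions constructed for illustration.

```python
"""Sync-check permissive for a generator breaker (added illustration)."""
from dataclasses import dataclass

# Illustrative limits chosen for this example only (assumptions, not values
# from the thread or from any standard or vendor setting sheet).
MAX_ANGLE_DEG = 10.0      # largest phase angle allowed across the open breaker
MAX_SLIP_HZ = 0.1         # largest frequency difference allowed
MAX_VOLT_DIFF_PU = 0.05   # largest voltage magnitude difference (per unit)


@dataclass(frozen=True)
class Phasor:
    """One side of the open breaker as measured at the moment of the request."""
    volts_pu: float
    freq_hz: float
    angle_deg: float


def angle_difference(a_deg, b_deg):
    """Smallest absolute angle between two phasors, in the range 0..180."""
    diff = (a_deg - b_deg) % 360.0
    # 355 deg and 3 deg are 8 deg apart, not 352: fold the reflex angle back.
    return 360.0 - diff if diff > 180.0 else diff


def close_permitted(gen, bus):
    """Return (permitted, reasons). Any single failed check blocks the close,
    whether the close command came from the local panel or from the network."""
    reasons = []
    if angle_difference(gen.angle_deg, bus.angle_deg) > MAX_ANGLE_DEG:
        reasons.append("angle")
    if abs(gen.freq_hz - bus.freq_hz) > MAX_SLIP_HZ:
        reasons.append("slip")
    if abs(gen.volts_pu - bus.volts_pu) > MAX_VOLT_DIFF_PU:
        reasons.append("voltage")
    return (not reasons, reasons)


# Constructed close requests: (label, generator side, bus side).
SAMPLE_REQUESTS = [
    ("in_sync",    Phasor(1.00, 60.00, 2.0),   Phasor(1.00, 60.00, 0.0)),
    ("wraparound", Phasor(1.00, 60.00, 355.0), Phasor(1.00, 60.00, 3.0)),
    ("anti_phase", Phasor(1.00, 60.00, 180.0), Phasor(1.00, 60.00, 0.0)),
    ("slipping",   Phasor(1.00, 59.80, 0.0),   Phasor(1.00, 60.00, 0.0)),
    ("dead_gen",   Phasor(0.00, 0.00, 0.0),    Phasor(1.00, 60.00, 0.0)),
]


def review(requests):
    """Map each request label to the list of checks that blocked it."""
    return {label: close_permitted(gen, bus)[1] for label, gen, bus in requests}


if __name__ == "__main__":
    for label, reasons in review(SAMPLE_REQUESTS).items():
        verdict = "CLOSE" if not reasons else "BLOCK " + ",".join(reasons)
        print(f"{label:12s} {verdict}")
```
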

We will add your technological and biological ... (1)

josquint (193951) | more than 6 years ago | (#20768479)

... distinctiveness to our own.

FTFA:
"It's equivalent to 40 to 50 large hurricanes striking all at once," Borg said, "resistance is futile."