Don't make the power grid smart: IT COULD GET HACKED!


  • Don't make the power grid smart: IT COULD GET HACKED!

    http://edition.cnn.com/2009/TECH/03/...rss_topstories

    Yeahhh... screw automation, hackers could screw it all up!
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
    [ redacted ]

  • #2
    Re: Don't make the power grid smart: IT COULD GET HACKED!

    I agree with your sentiment, but even the article doesn't suggest that. It states that many people are of the opinion that it would be stupid to make the grid smart, but not secure.

    And, frankly, I'd like to at least know that any upgrades they roll out won't get cracked in 3 weeks by some script kiddie.





    seriously, it has to be 4 weeks at least.
    Last edited by YenTheFirst; March 22, 2009, 00:53. Reason: Spelling and formatting errors. That's what I get for perusing slashdot, which uses plain 'ol html fer fermattin'.
    It's not stupid, it's advanced.



    • #3
      Re: Don't make the power grid smart: IT COULD GET HACKED!

      Originally posted by YenTheFirst View Post
      I agree with your sentiment, but even the article doesn't suggest that. It states that many people are of the opinion that it would be stupid to make the grid smart, but not secure.

      And, frankly, I'd like to at least know that any upgrades they roll out won't get cracked in 3 weeks by some script kiddie.

      seriously, it has to be 4 weeks at least.
      Actually you have nothing to worry about .... I hear they are going to be using Macs.

      xor
      Last edited by xor; March 21, 2009, 16:53.
      Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



      • #4
        Re: Don't make the power grid smart: IT COULD GET HACKED!

        Originally posted by xor View Post
        Actually you have nothing to worry about .... I hear they are going to be using Macs.

        xor
        So they'll have it cracked in 10 seconds?

        Plus, just what I always wanted, an electric meter on my house with a pretty, completely useless UI.
        A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



        • #5
          Re: Don't make the power grid smart: IT COULD GET HACKED!

          Originally posted by YenTheFirst View Post
          it would be stupid to make the grid smart, but not secure.
          Step 1: Don't write it in C
          45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
          45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
          [ redacted ]



          • #6
            Re: Don't make the power grid smart: IT COULD GET HACKED!

            Oh this could be very fun.
            http://www.youtube.com/watch?v=MtO6q3FPg8s

            Watching the video is kinda scary. The system, if fully integrated, controls when and how you use your electricity. It can tell your thermostat to turn on/off. It sets a quota of how many kWh you're allowed. Worst case scenario, say an overzealous power company thinks you're using too much power, they can control how much they let you have.

            They not only know how much power you're using, but when you're using it.

            Gone are the old days of sticking a really big magnet on the meter to slow it down? Yes, some people actually did this.



            • #7
              Re: Don't make the power grid smart: IT COULD GET HACKED!

              According to the CIA, they've already been hacked:
              http://www.greenercomputing.com/blog...-electric-grid
              "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."



              • #8
                Re: Don't make the power grid smart: IT COULD GET HACKED!

                Here's the full CIA statement:

                We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.
                The problem I have with that report is that it's big on generalities and very low on specifics. Now, I understand that the information is based on various sources that may or may not be trustworthy, and that the foreign governments involved may not wish to advertise the fact that their grid was hacked, but overall the statement doesn't really give any info that might be used to formulate an active defense of a smart power grid.

                As an ancillary note to this: Due to his real life job, Streaker69 has been compiling a lot of SCADA hacking incidents and related information. As we all know, SCADA is going to be the linchpin of any smart grid. The one thing that Streaker has found is that due to the unique setup of every plant, SCADA hacking has always required two elements:
                • Detailed, insider knowledge of the plant involved.
                • A control program specific to the plant.
                Last edited by Thorn; March 28, 2009, 11:21. Reason: Misspelling
                Thorn
                "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



                • #9
                  Re: Don't make the power grid smart: IT COULD GET HACKED!

                  Originally posted by Thorn View Post
                  As an ancillary note to this: Due to his real life job, Streaker69 has been compiling a lot of SCADA hacking incidents and related information. As we all know, SCADA is going to be the linchpin of any smart grid. The one thing that Streaker has found is that due to the unique setup of every plant, SCADA hacking has always required two elements:
                  • Detailed, insider knowledge of the plant involved.
                  • A control program specific to the plant.
                  I do agree with these points. But there is another issue that I don't think I mentioned to anyone yet.

                  There has been a big push among SCADA vendors for 'webHMI', which is of course a very bad idea. We had actually looked into it, and I had published my SCADA screens to it originally but have since taken it offline as I just don't trust their security related to it.
                  A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



                  • #10
                    Re: Don't make the power grid smart: IT COULD GET HACKED!

                    The webmin is a bad idea, if the machine is on a subnet that is available to the outside world. I get sales guys touting easy access to plant data from down the hall to out on the beach, thousands of miles away. Most of these types of applications rely on pre-existing Windows security and offer little to none of their own.

                    It doesn't help that the sales guy says: "It's so easy to get your plant data, just set your browser to http:\\192.168.1.1 and it'll automatically install the needed ActiveX and within a couple of minutes you can completely control your network from anywhere!"

                    In my experience the IT department typically wants nothing to do with the SCADA systems. So, although they are <sometimes> on separate subnets, since they are not part of the domain you have: user security typically autologin of an admin account, little to no patching beyond initial install and no antivirus.

                    The HMI (human machine interface), the GUI of the SCADA system, typically is underprotected as well. Many systems use easy to guess usernames and passwords, if any at all. Then again, for some programs all you need to do is delete the password file and it will be recreated with the factory default administrator.

                    The only thing that deters issues is proprietary protocols and programs that cost thousands of dollars.

                    However, if all you want to do is create havoc, then port scan the control network. It's widely known that PLCs, RTUs etc. use only a small subset of the TCP/IP stack and therefore are not robust to such "attacks". A port scan can do anything from create a temporary interruption to completely faulting the network, which requires a power-on reset of the Ethernet communications device(s). Either condition can cause catastrophic consequences for a critical process. I've seen something like a virus scan cripple a system, resulting in a million dollar process loss.

                    I also see a lot more wireless going in too and that makes me cringe. While it may be useful or cost saving in some circumstances, there is the occasion where it's simply implemented because it's the latest whiz bang feature management got sold on. In fact I've got one system that uses a wireless barcode scanner to the SCADA system. Sounds nice but it only supports WEP!

                    SCADA is nowhere near as robust as it needs to be and is many years away from any real security. It's an 'open' system that requires little or no authentication.

                    Comment
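Post #10 notes that a port scan can fault PLCs and RTUs, so on a control network scan detection is better done passively from flow records than by probing devices. The following is an added example, not part of the thread or any poster's code; the addresses, the baseline of expected conversations, and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): "epoch_seconds src dst dst_port"
SAMPLE_FLOWS = """\
1000 10.0.5.10 10.0.5.20 502
1001 10.0.5.10 10.0.5.21 502
1002 10.0.5.77 10.0.5.20 21
1002 10.0.5.77 10.0.5.20 22
1003 10.0.5.77 10.0.5.20 23
1003 10.0.5.77 10.0.5.20 80
1004 10.0.5.77 10.0.5.20 102
1004 10.0.5.77 10.0.5.20 502
1005 10.0.5.10 10.0.5.20 502
1300 10.0.5.30 10.0.5.21 80
"""

# Assumed baseline: the only conversations this hypothetical plant expects
# (one HMI polling two PLCs over Modbus/TCP, port 502).
BASELINE = {("10.0.5.10", "10.0.5.20", 502), ("10.0.5.10", "10.0.5.21", 502)}

def parse_flows(text):
    """Yield (ts, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[0].isdigit() and parts[3].isdigit()):
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])

def detect(flows, baseline, window=60, threshold=5):
    """Return (off_baseline, scanners): every flow outside the baseline, and sources
    hitting >= threshold distinct off-baseline (dst, port) pairs within window seconds."""
    off_baseline, recent, scanners = [], defaultdict(list), set()
    for ts, src, dst, port in sorted(flows):
        if (src, dst, port) in baseline:
            continue  # expected control traffic
        off_baseline.append((ts, src, dst, port))
        # Keep only this source's hits that are still inside the window.
        hits = [h for h in recent[src] if ts - h[0] <= window]
        hits.append((ts, dst, port))
        recent[src] = hits
        if len({(d, p) for _, d, p in hits}) >= threshold:
            scanners.add(src)
    return off_baseline, scanners

if __name__ == "__main__":
    unexpected, scanners = detect(parse_flows(SAMPLE_FLOWS), BASELINE)
    print(f"{len(unexpected)} off-baseline flows; scan sources: {sorted(scanners)}")
```

Because control traffic is highly repetitive, every off-baseline flow is worth a look on its own; the scanner set only ranks which sources to investigate first.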


                    • #11
                      Re: Don't make the power grid smart: IT COULD GET HACKED!

                      Normal Malware or grandstanding for political gain?

                      http://online.wsj.com/article/SB123914805204099085.html

                      Without going too much into the TFB area, this kind of article released so soon after the article that Obama is making an attempt to get a law passed that the internet can be shut down in case of "national emergency", is this just an attempt to incite fear into the teeming masses?
                      A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



                      • #12
                        Re: Don't make the power grid smart: IT COULD GET HACKED!

                        Originally posted by streaker69 View Post
                        Normal Malware or grandstanding for political gain?

                        http://online.wsj.com/article/SB123914805204099085.html

                        Without going too much into the TFB area, this kind of article released so soon after the article that Obama is making an attempt to get a law passed that the internet can be shut down in case of "national emergency", is this just an attempt to incite fear into the teeming masses?
                        They can't shut down the internet we will just re-program our cell phones and surf the old Sat-Coms. Isn't that what hackers do all the time?

                        xor
                        Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



                        • #13
                          Re: Don't make the power grid smart: IT COULD GET HACKED!

                          Originally posted by xor View Post
                          They can't shut down the internet we will just re-program our cell phones and surf the old Sat-Coms. Isn't that what hackers do all the time?

                          xor
                          Only if you're an ex-Mac hipster who plays with dolls, accompanied by a world-weary old cop.

                          "Yippi-kay-ay, motherfu - "


                          In a story today about attacking the grid, the Wall Street Journal says that the Electricity Grid in U.S. Penetrated By Spies


                          By Siobhan Gorman
                          Technology
                          Wall Street Journal
                          April 8, 2009

                          WASHINGTON -- Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

                          The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

                          "The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."

                          The espionage appeared pervasive across the U.S. and doesn't target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

                          <...>
                          Last edited by Thorn; April 8, 2009, 08:35. Reason: Added WSJ article
                          Thorn
                          "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



                          • #14
                            Re: Don't make the power grid smart: IT COULD GET HACKED!

                            Originally posted by Thorn View Post
                            Only if you're an ex-Mac hipster who plays with dolls, accompanied by a world-weary old cop.

                            "Yippi-kay-ay, motherfu - "
                            I guess I'll have to hang around with you more often John

                            xor
                            Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



                            • #15
                              Re: Don't make the power grid smart: IT COULD GET HACKED!

                              On one of the channels I'm on most of the time, one of the guys went on a rant about it and has some authority on the subject since he does pen-tests on power plants and the like.

                              Everything he's seen come down the pipe is just your run of the mill malware that is on far too many machines already and doesn't appear to be something specific to the grid or a specific purpose.

                              From this, one can make a conjecture as to the actual circumstances;

                              1. Malware hops the airgap (if any, that is) and gets into the c&c system at some facilities.
                              2. Since most of the common malware is controlled by shady business types in China and Russia, the malware found is 'from Russia and China'
                              3. Ergo, the Chinese and Russians must be penetrating the grid for some nefarious purpose (other than to sell wang enhancement projects)
                              4. Take this information, call a few reporters, make a stink in order to justify spending more money to fix real problems, like the lack of a plasma TV in the break room

                              That's not to say there haven't been actual penetrations, but I'm wagering that a lot of the rhetoric was about non-targeted malware being touted to drum up business for someone/something

                              Just my $0.02
                              Never drink anything larger than your head!




