Announcement

Collapse
No announcement yet.

Don't make the power grid smart: IT COULD GET HACKED!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    Re: Don't make the power grid smart: IT COULD GET HACKED!

    Originally posted by renderman View Post
    On one of the channels I'm on most of the time, one of the guys went on a rant about it and has some authority on the subject since he does pen-tests on power plants and the like.

    Everything he's seen come down the pipe is just your run of the mill malware that is on far too many machines already and doesn't appear to be something specific to the grid or a specific purpose.

    From this, one can make a conjecture as to the actual circumstances;

    1. Malware hops the airgap (if any that is) and gets into the c&c system at some facilities.
    2. Since most of the common malware is controlled by shady business types in china and russia the malware found is 'from russia and china'
    3. Ergo, the chinese and russians must be penetrating the grid for some nefarious purpose (other than to sel wang enhancement projects)
    4. Take this information, call a few reporters, make a stink in order to justify spending more money to fix real problems, like the lack of a plasma TV in the break room

    That's not to say there haven't been actual penetrations, but I'm wagering that alot of the rhetoric was about non-targeted malware being touted to drum up business for someone/something

    Just my $0.02
    I agree with you 100% on this. That is what it seems to me, a bunch of scaremongering.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

    Comment


    • #17
      Re: Don't make the power grid smart: IT COULD GET HACKED!

      Could get hacked? the power grid has been hacked many times...

      http://www.telegraph.co.uk/news/worl...ower-grid.html

      this is just the most recent.
      Network Jesus died for your SYN

      Comment


      • #18
        Re: Don't make the power grid smart: IT COULD GET HACKED!

        While the power grid is technically a dumb network of switches and knobs one could hack into the substation wireless telemetry network and alter the data making people throw the wrong switches and knobs. Therefore creating either a DOS attack or something more destructive. I typically see yagi antennas at most substations these days. I'm no expert but I assume they serve a purpose.

        http://www.getwirelessllc.com/Soluti..._Utilities.cfm

        I personally hate all the fear mongering. I grew up in a time when we faced a real threat, the USSR and 30k + nuclear war heads pointed at us. A country that had a boots on the ground intelligence capability that was second to none. Yet we prevailed, and the very real threat of nuclear holocaust is now taken a back seat to a bunch of guys living in caves with AK-47's. Sad when you put it into a little historical perspective.

        What I hate about these reports is that they lack the why, or any plausible scenarios. Just be afraid, be very afraid. Anything that man can break we can fix and make it better. Heck you don't need cyberspace to knock out the Eastern Sea boards power grid just blow up a transformer in the Niagara Falls valley.

        xor

        Also democrats don't fear monger, we hawk prudence; we don't seek and destroy, we sweep and clear; we don't Wage a War On Terror, we perform Overseas Contingency Operations. (rolls eyes)

        Note to America: Please grow a pair.
        Last edited by xor; April 8, 2009, 16:05.
        Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

        Comment


        • #19
          Re: Don't make the power grid smart: IT COULD GET HACKED!

          Originally posted by xor View Post

          What I hate about these reports is that they lack the why, or any plausible scenarios. Just be afraid, be very afraid. Anything that man can break we can fix and make it better. Heck you don't need cyberspace to knock out the Eastern Sea boards power grid just blow up a transformer in the Niagara Falls valley.
          The blackout of August 2003, if I recall, was abated because the guys that run the grid in PA went against policy and took us off the grid. When they saw the cascade start they made the decision, pretty much on their own to disconnect from the main grid and saved us from going dark. It probably also created a "fire-break" to keep the cascade from rolling into other states.

          From the articles that I have about it, it was a combination of issues that caused it's start. A transformer burning up at a substation in conjunction with the slammer worm.

          Even if the grid were to fail, short of a high altitude EMP, it wouldn't be a major disaster. Life will go on, most of the other utilities have their own contingency plans for a major power failure.
          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

          Comment


          • #20
            Re: Don't make the power grid smart: IT COULD GET HACKED!

            This was on the InfoSec New list this morning, and sums up the whole thing quite nicely, I think:

            Originally posted by Richard Forno <rforno AT infowarrior DOT org>

            Jeebus. Everyone in the world needs to take a deep breath and calm the hell down here. They're screaming bloody murder about hackers and the power grids and ZMFGTHESKYISFALLING. How quickly they forget that this kind of stuff was reported / found / observed in the 1996 PCCIP report that kicked off the whole notion of "infrastructure protection" and scaring folks into creating the whole CIP industry. Yet they continued to sacrifice security/survivability for convenience and cost-cutting, with the obvious results. (to competent infosec folks, anyway)

            Bottom line? Screw the breathless hysteria and headlines, WE ARE DOING THIS TO OURSELVES.

            -rf
            Thorn
            "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

            Comment


            • #21
              Re: Don't make the power grid smart: IT COULD GET HACKED!

              An observation made by myself a while ago about hacking power grids, phone networks (outages, not phreaking), water systems, is that the hysteria level is exponentially tied to the perceived cause.

              Power failures happen. Be it rolling Enron blackouts or jackass in a car taking out a transformer on the highway. Most people just deal with it and light some candles or something and continue on (another observation is that birth rates 9 months from the blackout are directly proportional to the length of the blackout)

              It's when people perceive that a malicious hand was at work that the fear skyrockets, even though the resulting effect on the people is the same.

              How much work would it take to re-create the 2003 blackouts? My uneducated guess is more than an average bad guy is willing to put in, particularly if he wants to keep things down for longer by destroying equipment rather than sabotage that can be repaired.

              Generators blow, lines fail, water mains burst, it's all things we live with. How is the effect any different if it's caused by an outside source?
              Never drink anything larger than your head!





              Comment


              • #22
                Re: Don't make the power grid smart: IT COULD GET HACKED!

                Originally posted by renderman View Post
                An observation made by myself a while ago about hacking power grids, phone networks (outages, not phreaking), water systems, is that the hysteria level is exponentially tied to the perceived cause.

                Power failures happen. Be it rolling Enron blackouts or jackass in a car taking out a transformer on the highway. Most people just deal with it and light some candles or something and continue on (another observation is that birth rates 9 months from the blackout are directly proportional to the length of the blackout)

                It's when people perceive that a malicious hand was at work that the fear skyrockets, even though the resulting effect on the people is the same.

                How much work would it take to re-create the 2003 blackouts? My uneducated guess is more than an average bad guy is willing to put in, particularly if he wants to keep things down for longer by destroying equipment rather than sabotage that can be repaired.

                Generators blow, lines fail, water mains burst, it's all things we live with. How is the effect any different if it's caused by an outside source?
                The things people should be concerned about they're not. Things like solar flares, and directed energy weapons which could actually destroy infrastructure as well as personal items on a large scale for a long time.

                xor
                Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

                Comment


                • #23
                  Re: Don't make the power grid smart: IT COULD GET HACKED!

                  http://www.pacetoday.com.au/Article/...ds/480902.aspx

                  I just ran across this today. I haven't been able to find much in technical details, but if this is anything like the other items I found related to Wireless and SCADA it will be far from secure, and this is a brand new product.
                  A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                  Comment


                  • #24
                    Re: Don't make the power grid smart: IT COULD GET HACKED!

                    Originally posted by renderman View Post
                    Generators blow, lines fail, water mains burst, it's all things we live with. How is the effect any different if it's caused by an outside source?
                    it still can send you into a small skid when it happens unexpectedly, heh.

                    last night all the Sprint phones in the area went out of service for an hour or so. i don't know if it was just that carrier, since most folk i know are on there.

                    at least i still had the internet and thanks to the neighbor next door there's no shortage of short- and long-range radio gear if any real interruption in communication technology were to happen.

                    i do look forward to render and prez's talk at DEFCON. short of keeping the shotgun ready and the bug-out-bag packed, there's not a lot of disaster preparation that goes on 'round here.
                    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
                    - Trent Reznor

                    Comment


                    • #25
                      Re: Don't make the power grid smart: IT COULD GET HACKED!

                      The blackout-pregnancy link is pretty much a myth...
                      Most people are too concerned about other things to get their groove on.

                      More interesting is the hysteria surrounding it. I wasn't in the US when the duct-tape and plastic sheet hysteria was going on, but manipulating that for personal gain might make an interesting "theoretical" talk.

                      Comment


                      • #26
                        Re: Don't make the power grid smart: IT COULD GET HACKED!

                        Originally posted by xor View Post
                        Actually you have nothing to worry about .... I hear they are going to using Mac's.

                        xor
                        That would be a great way to get all the "Macs can't be hacked" people to wake up . . .
                        "Freedom is the right of all sentient beings." -Optimus Prime

                        Comment


                        • #27
                          Re: Don't make the power grid smart: IT COULD GET HACKED!

                          I just got back from a tour of a local Co-Gen facility that's taking methane generated by the host facility and using it to power 1.5MW generators which is then supplied to the main power grid. I was on the tour because our facility is looking into installing a Co-Gen in the next couple of years.

                          Sadly, both their IT and Physical security is atrocious. The Co-Gen was surrounded by a 8' chainlink fence with no wire on the top. It is out in the middle of nowhere with no cameras and no guards. It would be rather simple to enter the compound where the generators are sitting and no one would know you're there.

                          The control cabinet for the Methane input wasn't locked, when we got there, but even if it was locked, it would have been simply bypassed as it was a cheap cabinet type lock. The locks on all the doors were cheap as well, nothing had a deadbolt or a padlock hasp on it, except for a storage container.

                          Inside the Switchgear building was their data connection. From what I could see it was possibly a private line ADSL link to their main facility about 30 miles away. The reason why I think it was a private line and not a regular ADSL line was because of the Circuit ID written on the box. Inside the switchgear room was an OIT that controls the entire facility. This had no authentication on it and was just ready for anyone to press buttons.

                          In the operators office was another OIT that also could run the facility, when we came in it was in "locked" mode, meaning no changes could be made. While he was showing us the system, he simply clicked a button and it unlocked. No user/pass challenge.

                          Hanging on the wall was a Linksys 54G AP. I quickly did a discrete scan of wireless networks from my Blackberry just to see what it was. The SSID was being broadcast and it was using WPA-Personal. The SSID also indicated what the facility was. Sitting on his desk was a pair of laptops which he said one was configured to plug directly into the generators for troubleshooting issues and adjusting the onboard computers. The other one, I assumed, was the one he takes home with him so he could connect remotely.

                          I didn't see a modem or any other remote connection method on the site so I'm assuming he would connect via a VPN to their main site and then jump the ADSL line down to there. On both OIT's was an ancient version of VNC.

                          This facility obviously isn't big enough to unbalance the grid and cause a major blackout. But having the AP sitting there is kind of scary as if it were hacked chances are someone would have access to the rest of the grid in that area.
                          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                          Comment


                          • #28
                            Re: Don't make the power grid smart: IT COULD GET HACKED!

                            Originally posted by streaker69 View Post
                            I just got back from a tour of a local Co-Gen facility that's taking methane generated by the host facility and using it to power 1.5MW generators which is then supplied to the main power grid. I was on the tour because our facility is looking into installing a Co-Gen in the next couple of years.

                            Sadly, both their IT and Physical security is atrocious. The Co-Gen was surrounded by a 8' chainlink fence with no wire on the top. It is out in the middle of nowhere with no cameras and no guards. It would be rather simple to enter the compound where the generators are sitting and no one would know you're there.

                            The control cabinet for the Methane input wasn't locked, when we got there, but even if it was locked, it would have been simply bypassed as it was a cheap cabinet type lock. The locks on all the doors were cheap as well, nothing had a deadbolt or a padlock hasp on it, except for a storage container.

                            Inside the Switchgear building was their data connection. From what I could see it was possibly a private line ADSL link to their main facility about 30 miles away. The reason why I think it was a private line and not a regular ADSL line was because of the Circuit ID written on the box. Inside the switchgear room was an OIT that controls the entire facility. This had no authentication on it and was just ready for anyone to press buttons.

                            In the operators office was another OIT that also could run the facility, when we came in it was in "locked" mode, meaning no changes could be made. While he was showing us the system, he simply clicked a button and it unlocked. No user/pass challenge.

                            Hanging on the wall was a Linksys 54G AP. I quickly did a discrete scan of wireless networks from my Blackberry just to see what it was. The SSID was being broadcast and it was using WPA-Personal. The SSID also indicated what the facility was. Sitting on his desk was a pair of laptops which he said one was configured to plug directly into the generators for troubleshooting issues and adjusting the onboard computers. The other one, I assumed, was the one he takes home with him so he could connect remotely.

                            I didn't see a modem or any other remote connection method on the site so I'm assuming he would connect via a VPN to their main site and then jump the ADSL line down to there. On both OIT's was an ancient version of VNC.

                            This facility obviously isn't big enough to unbalance the grid and cause a major blackout. But having the AP sitting there is kind of scary as if it were hacked chances are someone would have access to the rest of the grid in that area.
                            Well everybody knows that no one would think of physically attacking the plant. You onl y have to worry about virtual access. And they have firewalls to protect them.

                            Sadly this is how most places are. I've seen better security in sewage treatment plants (not yours, haven't been there yet.) then in power generating facilities. Hell, I've seen better security on the cisterns at the local state park. We drove up the wrong unmarked road and we're looking around 5 minutes before we were met by the park police and shown that the entrance to the park was on the other side.

                            Believe me, I've seen it all from redicuously locked down systems requiring key card access, to run a single machine, to absolutely no restriction to run the entire plant!

                            Smart Grid will be hacked the day it gets installed. I don't care how good the heuristics system is. Personally, I've looked at what they say it can do and it scares me.

                            Comment


                            • #29
                              Re: Don't make the power grid smart: IT COULD GET HACKED!

                              Originally posted by beakmyn View Post
                              Sadly this is how most places are. I've seen better security in sewage treatment plants (not yours, haven't been there yet.) then in power generating facilities.
                              I'm still working on getting better security implemented at our site. It's an uphill battle because I'm going against managers that are of the idea that since nothing bad has happened so far, then we don't have anything to worry about.

                              Even when something bad does happen it's just shrugged off as an isolated incident. We've had an increasing amount of incidents occur against several of our properties including a smashed window at our main office. The window was said to have been vandalism, but I saw it as an attempt to enter the building since it was in the most concealed corner of the building. I'd think if it was vandals they would have broken the nice big window out front, not a 2x2' window near the back door behind a bush.
                              A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                              Comment


                              • #30
                                Re: Don't make the power grid smart: IT COULD GET HACKED!

                                Originally posted by streaker69 View Post
                                I'm still working on getting better security implemented at our site. It's an uphill battle because I'm going against managers that are of the idea that since nothing bad has happened so far, then we don't have anything to worry about.

                                Even when something bad does happen it's just shrugged off as an isolated incident. We've had an increasing amount of incidents occur against several of our properties including a smashed window at our main office. The window was said to have been vandalism, but I saw it as an attempt to enter the building since it was in the most concealed corner of the building. I'd think if it was vandals they would have broken the nice big window out front, not a 2x2' window near the back door behind a bush.
                                It's the work of militant Amish Terrorists. The ALO Amish Liberation Organization. Why do you think they wear black.

                                xor

                                I could always come up there and spray paint ALO on the sides of buildings.
                                Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

                                Comment

                                Working...
                                X