Foreign cyber-spies have reportedly been infiltrating the US electrical grid and planting software that can be used to destroy key components. According to the Wall Street Journal - which cites unnamed national security officials - electro-spooks hailing from China, Russia, and "other countries" are trying to navigate and …
Aren't they the same folks
who said something about the WMDs in Iraq?
We've been telling them for years to keep the SCADA air-gapped from the public network. Would they listen? No, of course not. Manglement always knows better than the security folks.
I'm not sure the US has a "national grid"
"planting software that can be used to destroy key components."
You mean they maliciously installed Internet Explorer 8?
It doesn't take National Security Regulations to show that connecting a SCADA system to the Internet is a really bad idea. Only an idiot, an MBA or a cost-fixated bean-counter in the wrong job could have so little understanding of the possible consequences as to do it.
Then again, look at the people who are running water companies, power plants, the national grid, etc.
I rest my case, m'lud.
Do unto others...
as you would have them do unto you.
Well, it's a little bit rich of the USA to complain if the Russians have managed to infiltrate their electrical grid and leave a few rogue programs behind. Didn't the good old USA supply Russia with deliberately-flawed computers, technical manuals, faulty designs and so on when Reagan was in power? Is spying and sabotage only OK if it's being done by the USA to somebody else?
Of course, when things go wrong with the power grid in the USA, they can't wait to blame somebody else: "http://news.bbc.co.uk/1/hi/world/americas/3152451.stm".
"It was dem Canucks", said the Americans. "Nope, wasn't us", said the Canadians. And who was right? Next time, they'll be able to say "It was the Russians/Chinese/Canadians/other people".
Fact or fiction?
I find it somewhat amusing that not three months ago, 24 had this as an integral part of one of their story arcs. Infiltration of a chemical refinery's systems to cause an explosion, hacking in via computer (using a pinched security device which gave the baddies unlimited access to just about every Government system connected to the intertubes).
Is this REALLY going to happen in real life? Surely people in charge of security at key facilities are going to be even more paranoid about their network security than we are of uk.gov. (If not, they kinda deserve to be killed in a massive meltdown for their shortsightedness...)
Paris, because she's had a few people own her box
... cue "well, if they'd just used (X) instead, this would *NEVER* have happened", in 3, 2, 1...
Why do all these things have to be connected to the internet? If they REALLY have to connect all these control systems to some interconnected network to monitor it from some other place, at least have something that isn't... I don't know, connected to the world?
If something needs to be kept secure, don't plug it into the intarwebs! Is it that difficult?
fecking crazy I say!
Wall Street Journal?
They must be mad!
> Because security on the systems is not regulated in the US, protection of key infrastructure is left in the hands of the industry.
From my past experience of SCADA at a certain globally owned fizzy pop factory, and knowledge of IT in general, any numpty who connects a SCADA network to teh intarwebs, or authorises it to happen in the first place, should be taken out and shot!
What did they think would happen? Hackers, crackers and foreign governments / commercial interests would ignore them because they were "On God's side".
Wall Street Journal. Specialist subject. "The bleedin' obvious!"
Torches out, Portaloos at the ready chaps.
The Russians / Chinese / Norks / Iranians / Taleban / Al Quaeda / etc. etc. are coming.
Hmmmmm..... someone's been watching Die Hard 4.0 a bit too much
Just relax eh.
We just needed to shunt some extra power to the Molson breweries to prepare for the Stanley Cup playoffs....we'll give it back.
For the love of crap
For the love of crap, don't hook SCADA to intranets or the Internet!!! They are NOT meant for it. Meaning, (from what I've read).... in some cases, no security whatsoever. Buffer overflows. No validation of input. And so on.. basically, it's designed to work reliably when communicating within its environment, not to deal with anything on the public Internet. Worse, some of it (not control systems.. I hope.. but at least monitoring systems..) runs on Windows. Unpatched Windows. (Probably because the software is certified for *that* OS version, not that OS + patches...)
Hmm... where's Bauer when you need him
Methinks WSJ been watchin' a lil too much 24...
Paris.. cos if she could read, she wouldn't read the Journal
People have known for years that SCADA was insecure. People have, likewise, known that these machines should not be connected to the Internet. The only wonder is that these people are apparently only now waking up to these facts.
I hope y'all can forgive me...
...for laughing until I piss myself, as this sounds like the kind of over-the-top bullshit that George Smith used to so joyfully debunk in his digital security blog some years back.
I caught this story earlier today, elsewhere -- like, the Drudge Report (appropriate somehow) -- and I'm _still_ laughing until I piss myself. I mean, Jeezus H.W. Christ. The friggin' _Wall_Street_Journal_? Oh, yeah, I'm going to believe a high-tech terror threat story in the goddamn' _Wall_Street_Journal_. Y'know, I actually read that whole goddamn' article through, and you wouldn't have believed my disappointment to find absolutely no references to Electromagnetic Pulse Weapons or Electronic Pearl Harbor.
Of course, you realize that if they'd been running OSX, there'd have been no threat. (;^>
Grinnin' and duckin',
@ Do unto others
Nice. So this is the way our "allies" back us up.
Mouth off about the US all you want, Michael; I notice you're doing it in English, not German.
I also notice your icon choice is decidedly American-heavy. Isn't this a Brit rag? Where are your famous people's icons?
Back to basics?
Maybe going back to a bloke with a phone and a switch might work out cheaper in the long run, because I don't think some Tom Clancy scenario will be materialising to save them.
For our next trick.....
"Because security on the systems is not regulated in the US, protection of key infrastructure is left in the hands of the industry."
I'm sure they'll do as fine a job of self-regulation as the finance industry did over the past few years.
Scotty, do you have John McCain's number ?
Well, if the Chinese, Russians, and "others" didn't already know how crappy US power grid security was, they sure do now.
My money is on this being departmental spin to get more money, generate more fear, produce a few patriotic hoorahs, and remind everyone who the "enemies" are.
Looks like we need a New World Order to sort this one out!
Why Not ?
OK, I agree the numpties in Management shouldn't be connecting these things as they stand.
BUT - Why shouldn't they be connected to the Internet?
The technology and know-how is available to make SCADA secure - it just needs buy-in from the industry and the manufacturers to make it happen. Why should we the public pay our utility companies billions to install dedicated private networks for SCADA when the same plants are connected to a (relatively) free global communication network. I'll state it again before the flames start - IT NEEDS TO BE DESIGNED TO BE SECURE. But building a secure network on top of the internet is cheaper than installing fibre cable between every site.
Would any control gear on an electric grid need to be accessible from outside of a power company network?
That is all.
Well, almost all. What about the double standards here - people actually doing things to harm the US v Gary McKinnon uncovering a passwordless admin account?
Mine's the one with all the wallets and credit cards hung on the outside with velcro.
Oh noes - teh interwebs ate my lectrics!!
I thought that the biggest threat to the US power grid was kettles.
@ Don't connect SCADA to the net
Customers want it.
And it's easier for support engineers to fix something that way rather than drive to the middle of nowhere and walk through muddy fields. And a whole lot quicker.
the grid system is complex
I'm guessing the reason you want to hook it up to teh interwebs would be to prevent whole sections of the country losing power - which has happened. Yes we do have a national grid, but it is sectioned up, and the different pieces have probably got to have some way to talk to one another. It does seem that it wouldn't be too much to ask that they emulate the military and use bulk encryption and "private" networks to do this...
@@ Do unto others: I call troll on this. If it is some sincere american, then I'll add, as one to another, a hearty and equally sincere stfu.
Connected to Internet not Always Real Time
Did everyone miss how the Diebold ATMs were hacked? It doesn't take a physical, real-time connection to make the transfer. All it takes is some luser to connect his work laptop to his home network to watch some "art films" some night. The payload gets planted on his machine. Then he toddles back into the office, connects to the "secure" LAN and the payload is set loose.
So, how do you protect it? There are lots of draconian measures (no laptops, forced VPN connections, etc), but those only infuriate the luser, and may even make them find ways around the "restrictions." Probably a better method is a twofold approach - make sure the luser's machine is well virus checked, and use smart network switches on the secure LAN that do deep packet inspection and (hopefully) filter out threats before they spread.
The "why not" is simple: it is better to be safe than sorry, even if it costs a bit more. Given the amount of motivation and the resources of would-be attackers (these are nation states we are talking about, and not small ones either) I would suggest that the system cannot be made secure enough. I have seen too many systems that seemed secure fall to a clever attack to trust that we will be able to lock down SCADA tightly enough that it is completely resistant to assault.
Then too, there is the factor that the more secure a system is, the more of a Pain in the A** it is to use. Do you really select tough passwords for your accounts, use a different password for each account, change passwords frequently, and refrain from having a list of your passwords for all the different accounts? I would be very surprised if you could truthfully answer yes to all of these; human beings are just not mentally equipped to keep track of all the required passwords without taking a shortcut somewhere, despite the fact that this weakens the protection that the passwords provide.
Let me give you a concrete example from history: the Venona decrypts were made possible because generating a new one-time pad was so much effort that someone in the Soviet crypto section couldn't be bothered and reused a previously used one (this being a big crypto no-no, they are called one-time pads for a good reason). This lapse allowed western cryptanalysts to decode some of the messages to and from the spy networks in place in the US and elsewhere, revealing the extent of Soviet penetration during the years leading up to the Cold War (while the USSR was the ostensible ally of the US and UK) as well as outing particular individuals as spies.
Linking SCADA systems to a publicly accessible network, and especially to the internet is, IMO, just an invitation to come pwn us. The principle is simple: you can't hack what you don't have access to. Deviating from this principle just because it may be more expensive to do things that way is fundamentally unsound (and connecting SCADA systems to the internet without even *trying* to harden them is, I think we can all agree, breathtakingly, culpably, stupid).
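The Venona point above deserves a worked illustration. The following is an added example, not the commenter's code or anything from the article: it shows why a one-time pad that is used twice stops being a one-time pad. The two messages, the crib ("COURIER") and the random pad are constructed sample data.

```python
"""Added example (not from the page): the two-time pad failure behind Venona.

Two messages encrypted under the same pad leak their XOR. A crib (a guessed
fragment of one message) then reveals the other message at that offset, and
one fully known plaintext recovers the whole pad. Messages, crib and pad are
constructed sample data."""
import os

# Candidate plaintext must be letters or spaces to survive the crib filter.
ALPHABET = set(b" ABCDEFGHIJKLMNOPQRSTUVWXYZ")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Vernam / one-time-pad encryption: ciphertext = plaintext XOR pad."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return xor_bytes(plaintext, pad)


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """With a shared pad k: (p1 ^ k) ^ (p2 ^ k) = p1 ^ p2. The pad cancels."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2: bytes, crib: bytes) -> list:
    """Slide a guessed fragment of one message along p1 ^ p2.

    Where the guess is right, XORing it back yields the other message's text at
    that offset. Returns (offset, candidate) pairs whose bytes are all letters or
    spaces; a human then judges which candidates read as language, which is what
    the Venona analysts did by hand."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        cand = xor_bytes(p1_xor_p2[off:off + len(crib)], crib)
        if all(b in ALPHABET for b in cand):
            hits.append((off, cand.decode("ascii")))
    return hits


def recover_other_message(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """One fully known plaintext gives the pad (c ^ p), which then decrypts
    every other message encrypted under that same pad."""
    pad = xor_bytes(c_known, p_known)
    return xor_bytes(c_other, pad)


def two_time_pad_demo(m1: bytes, m2: bytes, crib: bytes) -> dict:
    """Encrypt two messages under one pad and run both attacks against them."""
    pad = os.urandom(max(len(m1), len(m2)))  # a perfectly good random pad...
    c1 = otp_encrypt(m1, pad)
    c2 = otp_encrypt(m2, pad)                 # ...reused: the Venona mistake
    leaked = ciphertext_xor(c1, c2)           # pad gone, p1 ^ p2 remains
    return {
        "crib_hits": crib_drag(leaked, crib),
        "m1_recovered": recover_other_message(c2, m2, c1),
    }


# Constructed sample traffic; both messages are 30 bytes so the pad covers them.
MESSAGE_1 = b"AGENT ARRIVES NEW YORK TUESDAY"
MESSAGE_2 = b"FUNDS SENT VIA COURIER TUESDAY"

if __name__ == "__main__":
    result = two_time_pad_demo(MESSAGE_1, MESSAGE_2, b"COURIER")
    for off, cand in result["crib_hits"]:
        print(f"offset {off:2d}: other message reads {cand!r}")
    print("message 1 recovered from known message 2:", result["m1_recovered"])
```

Dragging the crib "COURIER" produces a hit at offset 15 that reads "EW YORK", a fragment of the first message, and the filter will also pass a few false positives that a reader discards. Once one message is known in full, the pad falls out and the other decrypts completely, which is why key reuse under a pad is not a weakening but a total break.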