US power grid the target of 'numerous and daily' cyber-attacks

The US electricity grid is under near constant attack from malware and cyber-criminals, yet most utility companies implement only the barest minimum of security standards, according to a new report released by Congressmen Ed Markey (D-MA) and Henry Waxman (D-CA). "National security experts say that cyber attacks on America's …

COMMENTS
  1. Don Jefe

    Working OK?

    If the attacks are this frequent, doesn't that indicate that current security measures are working reasonably well, seeing as how there haven't been any reports of major successful attacks?

    1. Anonymous Coward

      Re: Working OK?

      I was kind of thinking the same thing. I haven't been reading about massive power outages all over the place, and my power at home has failed only twice (during storms, for a total of a few minutes) in the past two years.

      I guess they've been smart enough to keep the SCADA stuff on a network separate from their internal one after all, despite all the hand wringing predictions about how when hackers turned their attention at US power grids we'd become a third world country overnight.

    2. Chris Miller

      Re: Working OK?

      I imagine that by 'attacks' they mean probes to find out if some well-known TCP port has been left open by mistake, rather than APTs.

      1. Ole Juul

        Re: Working OK?

        I imagine that by 'attacks' they mean probes to find out if some well-known TCP port has been left open by mistake, rather than APTs.

        I agree. The bogeyman takes on any form you want. The lack of clarity and substantiation really bugs me when we hear of these foreign attacks. Surely I'm not the only one who considers credibility to be an issue here and would like that "little issue" cleared up before I take this seriously.

    3. Anonymous Coward

      Re: Working OK?

      "doesn't that indicate that current security measures are working reasonably well...?"

      So far, yes. But you assume that because we don't see anything, there have been no successful attacks, which may not be accurate. And even if it is accurate, how complacent do you want to be? The most probable cause of the Saudi Aramco attack was Iran; the reasoning was that if it was OK to attack Iran's industrial systems, then the easiest way of getting back at the US was to disrupt Saudi oil exports. It delivered its payload, but whether it actually worked to disrupt exports or not is unclear (a bit like the unclear effects of Stuxnet).

      Had the Aramco disruption been more effective, it would have been as effective as closing the Straits of Hormuz, which the US spends billions on military hardware to keep open. That's high stakes, in my view. Coming closer to home, the electricity grid is seen as a peachy target because if you can shut down sufficient of the grid you cause the economy to grind to a halt. In this respect, attacks on power stations are small beer, because the grid is generally resilient, but if you attack the transmission system itself then you may have more success, albeit without being able to cause much physical damage.

      The threat of blackouts is not a big one, and the most probable scenario would be a short term power outage whilst transmission management systems are cleaned up and rebooted. But that's still worth putting a modest effort in to avoid.

      1. Don Jefe

        Re: Working OK?

        I agree completely. But it seems they are making the effort to manage security. Seeing as how they aren't failing it seems unnecessary to have Congress step in and mandate a bunch of spending.

    4. Tom 13

      Re: Working OK?

      That was one of my thoughts. Here are some others:

      How tough are the minimal NERC standards?

      A soldier might only meet the minimum Ranger physical fitness standards, but that's still probably a hell of a lot higher than the Surgeon General's recommended minimum fitness standards. Of course NERC's standards might be the same as Homer Simpson's minimum physical fitness standards too.

      If I were implementing tougher standards than NERC, would I necessarily want a Congresscritter knowing that?

      Corollary question: would I want world + dog to know that? Because if a Congresscritter knows now, they will soon.

      What constitutes an attack?

      Do they have threat levels for attacks?

      If they do have threat levels, what does the distribution of attacks look like?

      One generally assumes that if you are meeting and exceeding published standards or Industry Best Practices, that you are safer than places where it is ignored. But I have worked in places that didn't have the official certs that were pretty secure and I worked at places that had the certs and were quite the opposite.

  2. Dazed and Confused

    10,000 per month?

    10,000 per hour would seem closer to the normal hit rate on the Internet. Of course it depends on how you count these things and what you even bother to log. I remember a few years ago the guy heading up a project I was working on asked for the root password on the front end box.

    him "can I have the root password for that box?"

    me "are YOU going to fix it when YOU break it?"

    him (ducking the question) "well I might need to change something when you're not here"

    me "what would you want to change?"

    him "well I might need to change the firewall"

    (it was difficult to explain to this guy that locking your car is a good idea when you park outside a pub)

    I showed him the log file; it scrolled off the screen faster than you could hope to read. I did a wc and worked out we'd been hit by unwanted packets on average 3 times per second since the previous weekend, without even bothering to log the most common junk.

    He agreed that perhaps he'd leave it alone.

  3. PlacidCasual

    Complexity of Control Systems

    If the UK power industry is any indication, the complexity and bespoke nature of UK power station control systems may provide some security. The systems have often been upgraded in a piecemeal way over decades, or made backward compatible to obsolete plant as legacy systems become too old to maintain. It means each station has a unique control system controlling a unique plant architecture. In the UK even plants with nominally similar plant process set-ups have different PLCs and control interfaces because of the build-to-price philosophies used in construction. When only one or two long-serving members of staff can interpret how changes in the control system will affect the process, it probably means cyber attackers will be somewhat flummoxed even if they gain access.

  4. John Smith 19 Gold badge

    *Why* would they do any more than the statutory minimum?

    It's the distribution grid, not any single power plant. There is only one.

    So if it falls over the US taxpayer government will pick up the bill because this is also "too big to fail."

    Now if there were incentives to improve that would be a different story. I'm talking fines equal to a % of gross profit.

    Otherwise it will be a case of "They'll get their power back, eventually."

    But if Congress legislates (what Obama has already agreed in principle) the industry will whine and explain it will make them "uncompetitive" and "reduce their power to compete in world markets".

    1. Anonymous Coward

      Re: *Why* would they do any more than the statutory minimum?

      "Now if there were incentives to improve that would be a different story. I'm talking fines equal to a % of gross profit."

      That's a threat, not an incentive. As regulated businesses, the industry does what the regulator requests and permits to be recovered. If you want more doing, then build that into the price review/rate settlement. Whilst we shouldn't be complacent, there have been few successful attacks - how much do you want adding to your bill to spend against this eventuality?

      This idea of "fines as % of turnover" is wildly popular with idiot civil servants, but few other industries are subject to such daft ideas. My power company could be fined "up to 10% of turnover" for a whole range of petty misdemeanours - for example not installing enough smart meters, failing to hand out subsidised insulation, or not offering discounts to government's chosen groups, etc etc. All those mandated programmes are ultimately decided by government bureaucrats but paid for by power users.

      Now let's assume you still want to proceed. Government are the absolute worst for IT blunders, insecurity, and incompetent planning. You reckon they can draft a law that will be effective in this respect? Or will it be another expensive & prescriptive statutory imposition that the bad guys can easily work around, and has no useful benefits? Remember SOx? So many good reasons to have an act to improve corporate governance and transparency. But it didn't stop most of the US investment banks going belly up, didn't stop sub-prime and the bail out of Wall Street.

      Asking for more legislation is music to politicians' ears. But do tell us where more legislation has helped anybody other than the lawyers?

      1. Anonymous Coward

        Re: *Why* would they do any more than the statutory minimum?

        Bail out of Wall St? Sub-prime? Those were Repugnicans in charge, trying to prove "Government Regulation Bad, Free Market Good" (TM). Instead it only proved the Grumpy Old People were incompetent and should never be allowed near the levers of power.

        Legislation never helps? So Social Security does nothing for anyone? Extreme positions are almost always wrong.

  5. JaitcH

    It might help if anyone really gave a damn!

    GE - USA - sell a lot of SCADA equipment, all over; after all, they even have a financing outfit to help them.

    And guess where these infrastructure critical parts are made? Of course, CHINA!

    On another corner of the block the USA is deliberately blocking sales by Chinese data companies on the grounds their equipment has backdoors, but when it comes to a US company selling Chinese goods - everything is fine.

    Of course, CISCO, the beneficiary of all the US Government activity, is little better. They, too, have their products bashed out in ... CHINA!

    1. Anonymous Coward

      Re: It might help if anyone really gave a damn!

      "And guess where these infrastructure critical parts are made? Of course, CHINA!"

      Hold on a mo'

      Most Chinese work is assembly, not semi fabrication (there's a tiny bit of manufacturing, even less design). They'd struggle to put in backdoors if they aren't making the silicon. And because the silicon design is US/Korea/Taiwan, if the Chinese were to put in back doors, they need to reverse engineer the hardware, design their own firmware+spyware, then fabricate an apparently identical semiconductor and assemble the product with that (all undetected).

      If it were that easy to do, then it would be equally easy for Western government, commercial IP owners, or device designers to use the same reverse engineering techniques to demonstrate the threat, and immediately ban Chinese made kit.

      If they could do it, it might work a treat until they get caught. Then nobody buys their products, and their export focused economy stalls. How does that help them?

    2. Tom 13

      Re: It might help if anyone really gave a damn!

      And that should probably start with the biggest problem in this story:

      Congressmen Ed Markey (D-MA) and Henry Waxman (D-CA)

      Those two are barely capable of tying their own shoes let alone tackling securing the power infrastructure. Somebody on their staff must have told them they'd get good press out of pushing the issue. And now they have.

      1. Michael Wojcik Silver badge

        Re: It might help if anyone really gave a damn!

        And that should probably start with the biggest problem in this story:

        Congressmen Ed Markey (D-MA) and Henry Waxman (D-CA)

        Considering that Markey (and a fellow nitwit from the other team, Fred Upton) was behind the extension of Daylight Saving Time in the US a few years ago, I agree it's tough to side with him on any sort of technical issue. Their justifications for the annoying, disruptive, and completely unnecessary DST change were a bunch of debunked research and "more trick-or-treating on Halloween" (Upton actually claimed that was a benefit).

        As others have pointed out, releasing a report that says "x number of attacks", with no details as to what those "attacks" might be, and "no better than minimum standards", without detailing those standards, is useless for any sort of security evaluation. There's no way to compare it to a threat model or do cost-benefit analysis. This is another feeble attempt to justify what will almost certainly be ill-considered, unhelpful legislation.

  6. Pookietoo

    If I were the power companies I'd be doing the legal minimum ...

    ... to counter these "attacks", while watching closely and planning strategies for when they become more of a threat. This rather than increasing the challenge to hackers beyond what it appears to be at the moment. If they're not probing my actual defences or testing my full resilience they don't know where any weakness really lies.
