Forgot your password?
typodupeerror
Power Security United States

Congressional Report: US Power Grid Highly Vulnerable To Cyberattack 124

Posted by Soulskill
from the industry-strangely-averse-to-voluntary-protections dept.
An anonymous reader writes "Despite warnings that a cyberattack could cripple the nation's power supply, a U.S. Congressional report (PDF) finds that power companies' efforts to protect the power grid are insufficient. Attacks are apparently commonplace, with one utility claiming they fight off some 10,000 attempted attacks every month. The report also found that while most power companies are complying with mandatory standards for protection, few do much else above and beyond that to protect the grid. 'For example, NERC has established both mandatory standards and voluntary measures to protect against the computer worm known as Stuxnet. Of those that responded, 91% of IOUs [Investor-Owned Utilities], 83% of municipally- or cooperatively-owned utilities, and 80% of federal entities that own major pieces of the bulk power system reported compliance with the Stuxnet mandatory standards. By contrast, of those that responded to a separate question regarding compliance with voluntary Stuxnet measures, only 21% of IOUs, 44% of municipally- or cooperatively-owned utilities, and 62.5% of federal entities reported compliance.'"
This discussion has been archived. No new comments can be posted.

Congressional Report: US Power Grid Highly Vulnerable To Cyberattack

Comments Filter:
  • You're kidding me (Score:3, Insightful)

    by Anonymous Coward on Wednesday May 22, 2013 @12:10AM (#43790575)

    Our power grid is plugged into the Internet? Can't they spend $40 on a Linksys router and call it good?

    • Re:You're kidding me (Score:5, Informative)

      by OhANameWhatName (2688401) on Wednesday May 22, 2013 @12:42AM (#43790735)

      Can't they spend $40 on a Linksys router and call it good?

      You can never spend $40 on a Linksys router and call it good.

      • by drinkypoo (153816)

        You can never spend $40 on a Linksys router and call it good.

        You could, but now you can't, because it also says "Cisco" on the router, and now it sucks ass. That has to be one of the biggest blunders in networking corporate history. It harmed both brands.

      • Splurge for a Huawei. The PLA knows what it's doing.
    • The report doesn't say what kind of attacks, it could have been an attack on the secretary's computer. Here is what the report describes: "cyber attacks ranging from phishing to malware infection to un-friendly probes.....Much of this activity is automated and dynamic in nature able to adapt to what is discovered during its probing process.” Someone is running nmap.

      "Able to adapt" does suggest that an intelligent agent is behind it, but it's hard to know without more detail.
      • Ok, so they figure out the secretary visits eBay and plays solitaire. If you unplung the damned grid from the internet it can't be 'cyber' attacked in any way.
        • by White Flame (1074973) on Wednesday May 22, 2013 @01:53AM (#43790977)

          Stuxnet spread via USB sticks, and successfully 'cyber' attacked nuclear refinement systems that were not on the net.

          These regulations (at least from what I'm familiar with from the nuclear end of things) cover a lot of human & portable equipment policy, and destroy I/O ports in non-connected equipment to try to eliminate potential attack vectors or non-policy human activity that might compromise security. It does go beyond simply unplugging CAT5 cables.

          • So you're comparing our electric grid to Iran? What you're talking about is a personnel training issue - it's entirely fixable without granting the government massive cyber surveillance powers (well more than they have already).
            • If a US power facility does not have policy covering portable storage media, then yes they would be as vulnerable to attack as the Iranian nuclear refinement facilities.

              None of the things being discussed with this security in particular involves cyber surveillance powers; they're all about ensuring that the workers' goings on within a facility itself are in line with security, and that quick workarounds to get things done are not allowed to breach security protocol.

        • by lightknight (213164) on Wednesday May 22, 2013 @03:33AM (#43791329) Homepage

          Not going to happen. The US, and other parts of the world, have been very Marie Antoinette about internet / technology literacy, and the implications of a populous dependent on using said devices where the culture is set to super-apathy mode. They just...they don't care, and the way things are setup, there is no way to make them care, until the inevitable something horrid happens to them, then it's "why can't you guys do anything about this?"

          Consider this: your average secretary for a CEO / Chairman / President of a company may or may not have the technological literacy to know whether or not his / her machine has become infected, and is now sending the VIP's electronic Rolodex / tax returns to some bad people. But the VIP is totally cool with how things are, until some insider breaks his company, or personally targets him. And then it's asking IT / the FBI to track down some people who have had a six month start, and probably swept their tracks right before their big heist. This is how technology illiteracy is killing companies.

             

          • onsider this: your average secretary for a CEO / Chairman / President of a company may or may not have the technological literacy to know whether or not his / her machine has become infected, and is now sending the VIP's electronic Rolodex / tax returns to some bad people. But the VIP is totally cool with how things are, until some insider breaks his company, or personally targets him. And then it's asking IT / the FBI to track down some people who have had a six month start, and probably swept their tracks right before their big heist. This is how technology illiteracy is killing companies.

            What if anything does this have to do with a cyber attack on the electrical grid?

        • keep in mind that the core infrastructure used by the power grid makes up a sizable chunk of the internet. not only is it used for commercial and residenrial Internet access but it is used for things like traffic light timing systems. with that in mind it can't just be unplugged. it has to br properly firewalled and segregated. hopefully that is being done and it has to be constantly monitored.

          • The electrical grid does not make up a sizable chunk of the internet. Sure there's connectivity between various electrical sites but that's on physically separate networks that without someone plugging the wrong cable in aren't going to be accessible from the internet. The problem is they've attached lots of the command and control nodes to the internet, but the core electrical infrastructure is not on the internet.
      • by Anonymous Coward

        Read it an weep, I'd be sacked if ever I did that, yet their network admins seem to think it's an 'improvement':

        "Grid operations and control systems are increasingly automated, incorporate two - way
        communications, and are connected to the Internet or other computer networks. While these improvements have allowed for critical modernization of the grid, this increased interconnectivity has made the grid more vulnerable to remote cyber attacks."

        So they took a critical system and connected it to every hacker an

        • Read it an weep, I'd be sacked if ever I did that, yet their network admins seem to think it's an 'improvement':

          "Grid operations and control systems are increasingly automated, incorporate two - way
          communications, and are connected to the Internet or other computer networks. While these improvements have allowed for critical modernization of the grid, this increased interconnectivity has made the grid more vulnerable to remote cyber attacks."

          So they took a critical system and connected it to every hacker and script kiddie on the planet, knowing that botnets endlessly test every IP address for vulnerabilities. And they complain about botnets testing the stuff THEY CONNECTED to the internet! WTF.

          It's a case of incompetent sysadmins, couples to a self serving 'cyber-war' agenda on behalf of the people who should be advising them to disconnect them from the internet!

          Something similar happened to me. I figured out that putting all my money in front of my door would be quite useful because I'd just take some of it when I leave the house, and I don't need my money inside anyway. However as soon as I did so, people just started to take away my money lying there! Who would have thought that!

        • Wish I had mod points. It seems these days that vital computer networks are being run by the criminally clueless and lazy.

    • by Inda (580031)

      Try £10,000 on a box in the power station control room that's got "industrially secured" on the box. It's a firewall, fire blanket and fire extinguisher all rolled into one! It ticked all the checkboxes on the spec sheet. It cost £10,000. It's all we needed.

      Except anyone can walk into the control room and push any buttons they like. There's even a USB interface on each PC.

      Sure, this is not the grid (UK), it's the power generators. The grid is actually stuck 50 years in the past.

  • by fuzzyfuzzyfungus (1223518) on Wednesday May 22, 2013 @12:10AM (#43790579) Journal

    It sure is a good thing that we've been focusing our efforts on defense, rather than developing sophisticated attack toolkits and releasing them into the wild where they definitely won't get reverse engineered and re-deployed...

  • Now the terrorists know it, too!

    • Now the terrorists know it, too

      I think you're going too far calling the US congress terrorists.

  • by Anonymous Coward

    10,000 attempted attacks every month.

    90,000 spam emails filtered in the same time period.

    I guess it's not cool to call spam "tools of the terrorists" yet.

    • How many of those consist of viruses port-scanning the entire internet looking for a host running the particular version of some PHP admin console they need to infect?

  • by aphelion_rock (575206) on Wednesday May 22, 2013 @12:19AM (#43790629)

    Why bother with complex security measures?

    (1) It costs money
    (2) There is no measurable profit
    (3) There is no measurable increase in productivity
    (4) There is no measurable increase in share price
    (5) The bozos who make the decisions usually don't understand the issues anyway

    Only once the proverbial hits the fan will something be done and even the it will probably be blamed on the power lines sagging onto a tree on a hot day...

    • Your conclusion is probably right, but one workaround would be for Congress to grant the utilities big bucks to fix it, whereupon entrepreneurs with solutions (and con artists with "solutions") would pop up all over. That would take care of (1), (2), and (4).

      Not sure I like that suggestion, but admittedly it is in our national interest to do something about it.

      I vaguely remember reading that our national grids are a mere hop and a skip of the Grim Reaper, even without cyberattacks.

    • by c0lo (1497653) on Wednesday May 22, 2013 @12:48AM (#43790791)

      Why bother with complex security measures?

      (0) We have laws that criminalize the breach of ToS-es, so it's no longer our problem... we have 3-letter-agencies and US Attorney Carmen M. Ortiz to protect us.
      Our mission is not security but to make profits (e.g. externalize costs, avoid taxes, etc; if it would lead to increase profits, we'll even lobby the Congress to repel the Law of gravitational attraction)

      (1) It costs money
      (2) There is no measurable profit
      (3) There is no measurable increase in productivity
      (4) There is no measurable increase in share price

      Only once the proverbial hits the fan will something be done and even the it will probably be blamed on the power lines sagging onto a tree on a hot day...

      FTFY

    • by jhoegl (638955)
      There IS measurable profit and increase in productivity, which will lead to increase in share price.
      Once you realize a grid is down, and you are losing money to a preventable issue, you will be able to determine the cost.
      Of course this is reactive thinking instead of forward thinking, something only money grubbing corps do.
      Productivity is increased or recoupped because you arent hiring people to chase after viruses, paying OT to people fixing something in the middle of the night, and losing time on their
      • Yeah, but it 'doesn't work'

        Take, for example, the latest hurricanes on the east coast. Or better 'snow on the trees' of 2012 fame.
        Lots of trees came down. Fell on power lines, cut power to my neighbourhood for a week. Hurricane sandy was 2-to-3-weeks for most in my area.

        One assumes they lost a shedload of business during that period, but until $lost-for-not-providing-power > the cost of *burying the damn power lines* it won't happen.
        They beg and whine and moan at the state for money to perform the stupid

        • by cusco (717999)
          When I was a kid in the 1970s Detroit Edison did a study and found that it would cost half a million dollars to bury the power lines in a certain area, so the idea was shelved. Coincidentally the very next day an ice storm caused three quarters of a million in damage to that same area. They fixed the overhead lines and then left them that way for the next decade at least.
    • (6) Nobody wants to commit to responsibility to cybersecurity policy & procedure, in case it doesn't work.

      • (6) Nobody wants to commit to responsibility to cybersecurity policy & procedure, in case it doesn't work.

        Very true
        This was my experience with the Y2K program. I looked at what was being done and commented that it wasn't addressing the whole issue. The response: "We need to look like we are being seen to be doing the right thing so we cannot be sued for negligence" rather than actually putting in a technically correct solution.

    • by Anonymous Coward

      Hence why the for-profit utilities have far lower security compliance rates than the government run ones. Unless you start micromanaging penalty structures (while various political parties try and poke holes in them) the cheapest way to run something is rarely the way that is in the best interest of the general public, and business selection pressure is always to the cheapest way. It's no good saying "oh, but when the utilities that do not implement security fail, people will stop paying them!", that's clos

    • Obligatory SMBC comic [smbc-comics.com]. The people demand security.
  • by phantomfive (622387) on Wednesday May 22, 2013 @12:46AM (#43790775) Journal
    The report mentions there has not been a single instance of damage caused by cyber-attacks.

    There has been damage, however, " the only physical attacks experienced on their systems seemed linked to acts of vandalism and thefts of copper. Most incidents appeared unrelated to terrorism. However, one federal entity that owns a major piece of the bulk power system reported a Molotov cocktail was thrown at a dam."

    I have no idea what to think of that.
    • by anagama (611277)

      Drunk kids having a little fun. Basically ... all kids are terrors in one way or another. Too bad we've moved way beyond imposing a fine, a stern talking to, and maybe a few hours picking up garbage on the freeway.

    • by Immerman (2627577)

      If the only "terrorists" we have to worry about are idiots stupid enough to throw a molotov cocktail on a dam as though that would actually hurt anything then there's not much point in defending against them. Frankly though I don't think terrorists are the problem. Realistically, when has a terrorist caused much more than an inconvenience and a few days of overdramatic journalism. 9/11? More deaths and property damage occur via bad luck and stupidity in any 24-hour window. The only thing that made it not

      • by DarkOx (621550)

        I think the parents point was that they were probably just some kids, not terrorists. I recall as a kid playing with fire, my friends and I would deliberately chose large relatively impervious cement structures like those big stome drain tubes etc because we could be pretty certain we would do no damage to them, and there would be nothing flammable near by for fire to spread to.

        If you want see what a molatove cocktail will do, throwing agaist the side of a big concrete damn is probably about the safest pla

  • Your conclusion is probably right, but the decision will be for Congress to give a lot of money to solve, why entrepreneurs and their solutions (and crooks "Decision"), pop-up everywhere. Care should be taken (1), (2) and (4). Not sure I like this proposal, but really in our national interest to do something about it. I vaguely remember reading that our national network are just a hop and a jump from the mower, even without the cyber attacks. By Hi-Tech ITO
  • by Anonymous Coward
    I worked on some of the software that manages the bidding and load-balancing of the grid that powers much of the US and some smaller portions of the world. I have to say that it, by far, was some of the worst software I have ever seen in my life. Spaghetti like you wouldn't believe.
    To be clear, it wasn't the code that actually ran the grid, but it told the grid the optimal way to run at certain times.
    Bug fixes were "fixed" by - how to say it - filtering existing code. We weren't allowed to change existing
  • Out here in "flyover country" we have storms, tornadoes, lightning, wind, ice, and snow. Power outages, while not all that common, are just something we have to deal with. I see big diesel or natural gas generators outside every government building and most businesses. A lot of homeowners I know have their own portable generators. When storms come through someone inevitably loses power, it happens. It can take a few hours to get fixed, in rare and extreme cases it can take days. Life goes on.

    What kind

    • If you can trigger a cascade failure, you could black out a state for days. It's happened by accident before.

      It'd have to be an inside job, though. Even if someone outside could compromise the security, only someone with very precise knowledge of how the grid is build could pull off a cascade failure. Not just how it's designed, but how all those really tidy schematics translate to the real equipment - only someone who works with it would know, for example, if a breaker rated for 65A is going to trip reliab

    • by Immerman (2627577)

      Heck, I suffered multi-hour power outages several times near downtown Denver over the course of a couple years. Shit happens, people deal with it. So long as nobody manages to blow anything up it's just a nuisance. And an excuse to eat all that ice-cream in the freezer, just in case.

    • by AK Marc (707885)
      What you should be worried about are the things they don't think about (usually because someone says it's impossible). What happens to a turbine if power is input and no power is output? Often they spin out of spec and can destroy themselves. So target plants to destroy the generators themselves. Those are harder to repair/replace, and take out enough, and you'll have rolling blackouts for months.
  • by http (589131) on Wednesday May 22, 2013 @03:00AM (#43791219) Homepage Journal

    OMNI magazine recently set its archives loose online. Check the January 1989 issue, "The Rules of the Game" (http://archive.org/stream/omni-magazine-1989-01/OMNI_1989_01#page/n17/mode/2up, flip to page 42) for the low tech nightmare. If you think the nation without a power grid would make for a seriously bad month, you lack imagination. Try a seriously bad year, or longer. Pretty much every piece of infrastructure is built with the assumption that electicity is somewhere close at hand.

    The physical infrastructure of the power grid is an infinitely easier target, with gigantic ROI for terrorists or actual enemy agents. The $100,000 you could spend for a good 0-day would be better spent on a few RPGs and some half-decent watches. Network attacks are a fool's errand. If you want to prevent awful things, your money is better spent on guards.

    That OMNI article may be the first "How can I unknow this?" moment of my literate life.

    • 1. Google maps reveals power lines.
      2. Minions take angle grinders to pylons at agreed times.
      3. Minions run to another location before anyone arrives to investigate.

      One team of minions could trash many pylons before being caught, and a toppled-over pylon would take days to re-erect even if every shortcut was taken in construction. No rare or expensive resources required.

      • by Mashiki (184564)

        Funny you mention that, because police here in Canada have been warned to watch for natives doing this in order to disrupt the country. It's been an on-going warning since the 1980's.

        • by drinkypoo (153816)

          Funny you mention that, because police here in Canada have been warned to watch for natives doing this in order to disrupt the country. It's been an on-going warning since the 1980's.

          This is what I came to say, not this specific thing, but that it's bullshit. How the hell do you watch for people doing this? For that matter, you don't even need an angle grinder, just a hack saw. It would take a long time, but it's much easier to conceal and a lot lighter to carry around. The truth is that most of our cities get power through just one or two points and it would be easy to disrupt them, but nobody is actually even trying. We know nobody is trying because of how pathetically easy it would b

      • No need for an angle grinder, a wrench will do just fine.

        It would take a while to beat the effect of the 1998 ice storm. [wikipedia.org] It downed more than 1000 pylons.

      • by Anonymous Coward
        Fuck wasting time on pylons shoot some of the large transformers at a substation with a rifle. If you can't find a substation to shoot transformers in then shoot some of the pole pigs. Google maps also reveals where sub stations are. As an added bonus you can shoot a transformer from a greater distance than taking an angle grinder to a pylon not to mention the time difference between the 2 options.
    • by AK Marc (707885)
      G Gordon Liddy spreading FUD? You fear that? Yes, there are plenty of ways of causing mass problems that don't rely on listening to the lies of a convicted felon who is paid to lie.
      • by http (589131)

        Did you even read the article? The authorship in this particular case is irrelevant - unless... can you point out what lies were presented in that article?

        • by AK Marc (707885)
          It was a fictional story that was mainly worst-case (with some not-quite-worst-case thrown in so that anyone who claimed it was "worst case" could be rebutted). Yes, there are vulnerable parts of electrical generation/distribution. But the "real" terrorists have never targeted hidden infrastructure. They could do more damage with a bomb in a transformer station, but would rather blow up in a marketplace. Even in war, there have been suspected saboteurs, and they never caused significant damage.

          Yes, t
  • by Anonymous Coward

    Human Machine Interface / Supervisory Control And Data Acquisition. That's the proper name for the central control of a distributed industrial control system. Just one of our licenses controlled a giant automobile assembly plant from a single PC, that if I understand correctly turned out a new pickup truck every fifteen seconds.

    If you're going to attack a nation's power grid, you attack that power grid's HMI / SCADA installations. That's easier to do than you think, because remote installations are often

  • This report actually tells that with a few exceptions, the grid is protected in the way that federal regulations require. It then goes on to say that federal regulations are not strict enough. It comes up with "tens of thousands of attacks" where everyone that knows what this is about will know that these are a few standard port scans. If you count every package as a single attack, you'll get into big numbers easily. It claims destruction of tens of thousands of hard drives at an Arab oil company, while in

    • by FirstOne (193462)

      The biggest actual threat the report can come up with is physical damage to large distribution station transformers. To damage these, physical action, not cyber, will have to be taken.

      If one manages to turn on and off sufficient load in a synchronous fashion, (5 secs on, 5secs off, repeat.) it will cause the power companies turbines and generators to literally leap off their foundations and self destruct.

      This destructive act could be accomplished by hacking the substations or by taking control of a sufficient number of Smart meters with remote service interruption capability.

  • I remember an 80's movie called Prime Risk where some girl is working on an ATM hack then realises terrorists are already in the system planning to blow up key data nodes to bring the banking system to its knees. Iliked it because she used an Atari 800/810 disk drive for everything but it was still an OK film from memory.
  • If a single utility is resisting 10,000 attacks a month, then there must be hundreds of thousands of attempts across the entire country network each week.

    Since we don't read about the chaos the system overall seems to be reasonably well protected and contradicts the phrase "highly vulnerable".

    • by PetiePooo (606423)
      The 10000 attempted attacks per month is the CIO's way of justifying their core firewall. Every SYN packet that hits port 22 is an attempted attack.

      You see, they need big scary numbers to justify to the CFO why they need a maintenance contract on their overpriced Cisco what-cha-ma-call-it doothingy that separates their network from the wild and caa-razy internet. "10000 attempts?!? Wow! Good job, Biff. Here's your budget."

      Sad. But true.
  • by Gothmolly (148874) on Wednesday May 22, 2013 @08:30AM (#43792621)

    Take a large helping of 'duh', sprinkle on some crisis mentality, garnished with a little fascism, and served up by a population programmed to trade freedom for security.

    We'll nationalize the power grid in less than 20 years.

  • Connect your SCADA units to the Internet through VPNs running on embedded hardware. There, all it too was one sentence ...

    ps: Stuxnet only runs on Microsoft Windows ...

  • I read a book by Tom Clancy once that ended with a plane crashing into the Capital Building....years later we had 9/11. I have recently read several books that had subplots of the Chinese hacking our infrastructure. Power, Water and Nuclear. It seems to me that fiction can be turned into reality someone really grabs an idea... It almost makes you want to buy a generator and a pallet of water.... History has shown us that the U.S, Government is reactive not proactive to these type of problems.
  • No Industrial Controller should ever be connected to the internet. This security problem applies to all Manufacturing, Chemical, Pharmaceutical, and Power industries.

    When multiple sites need to be connected, they should use a Serial Dial-up or Leased Line connection or a VPN bridge that cannot respond to any Internet requests that do not originate from the VPN. DDOS attacks against the VPN nodes should only be able to disconnect the controller networks at which point a fallback Dial-up connection will ta
  • The ugliest humans I have ever seenugly on the inside type are in congress. And I give no quarter to anything that comes from there. After anything they say has been reviewed then we will see what is really going on.
  • This "Cyber" buzzword sounds über-cool, I have to admit it.
    Very 80's and 90's cool with all these Tron guys and Wargames (the movie).

    But WTF? We are in 2013 already, who the heck still believes that you can "attack" a WAN or a network that's not even on the internet from the internet?

    It's the new "War On Drugs" making a problem were it didn't exist and in this case the threat itself is so vague and abstract that the common people has no way to know even if any halfwitted IT guy can tell it's all plain

Every young man should have a hobby: learning how to handle money is the best one. -- Jack Hurley

Working...