Power Security

Communications Protocol Leaves Power Grid Vulnerable

Posted by Soulskill
from the electricity-is-a-luxury dept.
mspohr writes "The NY Times has an interesting story about a pair of researchers who 'discovered that they could freeze, or crash, the software that monitors a [power] substation, thereby blinding control center operators from the power grid.' These two engineers wrote software to test for vulnerabilities in the control systems of electrical power grids which use a protocol called DNP3 to communicate with sub-stations. They first tested an open source implementation of the protocol and didn't find any problems. They were worried that their software test wasn't adequate so they started testing proprietary systems. They broke every single one of the 16 proprietary systems they tested initially and found nine more systems vulnerable in later testing. They were able to install malware and also found firewalls ineffective. The pair reported this to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, I.C.S.-C.E.R.T., and didn't get much of a response. It's scary that our electrical grid is so vulnerable and there doesn't seem to be much urgency to get it fixed. A few patches have been issued, but who knows if the systems have been updated?"
  • What are the odds that our best friends already have botnets ready to take our grid down on command?

    Excuse me while I go get a few solar panels.

    • by cusco (717999)

      "Our best friends" - you mean like the friendly folks that helped write Stuxnet? Pretty much guaranteed. Having worked in the utility industry for a time I can pretty much guarantee as well that the fixes they mentioned haven't been deployed, as no one wants to take down a substation that controls, for example, a Navy base and an aircraft factory to update software.

      • by sjames (1099)

        Much better to have an enemy shut it down when it most suits them.

    • by HiThere (15173)

      IIUC, this wouldn't depend on a botnet. This isn't a DDOS attack, this is a code vulnerability. So a lone malicious hacker could take down the grid. (Yeah, some code vulnerabilities need a botnet to set things up. IIUC this isn't one of them.)

  • by BoRegardless (721219) on Friday October 18, 2013 @03:59PM (#45169669)

    It is not like this is a new issue. Fire all IT managers who were responsible for not doing penetration testing, including the ones at Homeland Security.

    If you do NOT hold managers responsible then they are just lifers waiting for their pension!!

    • by jc42 (318812) on Friday October 18, 2013 @04:17PM (#45169843) Homepage Journal

      If history is any guide, the managers of these systems are trying to find ways to prosecute the researchers for their actions. It's fairly standard to classify security testing methods as attacks (since that's in effect what they are), and publishing the problems is generally considered telling the "terrorists" how to attack the systems.

      But this is about what should be expected for systems that depend on "security by obscurity". And the managers of such systems rarely reward someone who demonstrates how they've failed.

    • by E-Rock (84950)

      If you want to go after someone, it probably should be the vendor that sold the crappy implementation.

      I'm not a fan of more government, but since the power grid really goes beyond the company owning it, you should have regulations requiring the testing and remediation of any technical/physical security issues. That takes care of your hypothetical lazy IT Manager, the boss who blocks the good manager because it's expensive and not required, and the company who wants to keep selling equipment.

    • by icebike (68054)

      It is not like this is a new issue. Fire all IT managers who were responsible for not doing penetration testing, including the ones at Homeland Security.

      If you do NOT hold managers responsible then they are just lifers waiting for their pension!!

      Before you loop that noose over the tree branch, perhaps you should check if this report actually reflects the real world.

      TFA simply says they tested software from vendors, not real world installations. This software is in actual use, but that doesn't necessarily mean it's running naked on the internet. Most often this is run on private circuits, as most of these installations predate the availability of internet. Even when on the internet, most of these installations use VPN between plants and control ce

      • by HiThere (15173)

        Well, as for private networks...
        Do you remember a few years back when a nuclear plant that was only on a private network was taken over by a virus? (Nothing major happened that time.) This was because in a different building on the network a contractor plugged his laptop into the private network. I believe that this was by accident. I think he was trying to go on the web. But his laptop had an active infection.

        What with wifi becoming increasingly common, I don't think private networks count as securi

      • Sure, you can scan the net and find some SCADA controllers for small water pumps in East Podunk Oklahoma. But they don't control big city plants.

        Well here I am in West Podunk Oklahoma and our water pump is controlled by an Emitrol Systems relay board connected to an IMSAI 8080 with RS-232 to our PDP-8. I talk to the pump and post to Slashdot with an LA36 DECWriter. It does lower case but it sure looks funny.

        Don't go touching my pump now.
        This is my pump.
        There are many like it, but this one is mine.

    • by thegarbz (1787294)

      This problem is often brought about by a LACK of IT involvement. In many operational systems the control system is maintained by a small group with more knowledge of the plant and the vendor package than IT infrastructure. You may be targeting the wrong people.

      In any case you're still right. DNP3 is about the most secure of the telemetry protocols, and actually has some basic form of encryption. An attacker shouldn't even be able to get as far as to see or communicate with it.

  • by digsbo (1292334) on Friday October 18, 2013 @03:59PM (#45169675)
    I worked for a fellow who'd previously done some work on power grids. He was aware of these problems in 2005 or earlier. I'm pretty sure these problems were also published in the 9/11 commission's report. But I don't think patching holes in power grid controls provides enough theater to keep people scared, so it hasn't been done.
  • DHS? (Score:3, Insightful)

    by reboot246 (623534) on Friday October 18, 2013 @03:59PM (#45169683) Homepage
    Their first mistake was assuming that the Department of Homeland Security actually cares about homeland security. Department of Homeland Control would be a better, more accurate name.
  • by CanHasDIY (1672858)

    It's scary that our electrical grid is so vulnerable and there doesn't seem to be much urgency to get it fixed.

    Sure - scary to you, scary to me, scary to the old lady down the road.

    You know who it's not scary to? The NSA, CIA, and all other clandestine TLAs that profit from allowing harm to come to American citizens.

    Remember: the CIA had solid intel about the 9/11/2001 terrorists, but did nothing to stop them; same goes for the Boston Bombers. The more Americans that they can allow to be injured by "terrorists," the fatter their budgets grow.

    Stopping terrorist attacks is the last thing anyone in the federal governme

    • So a post saying the CIA wanted 9/11 to happen so its budget would be increased gets modded "Interesting". You mods really need to hang out more on conspiracy nut message boards, you'll find a lot more "interesting" stuff there.

      • So a post saying the CIA wanted 9/11 to happen so its budget would be increased gets modded "Interesting". You mods really need to hang out more on conspiracy nut message boards, you'll find a lot more "interesting" stuff there.

        There's nothing nutty about it - it's a proven fact that the government had good, solid intel that a group of mostly Saudi men were planning on hijacking planes and crashing them into buildings. It's also a proven fact that our government did nothing to stop them, and that the budgets and powers of various TLAs see explosive growth (no pun intended) when shit like that is allowed to happen. Contrary to what a lot of people seem to want to believe, the people who run these agencies are not inept, incompetent

        • by gtall (79522)

          Care to post a link to this proof?

          • http://www.washingtonpost.com/wp-dyn/content/article/2006/09/30/AR2006093000282.html

            On July 10, 2001, two months before the attacks on the World Trade Center and the Pentagon, then-CIA Director George J. Tenet met with his counterterrorism chief, J. Cofer Black, at CIA headquarters to review the latest on Osama bin Laden and his al-Qaeda terrorist organization. Black laid out the case, consisting of communications intercepts and other top-secret intelligence showing the increasing likelihood that al-Qaeda

            • by gtall (79522)

              Okay, they were going to attack the U.S. How were they to do this? What specifically was the U.S. to protect against? You might have noticed that the U.S. is a large country with a lot of infrastructure. Right now your evidence is more along the lines of the aliens are visiting earth.

      • by HiThere (15173)

        Now there's no proof that they wanted it to happen. I'll admit that there is proof that they knew about it, and about some of the participants, ahead of time, but that's separate from what their desires and goals were.

        If you were to ask me what I guessed, then I would agree with you, but I don't know where the decision came from, and I tend to believe that the decision was a bit higher. That, however, is also just a guess.

        P.S.: We also don't know just exactly how much they knew ahead of time, and how spe

    • by mlts (1038732) *

      I hate to state this, but you are actually right.

      Consider a grid down scenario done by some intruder. There would be laws passed by Congress, but I would be genuinely surprised if any of what they passed actually did anything for genuine security.

      Instead, it would likely be laws for expanded surveillance 24/7 on US citizens, mandatory DRM stacks in all hardware accessing the Internet, trying to make it illegal to be anonymous to websites, and things that wouldn't prevent another power loss, but lowering th

  • Is the problem with the protocol or the implementation of that protocol?

    Mr. Crain ran his security test on his open-source DNP3 program and didn't find anything wrong. Frustrated, he tested a third-party vendor’s program to make sure his software was working. The first program he targeted belonged to Triangle MicroWorks, a Raleigh, North Carolina based company that sells source code to large vendors of S.C.A.D.A. systems. It broke instantly.

    If the vulnerability is not in an open source implementation but is in third party vendor implementation then it looks like an implementation problem not a protocol problem.

    • by Darinbob (1142669)

      Also note that this is not a protocol that you just trivially tap into. These are not on the internet in general (though never trust your local utility to do the smart thing) and the individual end point devices often don't even have operating systems. Sure, they could put malware onto PCs running in a utilitie's back office, but at that point it is irrelevant what protocol is being used.

      Overall this sounds like a typical Timothy "omg smart grid are evil!" article except that it wasn't from Timothy.
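The implementation-versus-protocol point above is easiest to see in code. What follows is an added example, not code from the article, from Mr. Crain's open-source tool, or from any vendor: a small DNP3 data-link frame encoder and a defensive decoder with the CRC-16/DNP check, plus a mutation fuzzer of the kind the researchers are described as using. The frame contents, the function names and the 2000-iteration fuzz budget are all assumptions made here; the decoder stops at the data-link layer and does not interpret the transport or application layers.

```python
"""Minimal DNP3 data-link framing with a defensive parser and a byte-mutation
fuzzer. Added example; frame bytes below are constructed for illustration."""
import random
from dataclasses import dataclass
from typing import Optional, Tuple

START = b"\x05\x64"              # DNP3 data-link start bytes
DNP3_POLY_REFLECTED = 0xA6BC     # 0x3D65 bit-reversed, for the LSB-first algorithm
MAX_USER_DATA = 250              # LEN is one byte and counts CTRL+DEST+SRC+user data


def crc_dnp3(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65, reflected, init 0, ones-complemented result."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ DNP3_POLY_REFLECTED if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


@dataclass
class LinkFrame:
    control: int
    destination: int
    source: int
    user_data: bytes


def encode_frame(frame: LinkFrame) -> bytes:
    """Header (8 bytes) + CRC, then 16-byte user-data blocks each followed by a CRC."""
    if len(frame.user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds 250 bytes")
    header = (START + bytes([5 + len(frame.user_data), frame.control])
              + frame.destination.to_bytes(2, "little")
              + frame.source.to_bytes(2, "little"))
    out = bytearray(header + crc_dnp3(header).to_bytes(2, "little"))
    for i in range(0, len(frame.user_data), 16):
        block = frame.user_data[i:i + 16]
        out += block + crc_dnp3(block).to_bytes(2, "little")
    return bytes(out)


def decode_frame(raw: bytes) -> Tuple[Optional[LinkFrame], str]:
    """Return (frame, "ok") or (None, reason). Every length is checked before
    any byte is indexed, so malformed input yields an error, not an exception."""
    if len(raw) < 10:
        return None, "short header"
    if raw[:2] != START:
        return None, "bad start bytes"
    length = raw[2]
    if length < 5:
        return None, "length field below minimum"
    if int.from_bytes(raw[8:10], "little") != crc_dnp3(raw[:8]):
        return None, "header crc mismatch"
    user_len = length - 5
    n_blocks = (user_len + 15) // 16
    expected_total = 10 + user_len + 2 * n_blocks
    if len(raw) != expected_total:          # the untrusted LEN byte must match reality
        return None, f"frame is {len(raw)} bytes, length field implies {expected_total}"
    user, pos, remaining = bytearray(), 10, user_len
    while remaining > 0:
        n = min(16, remaining)
        block = raw[pos:pos + n]
        if int.from_bytes(raw[pos + n:pos + n + 2], "little") != crc_dnp3(block):
            return None, f"data block crc mismatch at offset {pos}"
        user += block
        pos += n + 2
        remaining -= n
    return LinkFrame(raw[3], int.from_bytes(raw[4:6], "little"),
                     int.from_bytes(raw[6:8], "little"), bytes(user)), "ok"


def fuzz(valid_frame: bytes, iterations: int = 2000, seed: int = 1) -> int:
    """Mutate a valid frame (byte flip, truncate, extend) and count decoder
    exceptions. A parser that survives this returns 0; the vendor stacks in
    the article are described as failing exactly this kind of test."""
    rng, crashes = random.Random(seed), 0
    for _ in range(iterations):
        m = bytearray(valid_frame)
        op = rng.randrange(3)
        if op == 0:
            m[rng.randrange(len(m))] = rng.randrange(256)
        elif op == 1:
            m = m[:rng.randrange(len(m))]
        else:
            m += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 40)))
        try:
            decode_frame(bytes(m))
        except Exception:
            crashes += 1
    return crashes


if __name__ == "__main__":
    # Constructed sample: a link frame to outstation 1 from master 1024 carrying a
    # short application-layer payload (bytes are illustrative, not a real capture).
    sample = LinkFrame(0xC4, 1, 1024, b"\xC0\xC1\x01\x3C\x02\x06\x3C\x03\x06\x3C\x04\x06")
    raw = encode_frame(sample)
    print(raw.hex(), decode_frame(raw)[1], "crashes:", fuzz(raw))
```

The decoder's robustness comes from one rule: treat the length byte and every CRC as attacker-controlled and verify them against the actual buffer before indexing. That is a property of the implementation, not of DNP3 itself, which is the distinction the comment above draws.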

  • Write protect the appliances. If it is impossible to remotely modify the code, then installing malware should be very difficult. The next trick would be making it impossible to pass executable code to the system's RAM.

    Even if you couldn't accomplish the second part... the first part is easy and it would mean recovering from any breach with a reboot.

    There are ways to secure these systems. But ultimately they're going to have to have limited access from remote users. Security updates and modifications to the soft

  • "The NY Times has an interesting story about a pair of researchers who 'discovered that they could freeze, or crash, the software that monitors a [power] substation, thereby blinding control center operators from the power grid.' .. It's scary that our electrical grid is so vulnerable and there doesn't seem to be much urgency to get it fixed"

    Then don't connect your electrical grid directly to the Internet !!
  • Whoever is giving access to vital national resources on the Internet should be arrested and shot.

  • The researchers have shown that the system can be compromised from within the network. This should come as no surprise. In many regards DNP3 is far better than any alternative, many of which do not even offer basic authentication, let alone encryption. The critical part is the researchers were effectively sitting at the keyboard of their targeted machine. They shouldn't be able to get remotely that far. They should be separated by isolated networks, firewalls, etc.
