
Lack of US Cybersecurity Across the Electric Grid

Posted by Soulskill
from the asking-for-trouble dept.
Lasrick writes: "Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center's Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector. Cyber attacks could come from a variety of sources, and 'a large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.' ECGI is recommending the creation of a new, industry-supported model that would create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. The vulnerability of the grid has been much discussed this last week; McGuinness's recommendations are a good place to start."
  • by Anonymous Coward

    Why not a separate WAN for the power based stuff, similar to NIPRNet and SIPRNet? That way, if there is a bridge across the Internet, it is point to point encrypted, but most traffic would be on separate leased lines. With this in place, combined with measures to limit connectivity, it would make it far harder than just having an Internet connected box to be able to do power grid shenanigans, unless one has physical access to the substations/stations.

    • by Desler (1608317)

      Because that would require huge amounts of capital expenditure that eats into profits.

    • Why not a separate WAN for the power based stuff, similar to NIPRNet and SIPRNet? That way, if there is a bridge across the Internet, it is point to point encrypted, but most traffic would be on separate leased lines. With this in place, combined with measures to limit connectivity, it would make it far harder than just having an Internet connected box to be able to do power grid shenanigans, unless one has physical access to the substations/stations.

      Because you have to treat the network as if it is already compromised -- as it is guaranteed to be by a combination of ineptness, laziness, malfeasance, temporal complexity creep, etc. Plus, airgapping is not a panacea, as Stuxnet showed us.

      Add to that how dumb some of the components of the energy grid are, and you have a situation where you really do have to prepare yourself for the worst. I think the overall chaos and complexity is likely the only thing that has protected it to date.

      • by bobbied (2522392) on Tuesday April 15, 2014 @06:04PM (#46761597)

        Add to that how dumb some of the components of the energy grid are, and you have a situation where you really do have to prepare yourself for the worst. I think the overall chaos and complexity is likely the only thing that has protected it to date.

        Now you are just pandering fear. You rightly observe that it would be an extremely complex problem to try and disrupt the power infrastructure in this country using what is connected to the internet. There are a multitude of systems, control types and locations, all of which are constantly changing over time. This makes trying to figure out how you could use these contact points to actually do something significant to the power grid using the internet a problem complex enough to be worthy of a supercomputer, and a long time to research and catalog what was accessible would be required to feed such a computer.

        But there is one thing you forget (or just don't know). MOST of the critical infrastructure, the really important stuff, is NOT unprotected. It is very much behind firewalls with encrypted VPN links. You might find access to some backup generator on the web, but a major power plant will be secured pretty well. They are not going to let some yahoo hacker mess with millions of dollars of equipment, but they might let the building manager monitor his emergency backup generator from home or something. The really critical stuff is protected. What's not, is the far flung stuff, the really remote substation, and how much damage are you going to do from there? Not much, certainly nothing of national significance or more than say an Ice Storm.

        Cyber attacks are not that big of a risk... How do I know? Has it happened yet? Even on a small scale? Why? Because nobody thought of or tried it? No, because it's way too hard of a problem for just anybody to mount an effective attack, and if they HAVE done it, there was so little disruption in things as to be insignificant compared to other events which happen more often.

        • > MOST of the critical infrastructure, the really important stuff, is NOT unprotected.

          Yes, it has 95% coverage. Unfortunately, it's like a dike against a flood. One weak spot and the intruders are in. The intruders don't even have to be clever, just persistent.

  • cloud-synergy-profit!
  • Low hanging fruit (Score:5, Interesting)

    by AK Marc (707885) on Tuesday April 15, 2014 @05:13PM (#46761051)
    I could take out a substation with parts found in any store and wouldn't trigger any alerts buying them. Heck, damage things with a bow and arrow and thick metal wire. There are cheaper/easier ways to take down power. Back a pickup truck into a tower. The "cyber" complaint is FUD. It may be true, but is still FUD because it's easier to attack the infrastructure in other ways.
    • I could take out a substation with parts found in any store and wouldn't trigger any alerts buying them. Heck, damage things with a bow and arrow and thick metal wire. There are cheaper/easier ways to take down power. Back a pickup truck into a tower. The "cyber" complaint is FUD. It may be true, but is still FUD because it's easier to attack the infrastructure in other ways.

      If you're in Jilin province China, backing a pickup truck into a tower is going to be a wee bit tricky. Clicking a button to take out power for the Midwest? Pretty easy at the moment.

    • by bobbied (2522392)

      How right you are.. Just stand back from the wire when you launch that arrow...

      The Cyber FUD is like the Y2K FUD of 15 years ago and the EMP FUD and the Solar Flare FUD... All designed to make you fear something most of us don't understand.

      • by AK Marc (707885)
        Tie one end of the cable to the base of the tower, have enough line that when you fire it, it'll pull away from you, and not stay coiled at your feet. The arc from the power line to the base will likely vaporise the line, so you wouldn't want to be too close, and it will damage the line, the tower, and the equipment on both ends of the line.

        The Cyber FUD is like the Y2K FUD of 15 years ago and the EMP FUD and the Solar Flare FUD... All designed to make you fear something most of us don't understand.

        Y2K wasn't FUD. 95% of it was needed work to prevent more expensive failures after. Yes, a broken date on a system clock isn't that bad, unless your accounting softwa

      • by sjames (1099)

        Y2K wasn't entirely FUD. Yes, the world is ending crowd were spreading FUD, but the fact is, there was a big effort in the months leading up to Y2K to fix the many very real problems. Most of the fixes were successful, but it required paying enough to get people who moved up from coding in COBOL to management years ago to go back to coding for a while.

        • by bobbied (2522392)

          Y2K was certainly FUD in popular culture of the day. I knew many people who had prepared for the power grid to go down for months, buying food, bottled water and storing large quantities of fuel. They knew I was an electrical engineer/programmer and kept asking me "How bad is it going to be?" My response was exactly what I'd say about a cyber attack today. Some limited outages are possible, but highly unlikely, don't worry about it.

          Like all FUD, they took the first phrase and chopped out "limited" and

          • by sjames (1099)

            Yes, that's why I said not entirely FUD.

            A cyber attack has more potential to bring the grid down for an extended time than Y2K did. Y2K would have been random-like failures and would have covered limited areas. A deliberate attack OTOH would be targeted at the grid's weak spots and would be more likely to result in physical damage to critical equipment. It's not the end of the world scenario some would have us believe, but it's a potentially serious problem.

            • by bobbied (2522392)

              Yes, that's why I said not entirely FUD.

              A cyber attack has more potential to bring the grid down for an extended time than Y2K did. Y2K would have been random-like failures and would have covered limited areas. A deliberate attack OTOH would be targeted at the grid's weak spots and would be more likely to result in physical damage to critical equipment. It's not the end of the world scenario some would have us believe, but it's a potentially serious problem.

              IMHO, the risk of a Y2K issue on January 2nd, 2000 was higher than a successful cyber attack is today.. (Yes, that's a full 24 hours after the 2 digit year rolled over..)

              Your mileage may vary.

              • by sjames (1099)

                I saw a few Y2K issues on Jan 2nd.

                • by bobbied (2522392)

                  My lights stayed on pretty much the whole year before and the year after... But I suppose...

                  • by sjames (1099)

                    Did I say the issue was the lights?

                    • by bobbied (2522392)

                      I don't know about you, but I've been talking exclusively about the power grid.. Which was what the original article was about.

                      If you want to expand from there, I've seen Y2K problems as recently as a month ago. Not that it mattered that my sprinkler controller isn't Y2K aware. First of March, just pick a year that starts on the right day of the week and it will work, at least until the end of February. All you have to do is ignore the year in the meantime.

                      I never said Y2K wasn't a problem, only that all the

      • Solar flares aren't exactly FUD.
        A big CME that hits earth will take out the electrical grid on the side of the planet it hits.
        Problem is, it would be unaffordable to prepare for the energy that would dump into the net. The currents would be massive and unlike lightning strikes a higher placed cable isn't going to fix it. You'd need to do something like equipping all masts with a lightning arrester AND make it possible to physically short the in- and outputs for all transformers. Then the amount of igniting/

        • by bobbied (2522392)

          I failed to make my real point... Sorry...

          What I'm trying to say is that any Cyber attack I can imagine is less likely and less damaging than many of the other possible issues. A CME *could* cause an extremely serious and lasting problem. But we are talking about a once in a century (or more) event, which because of its infrequency and the "recent" technological advance we call electricity, nobody really *knows* how such an event would play out.

          Personally, I'm not so sure a CME would put the grid out

          • A blown transformer can be replaced. No problem. 2000 blown transformers including the one that powers the transformer factory is a whole other matter. It would probably take years to get the system back up.

            Lightning protection doesn't work as well as it seems. Lightning protection is based on short high voltage high current spikes that blow the transformer in a fraction of a second.
            The low voltage "fry a transformer in an hour" DC currents a CME would inject in the system are a different matter entirely. S

    • A little looking on Google sat imagery lets you see where the big pylons go. Can't be that hard to identify the lines into a major city and have your oxy-cutter team down a few pylons on each one.

      • by AK Marc (707885)
        I'd hire a cement mixer and weld on some push bars, and drive into them. Faster, and more fun.
        • Depends how many minions your terrorist cell has. Speed would be essential - you need to get down as many pylons as possible before the power company realises what just happened and sends in the local police, FBI and DHS after you. So it should be a coordinated strike in multiple places at once.

    • by Anonymous Coward

      Used to do "threat assessments" for commercial nuclear plants as part of modification packages while a staff EE; easy as falling off a log to break the distribution and transmission systems with 'rocks and sticks' technology, harder-n-hell to break a power plant from the outside in a way that the shutdown systems can not prevent major unrecoverable damage ... OK, true only if the "operators" keep their damn hands in their pockets.
      This newly discovered vulnerability IS well understood by almost every EE I have

    • by Xipher (868293)

      Physical attacks may be easy, but attacking over network infrastructure can be coordinated without even being in the country and could take out every target simultaneously.

  • by symbolset (646467) * on Tuesday April 15, 2014 @05:24PM (#46761147) Journal
    OK, that's enough nightmare fuel for one day.
  • by eyepeepackets (33477) on Tuesday April 15, 2014 @05:24PM (#46761151)

    But, but...what about the poor baby profits?

    Seriously, you won't see these corporations do anything like this until they are forced to do so with heavy regulations, potential heavy fines and the real possibility of criminal prosecution upon proof of criminal negligence by a prosecuting attorney.

    MBA school teaches them this: costs equal profits taken out of your pocket, so anything you can do to put the costs anywhere else is the profit in your pocket. This is how they think and how they operate. This is why you don't want business running and maintaining your infrastructure.

  • by PPH (736903) on Tuesday April 15, 2014 @05:35PM (#46761275)

    Companies want to concentrate on their core competencies. To an electric utility, IT isn't a core competency.

    My power company can't be bothered to trim trees and replace rotten poles. That's all contracted out. Their core competency is collecting bills. Heck, they don't even read their own meters. That's contracted out.

    So good luck with the whole 'secure the system' idea. Outages are all classified as 'Acts of God'. Maybe. I guess God has it in for corporate morons.

    • Re:Core competency (Score:5, Interesting)

      by delcielo (217760) on Tuesday April 15, 2014 @05:53PM (#46761465) Journal
      Electric utility companies do have some interesting dynamics. Staff tend to have long tenures, so many of the plant operations folks remember days before they had to deal with IT folks to do their business. But, everybody (and I mean everybody) at this point understands the necessity and value of a strong IT staff. They may resent it, but they get it.

      And, you can bet that the IT departments at electric utilities are as professional as any. Your assumption that they don't want to be good at it is utterly and shamefully false. Even if it were true, they have no choice. There's a lot going on at utility companies that these types of scare-mongering authors never talk about. She very briefly mentions the NERC-CIP regulations (glossed them over, really) without also mentioning the IT components of reliability audits, internal audits, internal exercises, external pen tests, coordinated exercises with regional entities, law enforcement, FERC, etc. Industry peer groups play a big role as well. Protecting the power grid is vitally important to us. Why on earth would it not be? We run a metered business. We can't bill if we aren't creating, transmitting and distributing power.

      Is it vulnerable? Of course, as is the highway system, water, food distribution, agriculture, shipping, etc.

      Now, I totally agree that NERC-CIP should be more assistive and less about pure compliance with standards; but "continuous improvement" is a concept that is constantly harped on by both staff and regulators. It's already there.
  • by bobbied (2522392) on Tuesday April 15, 2014 @05:42PM (#46761353)

    So here we go again... Some uncontrollable thing is going to disrupt our electric grid and technological infrastructure!

    Just over a decade ago it was Y2K. Folks were stockpiling food, water and fuel for generators in fear that the electric grid was obviously going down at 12:00AM January 1, 2000 when all their 2 digit year clocks rolled over.

    Since then, I've heard stories about people who fear an EMP that will take out the grid and are out stocking up on food, water, fuel getting ready to live without power for years..

    Last week, here on Slashdot, we had a story on a huge solar storm powerful enough to bring down the grid... Folks were encouraged to stock up, buy food, water, fuel and prepare for weeks without power..

    So, here we are today discussing a cyber attack on the power grid that could bring the grid down.... Need I type the rest?

    Really? Look, it would *really* suck if the power grid in North America went down. Yes people would die and it would be a huge mess to fix with disruptions in food supplies and fuel. Of all the ways the grid could be disabled, cyber attack is the least likely and the one easiest to fix. It's unlikely to take the whole grid down unless the saboteurs were extremely crafty and organized. They would have to first find enough infrastructure to access, manage to break in, understand how all the stuff they could control was interconnected and what failures they could induce and THEN coordinate all the individual attacks well enough to actually do something more than just local damage before they cut power to enough infrastructure they needed to continue the attack. How all the infrastructure is connected and interrelates are not easy problems to solve.

    We have bigger fish to fry than fearing some mythical cyber attack on infrastructure like the power grid. I won't say it will NEVER happen, but you are talking about something that is bordering on impossible. This is like Y2K. A bunch of Chicken Littles that don't have a clue about how things *really* work or how resilient things really are overall, stoking up panic over small things. So, go stock up on food, water and fuel, just don't do it because you fear some cyber attack on the power grid.

    • The EMP people tend to be a bit silly. They have no idea how an EMP would actually work or what it would do, and often end up doing silly things like making sure their torches are packed in metal boxes so the pulse won't somehow damage the electronics.

    • by Anonymous Coward

      I'm going to don my tinfoil hat here. However, people forget regions like Katrina hit areas and places where power goes down and stays down.

      Until the national guard came in after Katrina, there were marauders taking everything a person had, and if they couldn't smash, shoot, or bully their way into a house, they torched the place.

      Now, picture this on a regional basis. Most grids are interconnected except for ERCOT (and who wants to touch Texas power.) Something that brings a grid down and keeps it down f

      • by PPH (736903)

        Something that brings a grid down and keeps it down for more than a few hours will end up turning into riots and looting.

        Try days or a week out where I live*. Nobody riots. Everyone has a camp stove and supplies. Many of us have gensets and don't even notice the flicker when the power goes down.

        The local power company no longer has the staff to maintain their own system. Its all done by contractors or surrounding utilities sending in help. And I don't live in some backwater hick town. I can spit on Bill Gates' house** from my place.

        *No cyber attack required. Rotten poles fall over. In fact, we could never tell the differenc


    • if (xx00 > yy99)
      payOut100YearsOfSavings();

      no payment

      if ( 2000 > 1999)
      payOut100YearsOfPayment();

      Wow, even after expanding the second example, it is still buggy.
      What do you think, how many Y2K bugs have I fixed?
      What day was the 27th of December xx01? Monday, Sunday? Certainly 1901 was a different day than 2001. So ... does your elevator - which is shut down on Sundays - work on the 27th of December 2001, which is mistaken for 1901?
      Claiming Y2K was FUD is biggest idiotic t
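The two-digit-year comparison and the weekday mix-up raised in the post above, worked through in Python. This is an added example, not code from the original thread: `PIVOT`, the window it defines and the "elevator controller" are assumptions chosen to illustrate the point, not anything a commenter described.

```python
from datetime import date
import calendar

def two_digit_later(yy_a: int, yy_b: int) -> bool:
    """The 'xx00 > yy99' comparison on raw two-digit years.
    00 compares below 99, so the year after 99 looks like the distant past."""
    return yy_a > yy_b

# Assumed sliding window (not from the thread): 70..99 -> 19xx, 00..69 -> 20xx.
PIVOT = 70

def expand_year(yy: int, pivot: int = PIVOT) -> int:
    """Window expansion, the usual fix when a stored two-digit field cannot be widened."""
    if not 0 <= yy <= 99:
        raise ValueError(f"not a two-digit year: {yy}")
    return 1900 + yy if yy >= pivot else 2000 + yy

def naive_expand_year(yy: int) -> int:
    """What an unfixed system does: every two-digit year is taken as 19xx."""
    return 1900 + yy

def weekday_name(year: int, month: int, day: int) -> str:
    # calendar.day_name avoids platform-specific strftime behaviour for old years.
    return calendar.day_name[date(year, month, day).weekday()]

def elevator_locked(yy: int, month: int, day: int, expand=naive_expand_year) -> bool:
    """Hypothetical controller that refuses to run on Sundays and derives the
    weekday from a two-digit year through `expand` (assumption for illustration)."""
    return weekday_name(expand(yy), month, day) == "Sunday"

if __name__ == "__main__":
    print("00 > 99 on two-digit years:", two_digit_later(0, 99))
    print("2000 > 1999 after expansion:", expand_year(0) > expand_year(99))
    print("27 Dec 1901 was a", weekday_name(1901, 12, 27))
    print("27 Dec 2001 was a", weekday_name(2001, 12, 27))
    print("locked on 29 Dec '01, naive:", elevator_locked(1, 12, 29))
    print("locked on 29 Dec '01, windowed:", elevator_locked(1, 12, 29, expand_year))
```

The two dates differ by exactly one weekday because 1901 and 2001 both start on different days (Tuesday and Monday), so the naive controller shuts down on Saturday 29 December 2001 and runs on the actual Sunday. A fixed pivot only buys time: a window of 70..99 breaks again for any year from 2070 onward, which is the same class of problem pushed out rather than removed.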

      • by bobbied (2522392)

        .... I was claiming that the FUD about the Y2K bug taking down the electric grid or doing away with society as we know it was FUD...

        Example code aside, how many *real live* issues have you seen from Y2K bugs that didn't get fixed? None worth mentioning? None that caused the loss of life or property. Yea, me too. I got nothing either. Seems the *problem* got fixed for the most part.

        • What nonsense is that?
          The problem got fixed and that is the reason it is FUD?
          If the problem had not been fixed ... what then?

          There are hundreds of scenarios where life indeed was in danger ... but luckily the 'bugs' got fixed in time.

          • by bobbied (2522392)

            Really?

            I'm comparing the historical FUD that came BEFORE January 1 2000, with what I'm calling FUD about cyber attacks today. Come on it's not that hard..

            • It is hard, as before 2000 it was no FUD.
              About current day cyber attacks I have no opinion.
              Except: would take me 5 minutes to cause a USA wide power outage. Well, worst case 50 ... in fact everyone with Google skills likely needs less than 24h to figure how to take it down. I would call that a serious threat and not FUD.

              • by bobbied (2522392)

                It is hard, as before 2000 it was no FUD. About current day cyber attacks I have no opinion. Except: would take me 5 minutes to cause a USA wide power outage. Well, worst case 50 ... in fact everyone with Google skills likely needs less than 24h to figure how to take it down. I would call that a serious threat and not FUD.

                If 50 min is all it takes, then why has it not happened? Surely there is some nut job out there crazy enough to do it and smart enough to pull it off. Surely... It's not like all the folks in the middle east are somehow stupid, and a lot of them have serious issues with the USA and would love nothing more than to put us all in the dark, if even for a short time. Widespread outages, caused by somebody hacking, simply have not happened. Why? If it is so easy, surely somebody would have tried it by now be

                • There are likely not many people that have any interest in taking out the power grid.
                  Just like many people have no interest in randomly killing neighbours.
                  Just because it can be done it does not mean there are people out there mad enough to do it.
                  The next thing is: you need access to a computer (an important, not a random one) on the network of the power company, that means physical access. Obviously a computer involved in controlling a power plant is very unlikely to be reached via the internet.

                  • by bobbied (2522392)

                    We have been discussing a cyber attack on the power grid Just so it's clear..

                    There are likely not many people that have any interest in taking out the power grid.

                    We part ways on that statement. There are *countries* where you would be hailed as a hero if you did this. Countries where they would gladly pay great sums to anybody who could actually *do* this at their bidding. So I hope you see how wrong you seem to me on your above statement.

                    Full stop now... Don't think we are getting anywhere now..

    • by Darinbob (1142669)

      Y2K was indeed going to be a problem. But there weren't too many serious problems precisely because people did something about it. There was enough warning that there was some time to solve things. In 1996 even we had some Y2K problems. The myth was that things would suddenly die at midnight on 1/1/2000 which was not what Y2K was all about.

      • by bobbied (2522392)

        Y2K was indeed going to be a problem. But there weren't too many serious problems precisely because people did something about it. There was enough warning that there was some time to solve things. In 1996 even we had some Y2K problems. The myth was that things would suddenly die at midnight on 1/1/2000 which was not what Y2K was all about.

        But that's what the "preppers" of the day latched on to as justification of their stocking up binge. It was FUD, propagated by people who overestimated the risks and the effects of problems and underestimated our ability to mitigate the issues that *might* have come up at 12:01 AM January 1, 2000.

        Fear and uncertainty of a possible Cyber attack is being used the same way and in my mind with even less justification. Is it an issue for the grid operators to look at? Sure, but it's not a huge risk, and I'll

  • by BoRegardless (721219) on Tuesday April 15, 2014 @05:50PM (#46761417)

    After 10 years of HEAVY security articles & discussion, remind me again why ANY critical infrastructure SCADA system should be allowed to be online?

    Come on now. Why? Are we talking total incompetence at the top of these orgs and their watchdogs?

    • by mlts (1038732)

      I wonder what ever happened to the concept of the data diode. That way, stuff can be monitored... but it would take someone physically there for action [1]. I've done this on a low bandwidth basis by using two machines on physically separate networks, a serial cable that has one line cut (so it could only send signal one direction), syslog on one side, and a redirect from the serial port to a file on the other side.

      [1]: Of course, this isn't 100%, someone can pretend to be a manager or upper muckety muck
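The receive side of the one-way serial link described above, as an added example that is not code from the thread. The cut-line serial cable stops anything flowing back toward the plant network, but it does nothing to make the bytes arriving at the collector trustworthy, so the collector below treats each line as hostile: oversize, non-ASCII, control-character and bad-priority lines are dropped and counted. The RFC 3164 layout, the size limits and the sample lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed on-wire format: <PRI>Mmm dd HH:MM:SS host message  (RFC 3164 style)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[A-Za-z0-9._-]{1,64}) "
    r"(?P<msg>.{1,1024})$"
)
MAX_LINE = 2048          # assumed hard cap on a single line from the serial port
MAX_PRI = 191            # facility 23, severity 7 is the largest valid PRI

@dataclass
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str

def parse_syslog_line(raw: bytes) -> Optional[SyslogRecord]:
    """Return a record for a well-formed line, None for anything else.
    No return path exists, so a bad line cannot be NAKed; it is simply dropped."""
    if len(raw) > MAX_LINE:
        return None
    try:
        line = raw.decode("ascii")
    except UnicodeDecodeError:
        return None                      # line noise or non-ASCII payload
    line = line.rstrip("\r\n")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
        return None                      # terminal escapes etc. never reach a log viewer
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > MAX_PRI:
        return None
    return SyslogRecord(pri // 8, pri % 8, m.group("ts"), m.group("host"), m.group("msg"))

def ingest(lines: Iterable[bytes]) -> Tuple[List[SyslogRecord], int]:
    """Feed lines read from the one-way port; return accepted records and a drop count.
    The drop count is the only signal the collector has that the sender misbehaves."""
    accepted: List[SyslogRecord] = []
    dropped = 0
    for raw in lines:
        rec = parse_syslog_line(raw)
        if rec is None:
            dropped += 1
        else:
            accepted.append(rec)
    return accepted, dropped

# Constructed sample input standing in for bytes read from the serial port.
SAMPLE_LINES = [
    b"<34>Apr 15 18:04:00 rtu-substation-7 breaker: trip on feeder 3\n",   # ok
    b"<13>Apr 15 18:04:01 hmi-01 scada: poll cycle complete\n",            # ok
    b"\xff\xfe garbage from line noise\n",                                  # non-ASCII
    b"<999>Apr 15 18:04:02 hmi-01 scada: bad priority\n",                   # PRI out of range
    b"<13>Apr 15 18:04:03 hmi-01 scada: \x1b[2Jcleared\n",                  # control chars
]

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_LINES)
    for r in ok:
        print(f"fac={r.facility} sev={r.severity} {r.host}: {r.message}")
    print(f"dropped {bad} line(s)")
```

Because the link carries no acknowledgements, a stalled or silenced sender is indistinguishable from a quiet one; in practice the sending side emits a periodic heartbeat line and the collector alarms when it stops, which is the piece this example leaves out.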

      • by PPH (736903)

        I wonder what ever happened to the concept of the data diode.

        Many SCADA systems are inherently bi-directional. Some controller monitors system parameters. It then returns feedback to control the processes. Or it forwards them upstream for human attention and intervention.

        You could try to 'air gap' such a system from the Internet. But the guy carrying a laptop around to update PLC firmware is going to use it to check his company e-mail. And eventually, the CEO is going to send out one of his/her missives company-wide over the cocktail lounge WiFi at the golf course.

    • by jbrandv (96371)

      Easy answer, money and greed. The corporate overlords want more money, not more security they have to pay for.

  • There is zero need for a grid any more. Wind power has been under a dollar a watt for years, and PV panels for about two years now, and I'm talking about consumer prices. The only thing keeping people from installing their own sources of electricity is laziness.
  • "ECGI is recommending the creation of a new, industry-supported model that would create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats"

    How about not connecting your Electric Grid directly to the Internet ..
  • by jofny (540291) on Tuesday April 15, 2014 @06:50PM (#46761997) Homepage
    That article and the sources it references fatally misunderstand both the nature of cybersecurity as a large scale problem space and the paths to improve the situation.

    First, cybersecurity is inherently a business management problem - how the business itself operates is what introduces vulnerable systems (whether through purchasing decisions, operating maturity, development, HR, market timing, financial trade-offs, user awareness and responsibility management etc.). Even if the rate at which those vulnerabilities are introduced by the business remains constant, increasingly connected and complex systems assure that the vulnerable space will increase unless the overall business - not just the dedicated cybersecurity functions & capabilities - is improved. It will become, if it hasn't already, functionally impossible to resource cybersecurity in a way that keeps risk down to limits we find acceptable. In other words, train up all the security people you want and create all the security specific standards you can - unless you standardize and base business environments into predictable patterns, those security efforts will continue to fail.

    Second, because of the deeply embedded business nature of the problem (only the symptoms of which are really technical), any external organization that comes in to try and help "fix it" will face substantial challenges - telling an independent organization that it must change the way it makes money fundamentally in order to meet theoretical and apparently-to-non-security-folks abstract risks doesn't go far quickly and involving government in any way assures that the conversation will stay as log jammed as it has been. There has to be a DEEP culture change that involves planning for long term business maturity, and that is almost antithetical to the culture in the U.S.

    Third, there ARE organizations and programs that are and have been attempting this. This stuff isn't "new", just the reporting on it is - journalists rarely investigate this stuff beyond what it takes to write a succulent story. (I work for one of those organizations.)

    Fourth, for all of the talk about all the "attacks against the grid" as opposed to other attacks, there is almost no information provided of useful analytical value. How much are other sectors looking? What kind of attacks are these? Real? Automated? A function of being on the internet at large? Etc. etc.

    Finally, for all you "air gap" people - get with reality. There are no air gaps. Anywhere. Data moves across systems - whether they are connected by technology or not. If you're someone who is seriously attempting to interfere with critical infrastructure operations, you know this, know how to exploit it, and have the time/resources to do so.
  • And birds. Those are the true power-line terrorists around these parts. They create massive power grid outages regularly. They also like to start brush fires with their suicidal attacks.
