How Vulnerable Is Our Power Grid?

coreboarder writes "Recently it was divulged that the Brazilian power infrastructure was compromised by hackers. Then it was announced that it was apparently faulty equipment. A downplay to the global public or an honest clarification? Either way, it raises the question: how vulnerable are we, really? With winter and all its icy glory hurtling towards those of us in the northern hemisphere, how open are we to everything from terrorist threats to simple 'pay me or else' schemes?"

A bigger threat

[brian0918]

A bigger threat than terrorists is arbitrary government restriction on competition in the electric grid [theobjectivestandard.com], which is what led to the rolling blackouts in California.

In any case, this winter could be bad - probably a good time to get a generator.

Re:Old Axiom

[ShieldW0lf]

I have always believed that if you rely on systems that cannot be entirely your own, but require the co-operation of your fellows, the only way to mitigate the vulnerability of your dependence is to work on that system with your own two hands, and to have as clear a picture of how it operates as your personal faculties permit without any barriers between yourself and the system in question.

If you are trading paper notes for electricity that "just works" and not involved in the operation of the utility, you are UTTERLY vulnerable. You have no idea what's going on, you have no idea if someone is neglecting or sabotaging the system, you are too ignorant of what's going on to recognize when someone is neglecting or sabotaging the system, you have no idea how to fix it if it stops working, and you have no idea how to recreate the system if it is necessary.

How much more vulnerable can you get than that?

View from a US citizen living in Brazil.

[Mark_in_Brazil]

I've been living in São Paulo for over 9 years. I was without electrical power for a few hours last night.

The timeline on this is pretty entertaining. On the 7th, there were a bunch of stories saying the 2007 blackouts in Brazil were caused by crackers (the articles say "hackers"). On the 9th, there were strong denials all around, accompanied by stories saying that no, the 2007 blackouts were caused by "sooty insulators." On the 10th, Brazil suffered a blackout much worse than the ones in 2007. That looks to me like crackers saying "sooty insulators? We'll show you sooty insulators!"

By the way, power failures are normally abrupt, but the one last night was not. I usually go from lights to no lights almost instantaneously, but last night, the lights were flickering for a while. After a few minutes, I thought it was going to stabilize, because my compact fluorescents stayed on while my UPS beeped a lot to tell me it wasn't getting enough juice. The larger fluorescents in the kitchen couldn't start, but the compact fluorescents gave me some light in the living room.

Re:One word: Enron

[Shakrai]

I'm having more and more difficulty determining which is worse, this new American flavor of capitalism - where monopolies are legislatively created and protected - or terrorists.

I'm gonna go with option A. I can shoot terrorists. If I shoot the CEO of my local cable monopoly I'm probably going to go to jail......

Threats to Grid overstated.

[tjstork]

I would say that threats to the power grid tend to be overstated.

a) Power grids in the USA are regional affairs, so, the worst that can happen is one section of the country might get whacked.
b) Power companies frequently operate their own private physical networks for control... at least, that's the way it was in the early 2000's when I was into it. Our company had built their own private fiber optic loop.
c) Extremely critical stuff is done with a phone call by people that know each other. Like, "turn the generator off", is something done not so automatically.
d) There are loads of incompatible stuff out there in the field for remote control and SCADA. So, if you could go out there, and tell every customer to turn off all their equipment, remotely, you'd be so rich from just building a product that could do that, you would not want to go to jail, when you could be a billionaire. Just reading a power meter has dozens of protocols, formats, etc, and many of them are actually just wired up with a dumb phone line.

It's not impossible, I'm sure.. but, its not like hacking into a machine knowing that its running either Linux / Apache or Windows / IIS and going from there. All these pieces of embedded equipment have their own stuff, and the knowledge tends to be very specialized.

Re:Plural: It's Grids, not Grid.

[OzPeter]

The lower 48 CONUS actually has 3 power grids, not just a singular grid

Maybe not for long .. check out the Tres Amigos project [fastcompany.com]

Re:One word: Enron

[houstonbofh]

I'm gonna go with option A. I can shoot terrorists. If I shoot the CEO of my local cable monopoly I'm probably going to go to jail......

How? When handguns are even prohibited to military people on a military base, what chance do we have?

Re:How vulnerable is *your* power grid?

[dpilot]

Won't deny a thing you say about *our* grid and infrastructure, in fact I generally agree with you.

But what makes you think that *your* grid and infrastructure are in any better shape or state of maintenance?

Incidentally, a few years back I participated in a table-top exercise modeling a "potential cyber-incident". One of the people present was an IT guy who manages the job for *my* power grid. The guy knew his stuff, and the things he said made me feel really good about the command and control for *my* power grid. For one thing, there's no linkage between the internet and the command and control network. But he had some real horror stories regarding auditing some other power networks. In one place they recommended routing a network connection through a firewall machine. Later when viewing the results of their recommendations, they saw the ethernet cable go in one side of the firewall machine - and out the other. (physically, not electrically or logically)

Re:One word: Enron

[dkleinsc]

Hey now. Don't leave out FirstEnergy Corp, which managed to (through poor maintenance combined with efforts to hide rather than fix problems) take out electricity for Ohio, Ontario, Quebec, New York, Pennsylvania, and New England in 2003.

Re:Speaking for generation, NOT VULNERABLE

[rift321]

These auditors are exactly the individuals that benefit from pointing out inadequacies in security. I covered the "company laptop" and "USB" issue - if people have physical access to a system, then obviously, it's vulnerable. What does "100% isolated" mean? Controlled using rubber gloves behind a glass window of a clean room? These guys are simply pointing out that you can't make something 100% secure, which is a universal truth. All you can do is make it uneconomical or unrealistic, or at least very difficult. The auditor you heard had a whole lot to say about nothing.

And it's not necessary to begin your post with "uhhh... right."

Re:Speaking for generation, NOT VULNERABLE

[sampson7]

How long ago was this talk? Only in the past year or so have power plants been subject to mandatory Cyber Infrastructure Protection standards (CIP standards -- another acroynm to impress your friends with). Another set of standards is set to take effect January 1, 2010. The new standards require maintenance of a physical permimeter around all critical cyber assets, as well as controlled computer access. My experience (with a large company owning generation stations) is that cyber security has come a long way in even the past six months, and that your auditor talk may be slightly out of date.

Also, my own personal opinion is that several of the DHS "studies" of grid vulnerability are not entirely reliable, and in some cases were fairly overblown. It's one thing to "attack" a power plant in a controlled laboratory environment, and another to execute such a scheme in the real world.

That being said, there is always room for improvement, and it's something we take seriously. And all of the incentives are to improve security. First, the plant loses money every time it don't operate. And not just immediate revenues, but future revenues are often based on past on-line performance metrics. Second, a cyber attack could cause millions in physical hardware damage -- these are incredibly complicated machines, and one little disturbance could cause serious damage that could keep it off-line for weeks or months. Third, in some cases, power plants are subject to up to $1 million a day per incident in fines if we don't comply with cyber regulations.

Re:One word: Enron

[radtea]

Should the day come though I won't be cowering under a desk waiting to be murdered by some mental case or Mumbai copy-cat.

In the meantime, while waiting for one of those highly improbable fantasy scenarios to occur, you and your handgun will be a danger to everyone around you. The risk from improper/accidental/intentional use of an available handgun in mundane circumstances is far greater than the reduction in risk due to its value in an Hollywood fantasy scenario.

As the Fort Hood shootings demonstrate, being in a heavily armed environment does not necessarily make anyone safer (I'm assuming American military bases are heavily armed environments.)

I'm generally in favour of an armed citizenry, and I know that statistically there has been a correlation between armed citizens and reductions in certain types of crime, but there is also an increase in accidental deaths and the use of handguns in crimes of passion and opportunity.

Invoking highly improbable fantasy scenarios in the context of concealed carry laws, and at the same time not mentioning the much more significant increase in deaths due to mundane occurences, completely misses the point about why the right to keep and bear arms is important.

Re:One word: Enron

[Foolicious]

I'd like to add that many municipal regulations and even state laws violate their own state's bills of rights. It's easy enough to be distracted at a federal level by the great comma/militia debate, but the states' bills of rights are nearly always more explicit than the federal 2nd amendment.

For example IL Article 1, Sec. 22 states: Subject only to the police power, the right of the individual citizen to keep and bear arms shall not be infringed. WI Article 1, Sec. 25 states: The people have the right to keep and bear arms for security, defense, hunting, recreation or any other lawful purpose. Some states also also have specific amendments that state a right to trap, fish and hunt, like WI's Article 1, Sec. 26, which gets intertwined in the whole firearms issue.

I recognize that if one doesn't like guns, he probably doesn't care about paltry state constitutions. But if that's the case, then change these articles, so that one doesn't even have to worry about being intellectually dishonest, even if he is not so practically-speaking.

Re:I wasn't affected, fortunately, and followed it

[Jungle guy]

It was pretty scaring in Rio de Janeiro. Traffic lights were gonne, and today I learned that the police had some work to do in a couple neighbourhoods. Subway and trains stopped. I was at home, but suddenly all my food in the refrigerator could spoil, and I had no air conditioning in a freaking hot night. Landline phones were gone, too. The mobile phone from TIM network was not working, but I could make some calls from a phone from Claro (after some atempts). Surprinsingly, I could use use a HSDPA modem and a notebook to have access to the internet. Then I realized it was not happening only in Rio or other cities, but the lights had gone out in half of the country.

Re:Speaking for generation, NOT VULNERABLE

[nonsequitor]

You sound like someone who's never met a DoE red team. Is your utility looking at the new shiny smart grid technology? There's a blackhat talk about worm propagation through the smart grid wireless mesh.

A worm wouldn't be so bad except for the fact these smart meters are built with a remote disconnect feature. A an engineer for a major utility, maybe you can tell the class what would happen if a hacker turned off power to 100,000 homes at the same time, all that current has to go somewhere.

Stop living in a fantasy world.

[the_raptor]

You live in a delusion created by far right commentators. The TSA profiles (compare how often "suspicious looking" passengers get searched per trip vs white grandmas). The police profile (compare rates of "random searches" and imprisonment for minor offences by race and socio-economic status). Only focusing on "suspicious people" and leaving your honest wholesome law abiding white picket fence self alone only tells the bad people how to get past the gate keepers. There are Muslims of European descent. There are Muslims that can pass for Italian-Americans or Hispanic-Americans. Not to mention that exclusively harassing one group of people, a sub-set of who are criminals, only engenders favor and support for the criminals amongst them. Or the fact that militant Muslims weren't the first people to blow up planes, nor will they be the last.

Given the current tensions over Obama the next terrorist attack in America is likely to be another McVeigh. Possibly carried out by a white grandmother. Or it could be a college aged female animal liberationist who has decided that direct action is the answer.

Re:One word: Enron

[Shakrai]

It is not at all clear that prohibiting carrying of *concealed* guns is in any way a violation of the second amendment.

The right is the right to keep and bear arms. If the state wants to outlaw concealed carry then it should allow open carry.

It is fairly easy in both of the states you mention explicitly (Il & WI) to legally obtain firearms.

Bullshit. In IL you can't obtain any sort of firearm unless you have a firearm owners identification card issued by the state police. Somehow I don't think you'd agree that the spirit of the 1st amendment was being upheld if you needed permission from the state before you could buy a printer or use the connection.

Re:Pay me or else?

[Narcocide]

Actually compared to a heater conventional fireplaces are remarkably inefficient and these days in modern homes are rarely installed for anything but decorative use. The bulk of the useable heat they generate is infra-red, which is quite effective if you are in line-of-site and within about 10 feet or so, but while lit the fire is blowing most its hot air (along with the smoke) right out a huge hole in the roof (the chimney) and sucking cold air in through every other hole, actually dramatically lowering the overall temperature of the house while in use and making a basically uninsulated hole in the ceiling at all other times.

Re:One word: Enron

[houstonbofh]

All you and your gun nut buddies end up doing is drive up the sale of No Handguns Allowed signs. That and create 'friendly-fire' casualties when you overreact.

With all these "friendly fire casualties" you talk about, you would think one would make the paper. But all I see is Fort Hood, Virginia Tech, and so on... All gun free zones. I guess the didn't have enough signs.