At How Much Risk Is the US's Critical Infrastructure?

itwbennett writes: There is growing evidence that intrusions into the power grid and other critical infrastructure by hostile foreign nation states are real and happening. But there's "much less agreement over how much of a threat hackers are," writes Taylor Armerding. "On one side are those – some of them top government officials – who have warned that a cyber attack on the nation's critical infrastructure could be catastrophic,"writes Armerding. Others are crying FUD, including C. Thomas, a strategist at Tenable Network Security, who got some attention when he argued in an op-ed that the biggest threat to the U.S. power grid not a skilled hacker, but squirrels, are crying FUD. Who has it right? Agreement seems to coalesce around two points: 1) the cyber security of industrial control systems remains notoriously weak and 2) hostile hackers will improve their skills over time. So, while we haven't reached "catastrophe" yet, a properly motivated terrorist group could become a cyber threat.

From neglect or from hackers?

[NotDrWho]

Because the former is WAY greater a threat than the latter.

Re:

[tlambert]

QFT. Flint, MI says hi. Public works and infrastructure require a lot of maintenance, and they're not always getting what they need. Over time things end up neglected and you see the inevitable result.

Is this why the Proserpina dam, built by the Romans in the first century AD, is still in use today?

Or do people who work on public works intentionally do a crappy job so that they will have continued work in the future in the form of maintenance?

Re:

[Hognoxious]

I suspect I detect a whiff of sampling bias here.

Re:

[tnk1]

Yes, and no. Yes, there are many Roman bridges and engineering works that are long gone. There are also changing needs.

On the other hand, it shows that you *can* make things that last, which tends to make me wonder why, with modern technology, we haven't. It's not just luck, either. The Pons Fabrico, a bridge built in Rome in 62 BC is still in use, mostly unchanged in all of those two thousand years, and actively in use that entire time. We know how the Romans made things last, and although there are l

Re:

[EmperorArthur]

Fun fact, the Romans DIDN'T have problems with lead in their drinking water. This is because the water is so hard that lime scale quickly builds up in the pipes. Heck, they had people who's full time job was to chip scale out of aqueducts. It also means that they had to occasionally lay new pipes as old ones got clogged.

The lesson is twofold. First, some Roman engineering required regular maintenance. Second, the cause to Flint, MI's problem might be the solution to it as well.

Re:

[jbengt]

Fun fact, the Romans DIDN'T have problems with lead in their drinking water.

Fun fact, the Romans DID purposefully put lead in their drinking wine, to make it taste sweeter, and used it in cosmetics and other things.

This is because the water is so hard that lime scale quickly builds up in the pipes. . . the cause to Flint, MI's problem might be the solution to it as well.

Lead leeching into Flint MI's water is apparently because the water is corrosive enough to remove the lime scale and dissolve lead from t

Re:

[EmperorArthur]

The more you know. Apparently there's a sweet spot for water. Too soft and no scale coats the pipes, but too hard and it's acidic enough to dissolve the lead in the pipes. Guess the Romans got lucky. Not that they would have cared.

Re:

[Z00L00K]

Every item built needs to be maintained to work in the long run. A dam doesn't see the same amount of wear as a road, but there's some work needed now and then.

When it comes to infrastructure it's a continuous work since people have a tendency to move around.

Re:

[cayenne8]

When it comes to infrastructure it's a continuous work since people have a tendency to move around.

It also takes a bit of intelligence and forethought.

I mean, WHOSE bright idea was it, to put critical infrastructure controls on the internet for God's sake? Let's not get into the fact they often put things up very insecurely, but the bigger question is, why are such components ON the fucking internet to begin with?

Not everything needs to be connected, you know.

Re:

[ultranova]

Not everything needs to be connected, you know.

You could make equipment unconnected, but then it requires on-site support personnel to handle any problems, so you'll be "wasting taxpayer money".
Or you could make it remotely connected via a dedicated channel, but then you'd need to pay for that channel, and it's not necessarily secure.
Or you could just put the controls on the Internet, fire most of your staff, be hailed as a business genius and earn a huge bonus. And, if you're so inclined, make yourself

Re:

[ultranova]

Is this why the Proserpina dam, built by the Romans in the first century AD, is still in use today?

The dam is a huge pile of earth and stones with basically static load pushing on it. There's a lot of material to remove and relatively little erosion doing so. Of course it's going to last a while. By contrast, the aqueduct it was built to supply didn't [wikipedia.org].

Or do people who work on public works intentionally do a crappy job so that they will have continued work in the future in the form of maintenance?

Most publ

Re:

[tlambert]

Is this why the Proserpina dam, built by the Romans in the first century AD, is still in use today?

Yes, it's why it's still in use today. Because it's been maintained

Amortized over its entire working lifetime, what is its overall maintenance loading, per year, in terms of a percentage of cost of initial construction, compared to similar public works in the U.S.?

Thought so.

Yes, things have to be maintained.

No, shovel-monkeys do not all need continuous full-time employment, merely because they are not qualified to perform other tasks. That is what the idea of Universal Basic Income is designed to deal with.

Re:

[PopeRatzo]

QFT. Flint, MI says hi. Public works and infrastructure require a lot of maintenance

It wasn't lack of maintenance that caused the environmental disaster and poisoning of 100k people in Flint. It was an attempt to run government on "free market" principles. An emergency manager appointed by Gov Rick Snyder (R-Atlas Shrugged) decided to change the water source to a polluted river to save money, punish Democratic voters and kill poor people.

It was a Republican governor sending small pox infected blankets to

Re:

[jbengt]

I agree that poor people take the brunt of the government incompetence, but that's simply because the rich people have folks on the government payroll looking out for their interests when resources get tight.

FTFY

Actually, though I doubt the state government purposefully lead-poisoned the citizens of Flint (they would have known it would be a scandal), you are underestimating the capacity of those in power to hold the working poor in contempt and being OK with letting those freeloaders get hurt: After a

Re:

[blue9steel]

Personally I think canceling corporate subsidies would be a better choice, but sure the idea is sound.

I'd worry more about the squirrels

[dlleigh]

But they aren't very organized. Once they set up a twitter feed, or at least unionize, I'll start being concerned.

Re:I'd worry more about the squirrels

[110010001000]

What are you, nuts?

Re:

[aaarrrgggh]

Squirrels are good for business! One gift-horses us a $2MM project a few years back when things were tight... God save the squirrels... or at least make them very sexually active!

Re:

[JD-1027]

They are in the education phase of their grand schemes. [twitter.com]

The real risk

[rsilvergun]

Is a lack of funding after 30 years of minimal tax cuts for workers and massive tax cuts for the folks at the top. Look at Flint Michigan.

Re:

[Z00L00K]

Not to mention downsizing of workforce so that maybe only 2 persons understand the whole infrastructure network while the rest are hired by the hour for short term work. Documentation only reaches to a certain limit, it shows how things was done, rarely why.

We used to solve that problem

[rsilvergun]

With federal grants. Now a days we just sorta abandon folks to their fate...

Washington DC

[110010001000]

I live in Washington DC. The power goes out regularly because the power lines are overhead and not buried. Arguably DC is a "critical" city in the US. Yet we all survive. The country probably does better when DC is out of commission, like it will be next week with the big snow storm coming. You still need to pay your tribute on time, I mean taxes.

Re:

[Z00L00K]

That's one thing that amazes me - I'm from Europe and overhead lines are only used out in the boondocks. As soon as you are in a village then they are put below ground, same with telephony and internet where I live. But in almost every village and town in the US they are above ground cluttering the view and put at great risk for influence from the elements, accidents and possible sabotage.

Re:

[110010001000]

Right...most new development uses underground cables, but not everywhere here. They are eventually going to bury our cables here in DC, but it will likely take a few billion dollars and decades.

Re:

[blue9steel]

We built ours first, there are downsides to being an early adopter.

Re:

[Z00L00K]

No, it wasn't any difference, it was started roughly simultaneously on both sides of the Atlantic, in the 1880's, so that's actually not a reason.

The reason has more to do with the willingness to realize that the long term maintenance costs are a lot lower with buried lines.

Re:

[blue9steel]

The reason has more to do with the willingness to realize that the long term maintenance costs are a lot lower with buried lines.

The fact that they got to rebuild after having most of their infrastructure bombed to rubble was much more influential. Europeans don't have any better long term focus than the US, a common failing of representative governments.

Re:

[Z00L00K]

Not all of Europe, Sweden wasn't involved and powerlines are buried here as well.

Re:

[110010001000]

Yeah. I am pretty sure you are wrong on that. I live in DC, and the average home price in my neighborhood is $900k. We have overhead cables. You are just one of the suburban types who thinks new plastic houses are the "good" area of town.

Re:

[Zak3056]

Europe has plenty of old areas. Many of them were bombed back into the stone age 70 years ago, and had a chance to build new infrastructure when they were reconstructed. When someone does an ROI calculation, it's a lot easier to get things done when the choice is "Spend 20% more to install buried lines rather than overhead lines" vs "spend 120% more to replace existing, working, overhead lines with buried lines."

Not saying this is right, but it is reality. It's probably why the US infrastructure is in su

Re:

[__aaclcg7560]

I read an article from a few years ago that digging to place utility lines underground can be a bitch at times, especially if the fiber optic link for the CIA gets cut and armed men in black SUVs taking over the construction zone.

Re:

[110010001000]

The letter agencies in DC use microwave comms not fiber. Fiber can be easily tapped.

Re:

[__aaclcg7560]

Microwaves coms can be intercepted just as well.

Re:

[110010001000]

The microwave comms are encrypted. You can intercept them if you like, but they are point to point and this can be detected. It isnt very easy to detect a tapped cable. In fact that is why agencies choose to tap cables.

Re:

[AF_Cheddar_Head]

The microwave comms are encrypted. You can intercept them if you like, but they are point to point and this can be detected. It isnt very easy to detect a tapped cable. In fact that is why agencies choose to tap cables.

The fiber cable comms are encrypted too and how to you detect that microwave transmissions are intercepted?

If your cables are in PDS it is very, very easy to determine that someone has penetrated the PDS and is possibly tapping your cable, also tapping if not done perfectly can result in signal degradation.

Re:

[IT.luddite]

The primary issue between overhead and underground is the time and cost. The conversion cost from overhead to underground is tremendous and quite frankly, rate payers don't want to pay for it. When the conductor fails (or insulator for underground), the time for repair is also significantly higher. Regarding reliability, redundancy is how most utilities address it. Power feed redundancy can be addressed on distribution circuits can be fed from either end, midpoint ties and reclosers. However, you'll ne

Re:

[AF_Cheddar_Head]

Rate payers don't want to pay for it, but they sure do want to bitch about the overhead lines when the power goes out. It comes down to penny wise-->pound foolish.

Re:

[aaarrrgggh]

Well said. 66kV lines should be on steel poles, but neighborhood 5-25kV lines are easier to maintain in the air. Underground lines are nice when you have a low water table and a lot of wind/snow.

Honestly, people should just expect less from the electrical utility at this point-- get yourself a grid-tie battery that can isolate itself, and a little portable generator if reliability is important to you. Nobody wants to pay for a reliable utility.

OMG

[110010001000]

OMG Critical infrastructure should never be connected to the intertubes!!!!!

Re:

[Z00L00K]

Many electrical substations are connected via radio to a control center. But most control centers have internet access. And today there are a lot of possibilities to intrude on the radio links due to the large availability of cheap radios on the net.

Go buy a Baofeng radio (or what they are called this week), program it to an unauthorized frequency. Oops, that frequency was used by the power company for controlling your local substation. Once in a while when you transmit you may actually disrupt something at

Needs Prodding

[Hoorayforthings]

I work in the industrial control world, some anecdotal things to share...

I've seen access to PLC's running critical water structure completely available via a web browser from anywhere in the world...since fixed. There is movement to close all these holes but the industrial control world moves very slow. It's very conservative, thinking "if it ain't broke, don't fix it" with the definition of broke being physically destroyed. It's easy to be critical of them for this but industrial controls are typically

Re:

[silas_moeckel]

I've had vendors tell me water/sewage gear in a mid sized city did not support routing. OK sure I can see them sending arp requests for the gw they have set when I inject traffic at them, but who knows maybe they have some funky L2 broadcast component. I'm voting for the vendors looked at old gear and went the answer is no get new stuff for anything it was not currently doing.

I had those same vendors tell me their gear did not support running through a tagged vlan, as in no change but moving their uplink

Neither

[entropy01]

Neither hackers nor squirrels. Physical attacks have already happened in California. A relative few attacks coordinated to occur simultaneously on multiple power stations would do the trick.
I can't remember where I saw it, but in a story about EMPs the author noted that the components that are used to build the transmission stations are only manufactured by one or two companies overseas. The build time on these components is 3-5 years. They don't have spares sitting around.

What's this "US Infratstucture" Thing ?

[Qbertino]

What's this "US Infratstucture" Thing you keep talking about?
SCNR :-)

It's worst than we think

[U2xhc2hkb3QgU3Vja3M]

...the biggest threat to the U.S. power grid not a skilled hacker, but squirrels...

Wait until we get squirrel hackers. Then we're in trouble.

Answer: both

[Obfuscant]

"A cyber-attack could be catastrophic."

"The biggest risk is squirrels."

Do these people not understand that these two statements are not contradictory? Does anyone here understand that? The question "who is right" is trivial to answer. Both are.

A cyber attack could be catastrophic, albeit rare. And squirrel outages, due to the comparatively high rate of occurrence combined with the level of damage, are a bigger risk.

Hacker Squirrels!

[antdude]

Imagine that. :O

New law Critical Infrastructure must made in USA /

[Joe_Dragon]

New law Critical Infrastructure parts must made in USA / other non China places / or at very least have no overseas coders in the mix / full code review with the US GOV.

Better to do it now then later by force of martial law.

Industrial controls are having their "XP Moment"

[ErichTheRed]

I work with lots of serial-to-Ethernet stuff, various gateways, etc. in an industry with a lot of old technology. The truth is that the vendors of this stuff make it easy to set up, open access by default, and almost never updated. Patches for known things like ssh vulnerabilities or kernel bugs take months. What often happens is some lowest-bid contractor is hired by the utility company to implement control systems, leaves them wide open and the company has no idea how to secure them.

Remember Windows XP SP

Re:

[jasno]

> serial-to-Ethernet stuff

Haha, I worked at a company whose bread and butter were devices like that... then they got into payment processing as well.

Products were barely cobbled together by people with not enough time or understanding to make a secure system. I left, and they tried to get me back to do some consulting.. I asked em about what kinds of security testing they do... 'well we use openssl'... hahaha ok... sure.. jesus.

Don't even have to read the article to know the

[bravecanadian]

answer is:

VERY at risk.

Like all infrastructure, management and budgeting is done on a by crisis basis.

The rest of the time it is ignored to make the numbers look good and keep the bonuses flowing.

Re:

[myowntrueself]

answer is:

VERY at risk.

Like all infrastructure, management and budgeting is done on a by crisis basis.

The rest of the time it is ignored to make the numbers look good and keep the bonuses flowing.

The correct answer, depending on your perspective, might be:

NOT ENOUGH!

but that'd be foolish. Its already plenty at risk.

Just wondering...

[clickclickdrone]

"a properly motivated terrorist group"
As opposed to what, a lazy one? Do they have motivational away days for the team to get them all fired up?

Re:

[myowntrueself]

"a properly motivated terrorist group"

As opposed to what, a lazy one? Do they have motivational away days for the team to get them all fired up?

Thats what sting operations are for!

Cyber attach the best options for 3d world enemies

[Larry_Dillon]

There are a good number of countries that wish the US ill will. Few of them have the means for direct military conflict and all are an ocean away. They have very few ways they can directly attack the US, short of a 911-style incident. We are also in economic competition with our "friends". Malicious hacking is one of the few available avenues, with a relatively low barrier to entry. It's also more difficult to prove who launched the attack or even to prove that it wasn't a "rouge individual" versus a gov

Accidentally Some Words

[Isarian]

Others are crying FUD [...] are crying FUD.

Slashdot, never change.

If hacking a real risk, wouldn't it have happened?

[swb]

It's not like the US hasn't had a shitload of enemies for a long time who would have loved to have turned off the lights. They were willing to fly fucking planes into buildings.

Even your basic basement hacker might have an interest in this, if only for the thrill of knowing you were responsible for a blackout.

Even if you argue that major state actors wouldn't do this until they "needed" it at some crisis moment, that doesn't exclude more generic non-state actors interested in more immediate results.

So why

Re:

[tnk1]

Mostly because it requires coordination and some special skills. The 9/11 terrorists needed to learn how to fly just enough to hit buildings and that required a number of attackers, good organization, and backing. That doesn't mean that the capability didn't exist for planes to fly into buildings for decades, it just wasn't used.

You will also note that hijackings are not a "thing" like they were in the 70s and 80s. 9/11 was both the worst case scenario, and immediately made hijacking much, much harder af

Re:

[swb]

I would think that the ability to knock out the grid, or parts of it, would be something that wouldn't have a long shelf life.

Components get replaced, security systems change, the people managing it do stuff differently, accounts get removed/added/changed, patches get installed, operating systems change, etc.

Some remote exploits may allow more durable penetration, but I would bet a fair amount just might expire, making maintaining the capability a long-term prospect involving greater exposure and more risk.

It is not really about America's, but the west

[WindBourne]

Seriously, the west should be going back to having decent security. That means not just govs, but businesses, esp. when they are critical. 20 years ago, we are decent on that. Not anymore. Yet, Russia, China, North Korea, etc are hard core on their security because they still in a cold war mentality.

Re:

[__aaclcg7560]

Bernie Sanders builds roads and streets, and makes U.S. citizens pay for it because that is the right thing to do.

Re:It will all collapse

[__aaclcg7560]

The $800 billion stimulus bill was too small to make an impact and too many states used the money to pay for ongoing expenses rather than investing in infrastructure projects. It should have been two to three times larger. With the baby boomers retiring and the working taxpayers shrinking over the next 20 years, paying more taxes is an inevitable fact of life.

Re:

[__aaclcg7560]

What part of Keynesian economics don't you understand?

https://en.wikipedia.org/wiki/Keynesian_economics#Active_fiscal_policy [wikipedia.org]

Re:

[__aaclcg7560]

If you haven't noticed the financial news today, the US economy is stronger than the world economies because those other idiots choose to cut their budgets and strangle their recovery in the mistaken belief that government spending was bad. In fact, those other idiots are now embracing stimulus.

https://uk.finance.yahoo.com/news/world-stocks-oil-surge-central-125120140.html [yahoo.com]

Re:

[__aaclcg7560]

The claim that the American economy is stronger than most is obvious bunk.

That's not what The Wall Street Journal is telling me. Since Wall Street is taking a pisser for no obvious reason that's related to the US economy, I've been buying cheap shares of stock that are fundamentally sound.

Re:

[__aaclcg7560]

You're right. Hillary will be president for the next eight years.

Re:

[fluffernutter]

Yes.. because being indebted to China is a good way to go.

Re:

[Z00L00K]

And that they use the same password on all devices if they do use a password.

Re:OMG!!!

[interval1066]

As some one whose worked in industrial automation (PLCs and their ancillary products) the infrastructure is most definitely at risk. The only thing keeping terrorism at bay is the technical knowledge necessary to mess with it. Engineers at power stations are old farts, and they like things a certain way, the old way. PLCs communicate to other machines in the field using ancient serial protocols, proprietary back planes, and discreet data points. As Rockwell and Siemens and etc decide they need to wake up to the real world however they are putting more of their data over ethernet, but security is an afterthought, and there's your problem. They are designing security into newer protocols, I actually worked on something called DNP-3, and that specification does have an encryption layer in it. I come on to add AES-256 to an existing implementation. Again, afterthought. The effect out in the field of course is that new impl. will cause disruption, consuming devices will need to be upgraded, and etc. That costs money. And so on. Its rarely the case that one simply needs to add a password to an existing infrastructure. Even if that is all that's needed, it usually will still have a cascading effect.

Re:

[__aaclcg7560]

The only thing keeping terrorism at bay is the technical knowledge necessary to mess with it.

Doesn't take much technical knowledge to cut cables in an underground vault and shoot transformers with a sniper rifle.

http://www.npr.org/sections/thetwo-way/2014/02/05/272015606/sniper-attack-on-calif-power-station-raises-terrorism-fears [npr.org]

Re:

[Mr D from 63]

Engineers at power stations are old farts, and they like things a certain way, the old way. PLCs communicate to other machines in the field using ancient serial protocols, proprietary back planes, and discreet data points. As Rockwell and Siemens and etc decide they need to wake up to the real world however they are putting more of their data over ethernet, but security is an afterthought, and there's your problem..

Security is absolutely NOT an afterthought at power stations. At least not in the US. That's simply flat out wrong. And those old fart engineers know what keeps a plant running reliably, they have very good reasons and experience to have things a certain way. A smart noob would do well to ask the old engineer exactly why they like things a certain way. Now, there are always going to be better ways that come along, but they won't come through ignorance of what has been working well for quite some time.

Re:Security in various protocols

[mike.mondy]

[ Vendors ] are designing security into newer protocols...

That's nice... *today*. Well, assuming every protocol someone designs and that someone implements will be free of security flaws... But, "nice today" is not very useful long term.

Imagine, for example, that something is running using Windows XP or a decades old Linux distro. They could have had the best available security when they were built, but they would suck now. A decades old SSH would now be vulnerable.

It seems that historically, sites always end up with some sort of old cruft in existence. As lo

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[thegarbz]

They are designing security into newer protocols, I actually worked on something called DNP-3

I'm actually highly sceptical of this approach. I grilled one of Schneider's techs who worked on DNP-3 implementation about their long list of security advisories they published over the past few years. I flat out think that people who don't understand security shouldn't be in the business of designing security.

Give me a control system run over a VPN from a dedicated network / security vendor without any further encryption any day. A direct to internet connected device which is difficult to upgrade firmware

Re:

[tnk1]

As someone who has the daily job of making the case for security for my company, I can tell you that its not really laziness. It's an inability to understand and properly assign risk.

Businesses who don't understand risks make poor prioritization decisions.

Most places I have worked at do not complain about security, they just believe they have higher priorities for the time of the various staff and resources we have and don't assign the resources for all of the projects needed. And even I have to admit, it

Re:

[blue9steel]

Why is it a matter of assigning risk? Why isn't it just part of "Best Practices"?

Because if it's a low risk low impact item then spending money on it is poor prioritization. There are always more needs for resources than there are resources available.

Re:

[__aaclcg7560]

You can take down a power grid with an EMP bomb. Military installations are already hardened against EMP bombs. Civilian installations are not hardened because the government and the utilities are not willing to foot the bill for upgrading equipment.

Re:

[Mr D from 63]

You may be able to take down a portion of the grid with a very very big EMP.

Re:

[__aaclcg7560]

Russia and China already has that capability to take down the entire US power grid.

What would a successful EMP attack look like? The EMP Commission, in 2008, estimated that within 12 months of a nationwide blackout, up to 90% of the U.S. population could possibly perish from starvation, disease and societal breakdown.

http://www.wsj.com/articles/james-woolsey-and-peter-vincent-pry-the-growing-threat-from-an-emp-attack-1407885281 [wsj.com]

Re:

[Mr D from 63]

That statement speculates what might happen IF the whole grid was taken down by an EMP, but says nothing about what it would take to do so or if who has the capability. The article is paywalled so if it does specifically state what exactly China and Russia are going to use to take down the entire grid at once, I'd like for you to post it.

Re:

[blue9steel]

A couple of high altitude fairly large nukes would do the job just fine.

Re:

[Mr D from 63]

A couple of high altitude fairly large nukes would do the job just fine.

No, they would not.

Re:

[blue9steel]

https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[Mr D from 63]

https://en.wikipedia.org/wiki/... [wikipedia.org]

Yup, EMPs have been created, nobody is arguing that. Now, where exactly does it say what it takes to take out the entire grid?

Re:

[__aaclcg7560]

If you enter "The Growing Threat From an EMP Attack" into Google, you can bypass the paywall to read the article for free. The Soviets during the Cold War could launch from space, the Chinese from an offshore freighter, or the North Korean with their missiles that are designed for mid-flight explosions. Of the three potential adversaries, China is the most likely, as there are Chinese freighters in every US port.

Re:

[Mr D from 63]

They say they have the 'primary ingredients for an EMP attack", but no where do they talk about what is required to completely knock out the entire grid. There seems to be an assumption this can be easily done if you have some missiles and warheads. There is some conclusion jumping going on, its nice to leave that stuff out when one is writing such an article because it dampens reactions.

Re:

[Gavagai80]

Russia and China could simple destroy all US cities with regular bombs, so who cares if they can knock out the power grid with an EMP bomb?

Re:

[__aaclcg7560]

You have to consider the environmental blow back from 2,000+ nuclear bombs being detonated in the atmosphere. A massive EMP attack would be much cleaner if the bombs are detonated in the upper atmosphere. Since the US military is harden against EMP attacks, a nuclear strike in retaliation becomes inevitable. Hence, mutual assured destruction keep the big players in check. Not so much for the terrorists.

And yet you ignore cascade failure

[aepervius]

As shown a few years ago a simple software bug in an operator room led to a breakup, which led to a cascade failure https://en.wikipedia.org/wiki/... [wikipedia.org] read the sequence of event. You may not even need a big emp, a few well placed C4 charge on important transformer and equipments in the power network may be enough as this above demonstrate.

Re:

[Mr D from 63]

But many improvements and changes in how the grid is managed were implemented after that event, and even that even did not take down the entire grid. Taking out a few pieces of equipment will certainly not do it. Now, if you simultaneously blew up 50,000 key components across the nation, yes, you could wreak some havoc.

Re:

[nospam007]

"You can take down a power grid with an EMP bomb."

No need for that. Every year thousands of outages are caused by termites, squirrels, birds, ice rain and drunks in the US and still power cables are nailed to the same wooden posts as 100 years ago.

Re:

[interval1066]

Not always.

Re:

[silas_moeckel]

But there is the rub in an effort to do things cheaper they are trying to do things like replace dedicated fiber with DSL and VPN's.

Re:

[Anonymous Coward]

Squirrels don't work in groups.

You are so, so very wrong.

The problem is that most people who know that squirrels work in groups are now dead. Very very dead. With Oak trees growing out of their rotting corpses.

Posting anonymously for obvious reasons...

Re:Well, C. Thomas got it wrong.

[110010001000]

Don't listen to him. He is clearly nuts. I am totally not a squirrel. You can trust me.

Re:

[Hognoxious]

No problem... until it rained and the corps got wet again

Marines should be used to that.

Re:

[AF_Cheddar_Head]

They used to but it is cheaper and probably more robust to rely on the Internet for communications paths. Not necessarily better but definitely cheaper.

Re:

[tnk1]

Where do you think they get critical security patches from? :)

And in case you don't recall, no one needed to hook up Iran's nuclear facilities to the Internet for Stuxnet to work.

Speaking as someone who had to clean viruses off of floppy disks before the Internet was really a thing, I can tell you that you don't need the Internet to get hacked if someone knows what they are doing and are dedicated to making it happen. The Internet makes remote intrusion and exploits many times more effective than otherwise

Re:

[Qzukk]

Unless the grid has a design flaw where a cascade can still cause the whole thing to go down

Nahhhhhh. That can't happen. [wikipedia.org] Twice. [wikipedia.org]