Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Power Security United States

At How Much Risk Is the US's Critical Infrastructure? (csoonline.com) 162

itwbennett writes: There is growing evidence that intrusions into the power grid and other critical infrastructure by hostile foreign nation states are real and happening. But there's "much less agreement over how much of a threat hackers are," writes Taylor Armerding. "On one side are those – some of them top government officials – who have warned that a cyber attack on the nation's critical infrastructure could be catastrophic,"writes Armerding. Others are crying FUD, including C. Thomas, a strategist at Tenable Network Security, who got some attention when he argued in an op-ed that the biggest threat to the U.S. power grid not a skilled hacker, but squirrels, are crying FUD. Who has it right? Agreement seems to coalesce around two points: 1) the cyber security of industrial control systems remains notoriously weak and 2) hostile hackers will improve their skills over time. So, while we haven't reached "catastrophe" yet, a properly motivated terrorist group could become a cyber threat.
This discussion has been archived. No new comments can be posted.

At How Much Risk Is the US's Critical Infrastructure?

Comments Filter:
  • by NotDrWho ( 3543773 ) on Friday January 22, 2016 @10:26AM (#51350447)

    Because the former is WAY greater a threat than the latter.

  • by dlleigh ( 313922 ) on Friday January 22, 2016 @10:30AM (#51350463)

    But they aren't very organized. Once they set up a twitter feed, or at least unionize, I'll start being concerned.

  • by rsilvergun ( 571051 ) on Friday January 22, 2016 @10:31AM (#51350469)
    Is a lack of funding after 30 years of minimal tax cuts for workers and massive tax cuts for the folks at the top. Look at Flint Michigan.
    • by Z00L00K ( 682162 )

      Not to mention downsizing of workforce so that maybe only 2 persons understand the whole infrastructure network while the rest are hired by the hour for short term work. Documentation only reaches to a certain limit, it shows how things was done, rarely why.

  • by 110010001000 ( 697113 ) on Friday January 22, 2016 @10:33AM (#51350481) Homepage Journal
    I live in Washington DC. The power goes out regularly because the power lines are overhead and not buried. Arguably DC is a "critical" city in the US. Yet we all survive. The country probably does better when DC is out of commission, like it will be next week with the big snow storm coming. You still need to pay your tribute on time, I mean taxes.
    • by Z00L00K ( 682162 )

      That's one thing that amazes me - I'm from Europe and overhead lines are only used out in the boondocks. As soon as you are in a village then they are put below ground, same with telephony and internet where I live. But in almost every village and town in the US they are above ground cluttering the view and put at great risk for influence from the elements, accidents and possible sabotage.

      • Right...most new development uses underground cables, but not everywhere here. They are eventually going to bury our cables here in DC, but it will likely take a few billion dollars and decades.
      • We built ours first, there are downsides to being an early adopter.
        • by Z00L00K ( 682162 )

          No, it wasn't any difference, it was started roughly simultaneously on both sides of the Atlantic, in the 1880's, so that's actually not a reason.

          The reason has more to do with the willingness to realize that the long term maintenance costs are a lot lower with buried lines.

          • The reason has more to do with the willingness to realize that the long term maintenance costs are a lot lower with buried lines.

            The fact that they got to rebuild after having most of their infrastructure bombed to rubble was much more influential. Europeans don't have any better long term focus than the US, a common failing of representative governments.

    • I read an article from a few years ago that digging to place utility lines underground can be a bitch at times, especially if the fiber optic link for the CIA gets cut and armed men in black SUVs taking over the construction zone.
      • The letter agencies in DC use microwave comms not fiber. Fiber can be easily tapped.
        • Microwaves coms can be intercepted just as well.
    • The primary issue between overhead and underground is the time and cost. The conversion cost from overhead to underground is tremendous and quite frankly, rate payers don't want to pay for it. When the conductor fails (or insulator for underground), the time for repair is also significantly higher. Regarding reliability, redundancy is how most utilities address it. Power feed redundancy can be addressed on distribution circuits can be fed from either end, midpoint ties and reclosers. However, you'll ne
      • Rate payers don't want to pay for it, but they sure do want to bitch about the overhead lines when the power goes out. It comes down to penny wise-->pound foolish.

      • Well said. 66kV lines should be on steel poles, but neighborhood 5-25kV lines are easier to maintain in the air. Underground lines are nice when you have a low water table and a lot of wind/snow.

        Honestly, people should just expect less from the electrical utility at this point-- get yourself a grid-tie battery that can isolate itself, and a little portable generator if reliability is important to you. Nobody wants to pay for a reliable utility.

  • OMG (Score:4, Funny)

    by 110010001000 ( 697113 ) on Friday January 22, 2016 @10:37AM (#51350515) Homepage Journal
    OMG Critical infrastructure should never be connected to the intertubes!!!!!
    • by Z00L00K ( 682162 )

      Many electrical substations are connected via radio to a control center. But most control centers have internet access. And today there are a lot of possibilities to intrude on the radio links due to the large availability of cheap radios on the net.

      Go buy a Baofeng radio (or what they are called this week), program it to an unauthorized frequency. Oops, that frequency was used by the power company for controlling your local substation. Once in a while when you transmit you may actually disrupt something at

  • I work in the industrial control world, some anecdotal things to share...

    I've seen access to PLC's running critical water structure completely available via a web browser from anywhere in the world...since fixed. There is movement to close all these holes but the industrial control world moves very slow. It's very conservative, thinking "if it ain't broke, don't fix it" with the definition of broke being physically destroyed. It's easy to be critical of them for this but industrial controls are typically

    • I've had vendors tell me water/sewage gear in a mid sized city did not support routing. OK sure I can see them sending arp requests for the gw they have set when I inject traffic at them, but who knows maybe they have some funky L2 broadcast component. I'm voting for the vendors looked at old gear and went the answer is no get new stuff for anything it was not currently doing.

      I had those same vendors tell me their gear did not support running through a tagged vlan, as in no change but moving their uplink

  • Neither hackers nor squirrels. Physical attacks have already happened in California. A relative few attacks coordinated to occur simultaneously on multiple power stations would do the trick.
    I can't remember where I saw it, but in a story about EMPs the author noted that the components that are used to build the transmission stations are only manufactured by one or two companies overseas. The build time on these components is 3-5 years. They don't have spares sitting around.

  • What's this "US Infratstucture" Thing you keep talking about?
    SCNR :-)

  • ...the biggest threat to the U.S. power grid not a skilled hacker, but squirrels...

    Wait until we get squirrel hackers. Then we're in trouble.

  • Answer: both (Score:5, Insightful)

    by Obfuscant ( 592200 ) on Friday January 22, 2016 @11:06AM (#51350755)
    "A cyber-attack could be catastrophic."

    "The biggest risk is squirrels."

    Do these people not understand that these two statements are not contradictory? Does anyone here understand that? The question "who is right" is trivial to answer. Both are.

    A cyber attack could be catastrophic, albeit rare. And squirrel outages, due to the comparatively high rate of occurrence combined with the level of damage, are a bigger risk.

  • New law Critical Infrastructure parts must made in USA / other non China places / or at very least have no overseas coders in the mix / full code review with the US GOV.

    Better to do it now then later by force of martial law.

  • I work with lots of serial-to-Ethernet stuff, various gateways, etc. in an industry with a lot of old technology. The truth is that the vendors of this stuff make it easy to set up, open access by default, and almost never updated. Patches for known things like ssh vulnerabilities or kernel bugs take months. What often happens is some lowest-bid contractor is hired by the utility company to implement control systems, leaves them wide open and the company has no idea how to secure them.

    Remember Windows XP SP

    • by jasno ( 124830 )

      > serial-to-Ethernet stuff

      Haha, I worked at a company whose bread and butter were devices like that... then they got into payment processing as well.

      Products were barely cobbled together by people with not enough time or understanding to make a secure system. I left, and they tried to get me back to do some consulting.. I asked em about what kinds of security testing they do... 'well we use openssl'... hahaha ok... sure.. jesus.

  • answer is:

    VERY at risk.

    Like all infrastructure, management and budgeting is done on a by crisis basis.

    The rest of the time it is ignored to make the numbers look good and keep the bonuses flowing.

    • answer is:

      VERY at risk.

      Like all infrastructure, management and budgeting is done on a by crisis basis.

      The rest of the time it is ignored to make the numbers look good and keep the bonuses flowing.

      The correct answer, depending on your perspective, might be:

      NOT ENOUGH!

      but that'd be foolish. Its already plenty at risk.

  • "a properly motivated terrorist group"
    As opposed to what, a lazy one? Do they have motivational away days for the team to get them all fired up?
    • "a properly motivated terrorist group"

      As opposed to what, a lazy one? Do they have motivational away days for the team to get them all fired up?

      Thats what sting operations are for!

  • There are a good number of countries that wish the US ill will. Few of them have the means for direct military conflict and all are an ocean away. They have very few ways they can directly attack the US, short of a 911-style incident. We are also in economic competition with our "friends". Malicious hacking is one of the few available avenues, with a relatively low barrier to entry. It's also more difficult to prove who launched the attack or even to prove that it wasn't a "rouge individual" versus a gov

  • Others are crying FUD [...] are crying FUD.

    Slashdot, never change.

  • It's not like the US hasn't had a shitload of enemies for a long time who would have loved to have turned off the lights. They were willing to fly fucking planes into buildings.

    Even your basic basement hacker might have an interest in this, if only for the thrill of knowing you were responsible for a blackout.

    Even if you argue that major state actors wouldn't do this until they "needed" it at some crisis moment, that doesn't exclude more generic non-state actors interested in more immediate results.

    So why

    • by tnk1 ( 899206 )

      Mostly because it requires coordination and some special skills. The 9/11 terrorists needed to learn how to fly just enough to hit buildings and that required a number of attackers, good organization, and backing. That doesn't mean that the capability didn't exist for planes to fly into buildings for decades, it just wasn't used.

      You will also note that hijackings are not a "thing" like they were in the 70s and 80s. 9/11 was both the worst case scenario, and immediately made hijacking much, much harder af

      • by swb ( 14022 )

        I would think that the ability to knock out the grid, or parts of it, would be something that wouldn't have a long shelf life.

        Components get replaced, security systems change, the people managing it do stuff differently, accounts get removed/added/changed, patches get installed, operating systems change, etc.

        Some remote exploits may allow more durable penetration, but I would bet a fair amount just might expire, making maintaining the capability a long-term prospect involving greater exposure and more risk.

  • Seriously, the west should be going back to having decent security. That means not just govs, but businesses, esp. when they are critical. 20 years ago, we are decent on that. Not anymore. Yet, Russia, China, North Korea, etc are hard core on their security because they still in a cold war mentality.

Technology is dominated by those who manage what they do not understand.

Working...