Hackers Have Penetrated Energy Grid, Symantec Warns (fortune.com)
An anonymous reader quotes a report from Fortune: Hackers have been burrowing their way inside the critical infrastructure of energy and other companies in the U.S. and elsewhere, warns cybersecurity giant Symantec. In a new report, Symantec claims that the threat of cyberattack-induced power outages in the west has elevated from a theoretical concern to a legitimate one in recent months. "We're talking about activity we're seeing on actual operational networks that control the actual power grid," Eric Chien, technical director of security technology and response at Symantec, told Fortune on a call. Reports surfaced over the summer of hackers targeting staff at nuclear energy facilities with phishing attacks, designed to steal login credentials or install malware on machines. The extent of the campaign as well as the question of whether the attackers had breached operational IT networks, rather than merely administrative ones, was unclear at the time. Symantec is now erasing all doubt. "There are no more technical hurdles for them to cause some sort of disruption," Chien said of the hackers. "All that's left is really motivation." Symantec detailed its findings in a report released Wednesday morning. The paper tracks the exploits of a hacker group that Symantec has dubbed DragonFly 2.0, an outfit that the company says it has linked to an earlier series of attacks perpetrated between 2011 and 2014 by a group it dubbed DragonFly.
they (Score:2)
Re:they (Score:5, Informative)
Maybe there is a reason, despite these continuously 'escalating attacks', that we are not seeing any power outages in the US. Maybe it is because our methods to prevent them from being successful are effective. Maybe because we know about all these attacks before they are doing any harm is also a sign our methods are effective.
We can't let our guard down, but we don't have to fall for the hype.
Re:they (Score:4, Funny)
also, the only way symantec is going to detect/know about anything is if a snail mail letter is delivered to their headquarters from the self aware botnetwork.
Re: they (Score:1)
Symantec is a 'security giant' because they make an antivirus product that runs in userspace on Windoze clients.
I remember Symantec C++, back when they were a tech company.
Re: (Score:2)
i guess they are back to their "scareware" tactics to move products. some people always bought their products for some reason.
Re: (Score:2)
Re: (Score:2)
yes it also takes that same dumbass to hit the off switch, no hacking required.
Re: (Score:2)
Yes, there are ways to breach air gaps, and the human eleme
Re: (Score:2)
Interesting your take on the fact they didn't say control network to mean they didn't breach to the controls layer. They said:
"We're talking about activity we're seeing on actual operational networks that control the actual power grid"
"The extent of the campaign as well as the question of whether the attackers had breached operational IT networks, rather than merely administrative ones, was unclear at the time."
I read actual operational network and operational IT networks as they were saying the controls n
Re: (Score:2)
I did not mean to assert what they meant, but meant to point out that there is good reason, based on the vagueness coupled with hyperbole, to be very skeptical
Re: (Score:2)
I don't really understand the difference between operational and control, they both translate to the same German word.
I assume with 'operational' you mean the business part? Well, it is easy to hack the 'control' part by feeding wrong information into the business part.
E.g. that your company just made a successful deal at the spot market and is supposed to feed in 1GW extra into the grid from next hour on ... your 'operational' grid will react to that and power up the plants close to the feed in point and
Re: (Score:2)
Of course we could guess at what they mean all day. That's the problem, they are intentionally vague, and every time we see that the reality is m
Re: (Score:2)
Re: (Score:2)
USB ports are usually disabled.
You are not allowed to bring laptops into the facility.
Your laptop would not get any access to the network, as it has an unknown MAC.
Try again ...
Re: (Score:3)
USB ports are usually disabled.
Probably in some cases, not the ones I worked on.
You are not allowed to bring laptops into the facility.
False. I (and every other contractor, including those that actually applied the programming to DCS.) brought our laptops on-site every day. One part
Re: (Score:2)
USB ports active and external Laptops allowed in your facilities ...
Not false in general.
Here in Germany you can not even bring a phone or a pad, and often not even an eBook reader into a facility.
Regardless if the facility is nuclear or not ...
Great! (Score:2)
In other news, (Score:2)
electrical grids to switch to McAfee security products.
Re: (Score:2)
Yeah, my power company uses McAfee, no probl^#&^%&!)+!#&*!%#& NO CARRIER
Reliability (Score:5, Insightful)
I would need to see this confirmed by a competent, reliable source.
Re: (Score:3)
Dude you forgot to wr{#`%${%&`+'${`%&NO CARRIER
Re: (Score:2)
If he was dying he wouldn't bother to carve 'Aggghh', he'd just say it. [youtube.com]
Re: (Score:2)
Despite the breathless reporting, there is no "energy grid" that can be hacked. Individual servers and routers can be hacked. Unprotected SCADA systems can be hacked. But it would take far more than this to bring down the electric system in the US. It's not contiguous or synchronous. It's not impervious either (see 2003 blackout) but it doesn't work the way it's described here.
That's the impression many seem to have. It takes a tremendous effort just to bring down one small part of the grid, the rest will hum along just fine as the grid is designed to deal with disturbances. The 2003 blackout is well studied and many improvements and changes have been made to prevent the same from recurring. Isolation should happen before a cascade of failures. Although we haven't had any events to test it, the causes were quite clear and therefore we can have good confidence.
Re: (Score:2)
and many improvements and changes have been made to prevent the same from recurring.
Oh horsepucky. 2003 wasn't the first cascade failure and it won't be the last. It's been 14 years and these power companies are padding their exec bonus packages like nothing ever happened and the unions are padding the pension schemes and the grid rots. Meanwhile developers develop and lines get extended and plants get uprated and the margins get incrementally smaller and smaller until ping! Some tree branch outside Deplorableville, PA shorts a high tension line or a long overdue for service transforme
Re: (Score:2)
and many improvements and changes have been made to prevent the same from recurring.
Oh horsepucky. 2003 wasn't the first cascade failure and it won't be the last. It's been 14 years and these power companies are padding their exec bonus packages like nothing ever happened and the unions are padding the pension schemes and the grid rots. Meanwhile developers develop and lines get extended and plants get uprated and the margins get incrementally smaller and smaller until ping! Some tree branch outside Deplorableville, PA shorts a high tension line or a long overdue for service transformer welds itself together and the North East goes dark for a day.
And then we'll have ourselves another "investigation" that concludes with nothing of note beyond "Moare Money!" and another round of "never let this happen again" from the prevailing notables. Rinse. Repeat. All this story contributes is a possible reordering of the list of failure modes; sabotage jumps up a few notches and perhaps approaches the level of neglect and incompetence.
Well, that's quite a ranting list of assumptions.
Re: (Score:2)
Well, that's quite a ranting list of assumptions.
And every single one is individually more plausible than any part of your "prevent the same from recurring" platitude.
But, maybe ... (Score:2)
"There are no more technical hurdles for them to cause some sort of disruption,"
But maybe, they're here to help. IT COULD HAPPEN !!! :-)
Clever Marketing. Recent Solar CME (Score:2)
Any power outages caused by the recent CME eruption from our sun might scare people into purchasing 'protection'.
http://spaceweather.com/ [spaceweather.com]
Mostly Russians and some Chinese (Score:2)
While there are a few North Koreans hacking the grid, it's mostly been Russian state hackers and Chinese state hackers. In point of fact, we made a deal with China to hold off on that, so now it's mostly just the Russians.
Source: various agencies. No, not linking it.
On the plus side, residential and commercial building solar and wind power systems are mostly not hacked.
Far more risk factor from fires, quakes, floods, and storms, actually.
This is what I meant. (Score:2)
I've argued in favor of decentralized off-grid solar power because centralized power is vulnerable to attack. People either don't grasp what I mean or write it off as paranoia but this is a prime example of the vulnerability that centralized power systems create.
Be it a tree or hacker, centralized power systems are vulnerable to attack. (We shouldn't have pissed off the trees.)
Re:This is what I meant. (Score:4, Interesting)
I've argued in favor of decentralized off-grid solar power because centralized power is vulnerable to attack.
It seems every time solar is brought up there is a mention of a "smart grid" to address issues of this thing called "night" that keeps solar collectors from providing 24/7 power. So, which is it? Do we get cheap solar energy from a "smart grid" or do we have expensive decentralized power?
If you want energy that is cheap, reliable, and decentralized then solar power cannot make any significant portion of the grid. Solar is only cheap if it is connected, and that means there's some centralized utility. If you take solar off the grid then you need storage, and that costs money.
I've argued in favor of decentralized off-grid solar power because centralized power is vulnerable to attack.
I live in the US Midwest, and we have a lot of "attacks" on the power grid. It was quite interesting to work the late shift at a call center in the middle of a rainstorm when a nearby lightning strike took out the grid power. We sat in the dark for a few seconds until the backup diesel generators started up. If that call center had decentralized solar power then the lightning strike would not have taken out the power, but that's because we'd have been running on the diesel generators since sundown.
I'm not too concerned about attacks on the power grid since we get them all the time and people have the means to deal with them. If a hacker wants to shut down a grid for a while then what does that mean in the end? Not much really.
I remember some idiot in California tried shooting up a large transformer with a rifle and was almost successful in creating a pretty big blackout. It was only because the guy goofed and missed out on cutting all the control wires for diverting power that he was not successful in making the substation go up in sparks and flames. Of course you then had some US senators call for more gun control (because in California the gun ban didn't work so we have to ban them again) and to armor up all substations (because utility prices aren't high enough already).
How do you protect solar panels from an attack? Wouldn't an idiot with a rifle be even more successful in attacking solar panels than a coal, nuclear, or natural gas power plant? I mean we can (and do) put a nuclear power plant in a big concrete dome to protect it from attack but we can't do that to solar panels. What of a hail storm? Wouldn't that turn your precious decentralized solar panels into a worthless (and toxic) busted up mess? Without a tie to the grid then how are these people supposed to get power until the solar panels are repaired? I know the answer, on site diesel generators, kind of like how we deal with grid outages now.
I'm sure that there's a lot of things we could do to secure our electrical supply. I'm also sure that solar power isn't one of those things.
Re: (Score:2)
Solar is only cheap if it is connected, and that means there's some centralized utility. If you take solar off the grid then you need storage, and that costs money.
Careful or facts might get in the way. [bloomberg.com] It's called economies of scale and it's helped us before. [forbes.com]
Wouldn't an idiot with a rifle be even more successful in attacking solar panels than a coal, nuclear, or natural gas power plant?
The point is to reduce the amount of damage that can be done by one person. With shingles they could use a shitload of ammo to destroy the power system for one house but they can't do that to millions of houses. Even if one guy shot a bunch of solar panels, you can just go to Walmart and buy a new panel.
I mean we can (and do) put a nuclear power plant in a big concrete dome to protect it from attack but we can't do that to solar panels. What of a hail storm?
Oh those pesky facts [youtube.com] are at it again!
Without a tie to the grid then how are these people supposed to get power until the solar panels are repaired? I know the answer, on site diesel generators, kind of like how we deal with grid outages now.
With solar shingles, you would have to take them all out to reduce power
Re: (Score:2)
I have a video with those pesky facts too.
https://www.youtube.com/watch?... [youtube.com]
What will your windmill or solar panel look like after a plane crashes into it? I don't care if your solar panels are bulletproof, they are never going to hold up to the abuse that a concrete bunker can.
This isn't rocket science.
I'm pretty sure rocket science was involved in the survivability tests of a nuclear power plant.
The point is to reduce the amount of damage that can be done by one person.
Right, and no single person is going to take down a nuclear power plant, or any significant portion of the electrical grid. A hail storm
Re: (Score:2)
What will your windmill or solar panel look like after a plane crashes into it? I don't care if your solar panels are bulletproof, they are never going to hold up to the abuse that a concrete bunker can.
Are you concerned about planes crashing into your house? I've never had that problem. Do you live in a concrete bunker in fear of planes?
Right, and no single person is going to take down a nuclear power plant, or any significant portion of the electrical grid
Did you not see what the article was about? It doesn't matter if your power supply could withstand a kinetic orbital strike if a single hacker can destroy the entire electrical grid infrastructure via computer network.
If a bunch of solar panels and windmills get busted up then Walmart is going to run out of both real quick.
If only there was a way to move such large items from one town to the next! -_-
you show graphs of solar panels getting cheaper but can't nuclear power get cheaper too?
If it hasn't happened in the last 70 years, why do you think it would start
Re: (Score:2)
Are you concerned about planes crashing into your house? I've never had that problem. Do you live in a concrete bunker in fear of planes?
No, but I do make sure my truck is parked in a garage if hail is mentioned in the weather forecast. I've seen what hail can do to a solar panel, and to a patch of concrete. The concrete looks pretty much the same afterwards, the solar panel not so much.
Did you not see what the article was about? It doesn't matter if your power supply could withstand a kinetic orbital strike if a single hacker can destroy the entire electrical grid infrastructure via computer network.
I read the article and it's a bunch of crap, and so is the mention of trying to address the problem with decentralized solar power. A hail storm busting up a bunch of solar panels is many orders of magnitude more likely to disrupt power than any computer a
Re: (Score:2)
I didn't mean to quote the same line twice. The second quote was supposed to be:
Be it a tree or hacker, centralized power systems are vulnerable to attack.
For some reason I didn't catch it in the preview.
Re: (Score:2)
Better grid protection from Orkin or Symantec? (Score:5, Funny)
Re: (Score:2)
Don't you mean "nemeses"? There's more than one you know.
Re: (Score:2)
This gets modded funny, but I'd like to see the security freaks respond to this someday. Hey security guy, let's say I'm a power company exec --Why should I pay you twice what the guys battling the squirrels get? How about I fire you and hire two more squirrel fighters...
This is our Government (Score:1)
I'll need more credibility (Score:2)
i need more than just Symantec saying so, since they themselves verge on malware.
For some reason, I'm not worried much (Score:2)
2. If this is actually more than just FUD, then why isn't, for instance Cal ISO issuing a press release about it? I'd think they'd know before anyone else would.
Re: (Score:2)
The US moved to build networks into its grid to replace union workers on site.
A few people with computer networks could replace a lot of workers on site per state/city.
But few experts expected the networks to just stay in place over years once connected to the internet.
New upgrades have to be sold to make the networks better and more secure.
The news cycle mo
Re: (Score:1)
Humans join unions and new wage costs get passed onto poor communities.
Then ban the unions.
If people join a union to make demands then fire them all. Unions are their own worst enemy. They'd actually be useful if they didn't get so full of themselves and threaten a work stoppage to make their point. Breaking up the troublesome unions will cause a short time cost at first but in the end everyone is better off, including the workers.
Film at 11... (Score:2)
After the break, barber claims long hair causes cancer.
Bad SSL Certs? (Score:1)
Symantec Mis-issuing 30,000 SSL Certificates [arstechnica.com]
Just sayin'...
Stuxnet (Score:2)
Need an ethical hacker? (Score:1)
Bullshit, and what? (Score:2)
First off, what in the hell would Symantec AV stuff be doing on infrastructure-critical machines that can affect said infrastructure (versus just looking at data points)? Secondly, this isn't something that would be announced by a company unless it was trying to sell a product. They would responsibly notify the infrastructure officials and have them take control of the situation, IF IT EXISTED.
This reeks of a ploy to induce fear and sell their amazing product that can "detect things like this" magically.