Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Government Power Security The Almighty Buck United States Politics Technology

Department of Energy Invests $50 Million To Improve Critical Energy Infrastructure Security (helpnetsecurity.com) 51

Orome1 shares a report from Help Net Security: Today, the Department of Energy (DOE) is announcing awards of up to $50 million to DOE's National Laboratories to support early stage research and development of next-generation tools and technologies to further improve the resilience of the Nation's critical energy infrastructure, including the electric grid and oil and natural gas infrastructure. The electricity system must continue to evolve to address a variety of challenges and opportunities such as severe weather and the cyber threat, a changing mix of types of electric generation, the ability for consumers to participate in electricity markets, the growth of the Internet of Things, and the aging of the electricity infrastructure. The seven Resilient Distribution Systems projects awarded through DOE's Grid Modernization Laboratory Consortium (GMLC) will develop and validate innovative approaches to enhance the resilience of distribution systems -- including microgrids -- with high penetration of clean distributed energy resources (DER) and emerging grid technologies at regional scale. The project results are expected to deliver credible information on technical and economic viability of the solutions. The projects will also demonstrate viability to key stakeholders who are ultimately responsible for approving and investing in grid modernization activities. In addition, the Department of Energy "is also announcing 20 cybersecurity projects that will enhance the reliability and resilience of the Nation's electric grid and oil and natural gas infrastructure through innovative, scalable, and cost-effective research and development of cybersecurity solutions."
This discussion has been archived. No new comments can be posted.

Department of Energy Invests $50 Million To Improve Critical Energy Infrastructure Security

Comments Filter:
  • $50 million? (Score:5, Insightful)

    by PopeRatzo ( 965947 ) on Tuesday September 12, 2017 @10:47PM (#55185913) Journal

    They better add a few zeroes to that.

    • by ls671 ( 1122017 )

      This is just PR, what is really critical is the Strategic Petroleum Reserve of the United States ;-)

      https://en.wikipedia.org/wiki/... [wikipedia.org]

    • Yeah, like China did recently, [nytimes.com] on top of the investments they've been making already for the last decade at least.

    • early stage research and development

      If "early stage research and development" of something costs $50M plus a few zeroes, then that "something" must be either warp drive research or the cure for death. I don't think this is it.

      • If "early stage research and development" of something costs $50M plus a few zeroes, then that "something" must be either warp drive research or the cure for death. I don't think this is it.

        The F-35 "fighter" jet program will cost $1.1 trillion, and doesn't include a warp drive or immortality.

        • It does not? include a warp drive?
          I'm disappointed.

          What did the Apollo program cost in 'modern dollars'?

        • Those $1.1 trillion is not "early stage research and development", though. I was under the impression that that was the total cost of everything associated with the program until EOL. Not just the physical airplanes, but fixing them for fifty year, paying for the pilots etc. etc.
    • They better add a few zeroes to that.

      This. $50mil is is like change stuck in the couch of the Federal Government, not enough to do anything but maybe fund a study that will produce a paper in 8 months that nobody will read. And then there's that "up to" part to really let the air leak out of the balloon.

      This is a big country, with a huge, interconnected, antiquated power grid that needs complete re-thinking in a world of public and private solar, heat waves, hurricanes, hackers and insecure control equipment, and a population more dependent

  • by GerryGilmore ( 663905 ) on Tuesday September 12, 2017 @10:47PM (#55185915)
    Seriously - The Economist magazine recently had a great article (https://www.economist.com/news/world-if/21724908-huge-potential-impact-rich-countries-prolonged-loss-electricity-disaster) highlighting A) the catastrophic effect on civilized life and B) the ridiculously low cost of preventive measures and C) as always, the lack of political will, coupled with a lack of technical knowledge across broad swaths of our populace and - especially! - politicians married with a "gubmint regulations are bad, M'Kay!" mentality and you have potential disaster looming. Don' worry, though, the latest version of Apple's iPhone will have an app to fix that! :-)
  • And I'll just take your electrical grids off the fucking internet. There, highly secure (physical attacks only.) Saved you 40 million so you can play with figuring out the oil and gas side of things.

    • by Bob the Super Hamste ( 1152367 ) on Wednesday September 13, 2017 @08:14AM (#55187285) Homepage
      I see someone has no idea of what they are talking about in this regard. Here is the current standard [nerc.com] that grid operators have to comply with. Also here is what is currently being asked of suppliers [energy.gov] by the grid operators when getting a new system. Add in that the systems be benchmarked against these [cisecurity.org] or these [nist.gov] is also becoming written into the contracts now. I would assume that operators in the oil and gas industry either have similar things or are at least smart enough to re-purpose the above as the effort to do so would be minimal. A lot of the security efforts for securing the grid are not to protect it from the general internet, they are already separated and if not the company fucked up really bad and if NERC finds out the company will be paying some huge fines so let NERC know [nerc.com]. Instead the security is to protect the control system from stupid users who find a USB rubber ducky [hakshop.com] in the parking lot, connects their corporate laptop to the control network, someone doing malicious things out at some remote substation that then gets into the main control system [sans.org], or malicious insider. The people going after the grid are professionals and more often than not state actors not little Timmy from down the street who just found out about Low Orbit Ion Cannon or Armitage.
      • I see someone has no idea of what they are talking about in this regard.

        Please, stop with the facts. Its more fun to just assume 'its all connected to the internet', so we can all say how stupid and negligent they are. We don't need to have a clue, its /.

      • by Khyber ( 864651 )

        "I see someone has no idea of what they are talking about in this regard."

        I see someone fails to remember how IBM researchers hacked and gained remote control of a nuclear fucking reactor.

        You think these power companies are actually complying with regulations? You better open your eyes, sonny boy. If the penalty for non-compliance the profits made from non-compliance, they will choose to not comply. This is how you have companies like Oncor in Texas fucking things up royally.

        • by Khyber ( 864651 )

          Fucking inserting HTML when I select plain text. Thanks, Slashdot. If the penalty of non-compliance is less tan the profits gained by non-compliance, they'll choose non-compliance.

          • Well considering that NERC CIP penalties can be $1,000,000 a day for each violation they are taken seriously. The IBM incident you mention was actually one of the many has been a big driving force for the successive NERC CIP regulation updates that have come since. My major complaint about the NERC CIP regulations is that they are too open to interpretation by auditors and there is a bit too much cozyness between the auditor and the operator. Thankfully in the last few years power companies have started to
  • Well (Score:5, Interesting)

    by buss_error ( 142273 ) on Wednesday September 13, 2017 @12:26AM (#55186113) Homepage Journal

    I'm all for that. But how expensive is it to block port 23 and changing the BIOS of SCADA systems so that the first thing to be configured is a password?

    I have seen power, water, sewer, and traffic systems put into production with an internet gateway that had telnet open, with default admin credentials that are well known.

    I have a few "go to" things for the rare occasions I'll take a consulting gig on.

    1. nmap the device. Secure the open ports.
    2. No default passwords, and it's best if you can change the admin account name to something non-standard.
    3. patch patch patch
    4. Secure SSH so that only ssh key access is allowed. No username/password.
    5. Create a key for each device. Best if you create the key with a password - I usually use the serial number of the device obfuscated. So if the serial number is 123, then the password for that key would be zyx or some simple transposition. I usually use a 10 letter word whose letters don't repeat. INTRODUCES, BLOCKHEADS, CORNFLAKES - and I usually say order them so it doesn't spell a word. EG: BLOCKHEADS to ABCDEHKLOS. And change the key based on the third or second to last number.
    6 firewalls, firewalls firewalls. Limit port access to only those IP's you know and control.
    7. Trust nothing completely. Defense in depth.
    8. Construct "alarm" data and configure deep packet inspection to look for those alarm data and trigger an alert.
    9. Ensure you have a panic button to shut down the network.

    There are other things, a bit more subtle to go into.

    • by Anonymous Coward

      You forgot some points but I won't pedantically bore everyone pretending I'm the authority on them.

    • by Anonymous Coward

      I'm all for that. But how expensive is it to block port 23 and changing the BIOS of SCADA systems so that the first thing to be configured is a password?

      I have seen power, water, sewer, and traffic systems put into production with an internet gateway that had telnet open, with default admin credentials that are well known.

      I have a few "go to" things for the rare occasions I'll take a consulting gig on.

      1. nmap the device. Secure the open ports.
      2. No default passwords, and it's best if you can change the admin account name to something non-standard.
      3. patch patch patch
      4. Secure SSH so that only ssh key access is allowed. No username/password.
      5. Create a key for each device. Best if you create the key with a password - I usually use the serial number of the device obfuscated. So if the serial number is 123, then the password for that key would be zyx or some simple transposition. I usually use a 10 letter word whose letters don't repeat. INTRODUCES, BLOCKHEADS, CORNFLAKES - and I usually say order them so it doesn't spell a word. EG: BLOCKHEADS to ABCDEHKLOS. And change the key based on the third or second to last number.
      6 firewalls, firewalls firewalls. Limit port access to only those IP's you know and control.
      7. Trust nothing completely. Defense in depth.
      8. Construct "alarm" data and configure deep packet inspection to look for those alarm data and trigger an alert.
      9. Ensure you have a panic button to shut down the network.

      There are other things, a bit more subtle to go into.

      If the 'the grid' control networks looked like a corporate network, this might make sense. But 'the grid' is really a huge number of segmented and isolated networks, of varying levels of actual control or risk, most of which have much of the security you describe. Some improperly isolated networks or ones missing some protections probably exist, but they are outliers and can't bring down the greater system.

      There is a need for communication between some of the networks across the grid, and that is where ext

    • My favourite admin user/password is:
      User: 'Ruth'
      Passwd: 'geh heim' :P

    • by Anonymous Coward

      Most SCADA systems are commisioned and qualified at great expense and left to run for decades. Upgrades are extremely expensive to perform. Think $millions.

      Patching and bios upgrades need to be vendor-qualifed before installation - no-one will take the risk of the lights going out because of an unqualified patch. Vendors are getting better about independent patch releases, but that doesn't help older systems.

      Your key protection is retarded. You've reduced the search space to 26!/17! which is searchable i

  • Here is a rough estimate as of 2015 from Quora: [quora.com]

    For long haul, my rule-of-thumb (based on 35k miles of "thumb" over the last 20 years) is about $175k/mile for two conduit and 144 fiber. Note: this is good for optical ground wire on long-haul electrical transmission lines, as well as buried.

    So $50 million buys .285714285714 of a mile, or 1508.57142857 feet or 459.8126 meters.

    Thank god we're saved!!

    • Here is a rough estimate as of 2015 from Quora: [quora.com]

      For long haul, my rule-of-thumb (based on 35k miles of "thumb" over the last 20 years) is about $175k/mile for two conduit and 144 fiber. Note: this is good for optical ground wire on long-haul electrical transmission lines, as well as buried.

      So $50 million buys .285714285714 of a mile, or 1508.57142857 feet or 459.8126 meters.

      Thank god we're saved!!

      Incorrect.

    • Here is a rough estimate as of 2015 from Quora: [quora.com]

      For long haul, my rule-of-thumb (based on 35k miles of "thumb" over the last 20 years) is about $175k/mile for two conduit and 144 fiber. Note: this is good for optical ground wire on long-haul electrical transmission lines, as well as buried.

      So $50 million buys .285714285714 of a mile, or 1508.57142857 feet or 459.8126 meters.

      Thank god we're saved!!

      Costs $175k/mile, and $50 million gets a little over a quarter mile? Sign me up for that contract! That's a nice profit margin.

  • Disconnect it from the internet, and give me my $50 million.
  • Here is my bid: you cannot secure that stuff, just unplug it from the net.

    Where do I collect my $50 million?

Keep the number of passes in a compiler to a minimum. -- D. Gries

Working...