Spring Cyberattack on US Power Grid 'Probably Just Some Script Kiddie' (eenews.net) 62
The electric utility non-profit NERC has posted a "Lessons Learned" document detailing a March 5th incident that Environment & Energy News calls "a first-of-its-kind cyberattack on the U.S. grid". While it didn't cause any blackouts -- it was at a "low-impact" control center -- NERC is now warning power utilities to "have as few internet facing devices as possible" and to use more than just a firewall for defense.
puddingebola shared this report from Environment & Energy News: The cyberthreat appears to have been simpler and far less dangerous than the hacks in Ukraine. The March 5 attack hit web portals for firewalls in use at the undisclosed utility. The hacker or hackers may not have even realized that the online interface was linked to parts of the power grid in California, Utah and Wyoming. "So far, I don't see any evidence that this was really targeted," said Reid Wightman, senior vulnerability analyst at industrial cybersecurity firm Dragos Inc. "This was probably just an automated bot that was scanning the internet for vulnerable devices, or some script kiddie," he said, using a term for an unskilled hacker...
In the March episode, a flaw in the victim utility's firewalls allowed "an unauthenticated attacker" to reboot them over and over again, effectively breaking them. The firewalls served as traffic cops for data flowing between generation sites and the utility's control center, so operators lost contact with those parts of the grid each time the devices winked off and on. The glitches persisted for about 10 hours, according to NERC, and the fact that there were issues at multiple sites "raised suspicion." After an initial investigation, the utility decided to ask its firewall manufacturer to review what happened, according to NERC, which led to the discovery of "an external entity" -- a hacker or hackers -- interfering with the devices. NERC stressed that "there was no impact to generation...."
Wightman said the "biggest problem" was the fact that hackers were able to successfully take advantage of a known flaw in the firewall's interface. "The advisory even goes on to say that there were public exploits available for the particular bug involved," he said. "Why didn't somebody say, 'Hey, we have these firewalls and they're exposed to the internet -- we should be patching?'"
Large power utilities are required to check for and apply fixes to sensitive grid software that could offer an entry point for hackers.
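The NERC write-up says the thing that "raised suspicion" was not any single reboot but the fact that devices at several sites were cycling within the same stretch of time. The following script, added here as an illustration and not taken from NERC, E&E News or any firewall vendor, shows the detection logic a utility could run over its firewall syslog: it parses reboot messages and reports only windows in which several reboots occur across more than one site. The log format, hostnames, timestamps and thresholds are constructed for the example; the real utility's devices and message formats are not public.

```python
"""
Added example: correlate firewall reboot events across sites so that a burst
of reboots at multiple locations is flagged, while an isolated maintenance
reboot is not. Log lines, hostnames and the syslog-like layout are constructed.
"""
from collections import namedtuple
from datetime import datetime, timedelta
import re

# Constructed sample syslog lines: one line per reboot-related message.
SAMPLE_LOG = """\
2019-03-05 09:12:03 fw-siteA kernel: system reboot requested via web interface
2019-03-05 09:12:41 fw-siteB kernel: system reboot requested via web interface
2019-03-05 09:14:10 fw-siteA kernel: system reboot requested via web interface
2019-03-05 09:15:55 fw-siteC kernel: system reboot requested via web interface
2019-03-05 09:16:20 fw-siteB kernel: system reboot requested via web interface
2019-03-05 13:40:00 fw-siteA kernel: scheduled maintenance reboot
"""

# "<timestamp> <host> <program> <message>"; the program field is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+ (?P<msg>.*)$"
)

Event = namedtuple("Event", "ts host")


def parse_reboots(log_text):
    """Return a time-sorted list of Event(ts, host) for lines mentioning a reboot."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "reboot" not in m.group("msg"):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, m.group("host")))
    return sorted(events)


def find_reboot_storms(events, window=timedelta(minutes=10), min_sites=2, min_events=3):
    """Slide a window over the sorted events and report each window that holds at
    least min_events reboots spread over at least min_sites distinct hosts.
    A storm is reported once: the scan skips past the events it already covered."""
    alerts = []
    i = 0
    while i < len(events):
        start = events[i].ts
        in_window = [e for e in events[i:] if e.ts - start <= window]
        sites = sorted({e.host for e in in_window})
        if len(in_window) >= min_events and len(sites) >= min_sites:
            alerts.append({
                "start": start,
                "end": in_window[-1].ts,
                "sites": sites,
                "count": len(in_window),
            })
            i += len(in_window)  # do not re-report the same burst from its second event
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_reboot_storms(parse_reboots(SAMPLE_LOG)):
        print(f"{alert['start']} - {alert['end']}: {alert['count']} reboots "
              f"across {', '.join(alert['sites'])}")
```

Run against the constructed log, the five reboots between 09:12 and 09:17 across three hosts produce one alert, while the lone 13:40 maintenance reboot produces none. The thresholds are the tunable part: a single device rebooting is routine, the same devices cycling at several sites in a short window is the pattern the report describes, and the point of correlating by site rather than by device is that each site's reboot looked normal on its own.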
Up to date patches are defense #1 by far (Score:5, Insightful)
The VAST majority of attacks are script kiddies. Like 99.99%. They scan for machines with well known vulnerabilities - which have patches available in the vast majority of cases. Therefore simply keeping your devices up to date will prevent well over 99% of attacks from succeeding.
If you're worried about more advanced attackers, they too are likely to *start* with the same known vulnerabilities. So patching is one of the best things you can do to make their job harder.
Source -
As a 20 year security professional, I've analyzed tens of thousands of attacks, and have data of some sort on far more.
Re: Up to date patches are defense #1 by far (Score:1)
Re: (Score:2)
"So far, I don't see any evidence that this was really targeted," said Reid Wightman, senior vulnerability analyst at industrial cybersecurity firm Dragos Inc. "This was probably just an automated bot that was scanning the internet for vulnerable devices, or some script kiddie," he said, using a term for an unskilled hacker.
Re: (Score:2)
Thank god it was an unskilled hacker? Jesus Christ. We'd be up to our eyeballs in catastrophic damage and suffering otherwise amiright?
Tighten up your shit energy grid. Get it together and be thankful this was just a "test".
Do i have to s-p-e-l-l i-t o-u-t
Re: (Score:2)
Relax, hackers will never be able to approach the level of damage done regularly to the grid by weather, trees, and animals (e.g. squirrels).
Re: (Score:2)
If management of infrastructure aka power plants is done via "internet", then yes: hackers can do much damage.
No idea why the infrastructure is not on a private network, like everywhere else in the world. Private as in: not even physically connected to the public internet.
Re: (Score:2)
hackers will never be able to approach the level of damage done regularly to the grid by [...] squirrels [...]
Damn! My super secret squirrel army has been spotted! We'll lose our acorns over this!
Allene? I thought you were stuck in the Negative Zone
Re: Up to date patches are defense #1 by far (Score:1)
It's more likely the first stage of probing and testing malware effectiveness. Who knows, there could be malware present waiting to be triggered at a later time in tandem with a future attack.
It isn't farfetched that an enemy nation state may have a "Stuxnet" of their own.
Re: (Score:2)
Sorry, forgot to cite: https://cybersquirrel1.com/ [cybersquirrel1.com]
Re: (Score:3)
This event appea
Re: (Score:2)
We have bigger phish to fry.
A small wind farm isn't going to compromise the grid.
Re: (Score:2)
How about all small wind farms? The problem is that most industries tend to congregate around the same sets of vendors, companies will specialize on a specific industry and thus you get the same products being used in all hospitals or all power facilities or all lawyers offices even though many are perfectly replaceable with anything but just because their peers are using something specific, upper brass thinks it will fit their company as well.
So it wouldn't surprise me that a specific rather unknown firewa
Re: (Score:2)
Would it surprise you that most SCADA systems can be manually overridden?
That they can have redundant "Sanity Checks" put in place for monitoring?
Re: (Score:1)
That is true, to a point. When Ukraine was hacked in 2015 they went to all manual to bring things back on line where devices were bricked. But there's not the kind of staff in the power system now to do that on a really widespread basis. There are also many manual systems where the procedure to do it manually hasn't been tested or trained on for a long time. The plant I worked in was for black start, and there was training of operators to synch units and close in manually, but doing that 2 or 3 times in 15
Re: (Score:2)
Blackstart plans are in place, which is the important thing, and validated to the extent practical. Syncing manually isn't typically that big of an ask for a trained operator, in the highly unlikely event it is needed. A procedure guides you through it.
Re: (Score:1)
"Validated to the extent practical"... You talk like you have a concept of what you're talking about... please go on, describe what you know about this. Yes, RTFM is the very first step in recovering from the blackout. They do a lot of reading by flashlight during a 2003 type blackout.
So as a former tech supervisor and plant electrical engineer for a black start plant - the one that restarts the southern chunk of New York State, so therefore NYC - I can tell you there are a lot of vulnerabilities th
Re: (Score:2)
But you have small wind farm operators and such that are throwing them up and using internet to send data, even monitor for maintenance, and they can't all be trusted to do a great job.
Except not. OEMs like Vestas install the wind farms and infrastructure and are responsible for maintaining them for a contracted period (typically 3-5 years). The "operators" own the wind farm from day 1 but aren't actually operating it until the OEM hands over the reins... then they can't be trusted to do a great job.
Re: (Score:2)
Indeed. If a script-kiddie can get in, it will sooner or later. These people have basically nothing except endurance. Keeping them out is easy, but costs some money and you need to have some IT security people with a clue about technology. The often-found "policy enforcers" will not do it.
Re: (Score:2)
How about not permitting your Internet facing firewall to be managed from the Internet?
What a bunch of incompetent arseholes! They should all be lined up in the parking lot and shot.
Re: (Score:1)
Or better yet, having the channel bank that carries Direct Transfer Trip (the signal opening a breaker on the other end of a transmission line for faults it can't necessarily see itself) have a management port that can be accessed remotely? Funny story, NERC CIP didn't cover telecoms even in version 5 and it still hasn't been rolled out now.
Just a script kiddie? (Score:4, Funny)
Was it at least a Russian or Iranian Script Kiddie?
Re: (Score:2)
Well that Script Kiddie can become a juvie and see the system before getting a lifetime blacklist.
Re: (Score:2)
Since they have no idea who it was....
Re: (Score:2)
Give yourself up and that is the deal, or you can add escape to your list of charges.
Re: (Score:2)
I will just take you down as stupid and illiterate then....
Re: (Score:2)
obviously
Well that's reassuring... (Score:2)
Re: (Score:2)
Right, let's get outraged over a "cyber attack" that caused no power outages and would have been unknown to anyone outside of the affected utility if they hadn't reported it to federal and state regulatory agencies.
On the other hand we have China turning the sky black from its electricity generation. There are nations in Europe driving up their energy costs with their increasing reliance on unreliable energy sources. And there are at least one billion people without access to electricity.
The USA really need
Re: (Score:2)
And starting next year NERC requires reporting of any event that even looks like it might be an attack, regardless of whether it was successful or had any impact at all. So we'll get to see headlines like "There has been a huge increase in reported cyber events", inevitably taken out of context.
Re: (Score:2)
But, over-reaction is the status quo.
And starting next year NERC requires reporting of any event that even looks like it might be an attack, regardless of whether it was successful or had any impact at all. So we'll get to see headlines like "There has been a huge increase in reported cyber events", inevitably taken out of context.
I'm not so sure if overreaction is a thing when it comes to hacking sensitive infrastructure and elections.
Re: (Score:2)
But, over-reaction is the status quo.
And starting next year NERC requires reporting of any event that even looks like it might be an attack, regardless of whether it was successful or had any impact at all. So we'll get to see headlines like "There has been a huge increase in reported cyber events", inevitably taken out of context.
I'm not so sure if overreaction is a thing when it comes to hacking sensitive infrastructure and elections.
When it happens, let me know.
Re: (Score:2)
Re: (Score:2)
I don't understand why you bring up environmental concerns.
I don't understand why you see my complaint as only an environmental concern. My concern is that many nations are driving up costs while reducing reliability. This is a concern on economics and threats of outages by poor management. Yes, indeed, my complaint on China's pollution is an environmental concern. My other complaints are of costs and availability.
They are irrelevant to this topic, and you're digressing from the main takeaway - that *just some script kiddie* managed to get into an infrastructure control center.
A "script kiddie" that managed only to rattle some doorknobs, not actually open any doors. If some kids were able to jump my fence to peek in some w
Re: (Score:2)
Blind, you know I always love your shit.
But we should probably consider this a threat.
And I don't mean panic and spend shit loads of money and pass a bunch of legislation for no reason.
I mean we should quietly and systematically secure our shit as quickly as possible.
When you start to look at security you have a whole shit ton of low hanging fruit.
These "script kiddies" are picking cider apples from the ground.
But someone that knows what they are doing doesn't need any help.
Re: (Score:2)
But we should probably consider this a threat.
Sure. Whatever. My point is that if we address issues like earthquakes, forest fires, or ice storms that can take down a power line then we've automatically addressed the issue of some "script kiddie" that happened to hack into a utility switchyard and opened up some switches.
And I don't mean panic and spend shit loads of money and pass a bunch of legislation for no reason.
I agree. It sounds like the utility that was the victim of the attack made note of it as required by law and is working to prevent it from happening in the future. Again, the electrical grid in the USA is doing quite well right now
Re: (Score:2)
Sure. Whatever. My point is that if we address issues like earthquakes, forest fires, or ice storms that can take down a power line then we've automatically addressed the issue of some "script kiddie" that happened to hack into a utility switchyard and opened up some switches.
We cannot control the weather but we can control the security.
I agree. It sounds like the utility that was the victim of the attack made note of it as required by law and is working to prevent it from happening in the future. Again, the electrical grid in the USA is doing quite well right now. Compared to other nations it's doing exceedingly well.
The biggest complaints I see are the problems in California created by the mismanagement from the government. There's more power outages from this government
Re: (Score:2)
I don't understand why you bring up environmental concerns. They are irrelevant to this topic, and you're digressing from the main takeaway - that *just some script kiddie* managed to get into an infrastructure control center.
Just an internet troll trying to shift the conversation. Surprised they didn't bring old white guys into the mix.
But yeah - calling the hacker "just a script kiddie" merely says that any higher level of competence on the part of the hacker, and the grid is pwned.
Re: (Score:2)
If Skynet is going to incubate anywhere it's China.. especially considering they actually have software to monitor their citizens called "Skynet".
https://www.abacusnews.com/who... [abacusnews.com]
https://en.wikipedia.org/wiki/... [wikipedia.org]
The lead engineer was a huge fan of the Terminator series, it's why he called it "Skynet"
Re: (Score:2)
And there are at least one billion people without access to electricity.
On which planet? Hint: it is 2019, if you use the Christian calendar, not 1970.
First-of-its-kind cyberattack on the U.S. grid? (Score:1)
Aug 2003: Blaster worm linked to severity of blackout [computerworld.com]
Aug 2003 Slammer worm crashed Ohio nuke plant net [theregister.co.uk]
So a script kiddie can get this far? (Score:3)
Do these people not even have basic IT security figured out? Sure, this amateur did not do much damage and may not even have targeted the power-grid, but what if somebody with actual skill comes along next time?
Re: (Score:2)
Yes they do. This was a low level event that impacted nothing.
Maybe read the docs and see how this was an outer ring of firewalls?
You say this amateur, but if you read the report, it clearly isn't.
Re: (Score:2)
Do these people not even have basic IT security figured out? Sure, this amateur did not do much damage and may not even have targeted the power-grid, but what if somebody with actual skill comes along next time?
You apparently don't have basic IT understanding, because you are making assumptions without the information needed. You don't even know where these firewalls resided in the scheme, and what other layers of protection were beneath them.
power utility company (Score:5, Interesting)
Re: (Score:2)
Re: (Score:1)
NERC CIP regs require credentials of workers on the ICS (industrial control system) to be removed in a really short time frame or else you face major fines from NERC. Now say I'm a technician supervisor, and I happen to be out on vacation when one of my technicians threatens someone else onsite and gets canned. We need to remove his credentials from all of the relays, PMU's, DFR's, comm systems SCADA, etc. in a very short time. As the manager might not be around, HR and other biz people need to be able to d
Re: (Score:2)
NERC CIP regs require credentials of workers on the ICS (industrial control system) to be removed in a really short time frame or else you face major fines from NERC. Now say I'm a technician supervisor, and I happen to be out on vacation when one of my technicians threatens someone else onsite and gets canned. We need to remove his credentials from all of the relays, PMU's, DFR's, comm systems SCADA, etc. in a very short time. As the manager might not be around, HR and other biz people need to be able to do this independently. Our HR person isn't authorized to go in the control room. She doesn't have access to a ICS computer.
Sooo.... the genius solution is to have the HR people in the biz net process it in a special application that then deactivates those credentials on the ICS... meaning all of the ICS credentials are visible in the business system. This was one of the big nono's from Ukraine, and there's a couple of applications sold in the US to do exactly this. In this particular case, NERC is actually the problem.
Business LANs can be segregated as well, and have their own restrictions with manager-only access. It's not hard to figure out who likely has credentials; I can read a LinkedIn profile and figure it out for some people just because of their job. But I agree the fast termination requirement is kind of ridiculous. It makes sense for sudden for-cause terminations, but a person doesn't suddenly become a risk when they retire or even take another job. They are more likely to steal info or something while still employ
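The thread above describes the design trap: to meet the short NERC CIP revocation deadline, an HR application on the business network is given the ICS credential list so it can disable accounts, which puts every ICS credential on the business side. The block below, an added illustration and not any vendor's product or text from the NERC CIP standard, shows the alternative the replies hint at. The business side submits only an authenticated request naming an employee ID; a broker that lives inside the ICS zone holds the employee-to-account mapping and does the disabling, with replay and freshness checks so an old or copied request cannot be reused. Employee IDs, device and account names, the shared key and the 300-second freshness window are constructed for the example.

```python
"""
Added example: a one-directional de-provisioning flow in which the business
network never holds ICS account data. HR sends {employee_id, reason, issued_at}
authenticated with an HMAC; the ICS-side broker verifies it, rejects stale or
replayed requests, and disables the matching local accounts. All names, IDs
and the key are constructed.
"""
import hashlib
import hmac
import json
import time

# Constructed shared secret. In a real deployment this is provisioned out of band
# and held only by the HR application and the ICS-side broker.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


# ---------- business-network side (HR application) ----------
def build_revocation_request(employee_id, reason, now=None):
    """Produce an authenticated request that carries no credentials, only an ID."""
    body = {
        "employee_id": employee_id,
        "reason": reason,
        "issued_at": int(time.time()) if now is None else now,
    }
    payload = json.dumps(body, sort_keys=True).encode()  # canonical bytes for the MAC
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": tag}


# ---------- ICS-zone side (de-provisioning broker) ----------
# The employee-to-account mapping exists only here; the business side never sees it.
ICS_ACCOUNTS = {
    "E1001": [("relay-sub1", "tech_jdoe"), ("scada-hmi", "jdoe"), ("dfr-02", "jdoe")],
    "E1002": [("relay-sub1", "tech_asmith")],
}


class Broker:
    def __init__(self, accounts, max_age_s=300):
        self.accounts = {k: list(v) for k, v in accounts.items()}
        self.max_age_s = max_age_s
        self.seen_macs = set()   # replay protection for already-processed requests
        self.disabled = []       # audit trail of (device, account) pairs disabled

    def handle(self, request, now=None):
        payload = request["payload"].encode()
        expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison; a tampered payload or MAC fails here.
        if not hmac.compare_digest(expected, request["mac"]):
            return {"ok": False, "error": "bad signature"}
        body = json.loads(payload)
        now = int(time.time()) if now is None else now
        if now - body["issued_at"] > self.max_age_s:
            return {"ok": False, "error": "stale request"}
        if request["mac"] in self.seen_macs:
            return {"ok": False, "error": "replayed request"}
        self.seen_macs.add(request["mac"])
        targets = self.accounts.get(body["employee_id"], [])
        for device, account in targets:
            # Stand-in for the device-specific call (relay, SCADA, DFR, comms).
            self.disabled.append((device, account))
        return {"ok": True, "disabled": len(targets)}


if __name__ == "__main__":
    broker = Broker(ICS_ACCOUNTS)
    req = build_revocation_request("E1001", "termination for cause")
    print(broker.handle(req))   # first delivery disables three accounts
    print(broker.handle(req))   # second delivery is rejected as a replay
```

The important property is what crosses the business/ICS boundary: a short, authenticated message naming a person, not a list of device accounts. HR can still meet the revocation deadline without a seat in the control room, and a compromise of the business network yields employee IDs rather than the ICS credential inventory the post describes.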
Re: (Score:2)
Then they are doing it right. Infrastructure should have never been tied to the internet. It would be fairly trivial to just syn flood command and control points and inflict severe damage. Hire a botnet and voila, take a city power/water system out.
CIP stands for "Critical Infrastructure Protection". That is what needs protection and in general there are no "ties" to the internet. There are layers of protections, electronic and physical, segmentation, and other methods in place.
There is plenty of non-critical infrastructure where it makes sense to use the internet and save money while incurring minimal risk. If you want distributed generation wind farms, you should embrace ways to reduce their cost. In reality, something can use the internet for co
Re: (Score:2)
Is it odd that I find this one of the most reassuring posts in regards to the security of our power network systems that I've read in the last 5+ years?
Are NERC recommendations serious? (Score:2)
"have as few internet facing devices as possible" and to use more than just a firewall for defense.
Any company not already doing this should fire its CIO/CTO/CSO.
People who should be fired (Score:1)
A "script kiddie" is someone who uses someone else's script, is too stupid to write their own, and the public exploit exists and is easily used.
A computer professional is someone who works in the computer or IT industry and can prevent these PRE-EXISTING EXPLOITS from working.
The people who should be fired are the INCOMPETENT non-apologetic people who ran the machines and did nothing to prevent these exploits from being used.
WRONG: Yes we were robbed, but it was an amateur burglar and our front door was unloc
Re: (Score:2)
"Yes we were robbed, but it was an amateur burglar and our front door was unlocked and open and we had a big sign "gold inside.""
Actually, a more accurate simile would be:
No, we were not robbed. The front door was locked. Unfortunately the burglar used the key we had hanging from the chain on the doorknob to unlock the door and let himself in. However, the burglar did not have the correct 4 digit pin code to open the interior door. So we had to shut the whole thing down and do a nitrogen purge to get hi
'Script kiddie' is actually more concerning (Score:2)
Re: (Score:1)
not great not terrible (Score:2)
I have an idea. Let's make a web interface for raising and lowering the control rods to all the nuclear power plants in the country. So that the technicians controlling it don't have to even come into work to make adjustments. Obviously they are password protected and so there is absolutely no way that any unauthorized entities could use the online control interface. What a great idea! Sigh.
I think it is partly that the current system of hiring people based solely on experience and education where people do
Re: (Score:2)
Known flaw is the problem? (Score:2)
Well, they've been very lucky so far. But if they think that the real problem is that some unsophisticated attacker is aware of a known vulnerability, then they are in for a world of hurt in the future. The problem, people, is that YOU did not fix the known problem. If it's a "known problem" then you should not assume that attackers don't know about it, right? If there is any lack of sophistication that is the problem here, it is with the people who are supposed to be guarding the installation, not with
Re: (Score:2)
Well, they've been very lucky so far. But if they think that the real problem is that some unsophisticated attacker is aware of a known vulnerability, then they are in for a world of hurt in the future. The problem, people, is that YOU did not fix the known problem. If it's a "known problem" then you should not assume that attackers don't know about it, right? If there is any lack of sophistication that is the problem here, it is with the people who are supposed to be guarding the installation, not with some script kiddie. This is our power grid we are talking about.
Not lucky. If you understood the tremendous amount of continuous attempts to hack our grid for many years, and then think that a 5 minute interruption of unneeded information has been the biggest success thus far in the US, then you are completely unaware of the realities in place to think it is just luck. You don't just get lucky and fend off the entire hacking world from successfully doing anything damaging on hundreds of thousands of devices in thousands of critical assets. Knowing that something might
That sounds a lot like (Score:1)
Just some script kiddie (Score:2)
Lol 99% of today's government penetration testers are script kiddies
This week's massive NYC Optimum failure. (Score:2)