Friday, April 10, 2009

Hacking the Power Grid - Another Government Control Scheme

This obviously starts at the WSJ's rather excited article about the power grid being hacked. Go ahead and read it. You'll note no actual facts, names or anything to move forward investigating with. This isn't an article, but more of an editorial.
The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."

The espionage appeared pervasive across the U.S. and doesn't target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

Blah, blah, blah. Horse-Shit.

Anyone who remembers the Y2K horrors will understand we must act NOW NOW NOW or we're all DOOMED!!!!!

Or more likely not.

Schneier puts some perspective out on this.
Read the whole story; there aren't really any facts in it. I don't know what's going on; maybe it's just budget season and someone is jockeying for a bigger slice.

Honestly, I am much more worried about random errors and undirected worms in the computers running our infrastructure than I am about the Chinese military. I am much more worried about criminal hackers than I am about government hackers. I wrote about the risks to our infrastructure here, and about Chinese hacking here.

And I wrote about last year's reports of international hacking of our SCADA control systems here.

Read some of the links. Some perspective is really needed here.

I'm not sure I'd be that laid back about the topic, but there definitely is no reason to be freaking out like many of the MSM article writers appear to be.

There is little doubt that this will be used, if it isn't already being used, to push Obama's Smart Grid controls. You remember that. Where the power grid is made smart and can turn down your thermostat when you're being bad.

Here are a couple of articles on the ONE moving us forward on the smart grid. I like this one:
Most smart grid stakeholders are well aware of this dilemma and have looked for hope in the various standards efforts at international bodies such as the IEEE's BPL, WiFi and WiMax processes (we found an IEEE smart grid interoperability slide presentation with more on that) as well as industry-led efforts such as the ZigBee Alliance, Europe's OPERA and the HomePlug Powerline Alliance.

But that's not enough. The whole smart grid needs to be fused with IP, high-level security and iron-clad interoperability standards -- and a new champion has come on the scene and is taking steps to get it done. His name is President Barack Obama.

Obama's predecessor was in favor of the smart grid but never seemed to show much awareness of the problems in the industry or much interest in getting them fixed. George Bush signed the Energy Independence & Security Act of 2007 (EISA) that included the first-ever smart grid language including setting money and efforts aside at DOE to get the smart grid done. Title 13 of that law sets out efforts to get interoperability standards created (more on that later in this story).

No doubt this was written by an Obot. You know that dummy Bush didn't do anything, but put a bunch of money toward developing the system. Stupid George. Now we have the brilliant Barry to drive this home and no doubt will code it all and make electricity free and unicorns will fart rainbows and.........

Isn't it wonderful that the savior walks the earth? [What an idiot.]

So what is really happening? Here's a link that actually gives you some information.
Operational Problems:
And there are other problems that are more deeply embedded in the day-to-day operations of a utility's business. Network control software that utilities buy from outside vendors often includes the ability to run Web servers and enable remote access and wireless access. Then there are configuration problems, such as routers and other systems that use default passwords, or worse, don't use passwords at all, according to Zatko and others who have tested the systems.

Many warnings have been sounded over the years. In 1999, Zatko compiled a list of about 30 utilities whose plant control networks could be accessed remotely, and he says many of them still have the same problems today. In 2004, Gartner did a report concluding that the use of IP networks for critical infrastructure could serve as bait for cyberattackers.

"It's painfully easy to exploit" the control systems, said Frank Heidt, chief executive of professional security services company Leviathan Security. "Energy management systems really can't be connected to the Internet. It's going to be painful for some companies, but they're going to have to change this."

Last year, a security expert at the RSA conference detailed how easy it is to break into power plants by downloading malware to employee computers through a socially engineered e-mail that directs them to a malicious server. Meanwhile, Core Security found a hole in the Suitelink software that is used to automate operations at power stations, oil refineries, and production lines.

Lewis of the CSIS acknowledged that using the Internet opens utilities up to cyberattack risks, but said there are "sound economic reasons" for them doing so.

"Most of the critical infrastructure on the Internet is there for legitimate business purposes," agreed John Bumgarner, a research director at the nonprofit U.S. Cyber Consequences Unit.

I'm still trying to figure out for what reason you would link key infrastructure to the internet. What "legitimate business reason" would there be?

I've a feeling that these companies are basically the same as most who don't see any reason for security or they don't balance the risks, or even address those risks before doing these things.

Read the article. There is a lot of history and related information there.
