US One Step Closer To Electric Grid Cyberguards 74
coondoggie writes "The US Department of Energy this week officially opened up the bidding for a National Electric Sector Cyber Security Organization that would protect the nation's electrical grid from cyber attacks. According to the DOE, the agency has set an aggressive goal to meet the nation's need for a reliable, efficient, and resilient electric power grid, as well as improved accessibility to a variety of energy sources for generation. In order to achieve this, an independent organization is needed (PDF) to provide executive leadership to facilitate research, development, and deployment priorities; identify and disseminate best cybersecurity practices; organize the collection, analysis, monitoring, and dissemination of infrastructure vulnerabilities and threats; and enhance cybersecurity of the electric grid, including control and IT systems."
Easy (Score:3, Insightful)
Disconnect those systems from the internet and make sure the networks they connect to are not connected to the internet.
If they want to be able to monitor, then add sensors as needed and connect that system to the internet.
Dumbasses, all around.
Re: (Score:3, Insightful)
Um... Ok, you have a closed network over hundred miles of wires, what stops me from doing a "on the wire" attack? Just because something is not connected to the internet does not make it physically safe. unless you wrap your communications wire with high voltage power wires... then, it would be rather difficult to perform a physical attack.
Re: (Score:2)
Ok, you have a closed network over hundred miles of wires, what stops me from doing a "on the wire" attack?
The fact that you're in China. We're talking about cyber attacks. For everything else, there's a rather expensive military.
Re: (Score:2)
And the only attacks you have to worry about are from people who are overseas and couldn't possibly get here or have contact with sympathizers here?
Re: (Score:2)
As JesseL points out - an agent or thousands of agents in the US can gain access, despite the fact that they are furriners. I'll go a wee bit further - much of the "command and control" being installed today is wireless. From a military point of view, wireless has ALWAYS been the least secure method of communications. You'll find that this has been doctrine since the earliest wireless sets. Whatever you broadcast is going to be recieved by the enemy, to be decoded at his leisure. With wire, at least yo
Re: (Score:2)
> With wire, at least you can detect that your signal is being intercepted.
Not necessarily, search around...
Re: (Score:2)
Hmmmm. Depending on your hardware, and your capability with your hardware. Let's say that in more than 99% of cases, any security oriented agency, such as the military, knows when one of their lines is open. With any wireless transmitter, you KNOW the line is open to interception. No guesswork involved with that! ;^)
Re: (Score:3, Interesting)
And then someone splices onto an ethernet connection of the trusted network and brings the whole thing down. Which is easy, since that network is all over the place.
An air-gap solution is one quick and simple line of defense, sure. But I'd rather have real cryptographically-secure authentication on all the relevant systems than an air-gap defense.
Re: (Score:1)
Re: (Score:2)
"An air-gap solution is one quick and simple line of defense, sure. But I'd rather have real cryptographically-secure authentication on all the relevant systems than an air-gap defense."
How about we go back to pure switch-controlled stuff, and get rid of the network completely? You want it safe, make it so the ONLY way to fuck with the system is to either dig up a wire and cut it (enjoy your electrocution knowing most moronic terrorists) or actually be at the control booth flipping the switches.
Seriously, t
Re: (Score:2)
Khyber should be modded "insightful" - but he will probably be modded down, if at all. The problem is, everyone thinks in terms of cost efficiency today. And, that is the very reason everything has been networked. No one is willing to position a human being, with all the inherent costs, somewhere that he can manually control anything.
Which is weird, since we have millions of Americans sitting around in their Mama's basements and/or in the projects, contributing nothing to society, sucking in those welfar
Re:Easy Not quite (Score:3, Informative)
Disconnect those systems from the internet
Remember, a lot of these are old school systems. I know that a lot of remote SCADA (Supervisory Control and Data Acquisition) equipment was never on the Internet. Why? Because it had a modem instead. The electric utilities upgrade their stuff at glacial speed. I bet a lot of that stuff is still out there, and still has a modem connected and has weak to no security.
Re: (Score:1, Interesting)
Sigh. You just don't understand. You're right, but you don't get it. SCADA systems are STUPID. Really stupid. Most of the people that work with them, being programmers are also stupid.
Let's start with monitoring. Most of the hardware that does control has only a single port. The really expensive pieces may have a few. They communicate over a proprietary protocol that I guarantee you there is almost no standard for. Various standards *may* exist by industry, but almost nobody implements it correctly.
Re: (Score:2)
Disconnect those systems from the internet and make sure the networks they connect to are not connected to the internet.
Unfortunately, most of today's management will interpret this as a physical, wired connection. We see that in some of the replies already, which assure us that an "air gap" is a solution.
But this computer I'm typing on has no wires connecting it to anything, and it's on the Internet. I could have pulled my "smart phone" out of my pocket and typed this reply on it. The days in which an a
Re: (Score:1)
What you propose is so common sense, and yet they make it sound like great feats of engineering to come up with them....seriously all they need is to control access to the systems, and limit the apps on each machine, no chat clients or internet, your less bound to use them for other things then monitor power grid consumptions etc...
Also, I tend to think you under simplified the problem....dumb-asses need to go, and get some real geeks in place
3 step plan (Score:3, Insightful)
1. Don't put key systems on the internet
2. ???
3. PROFIT!
Re: (Score:3, Insightful)
Re: (Score:1, Interesting)
The issue here is cyber-security. How else would the government cause outages to blame on pedophiles^W terrorists^W China? How else would they be able to cut the power to Michigan and Montana when the popular revolts begin?
Are you suggesting that the government should send teams to every substation to flick the switches? What is this, the dark ages?
-- Ethanol-fueled
Re: (Score:2)
Just because a network isn't on the internet, doesn't mean it's not vulnerable to attack, especially when those nodes may be hundreds of miles away.
What exactly is the job of the military, again?
Re: (Score:3, Interesting)
Re: (Score:2)
"The thing is, you've got remote substations, lines, generators, etc... that all have to communicate with your control system. Just because a network isn't on the internet, doesn't mean it's not vulnerable to attack, especially when those nodes may be hundreds of miles away."
I seem to remember this magical thing called broadband over powerline. Yes, let's see you tap into a 75,000kV line and get access to that data.
Re: (Score:1)
Re: (Score:3, Interesting)
I have a great way to protect against cyber-attack (Score:3, Insightful)
I have a great way to protect the power grid against cyber-attacks: Don't connect it to the internet!
If there's no route to the power grid's control computers via the internet, then there's no way that a cyber-attack could affect it. And no, this doesn't mean that power companies can't connect to the internet to accept bill payment or requests to connect/disconnect service - just that they shouldn't allow anything critical to be CONTROLLED over the internet - and it also doesn't mean that they can't have a private TCP/IP network that for sharing information among their various systems, which obviously is something that they will want to optimize the power grid and power production to get maximum return on their high capital investments.
Re:I have a great way to protect against cyber-att (Score:4, Interesting)
No, we should have both a secure infrastructure and an infrastructure that benefits from connecting to the public Internet. And a public Internet that benefits from connecting to the secure infrastructure.
What you're saying is like saying we shouldn't run railroads across the Wild West because it's Wild. We needed both complete railroad networks, and a governable West. And we got both. And then we got everything else that could follow on a governable, railroad accessible West.
The American Way is to do some things because not because they're easy, but because they're hard. Because those hard things yield the greatest rewards. Including proving we can do anything worthwhile we want, even when the easy cop out beckons.
Re: (Score:1)
Too bad there are barely any indians left to kill.
(I don't think people living today are particularly responsible for the crimes of history, but we can choose what we glorify)
Re: (Score:3, Funny)
Re: (Score:2)
This time around we don't kill the "indians". Instead of invading and genociding the cultures already on the Internet, we secure our lines on them. Unlike material domains, there's infinite room on the Internet for everyone. But we should allow anyone who wants to live there securely that option, even if people want to live out in the open at their own risk.
Re: (Score:1)
I wasn't criticizing your point about securing the internet, I was pointing out that it is pretty crass to talk about the taming of the West in these terms:
The American Way is to do some things because not because they're easy, but because they're hard. Because those hard things yield the greatest rewards. Including proving we can do anything worthwhile we want, even when the easy cop out beckons.
I suppose you could wave your hands around and say that isn't what you were doing, but that's what I saw.
Re: (Score:3, Insightful)
What you're saying is like saying we shouldn't run railroads across the Wild West because it's Wild. We needed both complete railroad networks, and a governable West. And we got both. And then we got everything else that could follow on a governable, railroad accessible West.
I'm afraid your analogy breaks down because no one is suggesting we don't provide electrical service to homes that have Internet service, which is what your train analogy would imply. They are just suggesting that grid control systems not be run by computers connected to the Internet, which is quite a reasonable proposition.
Re: (Score:2)
No, they're suggesting we don't put the power network on the Internet, because the Internet is too dangerous to secure. Just like they might have said don't put the railroad network in the Wild West, because the Wild West is too dangerous to secure. They might have said "stick to the coasts" or "just one secured corridor across the country": a private rail network that could be secured from the Wild West. Or a private power network that could be secured from the Internet.
Instead we built a rail network that
Re: (Score:2, Funny)
We needed both complete railroad networks, and a governable West. And we got both.
You haven't been to the west, have you?
Re: (Score:3, Interesting)
I thought Texas was just a honeypot for Teabaggers.
Re: (Score:2)
I lived there for years, in the Northern California that was created by the rail network, and which still cradles any number of outlaw cultures. That "Western independence" myth is for people from Glennbeckistan.
I also lived in Louisiana for years. That is an ungovernable wilderness.
Re: (Score:1)
Re:I have a great way to protect against cyber-att (Score:3, Interesting)
Don't connect it to the internet!
"and it also doesn't mean that they can't have a private TCP/IP network that for sharing information among their various systems"
:
Knowing that boundary is becoming increasingly difficult with our interconnected society. Not to mention, things like social engineering, rogue media (flash-drives etc...) are increasingly hard to regulate internally. A lot of these security issues also stem off an even more pivotal attack vector, the human element.
The engineers, programmers, and designers may be well aware of security practices and threats, but a blue-collar operator may not be as well versed in these areas. This
Re:I have a great way to protect against cyber-att (Score:3, Informative)
I have a great way to protect the power grid against cyber-attacks: Don't connect it to the internet!
I work in Industrial Automation, IE the kind that is used in Power Plants, Manufacturing Plants and basically anything else that is automated. The equipment and software is generally controlled by third party manufacturers. Of course as no software is really bug free, these manufacturers are continually releasing updates (although I have reported some of those practices on The DailyWTF) and they release these updates via .. The .. Internet.
Fine, so how do I get my updates in a timely manner? Perhaps I sh
Re: (Score:2, Informative)
I have a great way to protect the power grid against cyber-attacks: Don't connect it to the internet!
Nothing on the grid is, or will be connected to the Internet. Yes, you may find it amazing, but the IT folks in the energy sector have already figured this out, even without your advice! Duh..
However, if you think that's all it takes to secure the grid you're even more naive than you sound.
All of the transmission organizations I've worked with have their grid networks completely isolated from their "business" networks that may have some external connectivity. Most won't even allow a simple serial (as in
Re: (Score:1)
InfraGard (Score:5, Interesting)
Re: (Score:1)
Here's a quote from their website.
"Gain access to an FBI secure communication network complete with VPN encrypted website, webmail, listservs, message boards and much more."
"Learn time-sensitive, infrastructure related security information from government sources such as DHS and the FBI."
Do I need to say more? Why are normal citizens able to get this type of data so they can spy on their neighbors and report t
Dont we need a grid worth defending first? (Score:3, Interesting)
All I want to know is... (Score:3, Interesting)
... who will monitor the cyberguards?
Re: (Score:1)
Re: (Score:2)
Tron.
Re: (Score:1)
Big red button (Score:2)
The US's electricity grid needs a big red button that reads - "Disconnect from the internet." This new organisation will then spend years and millions on communities and finally decide to push that button. Then the bunnies and little kids will live happily ever after.
Seriously guys, use the Internet for getting diagnostic data back but for the love of god do not hook in any control systems. We're talking both at the state and city level. If you have to send a guy down there in a van to flip a switch then fr
Re: (Score:2)
Seriously guys, use the Internet for getting diagnostic data back but for the love of god do not hook in any control systems.
I'd guess this will work about as well as with the electronic voting boxes in recent elections. Some of the stories here talked about the discovery that some of those boxes, when visibly "disconnected", still had a live IR port. There were demos of bringing a similarly-equipped laptop into the voting area, connecting via IR to those voting machines, and poking around inside them fro
Outsourced Government Security Monopoly? (Score:4, Interesting)
Some systems are properly a monopoly. The nation shouldn't have two Army services. In general security for a given political area, like nationwide, statewide or countywide are best (or perhaps just least badly) run by a monopoly governed by officials elected by the people. Certainly at the national level that is the case.
Outsourcing that job to a private corporation to hold the national monopoly is asking for trouble. There will be no pool of private competitors competing for that contract, because the national market supports only one vendor: the one who wins that contract. That circular setup means the benefits of competition to produce the best candidate will not.
There is plenty of room for outsourcing regional security work to vendors actually competing at that scale, if indeed there are multiple vendors of security to large power grids. Let the regional front line vendors compete to keep their contracts. But the monopoly at the top that actually manages those regions into a comprehensive, integrated national infrastructure defense should be within the government. Which is the only monopoly that has a chance to behave properly.
Re: (Score:2)
Isn't this what mandated open standards and "all your work is belong to US" kind of government IP contact designed to prevent against?
Re: (Score:2)
And I thought that when armies compete they just kill civilians and occasionally each other...
Re: (Score:2)
Some systems are properly a monopoly. The nation shouldn't have two Army services.
Ah, but here in the US, we have more than one. There's also that other one called the Marine Corps. And there's the one that used to be called Blackwater USA, then Blackwater Worldwide, and then recently renamed itself to Xe Services LLC so as to hide from all the bad publicity. I'll leave it open for other readers here to name a few of the other US Armies.
Re: (Score:1)
CZAR (Score:2)
We need an Electrical Grid Cybersecurity Czar. How can we get anything done without a CZAR?
As long as we have centralized power distribution (Score:1, Troll)
on a large scale, it's indefensible. If we had a thousand dams with many thousands of small generators, many thousand solar installations on every structure in the country where it made sense, many thousands of tiny wind farms, many thousands of small geothermal generators, and so on, with passive protection from overload for all, this wouldn't be an issue. For that matter, neither would fuel shortages, at least as far as electricity goes.
Can't wait! (Score:1)
Not the only problem (Score:3, Insightful)
Forget the power grid, all our communication infrastructure is equally if not more vulnerable.
A year ago, all of South San Jose suffered a communication outage due to this intentional fiber sabotage:
http://www.pcworld.com/businesscenter/article/162910/fiber_cuts_slash_silicon_valleys_internet_arteries.html [pcworld.com]
I was driving south on 101 to Morgan Hill to work. About 3 miles north of my destination, my cell phone call was lost. At work, we had power but no internet, phones, or cell phones. We had radio, that was about it. It was later blamed on the fiber lines cut, which happened coincidentally right after the AT&T union contract had expired. Might as well been a terrorist.
Re: (Score:1)
At work, we had power but no internet, phones, or cell phones. [...] Might as well been a terrorist.
Indeed; the thought of Internet connectivity issues is a truly terrifying specter.
More bureaucracy is NOT the answer (Score:2)
Greetings and Salutations.
The fact of the matter is that there is a lot of ANY countries infrastructure that can be easily disrupted if one can get access to them, either through physical access or through a network. There is little that can be done to prevent this, short of draconian measures that would be unacceptable to most Americans. Instead of creating an expensive bureaucracy that, very quickly, will graduate from protecting the country to perpetuating i
Reality Check (Score:2)
It would be nice to separate the electric generation, transmission, and distribution networks from the Internet, but it ain't happening. SCADA systems are being interconnected to each other and to proxies that deliver data to the Internet in real time, or near real time.
Nobody can avoid this. SCADA systems are delicious fountains of high fructose data that executive operations staff, researchers, and governments are finding hard to resist. The Smart Grid is only the latest of many wide eyed high tech applic
cybersecurity for power grids ain't possible. (Score:1)