Utilities Racing To Secure Electric Grid 113
FreeMichael61 writes "In the latest episode of Spy vs. Spy, China rejects accusations it's hacking U.S. companies to steal IP or bring down the grid. But there's no doubt the grid can be hacked, CIO Journal's Steve Rosenbush and Rachael King report. Industrial control networks are supposed to be protected from the Internet by an air gap that, it turns out, is largely theoretical. Internal security is often lax, laptops and other devices are frequently moved between corporate networks and control networks, and some SCADA systems are still directly connected to the internet. What security standards actually exist are out of date and don't cover enough, and corporations often use questionable supply chains because they are cheaper."
Happens all the time (Score:5, Informative)
Do you think that the energy industry is any easier on IT folks than anybody else?
Big dollar consultants instead of trained employees, given full unescorted access because the manager doesn't want to have to sit in the datacenter and escort them to the restrooms and such.
My SCADA datacenter still allows a cleaning crew in unescorted.
And electricians, and HVAC contractors and so on.
I found out they were PAINTING my datacenter the day that my storage started freaking out with heat alarms. Went running downstairs to find the facilities team had left a painting crew in the datacenter to cover all of my cabinets (and vented tiles) with tarps.
So these devices might not start connected to the internet, but a USB key here, a rogue cellular wi-fi bridge there, and some wild stuff can happen.
I've heard of other shops that had their SCADA people upset that they couldn't work from home, so they set up "secret" networks that only they knew about so they could still get in. Secret to their co-workers/management, but easy to find for the people who do that for a living.
Going anon for good reason.
Re:it always baffles me (Score:5, Informative)
... why are mission critical devices connected to the internet
sure we know that the weakest link is the meatware, not the hardware, but still...
They aren't, at least, not directly. They are however generally connected at various points to the "business" network which is connected to the Internet (people gotta email). The literal air gap is largely fiction. The business network is hacked, then some vulnerability exploited in the bridge points or routers (it's a network of networks!). Why connect the SCADA to the business network at all? To get the data out to do reports, send email alarms etc. in theory this data exporting should be secure. Problem is that who is hacking your SCADA system? It's not the usual suspects; there is no money in it and the barrier of entry is too high for the script kiddies. It's other countries wanting to perform espionage. How the hell do you protect against that? Look at stuxnet, I mean really look at how that took down the centrifuges. Governments have resources that the average hacking group simply doesn't (or SCADA group). They also have no reason to reveal a compromised system. There could be sleeper, targeted, custom malware sitting on every SCADA server in the US, just waiting for the a time where it will be useful to activate. It's a brave new world!
Re:The best defence is interdependence (Score:3, Informative)
China benefits from a functional United States
"Functional" is a very broad term. Everything could be "functional" and still be wired for demolition (in the virtual sense) at the push of a button halfway around the world, and furthermore laced with failsafes so that any attempt to tamper with it blows it all up in our faces. It could be that way right now and nobody knows it (or is telling us about it). Change the names around and think about it a moment: Someone infiltrates Iran's industrial control infrastructure in this way, and once it's completely irrevocable, issue what amounts to a blackmail notice. If it all worked as designed then Iran has no choice but to give in to any demands made, or have irrecovable damage done to their country. Now make this about the U.S. and China instead..
..oh, and here comes some dickheads modding me down to "-1, troll" or "-1, flamebait". Yeah, yeah, whatever.
Re:The best defence is interdependence (Score:4, Informative)
Mapping out electrical utilities is not a big deal, it is trivial. It is perfectly legal to drive around the country following power lines and they can find agents who blend in and can claim to be on vacation, looking for property or whatever. If there were a serious danger of attack on us via our infrastructure someone would have done it already because it is so very unprotected.
Drive around the country? Google Maps, my friend. You can follow power lines all over the place from the comfort of your living-room.
Re:it always baffles me (Score:2, Informative)
Cut the crap.
Thereare millions of mission critical things that are online for good reasons.
Just do it right.
Assuming,you don't have to do it right,because there's a air gap or anything else the sales guy would say when explaining why you don't have to hire an expensive network security guy will just get you in trouble.
It's like trusting a car salesman that this car is cheaper because it uses full synthetic oil so you never have to change it again.