US Government Warns Of 'Ongoing' Hacks Targeting Nuclear and Power Industries (reuters.com) 101
An anonymous reader quotes Reuters:
The U.S government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure. The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May. The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage. The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.
According to the report, the Department of Homeland Security "has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign."
According to the report, the Department of Homeland Security "has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign."
Well.. (Score:5, Interesting)
Re: (Score:3, Insightful)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
You'd think spending $6 trillion dollars (that's $6,000,000,000) on international affairs would fix things...
LOL!
https://www.google.by/search?q... [google.by]
Re: (Score:1)
Re: (Score:2)
You are really, really slow to catch up. This is way beyond governments, this is actual corporate wars. Take out a competitors computer system and you can seriously screw them up and cost them a ton of business which you can then grab.
The idiots keep saying Russia this and China that and because they wanted to play stupid global political games, they ignored the reality, it was Russian Oligarchs and Chinese Oligarchs and of course US Oligarchs and EU Oligarchs and well, many corporations from all over the
Re: (Score:2)
Isn't it too bad we behave so poorly in the role of Superpower that several to many sovereign nations would be on the suspect list.?.?.?
Your naivete would be charming if we weren't talking about international politics. You can't make all the other nations behave by just being nice. There is no nation on the planet which wouldn't be happy to pick the USA apart in order to get just a few percentage points stronger.
Re:Well.. (Score:4, Interesting)
You can't make all the other nations behave by just being nice.
That's as true a statement as You can't make all the other nations behave.
What we could do better is lead by example. The US is a microcosm of the World as a whole: many different nationalities, religions, races, ideas, and belief sets. I'd say working to make the melting pot work, instead of crippling ourselves with rabid partisan infighting, would be a great first step.
If it can't be done here, in this unprecedented era of peace and prosperity, the World's prospects are bleak.
Re: (Score:1)
Re:Well.. (Score:4, Interesting)
What, precisely, did we do to these nations? I mean, why do you believe that they are attacking us?
The USA has a large enough military to crush any nation it chooses and yet we don't. We have embassies all over the world, like any other nation. If some nation has a grievance against us they can start talks in these embassies in their own nation or that of a neutral third party. Have you actually listened to their demands?
These nations don't ask that we leave them alone. They want us dead. Take North Korea as an example, what do they want? The Kim family wants to rule the world, and they can't do that so long as we have our troops in South Korea and Japan. Take your pick of Muslim nations, what do they want? They want the world to bow to Mecca. That's not going to happen so long as America is able to defend itself. What about Russia? They want to restore the Soviet Union, where the sun never sets on their empire.
The USA is hated because we live free from their rule. They attack us over the internet because they cannot drop bombs on our heads. We've been fighting off Muslim invaders since before America was even a nation. The Barbary Wars were fought to keep these Muslims from taking American ships and enslaving the passengers and crew. They attacked us because they attacked everyone that didn't pay tribute.
Tell me, how should the only megapower on Earth be acting right now? What do you believe we should be doing to stop their attacks? I believe these attacks will not stop so long as free people stand to oppose communism and Islam. We can stop the attacks but that would mean destroying them or submitting to their rule. I don't like the status quo but it's better than the alternatives.
Re:Well.. (Score:4, Informative)
The US does not represent the worst possible outcome for the rest of the World as its preeminent Superpower. Far from it.
For starters, though, it would be nice to measure our worth by how much better we could be doing, as opposed to setting the bar at how much worse we could be.
Re: (Score:1)
Ah, yes, the good old "measure America against an imaginary Utopia, instead of measuring it against all the other countries that exist in reality." That argument never gets old, because it is literally unachievable and you never get to stop bashing America with it.
Utopia literally means, "no place". It is impossible to get there no matter what.
Re: (Score:2)
Re: (Score:2)
The USA has a large enough military to crush any nation it chooses and yet we don't.
You basically answered your own question. We don't crush them with our military because by conducting virtually anonymous cyberattacks disassociated from any official government, they have a chance at causing real harm risk free.
Re: Well.. (Score:2)
Re: (Score:2)
The USA isn't a superpower. Hasn't been for a long time. It's a megapower, we've surpassed superpower status. And the USA is the only megapower.
How many aircraft carriers are there in the world with a displacement over 100,000 tons? Eleven. How many of those does the USA own? Eleven. Each one carries about 60 jet fighters, and each jet can carry about 8 tons of weapons. That's just the start of the military power.
To back up that military is an economic power that produces 20% of the world's wealth.
Re: Well.. (Score:2)
Microsoft's fault (Score:2, Informative)
Re: (Score:1)
Good point! But which would be harder, finding flaws in Microsoft Libraries or finding flaws in Microsoft Libraries and Linux Librararies and BSD libraries and other System Libraries? Microsoft isn't known for supporting other System Libraries as far as I know.
Re: (Score:1)
The old adage of putting all your eggs in one basket comes to mind here. No one in the US would be stupid enough to bet solely on one company.
Re: (Score:2)
Re: (Score:3)
Is that your security philosophy? If that's the case then you're an idiot. Pulling a cable doesn't make something secure. You need an entire culture of security to do that.
None whatsoever!
Oh I see now you don't actually work in the industry. Sorry but there's a myriad of reasons that these systems need to be networked over a wide scale, the least of which isn't that they don't work otherwise.
If you need constant monitoring of stuff, give someone a job to monitor.
Err no. Get a clue.
Re: (Score:2)
Pulling the cable makes something more secure. It drastically diminishes the number of potential intruders. Having no physical connection is the best kind of firewall. Anything that doesn't need to be on the Internet shouldn't have a connection, so instead of a good firewall, you should chose the best firewall.
This 'need to be networked' thing is nice on paper, but in fact, a lot of these 'needs' are not your own (company's) needs.
If you think everything has to be on the Internet, then in your words 'you ar
Re:Pull that cable! (Score:4, Interesting)
Pulling the cable makes something more secure. It drastically diminishes the number of potential intruders.
Not necessarily. Quite often pulling the cable makes everything less secure as it breeds a culture of complacency at best and breeds a better kind of idiot at worst. Pulling a cable is absolutely no substitute for actually having security thought through in the organisation, and I'll take well thought out firewall / VPN infrastructure any day over the pull the cable approach which by its nature necessitates bypassing the airgap.
Anything that doesn't need to be on the Internet shouldn't have a connection, so instead of a good firewall, you should chose the best firewall.
You've lost. Everything needs a network connection somewhere, and every network eventually needs a connection to the internet. The key is segregation in the design stage. Otherwise you'll end up with what we call box-rot, a set of computer systems isolated constantly being connected to and from with various mechanisms or best yet, ignored completely with security issues more wide open than a $2 hooker.
This 'need to be networked' thing is nice on paper
That paper is often one of the following:
- Legal requirement
- Technical limitation
- Geographical limitation
- Operational limitation
Most organisations would be unable to operate a local compressor without some access to a wider network let alone a country wide wind farm, energy grid, etc.
If you think everything has to be on the Internet, then in your words 'you are an idiot'.
But I repeat myself: Oh I see now you don't actually work in the industry.
Re: (Score:2)
Your whole post boils down to the false claim, "Everything needs a network connection somewhere, and every network eventually needs a connection to the internet."
If you turn your conclusions into presumptions all you do is go in a circle like an idiot.
Re: (Score:2)
Your whole post boils down to the false claim
The claim is only false outside of the industry and backed up by 4 key points you see coming up over and over again.
But I repeat myself: Oh I see now you don't actually work in the industry. ... Wait you're not the OP, well then clearly there's more of you.
Re: (Score:2)
Oh I see now you don't actually work in the industry
What industry is that? I didn't mention it in this comment. Did you read the part I wrote that said
If you turn your conclusions into presumptions all you do is go in a circle like an idiot.
So you want to be more truthy by forming an idiotic belief about what industry I work in? That wouldn't make your comments any more considered.
What industry do you imagine a person would need to work in to know that "Everything needs a network connection somewhere, and every network eventually needs a connection to the internet" is a false statement? It seems actually that anybody who works in any industry th
Re: (Score:2)
What industry is that?
Fuck me, it's not like the industry isn't written in the title bar of your browser right now!
Re: (Score:2)
You weren't responding to the title bar of your browser... were you? Oh.
Re: (Score:2)
>Quite often pulling the cable makes everything less secure as it breeds a culture of complacency at best and breeds a better kind of idiot at worst.
Strawman. I didn't mean neglecting security patches or just any software upgrades. Upgrade offline, if you have a bug that is confirmed fixed by a patch. But never allow a 3rd party to issue a half-decent patch which will be silently applied on your production environment. Oh, wait, "i see you are not working in the industry"
>That paper is often one of th
Re: (Score:2)
Pull the cable to the internet. There is NO excuse to hook up critical infrastructure to the internet. None whatsoever! If you need constant monitoring of stuff, give someone a job to monitor. Do not, I repear, do NOT hook your systems up to the internet just to save a quick buck!
Articles like this would have you think that nuclear power plant control systems are connected to the internet, but they are not. The authors use intentionally vague wording.
Re: (Score:2)
Brilliant, companies can damn well create their own private networks to manage their distributed systems. They should be able to recreate their own private internets in about, what, a year or two in your pink unicorn world? No doubt they'll be able to all hire the best network engineers to pull off this task. The fortune 100 companies can all create their own internets, 100 of them. That will surely lower the attack surface!!! Wow! Have you told these companies how to make their distributed systems secure?
Re: (Score:2)
Any bets the majority of compromised computers ran a version of windows? We need to stop using Windows in these environments.
And THIS is the exact kind of thinking that causes big gaping security issues for companies. The idea that there's a single solution rather than an entire philosophy to security is not only absurd, it's absolutely downright dangerous.
Not running Windows protects you from random online malware designed specifically to attack as large of an install base as possible to maximise return. It does NOTHING for a targeted attack. Have you learnt nothing from the likes of Stuxnet? A piece of malware coded specificall
Re: (Score:1)
And THIS is the exact kind of thinking that causes big gaping security issues for companies. The idea that there's a single solution rather than an entire philosophy to security is not only absurd
I never suggested a single solution. I only commented that windows is a bad solution. It is less secure then other platforms. It is more vulnerable then bsd or osx. We need to move to more secure platforms. We need to stop making it easy for foreign hackers. I am not sure why you think Windows is a secure platform.
Have you learnt nothing from the likes of Stuxnet?
I learned a lot from stuxnet. These attacks are a beachhead. They might not be directly connected to critical infrastructure, but they have information about said infrastructure. It is fe
Re: (Score:2)
Lots of control systems incorporate HMIs and other software that not only requires Windows; they often require very specific back-versions of Windows supplied by the systems vendors themselves. It's easy to say "don't run Windows" or "if you must run Windows, keep it updated and patched," but that's not realistic. And that's for some very good reasons: software that controls machines simply must be tested to a far higher standard than software that humans will use, because machines aren't as adaptable as hu
Probably just the DHS' pen testing again? (Score:2)
Re: (Score:2)
Errmmm....you mean the Ukranian power plants? They got zapped or did you not get the memo?
sophisticated hackers (Score:3)
Why are they connected at all? (Score:1)
When read stories like this I wonder:
Why were these facilities ever hooked up to the Internet at all?
Why did they not use a computing system that is compatible with anything else?
Answers
1. There are benefits to adding computers and internet connections to such facilities, probably a long list a very big benefits
2. A proprietory or unique computing system would lose out the benefits of ongoing major advances in computing occurring is 'mainstream' computing, driven by billions of dollars and millions of human
Re: (Score:2)
Re: (Score:2)
A person with the required skills could watch an entire network.
That would free up spending on wages, pensions and having to deal with unions.
The result was a rush to use contractors to network entire regions. Contractors vs 24/7 union workers.
The air gapped protections and workers on site got replaced with new internet facing networks.
Years later reality sets in. The random int
How can we tell? (Score:2)
Don't worry retard APK will tell us about hosts (Score:1)
Don't worry I'm sure that retard APK will tell us about how his hosts file will stop all this.
I guess (Score:2)
EMP attacks on the grid were too difficult to do right.
Re: (Score:1)
Why would you assume that? It's a major escalation to accomplish that kinetically. To do so in "unattributed" hackerspace and then play pussy is much less risky.
Donald Trump can't deny a bomb, even if he can (pretend to be dumb enough to) deny Putin is an adversary otherwise.
Honeypots (Score:1)
I'd like to see many more honeypots set up. Make 'em think they're doing something, and put the real stuff on highly encrypted VPNs and stuff.
Start a fight... (Score:5, Insightful)
Re: (Score:2)
Why did the NSA and CIA start a cyber arms race when the USA is the most vulnerable to the kinds of attacks it's creating and therefore provoking from non-USA aligned countries?
Hacking doesn't necessarily favor the poor, underdeveloped, cash-strapped nation-states; yet, it does level the playing field a bit.
A relatively small fraction of a Superpower's military budget can be allocated to achieve successful cyber disruption.
Re: (Score:2)
That this a plain and simple lie.
Re: A cyber what now? (Score:1)
Re: A cyber what now? (Score:1)
They claimed 1100 cases of fraud based on their research, yet that number is highly deceptive at best, and more frankly not true. Their own research: https://www.brennancenter.org/... [brennancenter.org] makes their claims look ridiculous, and in fact makes a v
Re: (Score:1)
Re: (Score:3)
Errr...because other countries were going to do it regardless of what the U.S. did?
It really is a shame!! (Score:1, Interesting)
The US has been waging war against its citizenry since its inception. Free thought itself is even outlawed in its very Constitution. Read Article 1, Section 8, Clause 8 if you don't believe the government doesn't want to regulate freedom of thought in the country.
Re:U.S. ... Denounced (Score:2)
Well, no, it just means that military planning for contingencies is happening. Hey, it's called 'preparedness', and isn't an act of war. Stockpiling of food, water, blankets against times of catastrophe isn't starting a disaster, either.
I dare you hackers!! (Score:2)
Come and try ti hack the power company here in Puerto Rico. You will fail miserably!!!
More of a problem for those small grid renewables (Score:2)
I'm assuming that critical energy infrastructure is airgapped from the Internet. Any single large-scale generating plant is easy to isolate, because all the maintenance is being done by permanent onsite staff.
But how do you isolate the grid itself? It inherently has to be controlled as a network, which you dutifully isolate at the outset from all other networks. Still, the vast array of spread-out components in a grid comes into close contact with possible malefactors at many points, most of which are unma
Controll systems om publicly accessable networks (Score:1)
Ongoing hacks targeting critical infrastructure .. (Score:1)