Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
United States Government Power Security

US Grid At Rising Risk To Cyberattack, Says GAO 69

Distribution systems within the U.S. electrical grid are increasingly vulnerable to cyberattack, a government watchdog said in a report released Thursday. The Hill reports: In the report, the Government Accountability Office (GAO) noted that the Department of Energy's cybersecurity strategy has predominantly focused on generation and transmission systems. The watchdog recommended further attention to risks facing distribution systems, those parts of the grid that actually carry power directly to customers. Those aspects of the grid, the report states, "are becoming more vulnerable to cyberattacks, in part due of the introduction of and reliance on monitoring and control technologies." "However, the scale of potential impacts from such attacks is not well understood," it states.

Distribution systems' vulnerability is increasing due to their industrial control systems, which have increasingly been incorporating remote access. As a result, they can give bad actors access to them. The systems the report analyzed generally are not covered by federal cybersecurity standards but have in some cases taken independent action on them. Energy Department officials told GAO investigators they were unaware of any assessments underway analyzing how a cyberattack would affect distribution systems, saying the impact would likely be less significant than on generation and transmission. However, the report notes, depending on which distribution was affected it could have nationwide effects.
This discussion has been archived. No new comments can be posted.

US Grid At Rising Risk To Cyberattack, Says GAO

Comments Filter:
  • .. the sun rises in the east and sets in the west.
    • by Z00L00K ( 682162 )

      To some extent it's true - and to take control of a grid or any other industrial system then you'd target the PLC nodes. One of the problems here is that in an industry there are just a few persons that knows how to handle them in the specific solution. Maybe only one. And each installation is pretty unique.

      • by cusco ( 717999 )

        To take it down is a whole lot easier than to take it over, just shoot up substations, relay stations, insulators, and repair personnel. Anyone who has ever worked in the industry knows that, hundreds of thousands of people worldwide, and yet it never happens. Is it just possible that the fearsome terrorists that we're supposed to be so frightened of don't know that? Or is it more likely that they're just not what we've been told?

        • Terrorism works through large scale acts that sow fear. It's like punching your enemy really hard to make them reconsider their position. I don't think it's generally effective against modern nation states.

          What you describe is a Gurellia war. In this case the objective is totally different. It's to beat the adversary into submission or create the ground work for a coup/invasion. No enemy really wants to do this to us. It's why states are more likely to interferon and hope our nation implodes. Then when

          • by cusco ( 717999 )

            Terrorism works through acts that sow fear.

            FTFY. Nothing "large scale" necessary. The DC Snipers, two guys with a rifle and a beat up old car, shut down much of Washington DC for a couple of weeks. One person with a bin of thermite could shut down most of the rail in the US just by targeting random curves on multiple lines. If COVID hadn't already shut down the movie theaters one person could have done so by targeting the air intake of a couple of them.

            People have the bizarre idea that each act has to s

        • Plenty of governments have the capability and some are known to be actively gaining access/capability.

          The thing is doing this would be treated as an act of war, so they're no more likely to just do it out of the blue as they are to start dropping bombs on the capital.

          Big concern is what happens if you do end up at war with them....

        • by sjames ( 1099 )

          Shooting up a substation requires physical presence and leaves physical evidence. There are significant risks to the attacker.

          Attacking SCADA can be done remotely through indirection.

          • by cusco ( 717999 )

            Shooting up a substation requires physical presence and leaves physical evidence. There are significant risks to the attacker.

            Attacking SCADA can be done remotely through indirection.

            SCADA systems are almost all air gapped from the Internet, you'd have to go to a site, plug into something, probably spoof a MAC address, and then know what you're actually touching and what to do with it. "Oh, look! A Lantronix serial converter box! Let's send it some random commands! Did it do anything? Can't tell. There's a PLC, what do you think it controls? Dunno, send it some commands. That opened the garage door for the motor pool." It's not a Windows or Linux server with nice named folders

            • by cusco ( 717999 )

              All right SlashDot, your ASCII art filter sucks now.

            • by sjames ( 1099 )

              It's that "almost" part that presents a problem. Like that story right here on /. about the attempt to dump way too much NaOH into drinking water in Fl.

              • by cusco ( 717999 )

                Again that was probably a "What does this do?" rather than an actual attempt to cause damage. (I'm of the opinion it was someone's kid had found their parent's unlocked work laptop and was fooling around, but haven't followed the story.)

                Want to do actual damage to a potable water system? Dump a barrel of paint residues just upstream of the water intake. More often than not the best way to damage high tech installations is with a low tech attack. There may be guards, firewalls, multi-level failure modes,

                • by sjames ( 1099 )

                  It'll take a lot more than a barrel of paint residue to measurably contaminate a city water supply. People shooting substations would have to compete with people stealing copper from substations.

                  • by cusco ( 717999 )

                    There are substations, and substations. The one near your neighborhood that might have a spool of wire that can be stolen may have half a dozen or a few more transformers and a relay bank or two. Copper theft is a financial issue first and logistical second, destruction of transformers and relays are a logistical problem first and financial second. Transformers and relay banks are designed to last 20 years or more, no one keeps a lot of spares because they're not normally necessary. A dozen destroyed tr

                    • by sjames ( 1099 )

                      I have no doubt that the paint residue will cause plant maintenance problems, but for a large municipality you'll need to dump a lot of paint in a lot of places. A small municipality won't make a blip on the news, so worthless for a terrorist. High chance of getting caught.

                      A deer rifle can certainly cause problems, but you're not going to cause a massive blackout with one. You'll probably end up on 'candid camera'

                    • by cusco ( 717999 )

                      Work in the industry for a few years and you'll find out out that the things that keep power engineers awake at night aren't covered in the Fatherland Security bulletins.

  • Cyberattack, for when mother nature learns to use a computer.

  • Basically the USA has just made a public announcement that they fully intent to launch a cyberattack on the Russian electrical grid, most likely targeting the Crimea.

    • That is what you got out of the article? What evidence or precedent leads you to this conclusion?

      • by rtb61 ( 674572 )

        What evidence, are you nuts, If I had evidence I would be in gitmo bay already, Cuban surfing or dead. Clearly it is projection and the US has a really solid track record for this. Why the Crimea, you know the silly kind of shite they can use to justify it, it is part of the Ukraine and the Ukraine gave us permission to do it. So not an act of war against Russia, really silly bullshit (they will likely be more hesitant now). Those with evidence get arrested and tortured or killed, how fucking dare you even

        • So you're reading the peyote chunks at the bottom of your teacup?
        • by gtall ( 79522 )

          Ya, it is well known the U.S. is taking squits like you and locking them up at Gitmo. They must have millions of Americans down there now. Cuba's upset because they are spoiling the beaches.

        • Holy shit. The US announced that they are just going to attack another country (or 2). Mars is actually starting to look like a viable option.

    • by HiThere ( 15173 )

      Well, no. But it's probably true that someone in the GAO had a fantasy about doing that, and wrote it up in an acceptable form. Then others looked at it and said "Yes, this is a serious problem.". And they were right. Obviously right. Things are connected to the net that should never have been put on the net, and industrial control systems need better security and....

      If you think that when someone points out a serious problem, the correct thing to do is close your eyes, then I don't agree. OTOH, this

  • by Gravis Zero ( 934156 ) on Friday March 19, 2021 @09:08PM (#61178022)

    It seems to me that if a system being taken down is a threat to national security then it should be subject to involuntary penetration testing. Failing such a test should result in a fine proportional to how egregious the flaw. The government has been far to easy and relied heavily on voluntary compliance which obviously works as well as it did for the Boeing 737 Max. It's time we got serious about ensuring security.

    • Just remember any testing of the power grid could affect you. Still game?

      • Just remember any testing of the power grid could affect you. Still game?

        The purpose of a pen test is to try and gain control, not cause an outage. There is literally no reason a pen test would cause any adverse effects.

        • Interesting perspective on the distribution system attack surface. I performed cybersecurity assessments at several generation and transmission facilities in the U.S. and Canada several years ago. NSA was promoting their Perfect Citizen program https://en.wikipedia.org/wiki/... [wikipedia.org] around that time to encourage utilities to provide non-attribution transparency in order to identify malicious actors and quietly harden systems. If they aren’t already in the distribution system business, they will be soon.
        • by HiThere ( 15173 )

          The problem is that breaking in often requires breaking something. Of course it's desired that the "something" not be noticeable, but mistakes happen. IIUC, they happen quite frequently in pen testing.

          • The problem is that breaking in often requires breaking something.

            That's absurd. They are accessing remote systems, not sneaking onto the site.

            • by HiThere ( 15173 )

              Sorry it you don't think of "breaking communications protocols" as breaking something, but if it slips through without being noticed, it's breaking security, and if it's noticed because it makes the system misbehave, it make well break some physical things. Clearly this is not the intent, but it's a risk.

              • I sounds like you are unaware of the isolation measures that are put in place. There are two different networks which are supposed to be isolated. One is connected to the internet while the other is supposed to isolated (e.g. airgapped). If they get into the internet connected network then that is bad. If they into the internal network then someone fucked up.

                I would gladly weather any adverse effects to my own supply of electricity if it meant the company was forced to fix their fuck ups.

    • It seems to me that if a system being taken down is a threat to national security then it should be subject to involuntary penetration testing

      Or even remove it from the internet preemptively.

  • by Gription ( 1006467 ) on Friday March 19, 2021 @09:36PM (#61178100)
    We should hurry up and make sure all transportation is electric!

    (Having a civilization with a single point of failure is the modern "ecco" thing to do!!!)
    • Not like gas pumps need electricity or anything...

      • Yeah because no one has ever come up with a pump operated with a handle.
        • by gtall ( 79522 )

          I know at my local gas station you can go inside and get one of the handles they keep behind the counter for just such an emergency.

          • by HiThere ( 15173 )

            Poe's law. I can't tell whether you're serious or not. My local gas station shuts down pumps frequently because of some problem, but I've never seen them pull out a pump handle.

  • by misnohmer ( 1636461 ) on Friday March 19, 2021 @10:53PM (#61178270)

    Sadly, the government's hands are tied. They could hire a dictator like Musk (not necessarily him, just an example of someone who runs the show unilaterally) and pay a good price, but this will never fly in the current policical climate. Everyone's opinion must be heard and accepted, no matter how stupid, and no private company can make any profit on taxpayer's money.

    This problem could be solved. Nothing in the grid ever talks direct to the internet, nothing from the internet ever reaches the grid. Air-gap everything, except for highly secured interconnects. Apply zero-trust methodology on top of all that. It won't be cheap, but totally doable with a competent dictator. I talked with someone who runs a successful company that could do that - his answer, stay the fuck away from government contracts like this, takes forever to get paid, and in current polititical climate it's just asking for bad PR (remember the Google employee social outrage over a contract to secure pentagon firewalls?). Government contracts are for insiders, who get paid quietly but actually have to deliver (after all, nobody will stage social outrage over you securing government computers if you don't actually do it).

    • What is the internet other than a large network that is pre-built to let computers on opposite sides of it talk to each other?

      The problem is in that regard the grid absolutely talks to the internet, almost by necessity. Sure you could build a second country wide network, but who will pay for it? You and the fellow good old American who laugh at the cost of electricity and taxes in all other first world countries while you peruse the generators at Home Depot because you're sick of the power going out?

      Every p

      • You don't need a physically different network. You can use the existing internet to securely tunnel between dedicated gateways. However, there is no reason whatsoever for any computer on the grid control network to be able to reach an arbitrary IP address on the internet, only on its virtual network. Nor is there any reason for those computers to initiate or accept any unauthenticated, unencrypted connections (even though on virtual private network) - no exceptions for convenience of administration or sched

      • by suss ( 158993 )

        A second country-wide network already exists called Internet2.There's no reason there couldn't be a third, except for funding.

    • by gtall ( 79522 )

      Your imaginary world should meet the real world sometime. Go for a sense of proportion, you have none right now.

      • I bet you made the same comment when Elon took on creating Tesla and pushing the industry to EV's. No way anyone could start a brand new successful car company. I bet your sense of proportion predicted Tesla will never sell more than few hundred cars per year if they even survive. Well, lucky for the world, not everyone has your sense of proportion, or nothing big would ever be done.

  • Here are real world examples from the energy sector where the corporate drive for profit lead to mass murder. These fire incidents were due to lack of maintenance from cost saving measures.

    PG&E: 2010 San Bruno California explosion: 8 killed [wikipedia.org], 2015 Butte Fire: 2 killed , October 2017 Northern California wildfires: 44 killed [wikipedia.org], 2017 Tubbs Fire: 22 killed [wikipedia.org], 2018 Camp Fire: at least 85 killed [wikipedia.org].

    in January 2019 PG&E filed for bankruptcy [wikipedia.org] due to liabilities of over $30 billion from multiple fires including t

  • Simply make it a federal crime to allow remote write access to an electrical power/distribution system. Make it strictly read only if you absolutely have to have access to data, and be able to prove even if compromised, it is still read only . Maybe as secure as a camera looking at a gauge. Somehow they manage to send a lineman to a pole to replace fuses. I think they could send someone for something more important instead of typing at a remote keyboard. I mean we had a story a few weeks ago where someone A
    • by Anonymous Coward

      Texas being disconnected from the national grid is actually good for the rest of us because those morons would be the weakest link that brings it all down if they were connected.

Real programmers don't bring brown-bag lunches. If the vending machine doesn't sell it, they don't eat it. Vending machines don't sell quiche.

Working...