US Grid At Rising Risk To Cyberattack, Says GAO
Distribution systems within the U.S. electrical grid are increasingly vulnerable to cyberattack, a government watchdog said in a report released Thursday. The Hill reports: In the report, the Government Accountability Office (GAO) noted that the Department of Energy's cybersecurity strategy has predominantly focused on generation and transmission systems. The watchdog recommended further attention to risks facing distribution systems, those parts of the grid that actually carry power directly to customers. Those aspects of the grid, the report states, "are becoming more vulnerable to cyberattacks, in part due to the introduction of and reliance on monitoring and control technologies." "However, the scale of potential impacts from such attacks is not well understood," it states.
Distribution systems' vulnerability is increasing due to their industrial control systems, which have increasingly been incorporating remote access. As a result, they can give bad actors access to them. The systems the report analyzed generally are not covered by federal cybersecurity standards but have in some cases taken independent action on them. Energy Department officials told GAO investigators they were unaware of any assessments underway analyzing how a cyberattack would affect distribution systems, saying the impact would likely be less significant than on generation and transmission. However, the report notes, depending on which distribution was affected it could have nationwide effects.
And in other news .. (Score:1)
Re: (Score:2)
To some extent it's true - and to take control of a grid or any other industrial system then you'd target the PLC nodes. One of the problems here is that in an industry there are just a few persons that know how to handle them in the specific solution. Maybe only one. And each installation is pretty unique.
Re: (Score:2)
To take it down is a whole lot easier than to take it over, just shoot up substations, relay stations, insulators, and repair personnel. Anyone who has ever worked in the industry knows that, hundreds of thousands of people worldwide, and yet it never happens. Is it just possible that the fearsome terrorists that we're supposed to be so frightened of don't know that? Or is it more likely that they're just not what we've been told?
Re: And in other news .. (Score:2)
Terrorism works through large scale acts that sow fear. It's like punching your enemy really hard to make them reconsider their position. I don't think it's generally effective against modern nation states.
What you describe is a guerrilla war. In this case the objective is totally different. It's to beat the adversary into submission or create the groundwork for a coup/invasion. No enemy really wants to do this to us. It's why states are more likely to interfere and hope our nation implodes. Then when
Re: (Score:2)
Terrorism works through acts that sow fear.
FTFY. Nothing "large scale" necessary. The DC Snipers, two guys with a rifle and a beat up old car, shut down much of Washington DC for a couple of weeks. One person with a bin of thermite could shut down most of the rail in the US just by targeting random curves on multiple lines. If COVID hadn't already shut down the movie theaters one person could have done so by targeting the air intake of a couple of them.
People have the bizarre idea that each act has to s
Re: (Score:2)
Fair points.
Re: (Score:2)
Plenty of governments have the capability and some are known to be actively gaining access/capability.
The thing is doing this would be treated as an act of war, so they're no more likely to just do it out of the blue than they are to start dropping bombs on the capital.
Big concern is what happens if you do end up at war with them....
Re: (Score:2)
Shooting up a substation requires physical presence and leaves physical evidence. There are significant risks to the attacker.
Attacking SCADA can be done remotely through indirection.
Re: (Score:2)
Shooting up a substation requires physical presence and leaves physical evidence. There are significant risks to the attacker.
Attacking SCADA can be done remotely through indirection.
SCADA systems are almost all air gapped from the Internet, you'd have to go to a site, plug into something, probably spoof a MAC address, and then know what you're actually touching and what to do with it. "Oh, look! A Lantronix serial converter box! Let's send it some random commands! Did it do anything? Can't tell. There's a PLC, what do you think it controls? Dunno, send it some commands. That opened the garage door for the motor pool." It's not a Windows or Linux server with nice named folders
Re: (Score:2)
All right SlashDot, your ASCII art filter sucks now.
Re: (Score:2)
It's that "almost" part that presents a problem. Like that story right here on /. about the attempt to dump way too much NaOH into drinking water in Fl.
Re: (Score:2)
Again that was probably a "What does this do?" rather than an actual attempt to cause damage. (I'm of the opinion it was someone's kid who had found their parent's unlocked work laptop and was fooling around, but haven't followed the story.)
Want to do actual damage to a potable water system? Dump a barrel of paint residues just upstream of the water intake. More often than not the best way to damage high tech installations is with a low tech attack. There may be guards, firewalls, multi-level failure modes,
Re: (Score:2)
It'll take a lot more than a barrel of paint residue to measurably contaminate a city water supply. People shooting substations would have to compete with people stealing copper from substations.
Re: (Score:2)
There are substations, and substations. The one near your neighborhood that might have a spool of wire that can be stolen may have half a dozen or a few more transformers and a relay bank or two. Copper theft is a financial issue first and logistical second, destruction of transformers and relays are a logistical problem first and financial second. Transformers and relay banks are designed to last 20 years or more, no one keeps a lot of spares because they're not normally necessary. A dozen destroyed tr
Re: (Score:2)
I have no doubt that the paint residue will cause plant maintenance problems, but for a large municipality you'll need to dump a lot of paint in a lot of places. A small municipality won't make a blip on the news, so worthless for a terrorist. High chance of getting caught.
A deer rifle can certainly cause problems, but you're not going to cause a massive blackout with one. You'll probably end up on 'candid camera'
Re: (Score:2)
Work in the industry for a few years and you'll find out that the things that keep power engineers awake at night aren't covered in the Fatherland Security bulletins.
Re: (Score:2)
And that is relevant to the article how?
Or are you just using it as a sandbox to spout your particular world view?
Re: The indirect attack is already here (Score:1)
What site do you think this is?
Re: (Score:2)
News for nerds, stuff that matters?
But yes, I get it. Slashdot is no longer for people who follow logic and reasoning, the masses have arrived with their conspiracy theories, spouted with no logic or reasoning.
I miss the old days of Slashdot.
Re: (Score:1)
The old Slashdot is still there and it's the only reason to keep coming back. You even occasionally see people like Bruce who have been here for time eternal and has even commented this year. It was never nearly perfect, this is where the G N-A A originated that are so hated by the management that I can't even find a way to name them readably without hitting the lame-ness filter and there was always a massive level of spam.
The future grid will have to have more storage. More power will be created local
Re: The indirect attack is already here (Score:1)
The claim isn't that little Greta is in bed with the Kennedy clan trying to stop the wind farms, or that Al Gore or John Kerry's daughter who's lying down in front of bulldozers putting in gas pipelines is allied with Michael Shellenberger and Extinction Rebellion.
The claim is that in the current hashtag-first, critical thinking-last climate that has infected everything from slashdot comments to the media to the federal government, *any* serious attempt at making a robust electrical grid will require an abs
Re: (Score:2)
Oh, good grief. Any attempt at "making a robust electrical grid" will hit the unmoving barrier of corporate executives first. Electrical engineers have been warning about the fragility of the grid to physical attacks, weather, and another Carrington Event since the 1970s, but nothing has been done. Do you know why? Building in resilience costs money, which reduces the stock price, which reduces the value of executives' stock options, which is why every single attempt will be torpedoed before it leaves t
Re: The indirect attack is already here (Score:1)
This is a testable claim. The test is to see if for-profit generating stations and distributors/utilities have less robust infrastructure than government/municipal generators and utilities like TVA for an example of the former and municipal light departments as an example of the latter.
Spoiler alert: they all suck ass whether they're skimming off the top of the taxpayers or are gaming the capitalist patriarchy.
Re: (Score:2)
Locally the Snohomish County Public Utility District and Puget Sound Energy both serve Snohomish County. For some reason consumers seem to prefer the lower prices and higher reliability of the SnoPUD rather than paying a premium to support the 'free market'.
Re: The indirect attack is already here (Score:1)
I'm sure that's true. But are your power outage stats any better than in a place with regulated monopolies for transmission, or are your power lines strung through tree branches with the occasional rotting wooden post that's actually two or three rotted posts bolted together the same way there are in Massachusetts towns that run their own electric utilities and the ones that allow private companies to own the poles?
Re: (Score:2)
When you cross the county line the difference between the two companies is obvious. PSE has cut back on its maintenance and tree trimming budget to improve profits, like all the corporations, and what trimming they still do is contracted out to the lowest bidder. Sno PUD still has their own staff, and the trimming around their facilities and lines is brutal but efficient. The result is that when we get the occasional wind or ice storm the PUD's customers are back online well before PSE's, and once they'r
Re: (Score:2)
A place for AARP members to bitch about how they dislike everything new.
Re: (Score:2)
That Keystone pipeline leaks oil like a sieve. http://boldnebraska.org/keysto... [boldnebraska.org]
Re: (Score:2)
I thought it was the fearsome Muslim terrorists we were supposed to be afraid of, instead it's the folks who sit around the campfire and sing "Kumbaya"? I'm so confused now.
Re: The indirect attack is already here (Score:1)
If that's what you think, you must have believed your side's propaganda about our side's propaganda. You shouldn't believe propaganda; small-s skepticism and critical thinking are a better bet almost all the time.
Re: (Score:1)
So we have your propaganda claiming that the muslim terrorists were the other side's propaganda and now you are innocently telling us to ignore the propaganda. Sweet. So meta.
Re: The indirect attack is already here (Score:1)
"Muslim terrorists are dangerous, they bombed our embassies, the USS Cole, and killed 3000 on American soil, and military action against them abroad, and vigilance at home, are warranted" is as much a real idea as it is propaganda.
"zomg grab a rope and find a tree and check under your bed for bin Laden before you go to sleep" is propaganda ascribed to us by you that very very vaguely resembles the actual messaging if you squint just right.
Mother Nature discovers the internet. (Score:2)
Cyberattack, for when mother nature learns to use a computer.
Projection (Score:2)
Basically the USA has just made a public announcement that they fully intend to launch a cyberattack on the Russian electrical grid, most likely targeting the Crimea.
Re: (Score:2)
That is what you got out of the article? What evidence or precedent leads you to this conclusion?
Re: (Score:2)
What evidence, are you nuts, If I had evidence I would be in gitmo bay already, Cuban surfing or dead. Clearly it is projection and the US has a really solid track record for this. Why the Crimea, you know the silly kind of shite they can use to justify it, it is part of the Ukraine and the Ukraine gave us permission to do it. So not an act of war against Russia, really silly bullshit (they will likely be more hesitant now). Those with evidence get arrested and tortured or killed, how fucking dare you even
Re: (Score:2)
Re: (Score:2)
Ya, it is well known the U.S. is taking squits like you and locking them up at Gitmo. They must have millions of Americans down there now. Cuba's upset because they are spoiling the beaches.
Re: (Score:2)
Holy shit. The US announced that they are just going to attack another country (or 2). Mars is actually starting to look like a viable option.
Re: (Score:2)
Well, no. But it's probably true that someone in the GAO had a fantasy about doing that, and wrote it up in an acceptable form. Then others looked at it and said "Yes, this is a serious problem.". And they were right. Obviously right. Things are connected to the net that should never have been put on the net, and industrial control systems need better security and....
If you think that when someone points out a serious problem, the correct thing to do is close your eyes, then I don't agree. OTOH, this
Involuntary pen testing. (Score:3)
It seems to me that if a system being taken down is a threat to national security then it should be subject to involuntary penetration testing. Failing such a test should result in a fine proportional to how egregious the flaw. The government has been far too easy and relied heavily on voluntary compliance which obviously works as well as it did for the Boeing 737 Max. It's time we got serious about ensuring security.
Involuntary beta tester (Score:2)
Just remember any testing of the power grid could affect you. Still game?
Re: (Score:2)
Just remember any testing of the power grid could affect you. Still game?
The purpose of a pen test is to try and gain control, not cause an outage. There is literally no reason a pen test would cause any adverse effects.
Re: (Score:1)
Re: (Score:2)
The problem is that breaking in often requires breaking something. Of course it's desired that the "something" not be noticeable, but mistakes happen. IIUC, they happen quite frequently in pen testing.
Re: (Score:2)
The problem is that breaking in often requires breaking something.
That's absurd. They are accessing remote systems, not sneaking onto the site.
Re: (Score:2)
Sorry if you don't think of "breaking communications protocols" as breaking something, but if it slips through without being noticed, it's breaking security, and if it's noticed because it makes the system misbehave, it may well break some physical things. Clearly this is not the intent, but it's a risk.
Re: (Score:2)
It sounds like you are unaware of the isolation measures that are put in place. There are two different networks which are supposed to be isolated. One is connected to the internet while the other is supposed to be isolated (e.g. airgapped). If they get into the internet connected network then that is bad. If they get into the internal network then someone fucked up.
I would gladly weather any adverse effects to my own supply of electricity if it meant the company was forced to fix their fuck ups.
Re: (Score:2)
It seems to me that if a system being taken down is a threat to national security then it should be subject to involuntary penetration testing
Or even remove it from the internet preemptively.
From the "All eggs in one basket dept"... (Score:3)
(Having a civilization with a single point of failure is the modern "ecco" thing to do!!!)
Re: (Score:2)
Not like gas pumps need electricity or anything...
Re: (Score:2)
Re: (Score:2)
I know at my local gas station you can go inside and get one of the handles they keep behind the counter for just such an emergency.
Re: (Score:2)
Poe's law. I can't tell whether you're serious or not. My local gas station shuts down pumps frequently because of some problem, but I've never seen them pull out a pump handle.
Government's hands are tied (Score:3, Interesting)
Sadly, the government's hands are tied. They could hire a dictator like Musk (not necessarily him, just an example of someone who runs the show unilaterally) and pay a good price, but this will never fly in the current political climate. Everyone's opinion must be heard and accepted, no matter how stupid, and no private company can make any profit on taxpayer's money.
This problem could be solved. Nothing in the grid ever talks direct to the internet, nothing from the internet ever reaches the grid. Air-gap everything, except for highly secured interconnects. Apply zero-trust methodology on top of all that. It won't be cheap, but totally doable with a competent dictator. I talked with someone who runs a successful company that could do that - his answer, stay the fuck away from government contracts like this, takes forever to get paid, and in current political climate it's just asking for bad PR (remember the Google employee social outrage over a contract to secure Pentagon firewalls?). Government contracts are for insiders, who get paid quietly but actually have to deliver (after all, nobody will stage social outrage over you securing government computers if you don't actually do it).
Re: (Score:3)
What is the internet other than a large network that is pre-built to let computers on opposite sides of it talk to each other?
The problem is in that regard the grid absolutely talks to the internet, almost by necessity. Sure you could build a second country wide network, but who will pay for it? You and the fellow good old American who laugh at the cost of electricity and taxes in all other first world countries while you peruse the generators at Home Depot because you're sick of the power going out?
Every p
Re: (Score:2)
You don't need a physically different network. You can use the existing internet to securely tunnel between dedicated gateways. However, there is no reason whatsoever for any computer on the grid control network to be able to reach an arbitrary IP address on the internet, only on its virtual network. Nor is there any reason for those computers to initiate or accept any unauthenticated, unencrypted connections (even though on virtual private network) - no exceptions for convenience of administration or sched
Re: (Score:2)
A second country-wide network already exists called Internet2. There's no reason there couldn't be a third, except for funding.
Re: (Score:3)
Your imaginary world should meet the real world sometime. Go for a sense of proportion, you have none right now.
Re: (Score:2)
I bet you made the same comment when Elon took on creating Tesla and pushing the industry to EV's. No way anyone could start a brand new successful car company. I bet your sense of proportion predicted Tesla will never sell more than few hundred cars per year if they even survive. Well, lucky for the world, not everyone has your sense of proportion, or nothing big would ever be done.
Corporate Greed: Death for Profit (Score:2)
PG&E: 2010 San Bruno California explosion: 8 killed [wikipedia.org], 2015 Butte Fire: 2 killed, October 2017 Northern California wildfires: 44 killed [wikipedia.org], 2017 Tubbs Fire: 22 killed [wikipedia.org], 2018 Camp Fire: at least 85 killed [wikipedia.org].
In January 2019 PG&E filed for bankruptcy [wikipedia.org] due to liabilities of over $30 billion from multiple fires including t
Where a little government regulation is needed (Score:2)
Thankfully Texas is not connected... (Score:1)
Texas being disconnected from the national grid is actually good for the rest of us because those morons would be the weakest link that brings it all down if they were connected.