
Is our power grid vulnerable to cyberattacks?


On Jan. 22, 2008, the CIA reported that hackers had caused a power outage that ended up affecting multiple cities outside the United States. There was no announcement of responsibility, but there was evidence that an extortion attempt had been made by the hackers who gained control of the power infrastructure. Officials suspect that inside information would have been necessary to pull off the attack, but no suspects have been named or arrested.

CIA: Cyberattack caused multiple-city blackout (News.com)

On Jan. 17, 2008, the Federal Energy Regulatory Commission approved eight standards intended to keep the U.S. power grid safe from cyberattacks; the list included identifying and physically securing cyberassets, training personnel, and planning for recovery of critical cyberassets. The Air Force alone has plans for 5,000 to 10,000 workers in its "Cyber Command" office by October of 2008. Even the civilian world is not immune to infrastructure concerns, as FAA officials fear the possibility of hackers intercepting and perhaps manipulating the data stream between the new Boeing 787 Dreamliner and ground stations.

Group Defines Cyberattack Prevention Rules for U.S. (PC World)

Head of Air Force Cyber Command discusses new role, cyberattack defenses (Network World)

FAA worries on-board Net opens jets to cyberattack (USA Today)

I always figured that critical infrastructure installations were kept off of the commodity Internet and not allowed to connect except through privately-leased lines, until I read a recent report (which I can't find at the moment) that many pieces of critical national infrastructure were put onto unsecured networks to keep costs down and as testbeds for future applications. In my opinion, critical infrastructure elements for things like the power grid should remain off of the Internet, despite the higher costs involved in the leased lines. No matter what security has been implemented, eventually it can be compromised, leading to attacks that may severely affect millions. What do you think needs to be done to protect these infrastructure elements?
11 comments
S,David

The reason the public is not showing much concern about this is they don't understand power generation and distribution any better than network security. I am certainly no expert in either, but I try to keep up with it as best I can. Articles on TR are *still* warning people that MAC filtering is not security, and when you ask people where electricity comes from, they usually tell you "the power company." With this kind of apathy it does not surprise me that there is no outcry for power systems security. For instance, the video of the generator blowing smoke that surfaced a few months back. I presume that it was being caused to run in parallel but out of sync with some other power source, but there are a lot of people that would not understand what that means, even if I am right. I also presume that in the real world (not a test) safety equipment would trip out to protect dynamos and transformers. I can't believe that this kind of thing has not happened by accident at least once. Right? Wrong? Surely, grid interconnection points see wild swings in power flow. I find that kind of thing interesting, but nobody else in my family does. Or, the blackout that hit the northeastern US in, I think, 1973, where the power was off for days after a cascading overload took generators off-line. I would love to know more about how you bring back a system that was not designed to be shut off. I know, "very carefully, and a little at a time." But, most people are not interested in this, as long as the lights are still on, and they don't have to change the default admin accounts on any of their stuff.

JCitizen

there just about wasn't any emergency; as pressured interstate piping is way forgiving for load changes - but electrical generation is instantaneously unforgiving in more than one factor. Just thinking about it gives me a headache!

JohnMcGrew

...on which we all now rely for our basic existence. The electricity comes from the power company. The water comes from the water company. The milk comes from the grocery store. My paycheck comes in the mailbox, etc. We like to think we live in a "democracy". And yet how can that construct be viable when most people are so ignorant of the nature of our most vital services?

JCitizen

I'm not surprised at the news. However, the public is apparently very interested in the subject and USA Today was a good publication to get this out to the general public. I've had many questions from people on the street about this, but I don't know how interested us tech types are in the subject. Ironic? Maybe more stories like these will attract the general public to TR. I feel they should educate themselves in all things tech related.

Neon Samurai

One reason that the general public is up in arms but the tech types seem uninterested could be that we're not really surprised. Uh Oh.. the media's new bogeyman may be able to affect our power grids; not news, nothing new. "Oh Nos! The bogeyman may be coming for our power stations along with our identities and stored information!" We've been living in a networked world at a technical level for so long that system security seems like a given consideration and the idea that someone could affect power systems through a network connection is as old as.. well, War Games. "Would you like to play a game?" I personally am very interested to hear more and was interested to hear the CIA admitting what was already common knowledge as a potential among most people. Given the politician and business love of the highest complicated system from the lowest bidder; I'm cynical about the actual "protection" but the announcement that it's possible comes as no surprise. That's just my overtired two cents on the subject. (Edit to Add); All your power station are belonging too us. (hehe.. I amuse myself at least.. ok.. my sleep deprived brain is outa here)

JCitizen

I would probably have been knee deep in this subject as I almost snagged some jobs related to the power industry more than once. Ahh! But for the lack of one more tidbit of knowledge! That's the way it goes! :)

Andy Moon

Aside from the obvious solution of taking all of these systems off of the internet, what should be done to assure that our power infrastructure cannot be compromised by cyberattacks?

seanferd

Most of it is way outdated, and some power companies are poorly managed. First Energy in Ohio, anyone? Edit: And let's not forget Lonnie Charles Denison, disgruntled former temporary employee at CAISO who simply walked into a facility and hit the emergency off switch. Very poor security in that respect: No one stopped him, and he still had palm-print security access.

boxfiddler

Bigtime. Add mother nature and you have mega-disaster looming most menacingly on the immediate horizon. Age, general human lack of foresight, improper maintenance of both facilities and lines, BOOM! Perhaps obviously we have been subject to numerous significant and long-lasting outages in my neck of the woods lately.

JCitizen

in this industry. But it could take years if ever for it to happen - unless new energy saving technology drives a change in this reality. Make it expensive enough to the customer and reality will beg for change; maybe even better security!

robo_dev

The (US) Federal Energy Regulatory Commission (FERC) on January 17th approved a final set of security standards designed to protect the US electric grid against a cyber attack. The eight security standards include:

* Critical cyber asset identification
* Security management controls
* Personnel and training
* Electronic security perimeters
* Physical security of critical cyber assets
* System security management
* Incident reporting and response planning
* Recovery plans for critical cyber assets

So I'm sure that some qualified political appointee like ex-FEMA chief Mike Brown will take over and in ten or so years, there might even be a website with the security standards posted on it!