backtop

Print 41 comment(s) - last by CENGJINYIWEI.. on Jan 31 at 8:58 AM
Cyber attacks against power plants and other vital infrastructure may be higher than previously believed

A new study [PDF] that interviewed power plant operators and other "critical infrastructure" indicates more than 50 percent of all U.S. power plants have had to deal with an increase in cyber attacks.

Security company McAfee funded the research, speaking with 600 IT managers and executives from 14 different nations.  

Around 54 percent of those interviewed said some type of network "stealthy infiltration" took place, with the same number of executives noting they faced massive denial-of-service attacks on their networks at one point in time.

The threat of cyber attacks scare most computer users to be worried about potential data and bank theft -- but security experts and government analysts note cyber attacks could be a national security issue as well.

Brazil had several high-profile blackouts in late 2009, which allegedly are tied to cyber attacks against the country's IT infrastructure.  Brazilian officials denied cyber terrorism caused the outages, but it's a major issue now that the 2016 Summer Olympic Games will  be held in Rio de Janeiro.

The threat of cyber attacks are even more serious now with China, North Korea, and Russia either hiring hackers directly to launch attacks, or are funneling money to hacker groups.

These types of issues will be handled by Howard Schmidt, President Barack Obama's hand-picked cyber czar, who will work with security experts in an effort to keep the country safe from state-sponsored attacks.

The FBI and Secret Service also are attempting to combat cyber terrorism, especially if the attack appears to be coordinated by a foreign government.


Comments     Threshold


This article is over a month old, voting and posting comments is disabled
Putting a thorn in perfectly healthy foot...
By AstroGuardian on 1/29/2010 8:22:42 AM , Rating: 5
What the hell kind of strategy is putting vital systems connected to the world wide web? I can't seem to understand the need for a power plant's production systems to be connected to any external network...




By mofo3k on 1/29/2010 9:15:59 AM , Rating: 2
I used to work for a power utility and from what I understand, they did have some pc's set up to receive information from their regional group to monitor and set limits on how much power to produce. I suppose if that was to go down then they wouldn't know how when to increase or reduce supply. I'm not sure if their actual controls were networked or not but definitely their monitoring.


RE: Putting a thorn in perfectly healthy foot...
By Sahrin on 1/29/2010 10:02:35 AM , Rating: 5
One that results in a functioning electric grid.

How do you think power plants get information? Over the phone? For a grid that is timed to the trillionth of a second using atomic clocks? Right.

Don't comment if you don't have any idea what you're talking about. That you may be right doesn't mean you're right. (Take a minute to think about that sentence before you respond).


RE: Putting a thorn in perfectly healthy foot...
By namechamps on 1/29/2010 10:36:14 AM , Rating: 1
No reason they can't be put on a private network.

The US military has a SIPRNet. It operates on TCP/IP using normal routers & networking hardware but ...... <DRUMROLL> operates similar to the public internet not interconnected with it.

While the level of security & isolation for a power info net doesn't need to be as sophisticated and robust as SIPRNet, the SIPRNet could be used as a model.

All the elements of the "power information grid" could create a private secure network using off the shelf equipment and isolated from public threats.

So....
"Don't comment if you don't have any idea what you're talking about."


RE: Putting a thorn in perfectly healthy foot...
By Sahrin on 1/29/2010 11:02:39 AM , Rating: 3
Likewise, my friend.

Do you have any idea how much it costs to install and deploy a network like that? The fundamental assumption of "power plants connected" is that you do it in a cost-effective manner. Otherwise, you should just build an independent grid for every neighborhood, powered by its own plant. The REASON you have an integrated grid is to increase cost efficiency and reliability; these goals are directly at odds with a completely independent physical network.

Add to that the fact that there are MAYBE 100 sites on the entire SIPRnet (probably far fewer than that - just domestic military and then a secure layer over MILSAT/. For an independent power grid 'internet' you'd be talking on the order of 100,000 (probably more) sites on the power plant network. You're going to make *independent* cable runs to every single one of these sites, with absolutely no revenue to support it? I've got some oceanfront property in Omaha to sell you.

Next you'll suggest that everyone just install a small nuclear reactor in every home and office in America. They you don't even NEED a grid, much less a secure way to communicate with them.

The implication of my post isn't that communications can't be made more secure, it's that the internet is the best way (weighing all options) to synchronize the grid.

Again, please have any idea what you're talking about before you reply.


RE: Putting a thorn in perfectly healthy foot...
By DopeFishhh on 1/30/2010 2:28:09 AM , Rating: 2
They'll have to make a separate network eventually, you can't possibly do so fast enough in the event of a cyber war or terrorist attack.

Not separating the networks is obviously the product of a business man taking a "nah it'll never happen to us" approach in order to save a few dollars.


By Sahrin on 1/30/2010 7:50:39 AM , Rating: 4
The complete security you're imagining if an independent network was built is a fantasy. There is *no* way to make a completely secure network. An independent network isn't even vastly more successful at achieving it's goal than using the public internet.

Look at SIPRnet, as referenced above. It is arguably the most secure network in the world - and yet still, intelligence and information leaks off of it and into enemies' hands and the public eye. It fails to achieve its goal, even at unbelievable expense to the taxpayer.

The point of that example is not to say, "people will leak the control codes and we'll all die" it's if there's anything 200 years of engineering experience has taught us, it's that complex systems fail. Always. Not most of the time - they always fail.

Successfuly protecting one from catastrophe is a matter of design, not implementation.

That's the ultimate argument of the 'independent network.' You see a complex problem and think, 'simple solution.' But the solution doesn't even remotely address the problems involved, including the single most dangerous possibility: that of a coordinated and organized attack against the system. An independent network only makes this *easier* by linking all the stations together in a secure (and likely underprotected fashion).

Again, it's much better to design the system to be failure resistant than it is to build it to be failure proof. Failure proof will cost 100 times more and get you exaclty 0 extra practical security.

And finally, my opinion is not that of a businessman, it's of an engineering student and an analyst.


RE: Putting a thorn in perfectly healthy foot...
By JediJeb on 1/29/2010 10:52:06 AM , Rating: 2
That may be true, but still something this important should be running on their own isolated network instead of the public internet. I know it would cost money to run cabling but it isn't like there aren't already towers to run the lines on, just piggyback them to the power transmission towers that link the plants already. Have an internet capable or satellite connection as backup in case of a physical disconnect but at least it would take some type of physical attack to interrupt the communications instead of someone sitting in China hacking in to do it.

I understand that the internet was originally setup the way it is to provide layers of backup in case of physical attacks, but a lot of its benefits went out the window when it became public instead of purely a governmental system. There should be a totally separate and isolated system for critical infrastructure communications that even uses a different protocol that normal people don't have( something different than TCP/IP ). The idea of getting everything in the world connected for convience is terrible for security.


RE: Putting a thorn in perfectly healthy foot...
By Sahrin on 1/29/2010 11:09:34 AM , Rating: 3
The expense is not in digging trenches, it's in the hardware. You'd have to deploy completely seperate routers and distribution hardware.

On top of that, all of it's pointless if the power plant is still connected (even if it's only 'physically') to the public internet. How hard is it for someone to walk in and slap a 3G USB Modem into a device? Win7 will support it natively.

The goal should be to harden the networks we have, not build a ridiculously expensive and completely redundant network. Your solution is like moving into a new house with a lock on the front door and then burning down the house because you don't think it's safe.

Maybe try installing a lock first?


RE: Putting a thorn in perfectly healthy foot...
By chagrinnin on 1/29/2010 1:19:55 PM , Rating: 2
Could you say that again but,... this time with a car analogy? :P


RE: Putting a thorn in perfectly healthy foot...
By Sahrin on 1/29/2010 2:16:14 PM , Rating: 2
I'll take a what at it:

Your solution is like almost getting in a car wreck while not using the safety features of the car, and hiring an armored limo service to drive you everywhere because you don't feel safe.

Why not just try using the seatbelt?

(The earlier example should have said: "WithOUT" a lock, not "With" a lock).


RE: Putting a thorn in perfectly healthy foot...
By Sahrin on 1/29/2010 2:18:04 PM , Rating: 2
And this should've said "whack" not "what."

Maybe not so much with the blasting through the 'preview' screen for me anymore...


RE: Putting a thorn in perfectly healthy foot...
By mindless1 on 1/29/2010 10:36:27 PM , Rating: 1
I don't know how to break it to you, but there was a time, probably long before your time, when we didn't have an internet, yet still had a functional power grid.

Imagine that and how it defies your claims.


RE: Putting a thorn in perfectly healthy foot...
By Sahrin on 1/30/2010 7:43:43 AM , Rating: 1
I like how you wrote this reply without noticing the person who wrote the exact same thing directly below you, 5 hours earlier (and then my reply to him). I don't want to repost it here because it would be a waste of space. Here's a link:

http://www.dailytech.com/Article.aspx?newsid=17550...


RE: Putting a thorn in perfectly healthy foot...
By mindless1 on 1/30/2010 5:57:18 PM , Rating: 2
I like how you assume someone is obligated to read every post someone else makes (on the whole internet too?? I mean how far do you stretch this concept, maybe just other DT articles?).

You and I, we are not obligated to read anything someone else writes, but thanks for whining.


By geddarkstorm on 1/29/2010 3:38:14 PM , Rating: 2
And how'd they do it before the advent of PCs and the internet? The idea that somehow things /wouldn't work/ without a network is ridiculous. Just dust off the old procedures from 20 years ago, and sure, it may not be as convenient, but it /works/!

Something as critical as infrastructure must be more robust, that means able to handle any eventuality, and network hacking is one such eventually. We have to be able to continue functioning without a functioning network.


By Sahrin on 1/29/2010 6:07:03 PM , Rating: 2
...They didn't. Computer controlled grids offer *vast* benefits over their 'dumb' counterparts (mainly efficiency - isntead of running an extra plant full-time to maintain the extra capacity, and only kicking it in when there is a measurable drop in power going over the grid, you can spin up and down hot spares, saving you a *Huge* amount of expense in fuel).

Thus, electricity is both cheaper and more efficient - not to mention the reliability issues that are resolved with computer control.

They used to not have stoplights as well, but people kept dying in intersections. Can we use stop signs effectively? Yes. Does that mean we should go back to stop signs at every major intersection (doubling the commute time of just about everyone in the country)?

*sigh*

We don't need to trade 'robustness' for 'complexity.' It's possible to have both. Hell, we have complexity right now *without* robustness, so how hard can it be?

What we *don't* need is a giant and ridiculously expensive private network for power.


RE: Putting a thorn in perfectly healthy foot...
By Regected on 1/29/2010 1:01:01 PM , Rating: 2
The power grid uses microwave communication to transfer data. Anyone with a free to air satellite system knows this because there are 5-6 channels in the K band with regional power grid information. This article sounds more like the corporate side of things rather than the industrial side. Executives don't need a direct line to the information about the current state of the power grid.

Bad reporting and sensationalizing on the side of Dailytech on this one.


By Chernobyl68 on 1/29/2010 1:37:28 PM , Rating: 2
I agree, Bruce Willis movies aside, I don't think you can take down a generating station from the internet.


By Jalek on 1/29/2010 2:51:14 PM , Rating: 2
It depends on how they've implemented it.
The latest initiatives forced companies with decades of experience with microwave hops and old 1200 baud simplex links that were still working to hire contractors to replace their entire SCADA system with systems regulators (and anyone else) can log into to see what's going on.

Sure the control systems should be isolated from the internet monitoring, but you're relying on contractors to know what they're doing. It only takes 2-3 bogus signals for automated systems to respond and take plants offline.


By gmljosea on 1/29/2010 8:20:35 PM , Rating: 2
I think you mean the Internet. It's not quite the same thing as world wide web.


By Shining Arcanine on 1/30/2010 12:04:07 PM , Rating: 2
All they need to do is use a white-list of IP addresses, plug all known holes under the assumption they do not use a white-list to prevent man in the middle attacks and have a good set of procedures in place for what happens when the internet is down. Problem solved.


Foul!
By gmyx on 1/29/2010 9:21:20 AM , Rating: 2
quote:
Security company McAfee funded the research, speaking with 600 IT managers and executives from 14 different nations.


Well that makes me believe the study! They just want to sell more products!




RE: Foul!
By chagrinnin on 1/29/2010 1:05:05 PM , Rating: 2
Right,...like the guy with the gas can and the bic lighter trying to sell you fire insurance. :P


RE: Foul!
By mindless1 on 1/29/2010 10:38:40 PM , Rating: 2
Well to be fair, letting the IT managers and executives speak to McAfee at all was in itself a security breech. You don't air your dirty laundry to 3rd parties except for law enforcement or contractual, liability-attached improvement purposes.


Typo
By tigz1218 on 1/29/2010 8:07:53 AM , Rating: 2
"These types of issues will be handled by Howard Schmidt, President Barack Obama's hand-picked cyber czar, who will worth with..."

Should be "work".




RE: Typo
By Sahrin on 1/29/2010 10:03:23 AM , Rating: 3
I don't really think it's right to point out a speach impediment like that.


dumbarses...
By Moishe on 1/29/2010 8:18:20 AM , Rating: 2
The U.S. needs to stop sitting on their hands and create a non-political process to create, implement, test, and enforce certain network security standards for all infrastructure. Even something as simple as ensuring that all control computers for utilities are not physically connected to the internet would do a lot.

As a citizen, I don't care a bit if the non-critical computers go down at the local power plant, but I do care if the control computers go down. There should be no way to breach those control computers except through physical entry.




By PAPutzback on 1/29/2010 9:44:15 AM , Rating: 2
They work anonymously and are getting funneled cash from all over. No one source of cash knows if there enemy is providng cash to the same group. Only thing is, one of the members in a group will rat out the others for a big payout when he gets beat in a CSS match.




Actually...
By Marlonsm on 1/29/2010 11:08:31 AM , Rating: 2
quote:
Brazil had several high-profile blackouts in late 2009, which allegedly are tied to cyber attacks against the country's IT infrastructure. Brazilian officials denied cyber terrorism caused the outages, but it's a major issue now that the 2016 Summer Olympic Games will be held in Rio de Janeiro.

It was just our weak infrastructure, as most non-government specialists are saying.




Cheap online shopping
By fasfdhfd0000 on 1/29/10, Rating: 0
Cheap online shopping
By sdfasdgdhasdf on 1/30/10, Rating: 0
ohp
By PINGDIGUO on 1/29/10, Rating: -1
RE: ohp
By ChrisDoughmanDesign on 1/29/10, Rating: -1
RE: ohp
By ChrisDoughmanDesign on 1/29/10, Rating: -1
RE: ohp
By chagrinnin on 1/29/2010 1:02:10 PM , Rating: 1
The majority of people that frequent this site would rather be involved in trashing your site than ever purchasing anything from you. The game your playing is called "Shoot myself in the Foot". Good luck with that....


RE: ohp
By mindless1 on 1/29/2010 10:42:18 PM , Rating: 2
Is it just me or is it getting a bit annoying that more work isn't being done to clamp down on the increase in spam over recent months?

Mind you, I'm not complaining about DT specifically, I've seen an increase on several 'sites. Are these spammers so genuinely stupid as to think anyone will click-through and buy something from the represented companies, or is their agenda just to be tards?


Cheap online shopping
By sdfasdgdhasdf on 1/30/10, Rating: -1
"Spreading the rumors, it's very easy because the people who write about Apple want that story, and you can claim its credible because you spoke to someone at Apple." -- Investment guru Jim Cramer











botimage
Copyright 2012 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki