Story here (Fox News)

Apparently a several foreign countries have had there power grids shut down and held for ransom by hackers. Scary. I sent the link up to my brother, he's in charge of power grids up in Alaska and may have an insiders view of this.

-Blast

Here is my brother's reply:

"Thanks for the link. I sent it on to the other engineers here.

The article lacks much detail, but hacking into power grid control equipment is definitely a concern. Our control center used to be entirely hard wired to the substation control centers, but as technology has progress we are starting to use more and more local internet (intranet) connections. They all have multiple security features but if there is someone on the inside, like the article mentions, then they might be able to open up the network to the outside and allow hackers in.

We are a bit slow to replace our technology, but other larger utilities probably have made more use of intranet for their control functions. It is definitely a concern, and I expect that most utilities have active security in place to try to prevent any hacking. As with any computer security though, there may be a loophole or some access that the system operators don’t know about that the hackers can exploit. Just like taking out a big internet site, I’m sure a hacker would love to be able to take credit for shutting down a city."

In other words, "Yep, it's possible."

-Blast

I can't understand why power grids (etc) are tied into the internet at all. Why would they need to be? Why would they WANT to be?

I just googled news info on power grids and hackers, and the only things that came up were a very few like the one cited above. Our CIA is passing out the info that SOME power grid in SOME foreign country was hacked into. So why wasn't it news in that country or surrounding countries?

Watch their OTHER hand....

Sue

It saves money.

-Blast

I thought you guys were supposed to be smart.

1) Fox news is not renowned for its impartial and cogent reportage.
2) The article was not an investigative report by Fox news, it was a regurgitation of some material from the CIA.
3) No facts were stated, therefore these stories cannot be independently verified: 'Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in "several regions outside the United States."'

In other words, what was the point of the article, and what was the point of bringing it up?

A

Ame,

The article alerted me to a possible threat. I then contacted an expert in the power grid who confirmed that the threat is real.

You know, I once saw a a news report on Fox about possible hurricane dangers to Houston, but thanks to you I now know I can ignore that possibility. Thanks!

-Blast

Izzy,

Thanks for reminding me about Estonia. California's power grid was also attacked but the hackers failed.

Of course, the report was on CNN and we know how biased they are.

-Blast

Humm...
No city named, no country mentioned, only one news organization reporting...I think I'll focus on a more realistic threat, like waking up in a bathtub full of ice and no kidney.

Bisc.

Um, what, are Estonia and California are imaginary places? Okay, I've never been to Estonia but have been to a place where the car license plates said "California".

But hey, to each there own. Personally, I'm not too worried about bird flu, Nalgene bottles, peak oil, genetically modified foods, capitalism or global climate change.

-Blast

I'd bet two things 1) They are referring to the NE blackout that crippled a good chunk of North America. It also hit Britain, Sidney and several other major cities in series.

2) They are not being honest when they say the internet was used (unless it was those Governments doing it to themselves).


Why would they even mention it? What is the solution they propose? Take the grid off the internet or during the next emergency 'Temporarily shutdown the internet to protect the infrastructure'?


-NIM

P.S. I must be getting jaded. This thing screams psyop/military."

You know what, my buddy was driving last night and I had the luxury of having a couple more than usual. I was being an … well the rules of this forum don’t allow for the description, but you seem smart enough to fill in the gray area here. For that I apologize.

That being said, it seems to me that if someone hacked into the grid of a European country and shut it down, there would be more coverage from more news outlets (Fox, CNN, ABC, NBC, CBC, TASS, Saturday Night Live), and that the coverage would be more complete. It would at least cite a country. The article referenced stated that Estonia’s “Russian Hackers had been blamed” but it failed to mention who was doing the blaming, and made mo mention of an attack on their power grid. The article on California stated that the attack did not affect power distribution.

Of course none of this really matters. When I lived in Boise, all of the power downtown was shut down by a squirrel that found its way into a substation.

Is a malicious attack on the power grid possible? I’m sure it is. But If I lived in a community that was fifty or so miles north of the Gulf, twenty or so miles south of the San Jacinto river, a hundred feet or so above sea level, on three highway arteries that are notoriously clogged with traffic, and I felt that the hacking was a risk, logic would dictate that I be worried about infectious diseases (bird flu is but one) because of the constant presence of stagnant water and global climate change (because I would be potentially hemmed in between the gulf and a river near the gulf with no reliable way north) because they to would be a risk as well.

I’m not trying to argue here, I’m honesty interested in how one (not just you, but anyone) calculates threat, and then decides how to insulate one’s self from it. What information does one retain, what information does one discard? How does one attach a value to the risk (perceived or actual)? I look forward to a discussion on the subject if you are interested.

Respectfully,
Biscuits

Since we're on the topic of electric plants, hackers aren't the only thing they're worried about.



Wow. Thats cutting it pretty close.


http://my.earthlink.net/article/top?guid=20080123/4796c9d0_3ca6_1552620080123139565434

Dumb question. Why can they not use seawater?

LED,

Two reasons. First, salt in sea water is VERY corrosive to metal. If the alloys used in the system weren't designed to handle sea water then they'd be perforated with holes in a matter of weeks.

Second, the salt would also build up scale deposits on places, especially heat exchangers and anywhere the flow rate changes. This would ruin the effeciency or completely plug up the system in a manner that would be very difficult to un-plug.

-Blast

Oh man, lucky you! I'm usually stuck being the responsible one. Hmmm, though that might be because things tend to blow up when I get drunk.

My response was also a bit sharp. I wasn't drunk but I had had an excellent day at work and was feeling really, really smart. Yesterday I applied for another patent and also solved an unrelated chemistry problem that has been stumping people for over ten years. Definately not the time to question the intelligence an egotistic Ph.D.

The idea of a thread on threat assesment is a good idea indeed.

-Blast, still high on success

Lack of investment in electrical power generation and distribution rather than 'a hacker in a cave in Afghanistan' is much more likely cause of electrical power going down. Those countries that have a lack of investment in their electrical power distribution networks seem to have the most problems with blackouts and brownouts especially when having to cope with adverse weather conditions.

I don't remember any blackout in Britain after the North East American incident in 2003 , but some 500,000 Londoners had a 34 minute blackout on the 28th August 2003. I think that this might be what your probably refering to. As with anything that happens in London, it soon becomes a national emergency and is blown out of all proportion by the London based media.



The Estonian incident was a distributed denial of service DDoS attack on certain web servers based in Estonia. The webbots being mostly distributed in unsecure computers from US networks. This is completely different to a hacker gaining access by logging in to a secured network which may possibly have some controlling function within a power station or even the control room of the electrical distribution network. The chances of this are pretty remote without someone breaching the electricity companies strict security measures i.e someone with super user admin rights within the organisation.

But then again this reminds me of the story of a British hacker who wrote a simple cgi script which scanned through all the US Pentagons military .mil websites looking for login scripts and then reported back the ones which accepted UN=admin and PW=password. Even he was surprised how many Pentagon .mil websites/secure networks he was able to access.

The moral of the story is - If your using a wireless router turn on the wireless security and in addition if using a non-wireless router turn of the remote access to the router and change your routers default access Username and Password.

Install a firewall and monitor the programs and ports the programs are attempting to use to gain access to the internet.

Install a anti-virus prgram.

Install a spyware program.

Because if a terrorist is going to bring down the national electricity grid you don't want the Feds turning up at your door after tracking down your IP address.

I have always been curious - why do so many people refer to terrorists living in "a cave in Afghanistan" to poo-poo the notion that terrorists are capable of doing anything that requires advanced logistics, co-ordination, or technical expertise? Osama Bin Laden may have been holed up in a cave in Afghanistan, but he was certainly not some technically incompetent troglodyte.

As for cyber-warfare/cyber-terrorism, it's been known for quite a while that both military organizations and terrorist groups are very interested in using the Internet, not just for communications, propaganda and recruiting, but for launching attacks on critical infrastructure.

Many computer security experts (not just Bruce Schneier, he's just the most vocal about it) believe that the 2003 North American blackout was caused by the Blaster worm, which they suspect an employee - either maliciously or carelessly - introduced into the system.

Aum Shinrikyo, the friendly Japanese cultists who brought you "Sarin on the Subway", make a special effort to recruit computer science and mathematics students into their ranks. The cult is known to own at least five computer companies. In 2000, it was discovered that "A female member of the AUM Shinrikyo cult was involved in the development of online systems at Kiyo Bank", where she "was believed to have had access to the names of clients, as well as data on their assets, annual incomes and transaction records".
(http://findarticles.com/p/articles/mi_m0XPQ/is_2000_March_6/ai_59998378)

Plans to implement a computer system developed for the Japanese national police authorities were delayed indefinitely after it was discovered some of the software had been developed by a subcontractor that was owned by Aum Shinrikyo.

"...why do so many people refer to terrorists living in "a cave in Afghanistan"..."

Because it minimizes them as a threat emotionally.

Underestimating your enemy doesn't seem very smart, to me.

Sue

After my first roadside bomb strike, which left one of our 3 million dollar armoured vehicles burning on the side of the road while we gathered the pieces of our friends and stuffed them into bags…….. I quickly realized just how well organized, efficient and downright smart our Enemy could be. Even with our state of the art equipment and extensive training this happened to us almost every week . As fast as we could invent a way to counter what they were doing, they in turn would invent a new way to counter us. Any one who makes the mistake of thinking these terrorists are not as well organized as we are obviously doesn’t pay much attention to the news. This may be my own opinion buts it’s just a matter of time before they figure out how to take the fight to North American soil in a way worst than 911. If there is a way for them to shut down power or worst, via computers or any other means, they will find it and they WILL try it. They are smarter than most of us give them credit for.

Hi aardwolfe,



That really wouldn't surprise me at all. The first Blaster worm started making an appearance on the 11th August with the North Eastern Rolling Blackouts occouring on the 14th. The Blaster B variant worm was rewritten/modified by 18 year old Jeffrey Lee Parson from Hopkins, Minnesota. What is surprising in the fact that Jeffrey didn't have the intelligence not to get caught launching his modified worm.

The Blaster worm was a real pain at the time, but the problem wasn't really Jeffrey Lee Parson (why he didn't just email bill.gates@microsoft.com to tell him to get his windows security holes fixed instead, I don't know ), it was the fact that so many people using computers didn't really have any idea about even the most basic understanding of computer security, not even the folks at Microsoft whose XP SP1 and 2000 OS's were vunerable to worms such as the Blaster B. XP SP2 was released a year later, which then had the OS firewall turned on by default. Even more surprising is the fact that critical network infrastructures such as water, electrical power etc are using Microsoft OS's which were well known to be so full of security holes at the time.

My point from my earlier post was that if people are going to leave their computers vunerable to be hijacked and be used for DDoS attacks and for email spamming or left open becuase changing a default password was to much of a pain etc then there is a responsibility by everyone not make it easy to aid organised crime and terrorist organisations. Sorry to say, but most of the spam (the worm and virus vector) being generated world wide is from organised crime operating from within US network users.

The problem of the mole working on the inside is a much more difficult problem to solve. Most of these companies (including ISPs) now use outsourced companies based in countries such as India to manage their customers accounts and even IT backoffice functions purely to save on operating costs.

If the electrical power grid goes down because of a 'cyber attack', don't blame the 'terrorist', it really is just the electrical power companies fault, simply because of their lack of investment, their greed, their lack of personnel training, their lack of IT security procedures and their incompetence.

Estonia is all sorted out now. Looks like another case of sensationalist journalism rather than international conspiracy. Who'd have thought...?

http://www.theregister.co.uk/2008/01/24/estonian_ddos_fine/

http://politics.slashdot.org/article.pl?no_d2=1&sid=08/01/25/0120221

A

Interesting, a 20-year old loser and some of his friends managed to overload Estonian governmental, banking and police computer systems for almost ten days.

Um, is this supposed to make us feel better?

-Blast

The fact that they arrested one 20-year old ethnic Russian is hardly conclusive proof that he was solely, or even largely, responsible. That's like arresting some low-level drug mule in Miami and concluding that he and his frat buddies were responsible for all the cocaine in America, and that all this talk about Colombian cartels is just so much media hype.

Absence of proof is not proof of absence. The attacks in Estonia were highly organized, targeted, and sustained. Maybe it was just a group of disguntled ethnic Russian or maybe it was something more serious/sinister; we'll probably never know for sure.

What we can say is that, as long as critical infrastructure is vulnerable to cyber-attack, both terrorist organizations and national governments will be investigating ways to exploit this weakness. We'd be fools to assume otherwise.

I have been in the computer security auditing and remediation business for banks, municipalities, etc. since the late 80's.

Blast is correct. Hacking the power grid or just about any other public utility is a potential threat. If it is connected to the Internet, it is potentially at risk. Also, it doesn't take much for an insider to compromise even the most sophisticated security system.

However, as an individual, I would be more concerned about ever growing number of ways that you can have your identity stolen.

For example, we had a local fast food worker stealing debit card numbers using a hand-held card reader(skimmer). This is a fast growing problem, because it is so easy to do.

http://www.suburbanchicagonews.com/heraldnews/news/716130,4_1_JO28_CARDSWIPE_S1.article

GarlyDog, CISSP

Um, that's not an update. It is a repeat of the same devoid-of-any-content story.

A

Here's an update with some more information.

http://redtape.msnbc.com/2008/01/from-the-moment.html#posts

I would guess that power disruption to any of our homes is more likely from a local problem be it a squirrel, snow storm, hurricane, earthquake, lightning or the neighbor kid with his car hitting a pole down the street. Then it is from a terrorist, or hacker attack.

But that doesn’t mean we should ignore the possibly of a terrorist attack on the power grid. I don’t know that I have any say in any of the ways the power can be interrupted.

Hopefully understanding power can be loss, and that it will be done beyond our control and that it’s somewhat Vidal to our lives, we should work on a way to provide it when it’s disrupted. Be it a terrorist or the neighbor kid in his hot rod car it’s probably not going to be down more then 3-days.

A generator and fuel for a week and a plan to conserve electricity would probably get any one of us through an outage, even a terror or hacker attack.

You may become somewhat popular with your neighbors when they see the lights on at your home.

Stealth may be a consideration.