Hackers Turn Out the Lights

Kanastrous
Sith Acolyte
Posts: 6464
Joined: 2007-09-14 11:46pm
Location: SoCal

Hackers Turn Out the Lights

Post by Kanastrous »

WASHINGTON - Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference.

All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in "several regions outside the United States."

"In at least one case, the disruption caused a power outage affecting multiple cities," Donahue said in a statement. "We do not know who executed these attacks or why, but all involved intrusions through the Internet."

A CIA spokesman Friday declined to provide additional details.

"The information that could be shared in a public setting was shared," said spokesman George Little. "These comments were simply designed to highlight to the audience the challenges posed by potential cyber intrusions."

Donahue spoke earlier this week at the Process Control Security Summit in New Orleans, a gathering of engineers and security managers for energy and water utilities.

The Bush administration is increasingly worried about the little-understood risks from hackers to the specialized electronic equipment that operates power, water and chemical plants.

In a test last year, the Homeland Security Department produced a video showing commands quietly triggered by simulated hackers having such a violent reaction that an enormous generator shudders as it flies apart and belches black-and-white smoke.

The recorded demonstration, called the "Aurora Generator Test," was conducted in March by government researchers investigating a dangerous vulnerability in computers at U.S. utility companies known as supervisory control and data acquisition systems. The programming flaw was fixed, and equipment makers urged utilities to take protective measures.

http://www.msnbc.msn.com/id/22734229/
I find myself endlessly fascinated by your career - Stark, in a fit of Nerd-Validation, November 3, 2011
KlavoHunter
Jedi Master
Posts: 1401
Joined: 2007-08-26 10:53pm

Post by KlavoHunter »

Physically. Separated. Networks.



*sigh*.
Shroom Man 777
FUCKING DICK-STABBER!
Posts: 21222
Joined: 2003-05-11 08:39am
Location: Bleeding breasts and stabbing dicks since 2003

Post by Shroom Man 777 »

DIE HAAAAARD!!!

Wait, so the vital systems of the government are connected via the Internet? Don't they have their own separate and secure network? How can they possibly shut down stuff that's not in the USA?
"DO YOU WORSHIP HOMOSEXUALS?" - Curtis Saxton
shroom is a lovely boy and i wont hear a bad word against him - LUSY-CHAN!
Shit! Man, I didn't think of that! It took Shroom to properly interpret the screams of dying people :D - PeZook
Shroom, I read out the stuff you write about us. You are an endless supply of morale down here. :p - an OWS street medic
Pink Sugar Heart Attack!
Phantasee
Was mich nicht umbringt, macht mich stärker.
Posts: 5777
Joined: 2004-02-26 09:44pm

Post by Phantasee »

KlavoHunter wrote:Physically. Separated. Networks.



*sigh*.
But then how will the operators watch porn to pass the time during their shifts?
XXXI
bilateralrope
Sith Acolyte
Posts: 6246
Joined: 2005-06-25 06:50pm
Location: New Zealand

Post by bilateralrope »

All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in "several regions outside the United States."

"In at least one case, the disruption caused a power outage affecting multiple cities," Donahue said in a statement. "We do not know who executed these attacks or why, but all involved intrusions through the Internet."
So there was a power outage in multiple cities, yet they can't tell us which country it was in?

And no other news source has picked up on the power outage?

Tell me why I should believe this.
Phantasee
Was mich nicht umbringt, macht mich stärker.
Posts: 5777
Joined: 2004-02-26 09:44pm

Post by Phantasee »

I'm thinking, poorer countries where power outages can be expected occasionally, and where there's a population that can be lied to a little easier.
XXXI
Raw Shark
Stunt Driver / Babysitter
Posts: 7992
Joined: 2005-11-24 09:35am
Location: One Mile Up

Re: Hackers Turn Out the Lights

Post by Raw Shark »

Kanastrous wrote:WASHINGTON - Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference.

All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in "several regions outside the United States."
Given the speaker, the audience, and the lack of details, I find it probable that the speaker was referring to all such documented incidents ever.

"Do I really look like a guy with a plan? Y'know what I am? I'm a dog chasing cars. I wouldn't know what to do with one if I caught it! Y'know, I just do things..." --The Joker
RIPP_n_WIPE
Jedi Knight
Posts: 711
Joined: 2007-01-26 09:04am
Location: with coco

Post by RIPP_n_WIPE »

I remember watching a Dateline or some such on the SCADA systems that control the water, power, and natural gas in North America. There was some test done where a comp sci student hacked a solar plant I believe in Nevada and made the panels point away from the sun. The security is really weak. Think the only reason that the show gave for why no one does it regularly is that apparently, if you're in North America it's really easy to find you and second, the SCADA systems are so horrendously complex it's hard to pinpoint any one locale so you sorta randomly choose what you want to bring down.

I am the hammer, I am the right hand of my Lord. The instrument of His will and the gauntlet about His fist. The tip of His spear, the edge of His sword. I am His wrath just as he is my shield. I am the bane of His foes and the woe of the treacherous. I am the end.


-Ravus Ordo Militis

"Fear and ignorance claim the unwary and the incomplete. The wise man may flinch away from their embrace if he girds his soul with the armour of contempt."
Sea Skimmer
Yankee Capitalist Air Pirate
Posts: 37390
Joined: 2002-07-03 11:49pm
Location: Passchendaele City, HAB

Post by Sea Skimmer »

Shroom Man 777 wrote:DIE HAAAAARD!!!

Wait, so the vital systems of the government are connected via the Internet? Don't they have their own separate and secure network? How can they possibly shut down stuff that's not in the USA?
How exactly did you reach the conclusion that vulnerabilities in commercial civilian power plants mean the article is actually talking about US government networks?
"This cult of special forces is as sensible as to form a Royal Corps of Tree Climbers and say that no soldier who does not wear its green hat with a bunch of oak leaves stuck in it should be expected to climb a tree"
— Field Marshal William Slim 1956
Thag
Jedi Knight
Posts: 794
Joined: 2004-02-12 06:44pm
Location: Cannot be revealed without endangering our assets.

Post by Thag »

RIPP_n_WIPE wrote:I remember watching a Dateline or some such on the SCADA systems that control the water, power, and natural gas in North America. There was some test done where a comp sci student hacked a solar plant I believe in Nevada and made the panels point away from the sun. The security is really weak. Think the only reason that the show gave for why no one does it regularly is that apparently, if you're in North America it's really easy to find you and second, the SCADA systems are so horrendously complex it's hard to pinpoint any one locale so you sorta randomly choose what you want to bring down.
That may have been the case. However, I remember reading an article while I was on co-op a couple years ago where several utility groups were looking at grafting networked Windows-based interfaces onto the SCADA system to improve user-friendliness. The article then went on to point out that the complexity of SCADA made it more secure, and the new interfaces would essentially put a big "Hit Me" sign on whatever system they were attached to.
"And the sign said, 'Anybody caught tresspassing, will be shot on sight.' So I jumped over the fence and yelled at the house, 'Hey! What -'" BAM*BAM*BAM*BAM*BAM
RIPP_n_WIPE
Jedi Knight
Posts: 711
Joined: 2007-01-26 09:04am
Location: with coco

Post by RIPP_n_WIPE »

:?:
So instead of just training people on how to use the system, they dumb it down and leave massive security gaps?

I am the hammer, I am the right hand of my Lord. The instrument of His will and the gauntlet about His fist. The tip of His spear, the edge of His sword. I am His wrath just as he is my shield. I am the bane of His foes and the woe of the treacherous. I am the end.


-Ravus Ordo Militis

"Fear and ignorance claim the unwary and the incomplete. The wise man may flinch away from their embrace if he girds his soul with the armour of contempt."
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Post by Darth Wong »

RIPP_n_WIPE wrote::?:
So instead of just training people on how to use the system, they dumb it down and leave massive security gaps?
You obviously have no experience with management. Anyone who did have experience dealing with corporate upper management would know that this kind of thing is completely predictable.

When you ask a manager to set aside time and funds for a project which will not generate profit, you've got a hard sell in front of you. If he is pre-inclined to like the idea, you're OK. But if he is not inclined to like it, or if he just doesn't like you, or if he has a chip on his shoulder about techies, or if his wife won't suck his dick and he's frustrated as hell, then nothing you say can convince him. If you dumb it down, he can tell you're not being truthful or he might think you're being condescending, and get angry. If you give him the hard facts, many of which will fly over his head, he will think you are trying to snowjob him with jargon.

The easiest thing to do is tell a manager that he's already on the right track, which is why most employees do precisely that. The hardest thing to do is convince a manager that he needs to change his mind about something.
"It's not evil for God to do it. Or for someone to do it at God's command."- Jonathan Boyd on baby-killing

"you guys are fascinated with the use of those "rules of logic" to the extent that you don't really want to discussus anything."- GC

"I do not believe Russian Roulette is a stupid act" - Embracer of Darkness

"Viagra commercials appear to save lives" - tharkûn on US health care.

http://www.stardestroyer.net/Mike/RantMode/Blurbs.html
RIPP_n_WIPE
Jedi Knight
Posts: 711
Joined: 2007-01-26 09:04am
Location: with coco

Post by RIPP_n_WIPE »

*blink*

But it makes the network less secure.

Honestly, what the fuck is it with management and not thinking long term? Dur hur weez gettin' profats!!! Dur hur!! Meanwhile some comp sci student gets pissed off because he can't get porn and shuts down your power.

Please don't tell me that that's how most managers think. It makes me want to start a company just for the sake of them being competent.

I am the hammer, I am the right hand of my Lord. The instrument of His will and the gauntlet about His fist. The tip of His spear, the edge of His sword. I am His wrath just as he is my shield. I am the bane of His foes and the woe of the treacherous. I am the end.


-Ravus Ordo Militis

"Fear and ignorance claim the unwary and the incomplete. The wise man may flinch away from their embrace if he girds his soul with the armour of contempt."
Kanastrous
Sith Acolyte
Posts: 6464
Joined: 2007-09-14 11:46pm
Location: SoCal

Post by Kanastrous »

Darth Wong wrote:if he is not inclined to like it, or if he just doesn't like you, or if he has a chip on his shoulder about techies, or if his wife won't suck his dick and he's frustrated as hell,
I'm pretty sure it was Robert Anton Wilson who proposed that a great deal of conflict and bloodshed and destruction over the course of history could have been preempted by a few dozen strategically administered blow jobs...
I find myself endlessly fascinated by your career - Stark, in a fit of Nerd-Validation, November 3, 2011
Sarevok
The Fearless One
Posts: 10681
Joined: 2002-12-24 07:29am
Location: The Covenants last and final line of defense

Post by Sarevok »

It would be funny if the country turned out to be Bangladesh. After the recent hurricane Sidr the entire grid failed for 24 hours. One hurricane hit away took out everyplace in the country. Official PDB explanation blamed the weather. But the same thing happened on clear sunny days next few months....

Conspiracy nuts think it's someone's attempt to discredit the government. The power sector is second only to real estate in corruption. Now that a military government is in power like Pakistan the political parties are similarly pissed. Some say they tried this electric failure and other acts of sabotage to create unrest. The government itself is very vague on what caused total countrywide failures, blaming incompetent design by previous administration.
I have to tell you something everything I wrote above is a lie.
Terralthra
Requiescat in Pace
Posts: 4741
Joined: 2007-10-05 09:55pm
Location: San Francisco, California, United States

Post by Terralthra »

RIPP_n_WIPE wrote:*blink*

But it makes the network less secure.

Honestly, what the fuck is it with management and not thinking long term? Dur hur weez gettin' profats!!! Dur hur!! Meanwhile some comp sci student gets pissed off because he can't get porn and shuts down your power.

Please don't tell me that that's how most managers think. It makes me want to start a company just for the sake of them being competent.
Yes, that's exactly how most managers think. Everyone who's even moderately technically inclined could tell you at least one story where a manager ignored the technical implications of a decision because s/he just didn't give a shit, or was in a bad mood, etc.
Admiral Valdemar
Outside Context Problem
Posts: 31572
Joined: 2002-07-04 07:17pm
Location: UK

Post by Admiral Valdemar »

That's great. So a firesale on the US as "exposed" by John McClane is a real threat. If the US can't get this right, then I imagine elsewhere is screwed just as much.

If ever you needed another reason to have your own, decentralised power source...
Praxis
Sith Acolyte
Posts: 6012
Joined: 2002-12-22 04:02pm

Post by Praxis »

I'm curious how the hackers expected to get the money. It's not like the government is able to track bank deposits and withdrawals, and if you try to meet in person to collect cash, not only is it a lot of cash to carry, but you're probably just going to get arrested.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Admiral Valdemar wrote:That's great. So a firesale on the US as "exposed" by John McClane is a real threat. If the US can't get this right, then I imagine elsewhere is screwed just as much.
As it happens, the North American Electric Reliability Council published eight standards for cybersecurity, and the Federal Energy Regulatory Commission just made them mandatory.

(As a minor note, in many US fields and industries, there are non-government organizations such as NERC, AASHTO and NFPA that tend to define standards, which are then given force of law by the government, in case anyone was wondering why FERC just didn't do it themselves)
Thag
Jedi Knight
Posts: 794
Joined: 2004-02-12 06:44pm
Location: Cannot be revealed without endangering our assets.

Post by Thag »

I managed to find the article I was remembering. It's from back in 2003, so you may want to salt slightly: Link
"And the sign said, 'Anybody caught tresspassing, will be shot on sight.' So I jumped over the fence and yelled at the house, 'Hey! What -'" BAM*BAM*BAM*BAM*BAM