Senate Passes Cybersecurity Bill To Decrease Grid Digitization, Move Toward Manual Control (utilitydive.com)
On June 27, the U.S. Senate passed a bipartisan cybersecurity bill that will study ways to replace automated systems with low-tech redundancies to protect the country's electric grid from hackers. Called The Securing Energy Infrastructure Act (SEIA), the bill establishes a two-year pilot program identifying new security vulnerabilities and researching and testing solutions, including "analog and nondigital control systems." The U.S. Department of Energy would be required to report back to Congress on its findings. Utility Dive reports: The increase in distributed energy resources can serve load more efficiently, but also offers potential attackers more potential entry points. "Our connectivity is a strength that, if left unprotected, can be exploited as a weakness," Sen. Angus King, I-Maine, who sponsored the bill with Sen. Jim Risch, R-Idaho, said in a statement. Sens. Susan Collins, R-Maine, Martin Heinrich, D-N.M., and Mike Crapo, R-Idaho cosponsored the bill. The House measure is being introduced by Reps. Dutch Ruppersberger, D-Md., and John Carter, R-Texas.
Names (Score:1)
[...] [...] Mike Crapo, R-Idaho cosponsored the bill.
Y'know, I think some places just vote for people because their names make them giggle.
"Vote for Crapo! He'll get shit done!"
Maybe it explains John Hickenlooper [hickenlooper.com]. Heck, I'd be giggling whenever his name got mentioned...
Re: (Score:3)
"Then there's Mayor Butt, the presidential candidate with no visible qualifications for office other than being gay."
At least we'd be sure he never grabbed people 'by the pussy'.
Governors tend to win POTUS elections (Score:2)
Mayor Butt, the presidential candidate with no visible qualifications for office
Experience as the elected chief executive of a political entity (such as a mayor or governor) is certainly a relevant qualification. Executive experience is why governors have tended to beat even U.S. senators in general elections to a first term as President of the United States. I concede, however, that I don't know enough of the first 40 Presidents' backgrounds to know which mayors have run in order to estimate to what extent a governor's advantage extends to a mayor.
Re:Alternate reality? (Score:5, Funny)
We're also going to replace the automated internet routers with manual controls in order to stop hackers. There is a side effect of increasing employment as well. Stop lights will also be replaced by volunteer traffic directors, and calls from smartphones will be directed to call operators ("give me Klondike-656, on the double!").
In short, we've made great improvements in transmission and distribution grids, and all this efficiency is just too good for us modern slugs so we're going back to the 70s when life was perfect, disco was just taking off, and Nixon hadn't yet gone to China.
Re: (Score:1)
I'll stick with pre-industrial 17th century technology as God intended.
Re: (Score:2)
"give me Klondike-656, on the double!"
Young whippersnappers. “Klondike” would’ve been the name of the particular central exchange, and would’ve only replaced the first two digits of the number. So it would’ve been more like “give me Klondike 6-5512!”
I was a little kid as all that was going away, but I still remember television ads where the company would list their number in that form e.g. KL6-5512.
“KL6-5512! That’s KL6-5512! Call now and receive a complimentary toaster!”
Re: (Score:2)
My mother remembers when growing up that two long rings meant that the call was for them.
Re: Alternate reality? (Score:5, Interesting)
There's a well known company here in New York that employs a small brigade of button pushers.
The button pushers manually control certain critical financial infrastructure. They work on air-gapped terminals in a control bunker in Manhattan (and a couple other sites). Their terminals are connected to the critical infrastructure (in the 'burbs and elsewhere) by private buried network cables (not a TCP/IP network fwiw). These secure systems can only be accessed over the private lines (or presumably from within the datacenter bunkers where they are located).
Does this provide perfect security? Of course not! Is this measure a prudent example of defense in depth? Yup. Does it make hacking the financial infrastructure really much more difficult? Yup, sure does.
Now there's a very legitimate question to be asked, whether the infrastructure of the global financial markets is a benefit to mankind, or merely an instrument of mass oppression. Do the markets serve us, or do we serve them? This important sociopolitical question is however orthogonal to the technical question of the effectiveness of security measures.
Re: (Score:2)
And because this is a financial system there's a lot of money to pay for these people, and financial incentive to provide peace of mind to customers. A power company however doesn't have the incentive or money to have some guys sitting at each substation just standing by on a radio waiting to call team members when they see some spurious activity. "Hey Joe, we've just got a big spike in demand and things are shutting down so you should cut us off before it cascades down to ... oh you got a blackout while
Re: Yup sure does (Score:2)
Now you've got James Bond stealing maps from HQ, digging holes with a backhoe in suburban New Jersey, then compromising encrypted communication over an obscure network protocol - all without anyone noticing.
That's an awful lot more resources and risk for the attacker, compared with having a couple dudes sitting in a comfortable office in $foreign_city crack your systems remotely.
Re: (Score:1)
Oh Christ! Will you people PLEASE start asking the important questions before rushing to judgement here?
For instance "Who stands to make a Metric Fuck-Ton of money on this"?
That question will point you towards the utilities, specifically the Very Large Utility (VLU) companies and the proliferation of Tiny Utility (TU) companies sprouting up all over.
You see, the VLU will be given all sorts of government funding to upgrade their infrastructure, probably far in excess of what they actually need to do the job. The
Re: (Score:2)
But a network may be necessary to prevent cascading blackouts or brownouts. Not a lot of good analog networks being used in control systems.
Re: (Score:1)
But a network may be necessary to prevent cascading blackouts or brownouts. Not a lot of good analog networks being used in control systems.
Basically yah. By shifting some things back to analog controls you lose the bad and the good, just as you alluded. Secure networks exist. They ain't that hard, provided you do it right. Basically you probably need a collection of secure networks, likely with the secure networks using professional encryption equipment when it transitions to the internet, and in some cases using dedicated data lines. The interconnect points need very well defined and locked down interfaces so they can communicate so as to
analog dialup or point to point links? (Score:2)
analog dialup or point to point links?
Re: (Score:2)
Sure, but a rolling blackout works too.
Re:Stupid Headline (again) (Score:5, Interesting)
Stupid. What's important is not that it isn't digital, but that it is totally isolated from the net. Why anyone thought it was a good idea to connect it to the net in the first place is totally beyond me.
OTOH, I understand that not having remote controls will be annoying. You need to come into the plant to manage the power. But really, that's the only sensible way to do it. The work-arounds all have security holes. (And remotely accessible analog isn't secure either.)
Re: (Score:3)
Stupid. What's important is not that it isn't digital, but that it is totally isolated from the net.
Re: (Score:3)
The problem with isolated networks is that just because they are intended to be isolated doesn't mean that design intention won't be violated. Computers that can be tied into a network and also accessed remotely are really tiny and cheap these days.
Such a thing could be installed for malicious purposes at any time and just sit there watching until the installer is thousands of miles away and in another country.
Or it could be installed by someone who is willing to "bend the rules a little" if it makes his jo
Comment removed (Score:5, Interesting)
Re: (Score:3)
the easiest way to do it would be to park a few subs off shore in key places and launch low altitude cruise missiles against key points on the power network. If done properly, it would take months for anyone to figure out what happened and gather any kind of proof
You might remember there was this thing called the Cold War? No one's getting a sub anywhere near the US coast without being detected and intercepted. Nor is anyone going to launch a cruise missile near the coast without that being quite obvious. Heck, when we've dropped cruise missiles on power stations in the third world, it's been live on CNN.
Re: (Score:2)
A guy with 20Lbs of C4 in a backpack can walk right up to one of these towers in the wilderness.
That's a much better example. But it only takes down one line, which would be repaired soon enough. We totally suck at building infrastructure in this century, but it's not quite so bad that one line takes a whole grid down.
A couple dozen guys with ATVs can cause months long outages without ever being seen by another living soul.
Great movie plot! [wikia.org]
We're much more likely to have a mass outage due to unusual solar activity than a coordinated attack by dozens of terrorists over a large area that somehow doesn't get infiltrated.
Not that that should stop us from building grid redundancy back to where it was 50 years
Re: (Score:2)
Thx for the "movie plot" link. Interesting. I followed a link there to "Terrorists Don't Do Movie Plots" on Schneier's blog and will spend a bit of time reading what looks to be sane security considerations.
My movie plot is where teh ebil turrists travel throughout the large, dry vegetation areas of the US in summer in nondescript cars with stolen/fake license plates, flickin' cigarettes out the window as they go.
It would take a bit more sophistication to actually work, but no more than arranging to hijack
Re: (Score:2)
Stupid. What's important is not that it isn't digital, but that it is totally isolated from the net.
False. Isolated from the net is not security. Worse, it provides a false sense of security thanks to people saying "what's important" meaning that there's a general culture of air-gap and be done with it. This leads to many weaknesses throughout an organisation.
What is important is defense in depth with training and thought put in at every level.
Re: (Score:2)
Stupid. What's important is not that it isn't digital, but that it is totally isolated from the net.
Tell that to Iran.
Why anyone thought it was a good idea to connect it to the net in the first place is totally beyond me.
OTOH, I understand that not having remote controls will be annoying. You need to come into the plant to manage the power. But really, that's the only sensible way to do it. The work-arounds all have security holes. (And remotely accessible analog isn't secure either.)
Power generation facilities on the same grid have always been networked in one way or another and supporting non-dispatchable sources like wind and solar absolutely requires it.
Re: (Score:2)
If you mean "smart meters" are a bad idea, I agree. But they shouldn't have any connection with management of the power generators. That should be done locally by demand sensing.
So. There should be no control path from the meters to the generators, so your argument fails...with good design.
Re: (Score:2)
All in all, this is a good thing. If we did move to an analog failover for things like floodgates, it would mean more jobs, and more security since an attacker would have to compromise one of the employees, and with a "two key" system (which worked for Russia in the Soviet era to keep malfeasance low), an attacker would have a lot more to compromise than just getting control of a SCADA system.
There are just some things which should not be online, or even in an air-gapped network. Having manual control, a
Brilliant, the report will be a grid hacker guide. (Score:2, Insightful)
So we are going to spend two years hacking our own grid and writing reports on vulnerabilities.
This report will undoubtedly be kept on same poorly protected computer or worse, given to congress, we all know how well they hang on to top secret information.
It's all a bad Dilbert cartoon.
Get a generator and solar panels now before they start the research.
Re: (Score:1)
No offense, but you're kind of a huge moron. Yes it's a GOOD THING to penetration edge test their systems and make a report of what they find. This is SOP to good practices, and long overdue as most people seem to grasp.
The report itself won't contain anything the actual attackers don't already know, and since it's a general report for Congress it will no doubt be a summary of the actual data. Congress actually hasn't leaked "all that" much TSC info.
You know nothing about this and needed to crow ya lil'
Re: Brilliant, the report will be a grid hacker gu (Score:2)
It is naive to suppose pen testing of critical infrastructure control systems is something new. Not everyone who works for Uncle Sam is a fool.
Source: I've met a few of these folks, socially.
Re: (Score:2)
"we all know how well they hang on to top secret information" No we don't know that. Congress has committees that meet for top secret briefings all the time. I fail to see any plethora of leaks coming from them. On the other hand, no one is stupid enough to let the la Presidente in on anything top secret after the last time he blabbed.
Re: (Score:2)
https://www.centerforsecurityp... [centerfors...policy.org]
Some would say that it is "Dangerous to share intelligence with congress."
And I won't even wade into the list of NSA zero-day exploits now running wild and destroying computers all over the world
https://en.wikipedia.org/wiki/... [wikipedia.org]
I am assuming that our grid is similar to other grids.
I am also assuming that the NSA has or will develop grid hacking tools based on the report.
I am also assuming that this report and the tools will be stolen and released.
I am also assuming that ther
Re: (Score:2)
I've got a Westinghouse CO-9 relay [ebayimg.com] that I could afford to part with for the right price.
This is a great idea... (Score:2)
... until hackers unleash an analog virus on our power grid.
Then the next thing we know, *all* of the giant potentiometers across the system will simultaneously get set to "11".
Re: (Score:2)
You don't really understand analog systems, do you?
Re: (Score:2)
All I know is that with analog systems, you open a whole new frequency domain to hackers. All of your poles and zeros are exposed.
Re: (Score:2)
I wish I had mod points!
They're going full Russian (Score:2)
Moscow is to typewriters as Washington is to a manual transfer switch.
On a positive note, they're now learning that putting everything online for convenience might not be the best idea.
Finally (Score:5, Insightful)
This is what airgaps are for in critical infrastructure. Fuck "online security," as nobody even has the first three layers of the OSI model perfected, so you know they're going to fuck up on the additional piled-on OSI layers we've had to implement.
Manual goddamned control with actual personal accountability all the way up the chain.
Re: (Score:2)
There is no (practical) way to go back to analog protection and control relays. Air gap is possible, but there will be a network because the protective functions dictate interconnections. I doubt a new mechanical 51/50 has been installed in decades by a utility.
Re:Finally (Score:5, Insightful)
This is what airgaps are for in critical infrastructure
Try telling that to the Iranians. They are well aware an airgap isn't sufficient.
Re: (Score:1)
This is what airgaps are for in critical infrastructure
Try telling that to the Iranians. They are well aware an airgap isn't sufficient.
Of course, but airgaps shut out the low-budget hackers. They may be brilliant, they may be able to find all sorts of unexpected vulnerabilities - in order to hack into somewhere on the other side of the globe.
Getting across airgaps is easy enough - but you have to be there or bring stuff there. The CIA has no problem sending operatives into Iran; script kiddies and somewhat smarter basement hackers don't have the funds for the trip. (Also, they are easily stopped by language barriers, fences and even the du
Re: (Score:2)
Getting across airgaps is easy enough - but you have to be there or bring stuff there.
Didn't happen. You should read about Stuxnet.
Re: (Score:2)
Manual control isn't adequate for modern power systems. Especially as the proportion of renewable energy goes up.
Manual control is a red herring. All that will happen is you have some bored guy with a control panel being told which button to press by the computer.
Re: Finally (Score:2)
"some bored guy with a control panel being told which button to press by the computer"
No. The bored guy - it is doubtless a very boring job - will have a (printed dead tree) runbook telling him what buttons to press in response to certain signals. He will be expected to have memorized the important parts of said runbook.
Re: (Score:2)
Ah, so you want to duplicate the networks, airgapped from the public networks, so they'll be Special Networks. No one would ever compromise those. Have you told anyone else about this?
Re: (Score:2)
Compromised Special Networks were never carefully examined and actually secured. Come get into mine. You couldn't even if you broke in while I was at work and you took every computer from my home network with you.
Re: (Score:2)
This is what airgaps are for in critical infrastructure.
Being unable to automate and respond to fast changing events? Yeah I hear you.
Re: (Score:2)
>not having automatic analog safety systems like breakers, fuses, and such installed to respond to fast-changing events.
I hope you're actually thinking about a properly-designed power system and not some ramshackle one you put in someone's house.
Re: (Score:2)
If the airgap is insufficient, you failed to properly physically secure the airgapped system. It's that simple, as your links demonstrate.
A properly-implemented airgap is highly sufficient for pretty much anything excepting dedicated state-level infiltration via a physical actor, and even then should be robust enough to make it nigh-impossible for said state-level actor to do anything without spending a lot of time and/or effort.
Re: Declining Society (Score:5, Insightful)
"Sometimes, sending Joe 40 miles down the road won't cut it."
That's why Joe needs to sit in his control room, as part of a 24/7/365 shift rotation.
Like many security-related jobs, it is boring 99% of the time. And may seem useless 99.99% of the time. But the immense payoff in that rare 0.01% instance makes it all worth while.
Re: (Score:2)
Like many security-related jobs, it is boring 99% of the time.
Joe could always spend his time surfing the web for porn.
Re: Declining Society (Score:5, Interesting)
Joe and his colleague in the control room - they never work alone - will only do things specified in the runbook. This is a basic sanity check.
They have a procedure to follow when they receive questionable orders. Social pen testers periodically test them, and they are rewarded for following procedure. Better to shut down the system out of caution than allow the infrastructure to be damaged.
It's a boring but important job, so it pays well for the skill level required.
Joe's boss will only ever call him on the private (not connected to a public exchange) telephone line. Running a phone cable is trivial for a company running large infrastructure.
Joe's boss can only order Joe to do certain things by phone. Things in the runbook, that engineers have spent serious effort thinking about.
If Joe's boss wants to order something weird or potentially dangerous, he can come give the order in person. Or send his subordinates, with appropriate physical credentials and checking procedure, to order it in person.
Is this perfect security? Of course not. There is no "secure", only "more secure". But this sort of arrangement is a huge improvement over "just connect it all to the public internet!!!"
This stuff is conceptually simple. It is however laborious and expensive to implement. It requires devotion to minimax (https://en.wikipedia.org/wiki/Minimax) principles that may often be at odds with market incentives.
Re: Declining Society (Score:2)
That's why computers in the control room are air gapped, and the runbook is printed on dead trees.
Stone tablets can't be hacked into (Score:1)
Yabba Dabba Doo!
Re: (Score:1)
Those are vandals, not hackers.
Grid digitization? (Score:2)
Usually, countries stop nailing power lines to wooden posts _first_ before doing that.
Otherwise, you can burn down half of California without any help from hackers.
Or you get 'hacked' by termites and squirrels, thousands of times per year.
Ditto for ice rain and heavy snow or a little bit of tornado.
But now replacing computers with a switch from 1925 ain't 'making America great', no?
Re: (Score:2)
Oh, my sweet, summer child. Just come and try burying all the power lines in California. The fact is that PGE has been paid more than enough to do the maintenance they are contractually obligated to perform, but gives that money out to executives in the form of bonuses. PGE is a conspiracy to commit mass murder and destruction of property for profit.
Airgapped Network? (Score:2)
Re: (Score:2)
Would it be good enough to put all the electric utilities on a dedicated network which is airgapped from all other networks? It would be expensive to run, but the utilities could still have some inter-facility automated response systems. E.g., Plant X goes off-line, so Plants Y and Z start ramping up. Even if you didn't use it for automated response, a dedicated network may still be useful as a voice comms network, especially with CallerID spoofing these days. Thus, an operator at Plant X can call Plant Y to tell them about the shutdown, and operators at Plant Y will have confidence that it is Plant X that is actually calling.
They used to do that with dedicated lines from the phone company or communication lines built into the power transmission lines. VPN connections could be just as secure now.
I suspect the real problem is a lack of enforced separation between the network used for the control systems and the public network on hardware which has access to both and can act as a bridge. It would not surprise me if some software and hardware they now use *requires* access to the public network for purposes of DRM defeating every
Battlestar Galactica Defence System, anyone? (Score:2)
Another case of SciFi being ahead of the curve on things.
After all, if it's not a digitally controlled system, remote hacking becomes much more difficult. You have to have someone in the room with the system to truly take control.
Needless to say, it takes the control over the grid out of digital overlords' hands, and puts it squarely into the realm of job security, I mean Security Jobs.
Back to spies and moles again.
Alas, "everything old is new again" keeps playing on loop.
Wrong solution (Score:1)
Can we please require any political figure proposing a law to have it vetted by experts in the field for viability? The controls and automated systems are fine. The private networks are fine. It's the dumbass who puts two NICs in their computer and bridges the systems that is the problem.
The solution to a problem involving human error isn't to remove the technology and introduce even MORE human error.
Simple Devices (Score:2)
There is an old saying that "simple devices fail simply". That is not to say that complex devices are bad. It's just that simplicity has its place, alongside complexity. The trick is to use the complex devices to attain highly-efficient operations and also use simple devices to place bounds on the control we cede to complexity. Then, when the complex devices run amok or are compromised, simple devices (e.g. fuses and limit switches) shut things down before damage occurs.
Re: (Score:1)
"Another fucking asshole with a fake account who could not be bothered to read the goddamn article."
You must be new here, welcome!
Re: Why, oh why? (Score:3)
"There is the possibility to infect the systems with a flash drive or something, but still."
That's why the USB ports on the control terminals are removed or physically destroyed.
Re: (Score:2)
That's why the control terminals are big old chunks of sheet metal with buttons and things wired into them. The nearest thing that could potentially sport a USB port is locked safely away from idiots.
Re: Why, oh why? (Score:2)
+1 Retro-future
Re: (Score:2)
"There is the possibility to infect the systems with a flash drive or something, but still."
That's why the USB ports on the control terminals are removed or physically destroyed.
I just had an epiphany, Apple hardware everywhere! They do not have any usable physical ports.