Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government United States Security

Senate Passes Cybersecurity Bill To Decrease Grid Digitization, Move Toward Manual Control (utilitydive.com) 140

On June 27, the U.S. Senate passed a bipartisan cybersecurity bill that will study ways to replace automated systems with low-tech redundancies to protect the country's electric grid from hackers. Called The Securing Energy Infrastructure Act (SEIA), the bill establishes a two-year pilot program identifying new security vulnerabilities and researching and testing solutions, including "analog and nondigital control systems." The U.S Department of Energy would be required to report back to Congress on its findings. Utility Drive reports: The increase in distributed energy resources can serve load more efficiently, but also offers potential attackers more potential entry points. "Our connectivity is a strength that, if left unprotected, can be exploited as a weakness," Sen. Angus King, I-Maine, who sponsored the bill with Sen. Jim Risch, R-Idaho, said in a statement. Sens. Susan Collins, R-Maine, Martin Heinrich, D-N.M., and Mike Crapo, R-Idaho cosponsored the bill. The House measure is being introduced by Reps. Dutch Ruppersberger, D-Md., and John Carter, R-Texas.
This discussion has been archived. No new comments can be posted.

Senate Passes Cybersecurity Bill To Decrease Grid Digitization, Move Toward Manual Control

Comments Filter:
  • [...] [...] Mike Crapo, R-Idaho cosponsored the bill.

    Y'know, I think some places just vote for people because their names make them giggle.

    "Vote for Crapo! He'll get shit done!"

    Maybe it explains John Hickenlooper [hickenlooper.com]. Heck, I'd be giggling whenever his name got mentioned...

  • So we are going to spend two years hacking our own grid and writing reports on vulnerabilities.
    This report will undoubtedly be kept on same poorly protected computer or worse, given to congress, we all know how well they hang on to top secret information.
    It's all a bad Dilbert cartoon.

    Get a generator and solar panels now before they start the research.

    • by Anonymous Coward

      No offense, but you're kind of a huge moron. Yes it's a GOOD THING to penetration edge test their systems and make a report of what they find. This is SOP to good practices, and long overdue as most people seem to grasp.

      The report itself won't contain anything the actual attackers don't already know, and since it's a general report for Congress it will no doubt be a summary of the actual data. Congress actually hasn't leaked "all that" much TSC info.

      You know nothing about this and needed to crow ya lil'

    • It is naive to suppose pen testing of critical infrastructure control systems is something new. Not everyone who works for Uncle Sam is a fool.

      Source: I've met a few of these folks, socially.

    • by gtall ( 79522 )

      " we all know how well they hang on to top secret information" No we don't know that. Congress has committees that meet for top secret briefings all the time. I fail to see any plethora of leaks coming from them. On the other hand, no one is stupid enough to let the la Presidente in on anything top secret after the last time he blabbed.

      • https://www.centerforsecurityp... [centerfors...policy.org]
        Some would say that it is "Dangerous to share intelligence with congress."

        And I won't even wade into the list of NSA zero-day exploits now running wild and destroying computers all over the world
        https://en.wikipedia.org/wiki/... [wikipedia.org]

        I am assuming that our grid is similar to other grids.
        I am also assuming that the NSA has or will develop grid hacking tools based on the report.
        I am also assuming that this report and the tools will be stolen and released.
        I am also assuming that ther

  • ... until hackers unleash an analog virus on our power grid.

    Then the next thing we know, *all* of the giant potentiometers across the system will simultaneously get set to "11".

  • Moscow is to typewriters as Washington is to a manual transfer switch.

    On a positive note, they're now learning that putting everything online for convenience might not be the best idea.

  • Finally (Score:5, Insightful)

    by Khyber ( 864651 ) <techkitsune@gmail.com> on Monday July 01, 2019 @10:39PM (#58859124) Homepage Journal

    This is what airgaps are for in critical infrastructure. Fuck "online security," as nobody even has the first three layers of the OSI model perfected, so you know they're going to fuck up on the additional piled-on OSI layers we've had to implement.

    Manual goddamned control with actual personal accountability all the way up the chain.

    • There is no (practical) way to go back to analog protection and control relays. Air gap is possible, but there will be a network because the protective functions dictate interconnections. I doubt a new mechanical 51/50 has been installed in decades by a utility.

    • Re:Finally (Score:5, Insightful)

      by serviscope_minor ( 664417 ) on Tuesday July 02, 2019 @02:25AM (#58859622) Journal

      This is what airgaps are for in critical infrastructure

      Try telling that to the Iranians. They are well aware an airgap isn't sufficient.

      • by Anonymous Coward

        This is what airgaps are for in critical infrastructure

        Try telling that to the Iranians. They are well aware an airgap isn't sufficient.

        Of course, but airgaps shut out the low-budget hackers. They may be brilliant, they may be able to find all sorts of unexpected vulnerabilities - in order to hack into somewhere on the other side of the globe.

        Getting across airgaps is easy enough - but you have to be there or bring stuff there. The CIA has no problem sending operatives into Iran; script kiddies and somewhat smarter basement hackers don't have the funds for the trip. (Also, they are easily stopped by language barriers, fences and even the du

        • Getting across airgaps is easy enough - but you have to be there or bring stuff there.

          Didn't happen. You should read about Stuxnet.

    • by AmiMoJo ( 196126 )

      Manual control isn't adequate for modern power systems. Especially as the proportion of renewable energy goes up.

      Manual control is a red herring. All that will happen is you have some bored guy with a control panel being told which button to press by the computer.

      • "some bored guy with a control panel being told which button to press by the computer"

        No. The bored guy - it is doubtless a very boring job - will have a (printed dead tree) runbook telling him what buttons to press in response to certain signals. He will be expected to have memorized the important parts of said runbook.

    • by gtall ( 79522 )

      Ah, so you want to duplicate the networks, airgapped from the public networks, so they'll be Special Networks. No one would ever compromised those. Have you told anyone else about this?

      • by Khyber ( 864651 )

        Compromised Special Networks were never carefully examined and actually secured. Come get into mine. You couldn't even if you broke in while I was at work and you took every computer from my home network with you.

    • This is what airgaps are for in critical infrastructure.

      Being unable to automate and respond to fast changing events? Yeah I hear you.

      • by Khyber ( 864651 )

        >not having automatic analog safety systems like breakers, fuses, and such installed to respond to fast-changing events.

        I hope you're actually thinking about a properly-designed power system and not some ramshackle one you put in someone's house.

  • by tquasar ( 1405457 ) on Monday July 01, 2019 @11:40PM (#58859328)
    I live near San Diego so there is no power coming from the west (Pacific Ocean) and a bit from the south(Baja Mexico). There are two main transmission lines coming from the north and east, over many miles of desolate and mostly uninhabited land. A few towers could be destroyed with explosives and the southern California area would be without electric power for a long time. Companies with generators would have power 'till their fuel was used up. Add a big earthquake and let the chaos begin.
  • Usually, countries stop nailing power lines to wooden posts _first_ before doing that.

    Otherwise, you can burn down half of California without any help from hackers.

    Or you get 'hacked' by termites and squirrels, thousands of times per year.

    Ditto for ice rain and heavy snow or a little bit of tornado.

    But now replacing computers with a switch from 1925 ain't 'making America great', no?

    • Oh, my sweet, summer child. Just come and try burying all the power lines in California. The fact is that PGE has been paid more than enough to do the maintenance they are contractually obligated to perform, but gives that money out to executives in the form of bonuses. PGE is a conspiracy to commit mass murder and destruction of property for profit.

  • Would it be good enough to put all the electric utilities on a dedicated network which is airgapped from all other networks? It would be expensive to run, but the utilities could still have some inter-facility automated response systems. E.g., Plant X goes off-line, so Plants Y and Z start ramping up. Even if you didn't use it for automated response, a dedicated network may still be useful as a voice comms network, especially with CallerID spoofing these days. Thus, an operator at Plant X can call Plant Y t
    • by Agripa ( 139780 )

      Would it be good enough to put all the electric utilities on a dedicated network which is airgapped from all other networks? It would be expensive to run, but the utilities could still have some inter-facility automated response systems. E.g., Plant X goes off-line, so Plants Y and Z start ramping up. Even if you didn't use it for automated response, a dedicated network may still be useful as a voice comms network, especially with CallerID spoofing these days. Thus, an operator at Plant X can call Plant Y to tell them about the shutdown, and operators at Plant Y will have confidence that it is Plant X that is actually calling.

      They used to do that with dedicated lines from the phone company or communication lines built into the power transmission lines. VPN connections could be just as secure now.

      I suspect the real problem is a lack of enforced separation between the network used for the control systems and the public network on hardware which has access to both and can act as a bridge. It would not surprise me if some software and hardware they now use *requires* access to the public network for purposes of DRM defeating every

  • Another case of SciFi being ahead of the curve on things.
    After all, if it's not a digitally controlled system, remote hacking becomes much more difficult. You have to have someone in the room with the system to truly take control.
    Needless to say, it takes the control over the grid out of digital overlords' hands, and puts it squarely into the realm of job security, I mean Security Jobs.

    Back to spies and moles again.

    Alas, "everything old is new again" keeps playing on loop.

  • Can we please require any political figure proposing a law to have it vetted by experts in the field for viability? The controls and automated systems are fine. The private networks are fine. It's the dumbass who puts two NICs in their computer and bridges the systems that is the problem.

    The solution to a problem involving human error isn't to remove the technology and introduce even MORE human error.

  • Comment removed based on user account deletion
  • There is an old saying that "simple devices fail simply". That is not to say that complex devices are bad. It's just that simplicity has its place, alongside complexity. The trick is to use the complex devices to attain highly-efficient operations and also use simple devices to place bounds on the control we cede to complexity. Then, when the complex devices run amok or are compromised, simple devices (e.g.fuses and limit switches) shut things down before damage occurs.

Avoid strange women and temporary variables.

Working...