US Unveils Plan To Protect Power Grid From Foreign Hackers

The White House unveiled on Tuesday a 100-day plan intended to protect the U.S. power grid from cyber-attacks, mainly by creating a stronger relationship between U.S. national security agencies and the mostly private utilities that run the electrical system. From a report: The plan is among the first big steps toward fulfilling the Biden administration's promise to urgently improve the country's cyber defenses. The nation's power system is both highly vulnerable to hacking and a target for nation-state adversaries looking to counter the U.S. advantage in conventional military and economic power. "The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses," Secretary of Energy Jennifer Granholm said. Although the plan is billed as a 100-day sprint -- which includes a series of consultations between utilities and the government -- it will likely take years to fully implement, experts say. It will ask utilities to pay for and install technology to better detect hacks of the specialized computers that run the country's power systems, known as industrial control systems. The Edison Electric Institute, the trade group that represents all U.S. investor-owned electric companies, praised the White House plan and the Biden administration's focus on cybersecurity. "Given the sophisticated and constantly changing threats posed by adversaries, America's electric companies remain focused on securing the industrial control systems that operate the North American energy grid," said EEI president Tom Kuhn.

Outsourcing!

[lessSockMorePuppet]

Outsource it to the cheapest cloud provider, multiplied by the ratio of their bribes to the whole of the bribes paid to legislators.

Re:Outsourcing!

[cayenne8]

Why not do it the simple, effective way?

Disconnect the damned grid from the internet!!!

WTF is/was it ever connected in the first place?

Re: Outsourcing!

[bumblebees]

Ofcource it is. Stipid people connect everything to the internet. Aperantly even uranium enritchment facilities...

Re:

[gtall]

Because you are ignorant of how the grid works.

Re:

[arglebargle_xiv]

Yup, and that's why this initiative is at best a band-aid, at worst an empty gesture. It's trying to fix half a century of patched-together grid automation where even the people running it don't know what half the stuff does (this is hiding about three pages of detail). It needs to be sorted, but I doubt this will do any more than deal with a bit of low-hanging fruit. You don't fix it with a 100-day sprint, you fix it with a long-term commitment to addressing the problem. We're talking years if not deca

Re:Outsourcing!

[cusco]

A long term commitment is unfortunately not in the cards. With executives swapping offices and industries every few years in their game of Billionaire Musical Chairs it's seen as far more important to simply not be the one sitting in the hot seat when issues arise. Why would they approve spending X-thousands of dollars to fix a problem when they'll most likely be looting an entirely different industry when it's finally exploited? We're no better prepared for a Carrington Event today than we were in 1990 because the executives all know that the next one will almost certainly occur on someone else's watch.

Just look at the Texas electrical grid's performance this winter, the last similar weather conditions were in 2011 and everyone assumed they would use that lesson to protect their companies from the next storm. Everyone not in the executive suites at least thought that, but those in charge knew they would not be at the company the next time. Why would they spend money that would reduce the value of their stock options when the beneficiaries would be some other exec? (And rate payers of course, but who cares about them?)

I'm not optimistic about this producing anything more than some nice press releases.

Re:

[arglebargle_xiv]

I'm not optimistic about this producing anything more than some nice press releases.

Sadly, that's my feeling as well. The one thing it may achieve is that a few people/business units that have been asking for more resources to deal with the issue will finally get some allocated to them, which is better than nothing but not by much.

Connected to internet not a solution

[aberglas]

by itself.

The Iranian centrifuges were not connectedm but Stuxnet still got 'em.

But I suspect that the current systems are so insecure that a 100 day push might address the biggest holes. Make the Chinese and Russian hackers work harder for their chaos.

Re:

[arglebargle_xiv]

Iran is a prime example of Mossad doing Mossad things to you [usenix.org], except that in this case it literally was Mossad. However, if you're that level of target then nothing you do will stop the attack, and in particular China and Russia won't be stopped at all. What it will, or at least may, stop is opportunistic script-kiddies.

Having said that, with something this insecure there's an argument that we need attacks by opportunistic script kiddies to point out how had it is. Once they lock out the basic script ki

Re:Outsourcing!

[genixia]

Well, your forceful language, "damned", "WTF", certainly expresses a certainty of opinion. It is, unfortunately the opposite of insightful, and your signature as ironic as your ignorance in this instance. Since you asked:

The Operational Technology environments need to exchange data with large numbers of other systems for many reasons. Engineering departments need to be able to program control systems. Operation departments need to be able to run them. Notifications need to be sent as appropriate, reports generated and distributed too. Energy suppliers need to be able to communicate with energy distributors, and they to consumers. Energy needs to be tracked from the fusion of an atom to the spin of your energy meter, so that your bill can be calculated. Substations need monitoring, pump/generator energy storage systems need to react to changes in demand because nuclear power stations don't respond quickly, and too much supply with too little demand leads to really bad things happening, as does the opposite. Things either go bang, or they go off. When someone crashes into a power pole and your power goes down and you want to know when you can expect power back, the service person answering your call, or the web page displaying that information to you, both rely on operational data.

Networking is absolutely essential to the operation of the power grid. Like the internet, the grid isn't owned by one entity, but made up of many interconnected sub-grids. Those entities need to cooperate in order to provide reliable service, and they need to be able to exchange operational data that originates within their OT environments. Note that the OT environments are not usually connected directly to the public facing internet. They sit behind layers of firewalls. Remote devices sit behind VPN gateways and/or data diodes, or on the end of a leased line where appropriate. Dial-up modems were used extensively in the past, but have mostly been phased out.

I'm barely scratching the surface here.

Re:

[lessSockMorePuppet]

Tracking (reading) data can* be okay. And a number of methods exist for it. What you don't want is the introduction of an input vector from Public Facing Internet Land. Read only, no writes. And only a limited set of data. If you want inputs, go down the chain of command in person until you get to the operator. That should be the only valid way to make inputs to your machinery.

Re:Outsourcing!

[lessSockMorePuppet]

To take it a step further, understand that someone can be well-intentioned and TRY to only have obvious input channels. But things like SPECTRE illustrate how an attacker can abuse a "read-only" channel to coerce inputs. (The key thing to note is that a request to read a bit of data is an input and needs to be treated as such. Things like systems that broadcast their state without accepting queries don't have that issue.)

Re:

[lessSockMorePuppet]

And, because offering a problem without a solution is usually bad form, the mitigation is as another commenter wrote elsewhere: use a dumb data logger. Have it unicast/broadcast data at a system that categorizes, indexes, and accepts queries. That way, you can have your reporting without having an inadvertent attack vector if your input sanitizer or logic is faulty--and the more code, the higher the probability. Minimizing the channel and forcing it to be physically unidirectional is the trick. For electr

Re:

[arglebargle_xiv]

Thanks, saved me typing up at least some of it. Two more factors that you didn't mention are that most of this stuff needs close to 100.0% uptime so scheduling service windows is close to impossible, and has operational lifetimes sometimes measured in decades, so the upgrade cycle is extremely slow. I was at a meeting in 2019 where they were talking about upgrading a single piece of control gear (meaning one device but used in lots of locations) that was scheduled to complete by 2030. That's not due to l

Re:

[cayenne8]

So, how did our grid work at all prior to the internet?

For some reason, I seem to recall having plenty of steady and dependable electricity prior to 1992.

Re:

[classiclantern]

Your oversimplication is oversimplified.

industrial control systems don't run in cloud

[Joe_Dragon]

industrial control systems don't run in cloud they need to run directly on hardware in the field.
And if Cell is down you are not getting data to that substation or recloser. And if you make then very dumb then the LAG can just take so long that the hard LINE fuses blow.

Re:

[lessSockMorePuppet]

Whoooosh.

I guess you really need that /s. Poe's Law is such an obnoxious hindrance to parody. How fucking ridiculous would it be to distribute contracts to the lowest bidder weighted by the best bribers? I mean, do you really think I was serious?

Re:

[lessSockMorePuppet]

(In case it wasn't clear, every single point in my original post was full-on parody. Of course cloud computing for a utility that needs SCADA and PLCs running things is absurd. And yet, managers STILL connect critical infrastructure to the Internet!)

Centralize Attack Surfaces into one doc plz

[AcidFnTonic]

Centralize Attack Surfaces into one doc plz.

Then the adversaries can just hack one computer to know the architecture and software versions of *every* utility across the country. The hard work was figuring out each individual one but the government should be centralizing that soon into a single master password list or something.

homer simpson is the password manager!

[Joe_Dragon]

homer simpson is the password manager!

Re:

[sound+vision]

Knowing what version they're running isn't an issue, unless they're relying on security through obscurity.

They probably are, and they hardly need the government for that. Technical details are absent from the article, except that they will "pay for and install technology to better detect hacks."

Nothing about reducing the attack surface, nothing about disconnecting systems from the internet, but they'll make sure some contractor gets paid. America, leading the world in Cloud, Cyber, and the Stems.

Re:

[gtall]

Ya, making utilities pay for upgrades is really opening up the swamp. Do you read?

Re:Good luck

[BeerFartMoron]

Hacking the Texas grid, it isn't connected to anything else!

So secure it hacks itself!

Re:

[kot-begemot-uk]

That is incorrect. It actually has a couple of interconnects. They proved woefully insufficient.

Change the password?

[fermion]

I mean at least go from password to 123456. https://www.cyberscoop.com/flo... [cyberscoop.com]

Re:

[cayenne8]

I mean at least go from password to 123456.

Hey!!

That's the combination to my luggage!!!

UNPLUG IT FROM INTERNET..

[BardBollocks]

.. and remote access.

Rule 1

[JBMcB]

This +100

Rule 1 should be, SACADA shall not be on the internet in any way, shape, or form.

If you need to do monitoring, have it dump via a dumb data logger over RS232 to an internet-connected machine.

If you *need* remote control, dedicated 56k leased lines are pretty cheap these days. How much bandwidth do you need to tell something to turn on and off?

Re:Rule 1

[Strider-]

It can be a little more complex than that.

I operate the network for a very small, private power operation that's not connected to the grid. For better or worse, there's no way that we could stand up a completely separate network for this kind of thing. The cost of new fiber, trenching, etc... would simply put us out of bus. Instead, I have all that stuff off on its own VRF and VLANs, with a tightly controlled firewall.

But our system is small, with just one generating station and a half dozen SCADA units I need to watch, so it's relatively easy to secure. It doesn't span half a continent.

Re:Rule 1

[JBMcB]

For better or worse, there's no way that we could stand up a completely separate network for this kind of thing. The cost of new fiber, trenching, etc... would simply put us out of bus.

How did it all work before it was on the internet? What parts have to be networked together? Thanks for responding, by the way, this stuff is fascinating to me.

My wife works for a major industrial corporation, and we have similar discussions about why their plant floor systems need to be on the internet. It usually boils down to separating the controls network out would be annoying. They got a bunch of memos about changing corporate policy after Honda got a few factories shut down by a ransomware attack. That sounds a lot more annoying than futzing with the network.

Re:Rule 1

[Strider-]

In our case, we've built a significant load shedding system that can match the grid load to the generating capacity. The generating system is a small hydro-electric system, and the available power from the generator varies hour by hour due to changes in flow of the creek feeding the system.

What we have done is put all the large loads serviced by the generator (hot water tanks, heating systems primarily) under centralized computer control, and the system can turn these loads on and off to keep the turbine from stalling out.

The system doesn't need to be on the internet, and in our case, isn't, but it operates over the same fiber optic distribution system as the corporate network.

Re:

[rally2xs]

How about microwave communications? See the movie "The Hummingbird Project."

and the phone co are killing analog lines + tappin

[Joe_Dragon]

and the phone co are killing analog lines + tapping them can be an issue.

Re:

[JBMcB]

and the phone co are killing analog lines + tapping them can be an issue.

The power companies own the power poles that the phone cables are on, so if the phone company abandons them, the power company can just take them over. Really, power companies already, kinda, own giant networks.

As for tapping, that's also an issue on the internet, and can be solved with basic encryption, just like on the internet. It could be even more secure, as you could do private key encryption, since you have direct control over both sides of the network.

Re:

[PPH]

if the phone company abandons them, the power company can just take them over

The phone company leases space on the poles. When they put their fiber up, they pull the copper down. Sure, the power company could lease the telco another space for the fiber. But there are construction codes and line clearances involved. And once you hang enough crap on a pole, often you have to put in a taller pole.

Another thing: Our power company sold off all of their poles to a property holding company. As a tax and regulation dodge. So they'd have to pick up the tab for the old phone company line spa

Re:

[Lonewolf666]

and if you have to access it from outside, use a VPN. But don't give any bum on the net the chance to access your infrastructure.

Re:

[takionya]

> Unplug from the Internet and remote access.

Exactly the required solution. Except since all that lobbying on Capitol hill most of the infrastructure is run on Microsoft Windows. Which is impossible to secure.

Thanks, jingoistic headlines!

[Entrope]

I personally would have tried to protect the power grid against all attackers, and that's what it sounds like it's actually being attempted. The headline makes it sound like the Biden administration has written off American hackers as incompetent, ultimately harmless bumblers.

(What do they know that they're not telling us?!)

Re:Thanks, jingoistic headlines!

[kot-begemot-uk]

No it is not a viable protection.

First of all, do you know how a grid is attacked? It is not attacked by hacking it. That is merely the "method" - not the goal. It is attacked by controlled switching on and off of load in a specific sequence to trigger safeties and cause grid dissolution into small islands. Half the islands starve and shut off, others have too much energy produced and the power plants have to go into emergency procedures. As a result, after a successful attack it may take days to bring it back up. If the attack does not recur. A proper attack attacks particular interconnects and load distribution points to ensure that the cut-offs perform the necessary "cutting of the grid into smaller non-viable pieces".

An attack like this is not just a matter of control and making the control hack-proof. Because, you know what? You can execute it physically - hit the key points in the right sequence with cheap drones and the result will be the same as hacking it.

It is a matter of having a viable mathematical model based on proven optimal control math describing how the grid behaves upon multiple higher than double failures as well as failures timed to a particular strategy. I am not sure that there is any grid out there which has that now. USSR and some of the Warsaw pact countries had it in the 70es and 80es. I used to know people who computed some of it and they had a computation for "what it takes to kill the USA grid" at the time too.

Today? With all the deregulation? I am willing to bet that there is no grid which will survive a correctly designed attack. And no amount of hack-proofing will help.

Well Documented

[tinkerton]

Ok, so what are these well documented cyber attacks on the power grid anyone? Russia? That was a big story. Except if you check the reference [substack.com] it is listed as claim number 6 and it wasn't true . So who else? Really. China?

It's not a bad idea to make your power grid robust against cyber attacks so I'm not against this initiative in principle, except the part where inteligence agencies get to grab more power.

U.S. Power Grid

[Bloozguy]

With "National Security Agencies" involved odds on there will be a back door. The irony will be lost.

Heads up!

[chill]

Although the plan is billed as a 100-day sprint -- which includes a series of consultations between utilities and the government -- it will likely take years to fully implement, experts say. It will ask utilities to pay for and install technology to better detect hacks of the specialized computers that run the country's power systems, known as industrial control systems.

That sounds like a lot of gov't spending on firewalls and SIEM-type products. I need to redirect some of my investments. My 401K loves the smell of gov't pork in the morning!

Easy

[nospam007]

Just remove one of the tubes from the series of tubes that connect it to the internet.

About time!

[Kingazaz]

Better really really fucking late than never, eh?

Here's an idea

[eclectro]

Don't buy power grid equipment from countries that are antagonistic [pjmedia.com] with the US that are capable of engineering back doors into what they sell. [tomsguide.com]

So we think domestic hackers are competent enough?

[remoteshell]

I mean, the script kiddies in the US are decidedly not good enough. Nobody will hack it if we protect if from foreigners, and then where will we be?

Work with the existing FERC/NERC standards body

[jroysdon]

How about working within the existing FERC/NERC standards body? A huge shift has occurred in the past 15+ years with the Critical Infrastructure Protection (CIP) standards. More needs to occur, but we have a system to introduce these changes, and it should be used:

https://www.nerc.com/pa/stand/... [nerc.com]

Make Me Feel Better

[rally2xs]

Protect the grid from EMP first.. or too.