How to Prevent a Digital 9/11
It starts on a cold November night. You went to bed, comfortably warm, after listening to the late news: a nor’easter coming through, the worst storm in several years. You fell asleep quietly excited at the thought of a fairly certain snow day: build a snowman with the kids, maybe work through the email that has piled up, and do a little online shopping; after all, Christmas is coming.
That’s not the way it works out, though — about 3 a.m., you awaken, cold. The house is too cold. You get out of bed — the hardwood floor icy against your feet — and when you flip the hall light switch, nothing happens. Odd, the power is out. Automatically, you look out the window and realize the whole neighborhood is dark; in fact, there is no sky glow — usually, you can see the red shimmer of New York City on a cloudy night. It’s darker than you’ve ever seen it.
Sounds like a Tom Clancy novel, doesn’t it? It’s all too realistic, though. This is based on a scenario that was war-gamed by the “U.S. Professionals for Cyber Defense” in the months after 9/11. I talked it over with Dr. John McHugh, Canada Research Chair in Privacy and Security at the faculty of computer science of Dalhousie University in Halifax, Nova Scotia, and one of the members of the committee. They investigated whether there was a credible threat of a first-strike cyberattack. Their answer was frightening.
Railroads are largely controlled by computers; change a switch while a train is passing over it and you have an instant derailment. Gas pipelines are also computer controlled; to my surprise, you can blow them up entirely by computer: reverse the pumps at the two ends, pressure builds up in the middle, and something, somewhere, will eventually give way.
Traffic flow, the electrical system, all much the same. For the most effect, attack during a major storm (the nor’easter) and add a few “kinetic” attacks (read “bombs”) at critical points. Dr. McHugh says they found the most credible attacks combined large-scale cyberattacks with a few small conventional acts of terrorism at vulnerable points, in order to cause the most damage surgically. The attacks were low in effort but high in skill, and they could cripple the U.S. economy for years.
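Both attack sketches above work only because the controller executes any well-formed command without checking it against the physical state it controls. The following is an added example, not code from the column or from any real railway or pipeline controller: a small command-validation (interlock) layer placed between the operator or remote interface and the actuators. The switch model, the two-pump pipeline model, the pressure figures and the attack command list are all constructed for illustration.

```python
"""Added example: a command-validation layer for two constructed
control targets, a track switch and a pipeline segment. Every command is
checked against physical state before it reaches an actuator."""
from dataclasses import dataclass, field


class InterlockError(Exception):
    """Raised when a command would violate a physical safety interlock."""


@dataclass
class TrackSwitch:
    occupied: bool              # track circuit reports a train on the switch
    position: str = "normal"    # "normal" or "reverse"


@dataclass
class PipelineSegment:
    pressure_psi: float
    max_psi: float
    # Hypothetical model: each end pump pushes "in" (toward the middle of
    # the segment) or "out" (away from it).
    pumps: dict = field(default_factory=dict)


def throw_switch(sw: TrackSwitch, new_position: str) -> str:
    """Move the switch only when nothing is standing on it."""
    if new_position not in ("normal", "reverse"):
        raise ValueError(f"unknown switch position {new_position!r}")
    if sw.occupied:
        raise InterlockError("switch occupied; refusing to throw it under a train")
    sw.position = new_position
    return sw.position


def set_pump(seg: PipelineSegment, pump_id: str, direction: str) -> dict:
    """Change one pump's direction unless the result pressurises a closed segment."""
    if direction not in ("in", "out"):
        raise ValueError(f"unknown pump direction {direction!r}")
    if pump_id not in seg.pumps:
        raise KeyError(f"no pump {pump_id!r} on this segment")
    proposed = dict(seg.pumps)
    proposed[pump_id] = direction
    # The attack in the column: both end pumps pushing toward the middle.
    if all(d == "in" for d in proposed.values()):
        raise InterlockError("every pump would push into the segment with no outlet")
    if direction == "in" and seg.pressure_psi >= seg.max_psi:
        raise InterlockError("segment already at rated pressure")
    seg.pumps = proposed
    return seg.pumps


def run_commands(sw: TrackSwitch, seg: PipelineSegment, commands: list):
    """Apply commands in order; return (accepted, rejected) lists.

    A rejected command is recorded with the interlock reason so an operator
    log shows what was attempted, which is itself a useful detection signal.
    """
    accepted, rejected = [], []
    for cmd in commands:
        try:
            if cmd[0] == "switch":
                throw_switch(sw, cmd[1])
            elif cmd[0] == "pump":
                set_pump(seg, cmd[1], cmd[2])
            else:
                raise ValueError(f"unknown command target {cmd[0]!r}")
        except (InterlockError, ValueError, KeyError) as exc:
            rejected.append((cmd, str(exc)))
        else:
            accepted.append(cmd)
    return accepted, rejected


def demo():
    """Constructed scenario mirroring the column's two attacks."""
    sw = TrackSwitch(occupied=True)
    seg = PipelineSegment(pressure_psi=800.0, max_psi=1000.0,
                          pumps={"east": "in", "west": "out"})
    attack = [
        ("switch", "reverse"),      # throw the points while a train is on them
        ("pump", "west", "in"),     # reverse the outlet pump: both ends push in
        ("pump", "east", "out"),    # harmless: depressurises the segment
    ]
    return run_commands(sw, seg, attack)


if __name__ == "__main__":
    ok, bad = demo()
    print("accepted:", ok)
    for cmd, reason in bad:
        print("rejected:", cmd, "->", reason)
```

The interlock does not make the controller unreachable; it makes the dangerous command sequence unexecutable regardless of who sent it, which is the property the remote-access debate further down this page keeps circling around. Rejected commands are returned with their reason so they can be logged and alerted on.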
You have to fumble in the dark to find the phone; it’s dead. You try your cell phone; no service. And the house is getting colder.
You were better prepared than a lot of people: you have a portable radio and flashlight combination, and it’s even one of the ones that can be hand-cranked. It’s more work than you thought to crank it up, but now you’re getting nervous. You turn it on — and you need to search for a station. You finally find a distant station, CJCL in Toronto. They are reading news, in a hushed and controlled voice. Power out over large parts of the East Coast, in California, and across the Midwest. Explosions reported in Texas and Oklahoma, trains derailed all over the country, the tunnels into Manhattan closed. Telephone systems out over much of the country — and the president will be speaking soon. He’s been moved to a secret, secured location. Once again, like on September 11, 2001, the world wonders: is it war?
Software is not purchased from Microsoft, it is licensed, and the license precludes indemnification for damages caused by goofy coding. Without that legal twist, Microsoft would have gone bankrupt many years ago.
Why, Mr. Martin, are those computers that control gas pipelines and trains and power all accessible over the telephone lines? I have never understood why that is, but there must be a simple explanation. Perhaps there is a simple remedy?
Well, as one Air Force guy put it, about 500 lbs of explosive on an offending ISP would discourage a lot of attacks.
Frankly we can’t keep doing this self defense stance all the time. It is past time to go on the offense. The basic problem is a lack of political will.
Product liability, please, spare me.
Instead of — or along with — this CSIS proposal, let’s make a change in the product liability law. After some date certain, say in five years, make suppliers of critical software and systems liable for consequential damages.
Sounds good, but there are some problematic details: What about damages caused by fundamental flaws in network protocols and not the implementation? Or flaws found in 3rd party libraries used by applications (i.e. weak crypto library used by a browser).
Also, there are security risks and flaws in both Mac OS and Unix/Linux, they just are not exploited as often. Every system has the potential for vulnerabilities. And the system as a whole. As bad as 9/11 was to communications, the Baltimore tunnel fire was much worse when it came to damage to the core network along the East Coast.
Computer security by nature is very difficult, and it is practically impossible to achieve high security without physical barriers (behind locked doors with no contact with the Internet or removable storage devices). I whole heartedly agree that we need to tighten things up, but inserting liability will stifle development, raise prices and allow the trial lawyers to mess with technology just as they have with our health care system.
A crank radio is one of those things you never think about until you really need it. Here’s one from the National Geographic store:
http://shop.nationalgeographic.com/product/195/2485/126.html
Apple and Unix? Give your argument some rigor, and tell us the viral damage per system sold, or the inverse. Microsoft bashing destroys your argument’s credibility.
One of Bush’s more enduring legacies will be that braindead settlement deal his people at the DOJ came up with to end years of antitrust wrangling with Microsoft over their competition crushing, market manipulating, bullying, and overall monopolistic ways. The settlement ignored a roomful of evidence upon evidence documenting Microsoft’s misbehavior, and Microsoft’s success at getting off without essentially any punishment (the settlement amounted to no more than a tap on the wrist with the admonition, “Go forth and sin no more, lest ye receive another tap to thy wrist.”) basically killed the general commercial software industry for business in this country. All-Microsoft offices, already common then, became more or less standardized for non-international companies.
There was then no incentive for anyone to come up with competing commercial products to Microsoft: aside from them getting the “3rd party” stigma in trying to fit in with a system of MCSE’s who really only knew how to install and maintain Microsoft stuff, there was the serious risk of the products being undermined either in compatibility or function arbitrarily by Microsoft if there was any perceived threat. Hence the main competitors in the US to Microsoft became glacially developed open source products like Firefox and Open Office. Other products of Microsoft like their “Visual” and .NET programming tools also became standardized.
The net result? A widescale software infrastructure of bloated, poorly constructed, highly insecure, really crappy, really buggy software courtesy of there not being nearly enough competition to keep things lean, mean and robust. Way back when, in the early days of computers and programming, it was a point of pride to write highly efficient and effective code; those days are long gone in the Microsoft environment, but in the virus writing realm, not so much: the coding has become more and more highly efficient and very clever, especially by elite hackers. At a given moment there are more and more undetectable bugs in circulation, and an entire blackmarket industry forming around botnets controlling millions of computers.
Microsoft’s response has been essentially an endless stream of duct tape, cardboard and glue to patch their inherently leaky software, and to never really fundamentally fix things at their core. And why should they? — mainstream business will buy their stuff anyway because, well, most have no idea that there even are alternatives, few though they be. There’s much more profit in planning the next version of Office/IE and to implement more “features” that do little aside from to better lock out serious challenges.
The Bush administration’s response has been a myriad of disparate efforts doing little or nothing (aside from the FBI and maybe one or two others) beyond sucking up millions, if not billions of dollars, especially by that disaster known as “DHS”.
The next time you notice bogus charges on your credit card statement or a news report of another big successful computer break-in, think warm thoughts of Bush and Bill Gates.
This column fails to acknowledge the degree to which infrastructure vulnerabilities are a system problem that spans many products. Short-term market-only solutions don’t have a good track record of quickly and effectively addressing the externalities such problems entail.
Readers might want to know that our infrastructure vulnerabilities are being identified, scoped and addressed by significant efforts on the part of the Institute for Infrastructure Protection (I3P), a major consortium of research universities, national laboratories and non-profit organizations which is run out of Dartmouth (www.i3pc.org).
Apologies – the I3P is the Institute for INFORMATION Infrastructure Protection.
“(when did you last hear of a damaging Macintosh or UNIX virus?)”
When was the last time Macintosh or UNIX had a 90% market share of desktop computers running their stuff?
Look, as a software developer, I agree that critical systems need more attention to security, but considering that Microsoft’s products are target one simply because of their market share, I don’t think they do that badly. I’m very familiar with many of the issues they must face, and they’ve got some very smart people.
But if you’re going to add that kind of onus on software providers, they will charge more for their product. They’ll have to, because they will in turn put more pressure on their developers and especially their testers. And they won’t be able to get those people to take these kinds of projects unless they pay them much, much more.
I know I wouldn’t touch a project like that with that kind of liability for any amount of money. I’m simply not good enough. In my entire career I’ve known maybe two or three people who are.
Product liability, Charlie? You propose defending ourselves by having more lawsuits after the fact? This is the dumbest thing I’ve read in years. Computers, networks and software and their combinations are complicated, constantly moving targets. Any liability that could be researched and proven would be a snapshot in time.
Because of the complexity, pre-disaster market forces will not prevent this type of scenario.
If you knew anything, ANYTHING about technical systems, you might be qualified to write an article about this.
“…there are security risks and flaws in both Mac OS and Unix/Linux, they just are not exploited as often. Every system has the potential for vulnerabilities.”
That’s like saying that if someone is shooting at you, Kevlar body armor, like an old T shirt, has its weaknesses, too. Of course nothing is perfect. But Linux and BSD are much, much harder to crack than is MS Windows. There are many thousands of Microsoft-equipped computers that are being controlled remotely and used for criminal purposes, all without the knowledge of their owners. Not true of Linux/Mac OS X.
http://www.telegraph.co.uk/news/3201146/Hackers-could-target-mobile-phones-security-experts-warn.html
I have an idea.
Why don’t we just do away with the Internet?
I mean, didn’t Microsoft and Bill Gates and George Bush. . . .uh, I mean Al Gore (Sorry!) have something to do with it?
Or maybe we can just pass a law forcing people to use Linux and Mac OS X.
Yeah, I think we should do that.
At the very least — couldn’t we require the government, all the media, and all liberal non-profit organizations to use Linux and Mac OS X and nothing else in their software?
/sarcasm off
You know, I think there is a reason Bill Gates is where he is and Charlie Martin is where he is.
Here’s a simple, non-military solution. Define civilian critical infrastructure as the following:
1) Power plants
2) Transportation systems
3) Public utilities
4) Hospital equipment
Make it a felony for anyone to authorize those systems to be connected to a network that is accessible from the public Internet. Give the groups under that regulation 3 years to comply, and an unlimited set of tax write offs to pay for the transition.
Give the military a similar 5 year mandate to separate all networks rated SECRET and above from the networks connected to the Internet.
On the Apple and Linux virus or worm question, yes, having a dominant position means Microsoft has a bigger “attack surface”, but it’s not like there are no Mac or Linux boxes to attack. But can you name any self-propagating attacks against either one? I can only think of about one in the last ten years or so. (Of course, before that was the Morris Worm, which is what focused the attention of the UNIX community long ago.)
The issue is that the Microsoft family of operating systems has specific architectural vulnerabilities built in, because of specific things they wanted to make easy, things like scripting, cut-and-paste, and weak isolation of process images because of the way DLLs are handled. Beyond that is the sheer size of the thing: it is arguable that Windows is the biggest artifact ever made by humanity.
Why are things like pipeline control computers available by phone or on the Internet? Because the people who use them with authorization need to talk to them too. But then, DoD isolates its networks pretty intensively; they’ve just suffered an attack that came in via infected flashdrives.
AP, I understand your point, honest. I’ve been working in “trusted systems” for more than 20 years; it’s not easy. I also kind of hate to let trial lawyers into the mix. But a “cybersecurity czar” is going to add similar costs, or greater.
Moll, if that’s the dumbest thing you’ve read in years, you need to get out more.
Microsoft’s penchant for writing secure operating systems is not one of them. Microsoft never planned ahead when developing the APIs for Windows 9X, which they ported over from Windows NT, and now they’re suffering from it. Most Windows software is so badly written from a security perspective because of the patterns that Microsoft allowed to become mainstream, that it cannot run as fully functional software without being run as an administrator.
But… you clearly knew that. I’m not sure why I’m lecturing you on some of the technical details of why Microsoft is totally screwed unless they break compatibility with most of the Windows software written in the last 15 years or so.
Are software companies going to be forced to offer “secure” software for critical systems? Why would anyone want to be in that market, with almost guaranteed financial disaster 5 years later?
There would be a military response against the usual suspects in the event of such a calamity:
“Nuke ‘em all and God sort ‘em out.”
Admittedly only a GOP administration would do that but, if such a calamity happens during a Democratic administration, it would be the last Democratic administration for a very long time.
The US Government uses simulations of its own vulnerabilities in order to better attack the infrastructure of other nations. This was done in Iraq in 1991, when the US bombed Iraqi infrastructure (the entire electrical system and water treatment installations) with the aim to cause epidemics and death. A UNICEF study reported that this resulted in the deaths of about 500,000 children.
The US Government is widely believed to have also orchestrated the mass murder of 9/11.
The claims that private, amateur terrorists, can inflict serious damage to the US economy, to its computer infrastructure or to its infrastructure, are ludicrous. The only real threat to the US economy would be if most foreign states will stop using the dollar as the main trading currency. This is one of the reasons why Iraq was bombed and why the US is threatening Iran: Both were contemplating to change their oil contracts into Euro.
Part of the problem with Microsoft is inertia. They’ve been doing things one way for so long, it’s taking them forever to get moving in a different direction.
One of the enhancements that was supposed to be brought out with Vista was that all the underlying code was supposed to be completely rewritten in .Net. Now, there is a lot to scoff about with .Net, but they got some things right with it, thanks to the high profile of Java. One of them is the sandbox. If the underlying DLLs for Vista had truly been rewritten in .Net, then they would have been able to take advantage of the CLR and sandboxing. This would have been an enormous leap forward in security for Windows.
Alas. It wasn’t meant to be. There were so many “features” yanked out of Vista it got to be a running joke in my OS class in grad school. The fact of the matter is, there are too many people at Microsoft, especially in the OS division, who don’t know how to “Think Different”, especially in management. They haven’t learned how to drive their teams to produce what’s needed. They’ve reshuffled at the VP and Senior Director levels a couple of times, and have some people in now who may be able to rattle enough cages to make a difference over time. But the old way is still profitable. Too many people have too many cushy jobs to want to change the way they do business. It’s taking too long to shift the paradigm, to over-use a hackneyed phrase.
Time to step away from the keyboard, Elias.
In the extreme, this is almost impossible. That means a whole second set of cables (fiber, copper, whatever) and if they go everywhere they can be tapped. (Quantum methods may prevent that, but we’re at least five years from being able to deploy them freely; right now we’re demonstrating that they are practicable.)
What we can do is ensure that everywhere safety-critical stuff goes outside of the ‘safe’ zone, it is heavily encrypted. Re-encrypting mingled encrypted streams will probably make the result stronger.
Then we need to make sure that there is enough redundancy in the network. Deregulation hurt us badly here. When AT&T was forced to allow other carriers to access its network (no complaint there) the solution that the judges and lawyers worked out was connection at isolated points, which undid a decade’s worth of work on making the phone network more redundant. I believe that we are seeing this problem unwound now, but I’ve been away from it for a while.
Worse, you don’t know what physical route your bits are taking. Again, I’ve been out of the business for a while, but there were many stories of a company buying connectivity (phone, data) from two different vendors, only to find that both companies ran the bits over the same wire at some critical point (along a bridge, parallel to a rail line, etc.)
Once upon a time, your phone line was powered from the telephone central office. If the AC mains failed, the CO had giant tanks of sulfuric acid with lead and lead sulphate plates in them–giant storage batteries down in the basement. (There are reliable accounts of people who dropped wrenches across the high-current main conductors; the steel wrenches were vaporized by the short circuit, which bothered the batteries not at all.) Now your phone line is probably powered off a SLC (Subscriber Loop Carrier box, pronounced “slick”). The SLC has at most limited backup power, and in a prolonged outage, the telco has to hook up portable generators. There are many cases of these generators being stolen (which, IMO, should be treated as looting, and punished very, very harshly). Cell control points and cell transmitters have the same problem. (The transmitter is at the tower, and typically six transmitters are under one control point.)
Finally, the people who own the “applications”–the power grids, generating companies, distribution companies, the refineries, pipeline companies, etc., need to develop software that will stabilize the system, not destabilize it. This is hard, and I suspect that no matter what you do there is always some stimulus that can knock the system out of kilter. So you also have to be able to isolate and restore. Hard problems all, needing hundreds of billions of dollars of very skilled and creative manpower, over a decade or more, to solve.
Work has begun. But not all the work has begun; we need more. And we need regulators AND LAWMAKERS to recognize that the job has to be done and the expense has to be borne, and that providers who don’t do it shouldn’t be allowed to sell to consumers, no matter how cheap their service. As to selling to business: businesses have to make risk assessments. They should always have safety service, but whether or not they need to continue to operate in an emergency is a question they and their customers have to answer.
I actually thought you were a semi-intelligent and perhaps insightful professional until you started with the Microsoft bashing. Wake up and get over yourself.
Bush-bashing and Microsoft-bashing always come together.
And always from leftist bigots.
A number of years ago, Australia tried the product-liability thing: Their government decided that the right to sue for consequential damages was inalienable, meaning that you could not sign that right away in a contract.
The result? IBM Australia shut its doors immediately. I don’t know when they reopened, but basically their position was that if their customers could sue for consequential damages, they could not afford to stay in business.
Don’t think the same thing won’t happen with Microsoft.
This scenario is silly. Granted, all those vulnerabilities may exist, but the suggestion that someone could manage to coordinate them all together on the same evening is beyond laughable. As is (as long as I’m quibbling) the idea that no broadcast station in the greater NYC area has a backup generator for their transmitter.
Your concerns are real; you’d do better at getting them paid attention to with a more plausible presentation.
Kirk is almost right. This is silly, for all of his reasons, and in addition, because the elements of the power grid are largely autonomous, and don’t require a large amount of coordination.
Surely, someone here remembers the days before the internet. I seem to recall that we had electricity back then.
This is Y2K warmed over.
And to clarify an important point: the vast majority of the “computers” that control the industrial infrastructure aren’t Intel platform machines running windows or linux, or mac OS; they’re embedded processors running proprietary OSes, or no OS at all, and most aren’t even connected to the internet. Vulnerabilities of TCP/IP, windows, and linux notwithstanding, that’s just not relevant to most of these industrial cell controllers, which are using something more along the lines of what you’d find in a cell phone or a video game console.
Um, he started as a multimillionaire whose mom could introduce him to Tom Watson, and Gary Kildall went surfing on the wrong day?
Kirk, follow the links. I wish you were right.
And always from leftist bigots.
Goodness, I think I’ve just been called a leftist. Boy, that will surprise some people.
Can you give me a good reason why a power plant’s control systems would be connected to the Internet? I could see railroads being an issue, but that’s it. You’re seriously overestimating the problems here.
I’m quite the left-wing bigot, my support for laissez faire capitalism and general agreement with right-libertarians like Bob Barr and Ron Paul notwithstanding.
Care to back up your inane comment with some actual technical points in defense of Microsoft?
14. Mike T: “Give the military a similar 5 year mandate to separate all networks rated SECRET and above from the networks connected to the Internet.”
The military does have the networks rated SECRET separate. It’s SIPRNet vs. NIPRNet. Secret information is only allowed on the SIPR. We also have secure phone lines. The virus attack on the DoD was introduced via a thumb drive to the NIPRNet. They are banned now and the only way allowed to transfer data is with CD-ROMs: one-time copy, one-time paste, then destroy. Hard drives from the SIPRNet are kept in vaults when not in someone’s possession. You can’t even leave your desk to go to the bathroom if you have the hard drive in your SIPR.
Maybe other companies can follow the military’s lead.
.NET isn’t enough by a long shot, though it would help similar to the way a tourniquet is a good first step. Microsoft still has a few major security holes it has to close:
1) Get rid of ActiveX!
2) Sandbox all pre-Vista applications similar to how WINE sandboxes them on Linux.
3) Browbeat their developers until they start writing normal applications that can be run as non-privileged users. As it currently stands, most Windows users don’t even know what a non-privileged user is because the security model that most Windows developer have used is so FUBAR.
The biggest reason Unix and MacOS X are significantly better on security is that developers have never had the liberty of assuming that most of their users will be able to run the software as root.
To Control systems/Electrical/Chemical engineer:
While the control systems for things like power plants are indeed either very simple logic circuits or proprietary systems, the deregulation of the electric industry caused power plants to become commodities to be bought and sold by private energy companies. The big issue here was that these energy companies wanted to be able to control and monitor their power plants remotely, so they ended up installing Windows-based systems to that effect with little or no thought of the security consequences. See:
http://www.washingtonpost.com/wp-dyn/content/article/2008/05/20/AR2008052002354_pf.html
This comment has very little to do with cyber security. The circumstances described in the opening paragraph closely resemble what would happen in the event of a major EMP laydown. In the event of such a laydown even your hand-cranked radio would be useless because it would have been fried by the pulse, and your car would not start because its electrical/electronic systems would also be destroyed. This would be the case for nearly every electrical/electronic device in the affected area. It would destroy the power grid and transportation dependent on the use of electricity.
BC, let me be perfectly clear (to borrow a phrase from the late, great R. M. Nixon): the GAO is jumping to rash conclusions. Yes, it’s true that some not-so-smart people have tied the physical layers of some controllers into the internet at some locations, and yes, that’s a dumb thing to do, and yes that even opens the theoretical possibility of an attack on these (if you read the article) very small hydro plants. But it takes more than just physical layer connectivity to make an attack realistically possible in practice.
The bigger point is that there most certainly isn’t any large-scale systemic vulnerability. At most, a few tiny turbines could theoretically be tampered with.
A Ukrainian underground resistance web site known to me for the past 8 years is smartly run on Solaris, Sun Microsystems’s enterprise-class software, which as I’ve heard is practically unbreakable, but still vulnerable to DoS attacks. So, there are solutions out there.
We should understand that hacking is actually nothing compared to EMP (electromagnetic pulse) generated at the time of a nuclear explosion that can be executed above U.S. territory, maybe very high up.
EMP will destroy all electronic devices just as an electric surge can do.
>A large device detonated at 400–500 km (250 to 312 miles) over Kansas would affect all of the continental U.S. The signal from such an event extends to the visual horizon as seen from the burst point. (wiki)
There were at least two hearings in Congress on the EMP threat.
In one of them, conducted last summer, I heard the voices of congressmen tremble out of fear at what they heard.
Very interesting comments; I’ve learned a lot. BTW, as of August of this year, some folks who should know were saying that Vista was not just vulnerable, but hopelessly so — could not be patched. Even if that has been fixed now, which I doubt, it’s yet more evidence that Microsoft richly deserves all the bashing it gets, and more.
http://www.theinquirer.net/inquirer/news/933/1002933/vista-security-rendered-usless
Windows is simply dangerous. If you use it, you should not be on the internet, because you put both yourself and many others at risk. Your box can be literally taken over and used as part of a botnet — and you won’t even know it happened.
One idea is to insist on system redundancies and manual overrides on vulnerable controllers. These are basic precepts of naval battle damage control. For instance: A terrorist strike on a major substation, power plant or transmission lines should be able to be isolated and bypassed, manually if necessary (ie., somebody actually opening and closing circuit breakers). And Kabud is absolutely correct, EMP is the really scary one. The only defense is missile defense or preemptively vaporizing our enemies. I sure hope Obama changes his mind on this.
Charlie,
Please re-read what I said. I did not claim that individual vulnerabilities did not exist in various systems; I said that the notion that some group could manage to trip them all in one evening was farfetched. That’s a different matter.
I would advise the fortress-UNIX folks to stay alert. I manage a large development test lab of Unix boxes and I have been instructed by IT to disable certain TCP ports for security reasons.
My products are sold into large government and private institutions. Most of these folks carefully manage how they allow the internet to interact with their intranets. In many cases they do not allow even trusted service partners remote access to their machine rooms. They use “dark links” – dedicated, private lines to interconnect data centers and remote offices. And yes, they do allow Mister Softie’s products in these operations and somehow manage to keep them in line.
Obviously, this is still not a perfect world. Tapes fall out of the back of trucks and insiders abuse their trusts. Humans are still human and they will find ways to subvert the system or foul things up.
I suspect that we already have plenty of laws in place to address negligence, fraud, and liability. Yet, I cannot recall any of the airlines involved in 9/11 being prosecuted for the negligent security lapses that enabled that disaster.
I know developers that work control systems for the grid. They speak in ladder-logic on systems without an operating system. To them, the internet is a toy (I tend to agree with them on that one) and they understand the security aspects of what they are doing.
The rest of us *should* have a crank radio/flashlight and a personal security plan for the times when things go wrong. If you expect the government to protect you during those times you come over to my place for a news update or a glass of water.
To Control systems/Electrical/Chemical engineer:
Maybe, maybe not:
http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php
I personally think the first instance described, the northern/midwest blackout in 2003, was triggered by a hack that cascaded out of control thanks mostly to shoddy maintenance and procedures. Power plant systems are under constant cyber attack via any connection to the Internet, so someone likely just got lucky, especially since the blackout came just a day or so after a report was published that was critical of the installation of insecure remote monitoring systems at power plants.
The second one in Florida does raise more issues — that does sort of look like the possible result of a high end hack that was intended only to probe for data but then ended up going awry.
Having been one of those computer guys who “cared” and who screamed warnings at the Emperor’s New Clothes type folly of embracing almost security free technologies like the www (not the internet, which is a different and altogether more professionally conceived beast) and Microsoft’s early Windows offerings, I congratulate you on summing up so well the absolute folly of entrusting the systems that society relies on to companies whose only qualification was their own self-certification of competence. Sadly the American electorate have just chosen a President on the same basis.
When I have suggested a very simple regulation for the web, people start screaming at me about constitutional rights and free speech on the web. But what is a constitutional right to free speech worth when some nerdy hacker can wipe a person’s hard drive because he does not like something they posted?
As a Control Room Supervisor for Gas Turbine power plants I have to disagree with the idea that a cyber attack could severely damage a power plant’s control systems. From my personal experience, most plants have almost no connectivity between the internet and actual control systems. There are ways to dial in for remote assistance, but most every Control Room Operator I have ever known makes a point of ensuring they are plugged in only when absolutely necessary. (Being a control freak is part of the job.) Also, recent NERC regulations have laid down very strict rules concerning having control systems hooked up to the net or phone lines.
I can’t comment on control of the grid itself, but I just can’t bring myself to believe the Hollywood image of some supervillain dialing in and taking control of “the grid”.
I think most people would be surprised at how decentralized and fractured power distribution in this country is. There is good and bad in that.
I have zero expertise and insight into software issues–but I cringe whenever anything involving the bureaucracy is presented as a solution to ANYTHING.
Obviously, the scenario presented raises issues that require somebody (somebody? anybody?) to think way outside the box–like the bad guys do.
I think our entire physical infrastructure, in addition to the ISP issues referenced here, is incredibly vulnerable. I’m beginning to wonder when the bad guys will figure out just how vulnerable: water, power, food distribution, energy transmission lines, etc. We are sitting ducks at every level, and with the nincompoop PC administrators and regulatory agencies that run them, I wonder if the wakeup will come in time.
One of the reasons we were so very grateful to get out of Mexifornia when we did, many years ago, was because we always knew (with a slight chill) that there were really only about 4 roads of any size out of there…and we always knew as well that local supplies (groceries, fuel) were never more than a 4-5 day provision.
This is flat scary. I hope people who understand the issues are doing more than creating storylines about it.
Kirk, I read what you said; I don’t have the confidence you do. The al-Qaeda folks managed to find 20 guys ready to die to hurt us; how many guys in pajamas can they find? The UPCD scenario involved picking a bad weather event, and a *few* “kinetic attacks”. Would it end civilization? No, but it could sure make for a bad couple of weeks.
Scott, the point about particular points is well-taken. Generally port 23, for example, ought to be blocked — but there are a lot of things that still depend on plain telnet.
Control systems etc engineer, I’m sorry, but you’re simply wrong. Many of those systems are indeed available through the net — or via dial-in — so that operators can troubleshoot remotely. Go read the stuff on USPCD.
rkeen, I know of plants that indeed have vulnerable outside connections, and no I’m not going to say which. But the power grid is far more vulnerable, and unstable enough I’m amazed it works as it is. (But then I’m a digital guy: power engineering is black magic.)
Kabud, thanks for the nice words on Solaris, I have a lot of friends in the Solaris Security group. The thing about an EMP attack is that it takes a pretty overt act: a fission bomb in the upper atmosphere. We would have some idea how to react to that. If someone could, in effect, simulate that in software, what would we do?
Charlie (Colorado), you can assert you read me, but your words belie that. What does 9/11 have to do with the author’s proposed scenario? They acted against 3 targets, using a somewhat novel method, and had a 33% failure rate. And I repeatedly stated that the individual threats are credible.
So let me beat the dead horse one more time: the problem is the author (and the folks he cites) claiming that anyone could pull off a massive distributed attack numbering thousands (if not more) of disparate, distributed systems, each of them with widely differing vulnerabilities (saying “I know of plants that indeed have vulnerable outside connections” is just another way of saying “there are others that don’t”) and have a 100% success rate all on the same evening.
Charlie (Colorado) – I am sure you are correct, there probably are many plants that have vulnerable connections; however, this has been a known issue within the power community for some time. The point is, there is a limit to the physical damage that can be done to the plants themselves with a cyber attack, and it’s the physical damage that really matters. In the end, in an emergency, if I want my plant to operate, it will operate with or without a DCS.
In a wide area outage there are, of course, many more issues, but it’s not as if it is impossible. One of the complaints I often hear about the transmission system is that it is outdated. As far as I’m concerned that’s as much a feature as a bug; in my experience the older equipment is much more durable and more immune to these types of attacks.
I will agree with you, the grid has its vulnerabilities. This is shown every time Mother Nature decides to laugh at global warming. But, considering the number of floods, tornadoes, hurricanes, snowfalls, freezing weather, fires and human error that assault the grid every year, I think the grid as a whole is much more stable than often appreciated. The utilities that care for the grid should be applauded.
Just to be clear, I’m not discounting the article. I’m simply saying that the dangers need to be kept in perspective.
Anyway, just my two cents. Have a great Christmas
Mr. Martin, your scenario really happened recently in most of Monmouth County, NJ. The county went dark. House internet, phone and cell phone had no connections, traffic lights suddenly went off, heat was off, refrigerator stuff was melting. The safest place was in the car parked in the driveway with flashlights, alternately running the car to keep warm and for light. Once we got used to the limited light, my two charges and I went back to the house and huddled in blankets and sang songs, closed all the drapes and shades, and did not open the refrigerator until the light came on several hours later.