In a wide area outage there are,of course, many more issues, but its not as if it is impossible. One of the complaints I often hear about the transmission system is that it is outdated. As far as Im concerned thats as much a feature as a bug, in my experience the older eqipment is much more durable and more immune to these type attacks.

I will agree with you, the grid has its vulnerabilities. This is shown everytime a mother nature decides to laugh at global warming. But, considering the number of floods, tornadoes, hurricanes, snowfalls, freezing weather, fires and human error that assaults the grid every year. I think the grid as a whole is much more stable than often appriciated. The utilities that care for the grid should be applauded.

Just to be clear, Im not discounting the article. Im simply saying that the dangers needs to be kept in perspective.

Anyway, just my two cents. Have a great Christmas

So let me beat the dead horse one more time: the problem is the author (and the folks he cites) claiming that anyone could pull of a massive distributed attack numbering thousands (if not more) of disparate, distributed systems, each of them with widely differing vulnerabilities (saying “I know of plants that indeed have vulnerable outside connections” is just another way of saying “there are others that don’t”) and have a 100% success rate all on the same evening.

Kabud, thanks for the nice words on Solaris, I have a lot of friends in the Solaris Security group. The thing about an EMP attack is that it takes a pretty overt act: a fission bomb in the upper atmosphere. We would have some idea how to react to that. If someone could, in effect, simulate that in software, what would we do?

Scott, the point about particular points is well-taken. Generally port 23, for example, ought to be blocked — but there are a lot of things that still depend on plain telnet.

Control systems etc engineer, I’m sorry, but you’re simply wrong. Many of those systems are indeed available through the net — or via dial-in — so that operators can troubleshoot remotely. Go read the stuff on USPCD.

Obviously, the scenario presented raises issues that require somebody (somebody? anybody?) to think way outside the box–like the bad guys do.

I think our entire physical infrastructure, in addition to the ISP issues referenced here, is incredibly vulnerable. I’m beginning to wonder when the bad guys will figure out just how vulnerable: water, power, food distribution, energy transmission lines, etc. We are sitting ducks at every level, and with the nincompoop PC administrators and regulatory agencies that run them, I wonder if the wakeup will come in time.

One of the reasons we were so very grateful to get out of Mexifornia when we did, many years ago, was because we always knew (with a slight chill) that there were really only about 4 roads of any size out of there…and we always knew as well that local supplies (groceries, fuel) were never more than a 4-5 day provision.

This is flat scary. I hope people who understand the issues are doing more than creating storylines about it.

I cant comment on control of the grid itself, but I just cant bring myself to believe the hollywood image of some supervillain dailing in and taking control of “the grid”.
I think most people would be surprised at how decentralized and fractured power distribution in this country is. There is good and bad in that.

When I have suggested a very simple regulation for the web people start screaming at me about constitutional rights and free speech on the web. But what is a constitutional right to free speech worth when some nerdy hacker can wipe a person’s hard drive because he does not like something they posed?

Maybe, maybe not:
http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php

I personally think the first instance described, the northern/midwest blackout in 2003, was triggered by a hack that cascaded out of control thanks mostly to shoddy maintenance and procedures. Power plant systems are under constant cyber attack via any connection to the Internet, so someone likely just got lucky, especially since the blackout came just a day or so after a report was published that was critical of the installation of insecure remote monitoring systems at power plants.

The second one in Florida does raise more issues — that does sort of look like the possible result of a high end hack that was intended only to probe for data but then ended up going awry.

My products are sold into large government and private institutions. Most of these folks carefully manage how they allow the internet to interact with their intranets. In many cases they do not allow even trusted service partners remote access to their machine rooms. They use “dark links” – dedicated, private lines to interconnect data centers and remote offices. And yes, they do allow Mister Softie’s products in these operations and somehow manage to keep them in line.

Obviously, this is still not a perfect world. Tapes fall out of the back of trucks and insiders abuse their trusts. Humans are still human and they will find ways to subvert the system or foul things up.

I suspect that we already have plenty of laws in place to address negligence , fraud, and liability. Yet, I cannot recall any of the airlines involved in 9/11 being prosecuted for the negligent security lapses that enabled that disaster.

I know developers that work control systems for the grid. They speak in ladder-logic on systems without an operating system. To them, the internet is a toy (I tend to agree with them on that one) and they understand the security aspects of what they are doing.

The rest of us *should* have a crank radio/flashlight and a personal security plan for the times when things go wrong. If you expect the government to protect you during those times you come over to my place for a news update or a glass of water.