Browse
Engage
Research
As I recently blogged, the security firm IOActive warns that the Smart Grid is vulnerable to the kind of attacks that have bedeviled Internet sites and ordinary users for years. These include "common security vulnerabilities such as protocol tampering, buffer overflows, persistent, and non-persistent rootkits and code propagation," the firm says.
A year ago at the the critical infrastructure SANS SCADA Summit in New Orleans, the CIA said that hackers had already hacked into the networks of power companies overseas. The site SecurityFocus reported:
The cases involved unknown attackers compromising a utilities company's network and then demanding ransom from the firm. In at least one case, the attack cause a power outage that affected multiple cities, the CIA analyst said.The attacks were launched via the Internet. Here's the full statement that the CIA official gave, according to the SANS Institute:
"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."The entire Smart Grid will be based on Internet technology, which means that it will be potentially more vulnerable that the existing grid to hackers.
SecurityFocus had an article saying that a significant vulnerability through which hackers can crawl may well be people's homes. The site noted that researcher Travis Goodspeed, who discovered the Smart Grid vulnerabilities along with IOActive, has blogged about how easy it is to hack into devices that use the Zigbee wireless protocol. Home area networks that control home power consumption use Zigbee. You can read Goodspeed's blog post here.
All this is scary stuff. But it's good that it's coming out now, rather than after the grid is built. There are signs that the grid's security vulnerabilities are being taken seriously. For example, the National Science Foundation funds the Trustworthy Cyber Infrastructure for the Power Grid (TCIP). TCIP is a venture using the brainpower of researchers from the University of Illinois at Urbana-Champaign, Cornell University, Dartmouth College, and Washington State University. Its goal, according to its Web site, is to "protect the nation's power grid by significantly improving the way the power grid infrastructure is built, making it more secure, reliable, and safe."
Design
Hackers
I am not surprised. Hackers are quite resourceful!
RT
www.privacy-tools.us.tc
Decentralize!
Smart or dumb, the grid is vulnerable because it it so bg and centralized. A far better solution is to generate as much of your own power on-site (wind, photovoltaics, solar water heating and so on) combined with greatly improved conservation measures. There's a lot of low-hanging fruit in terms of what homeowners especially can do. A lot of energy is used to do things that don't really require electricity at all; instead one can heat water and living space directly. Some of these devices are dead simple, cheap to make, and have NO moving parts! See for instance:
http://www.builditsolar.com/Projects/SpaceHeating/Space_Heating.htm
This one is typical: http://www.builditsolar.com/Projects/SpaceHeating/GregAircol/AirCol.htm
The Smart Grid may have some virtues, but in many ways it's a Rube Goldberg approach, complicated, vulnerable, expensive, a clever answer to the wrong question.
CIA
CIA is not the most reliable source on anything, considering how they torture people to get confessions. Undoubtedly this was one such case where the evidence was obtained through torturing people, since there's not a sane person who would plug power plant controlling computers to the internet.
Realtime power control is no place for commercial software, hdwr
Auto manufacturers discovered long ago that relying on off-the-shelf hardware and software is an invitation to hacking.
The phone company discovered, a little late, that they should shred their proprietary information, not just throw it in the dumpster.
Commercial off-the-shelf hardware and software is just not safe enough to manage gigawatts.
I've seen a reboot screen on a commuter train ticket vending machine and a self-contratulatory operating system's error message overalying the video on a bus's "Transit TV" screens.
May such wretched software never enter the realm of trusted real time control.
Intelligent actions to stop internet destruction
Want to drive a car without being subject to jail time? Get a license.
Want to be married, with all the good things accorded by society? Get a license.
Want to steal my identity, send bogus information or make a million dollars from a thousand people who can't detect bad intentions? Hide behind the idea of "Free speech for internet users without a license."
Want to get the internet back in the hands of people who demand free speech? Get a license.
RSVP?
Why not private networks?
There's very little info on exactly what the exploit was or the attack vector used (thank goodness), but when the story talks about "hackers", one envisions remote users accessing sites across the Internet.
If this is what happened, my question is, why is there a connection between the electric grid control network and the public Internet? Why isn't the grid control line physically isolated?
Plenty of mission-critical networks exist in the world. One of the core pillars of security for these networks is to limit and control the network's points of entry.
If access to the network can only occur from a workstation physically located in a secured area of the electric company, that would reduce vulnerability by a huge amount.
If that's already the case, and the "hacker" penetrated both physical site security and computer security to hijack the controls...well, you've got a very clever (and ballsy) hacker on your hands. Or you've got a screwed up security situation. Or both.
Your tv online
check http://yourtvonline.com