US power grid vulnerable to foreign hacks

Posted: December 21, 2015 by oldbrew in Energy, government
Tags:

Not-so-smart meter? [image credit: heartland.org]

Not-so-smart meter? [image credit: heartland.org]


A top US official admits: “we are not where we need to be” on cybersecurity in the power generation sector, as phys.org reports. An investigation also says smart meters and remotely-sited renewables are giving hackers new chances to cause trouble.

Security researcher Brian Wallace was on the trail of hackers who had snatched a California university’s housing files when he stumbled into a larger nightmare: Cyberattackers had opened a pathway into the networks running the United States power grid.

Digital clues pointed to Iranian hackers. And Wallace found that they had already taken passwords, as well as engineering drawings of dozens of power plants, at least one with the title “Mission Critical.”


The drawings were so detailed that experts say skilled attackers could have used them, along with other tools and malicious code, to knock out electricity flowing to millions of homes. Wallace was astonished. But this breach, The Associated Press has found, was not unique.

About a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on, according to top experts who spoke only on condition of anonymity due to the sensitive nature of the subject matter.The public almost never learns the details about these types of attacks—they’re rarer but also more intricate and potentially dangerous than data theft.

Information about the government’s response to these hacks is often protected and sometimes classified; many are never even reported to the government. These intrusions have not caused the kind of cascading blackouts that are feared by the intelligence community.

But so many attackers have stowed away in the systems that run the U.S. electric grid that experts say they likely have the capability to strike at will. And that’s what worries Wallace and other cybersecurity experts most.

Some [smart meters] can be hacked by plugging in an adapter that costs $30 on eBay, researchers say.

The FBI…warned the U.S. energy sector in an unclassified bulletin last December that a group using Iran-based IP addresses had targeted the industry.

Phys.org report: Investigation: US power grid vulnerable to foreign hacks

Note: the full report has a lot more detail than shown here.

Comments
  1. ivan says:

    The main point that should be emphasised is that smart meters have ALWAYS been vulnerable to hacking as well as letting anyone know when the home-owner is out. In fact anyone with evil intent could shut down large swathes of the country just by sending the ‘switch off’ signal to the smart meters – not such a good idea from the Goracal and his smart meter company.

    As for power stations, it is the bean counters that are responsible if any machinery gets hacked because they are the ones that think they need the second by second information available at head office and hence insist that the controllers be web connected rather than being on an air gaped subnet. This sort of problem only arose when engineers were supplanted by office staff mangers that know just enough about engineering to be dangerous.

  2. oldbrew says:

    Will renewables-loving governments try to blame hackers if/when ‘the lights go out’ ?

  3. I find it bizarre that businesses – especially utilities – make use of the internet!

    Why not use leased lines?

    If you must use the internet, then robust encryption via hardware modules is a minimum.

  4. Petrossa says:

    years ago France adopted a law that made it mandatory to have a smartmeter. The end date was 2015. Luckily everything in France happens 15 years later so by that time i’m already way to senile to care.

  5. oldbrew says:

    New UK gov’t. paper on smart meters (dated 17 Dec. 2015) says:

    ‘Most trajectories of energy demand and supply to 2050 anticipate significant new system
    challenges as we incorporate more low carbon generation, and meet increases in peak
    demand (typically 4-8pm on winter weekdays), driven largely by the extent to which
    transport and heating become increasingly electrified.’
    http://www.gov.uk/government/uploads/system/uploads/attachment_data/file/486362/Towards_a_smart_energy_system.pdf

    For ‘significant new system challenges’ read:

    Q. ‘Where’s the peak period power coming from when it’s not windy?’
    A. ‘Nobody knows.’

    One idea: ‘Consumers could store electricity in batteries.’
    This is what we call progress in the 21st century:/

  6. TA says:

    Ivan wrote: “As for power stations, it is the bean counters that are responsible if any machinery gets hacked because they are the ones that think they need the second by second information available at head office and hence insist that the controllers be web connected rather than being on an air gaped subnet. This sort of problem only arose when engineers were supplanted by office staff mangers that know just enough about engineering to be dangerous.”

    Exactly. Our vital infrastructure does not have to be connected to the internet. And as another poster said, if these infrastructure *have* to be connected, they can be connected in other ways than through the internet.

    If the controls of our powergrids are not on the internet, then they can’t be hacked.

    Dams and powerplants worked just fine before the internet era, and if the internet poses a danger, then we should disconnect the control mechanisms of our vulnerable infrastructue from the internet.

    TA

  7. E.M.Smith says:

    Internet: cheap sunk cost.
    Leased Line: Order from telco, cost $100 month guess (depends on speed) +$200 equipment if not leased +about $1000 one time cost of staff to design and set up.

    So bean counter says “Use the internet and save $1200 and $100 a month.”
    Engineer says: ” Internet has security issues…”
    Manager says: “Use the internet, the engineer can deal with security, and I want a cost reduction bonus.”

    That is the only reason this “problem” exists.

  8. Graeme No.3 says:

    Personally I think that the US Electricity Grid is most at menace from the Obama virus.

  9. BoyfromTottenham says:

    You are right there, E.M.Smith – I worked on a banking project fairly recently which aimed to link several major banks’ systems together, and instead of simply using a handful of leased lines with military grade crypto, the “chief architect” insisted on using the Internet! I was the security architect and you wouldn’t believe how much software and hardware $$$ was needed to secure the bank systems from Internet threats, compared to the far cheaper and more secure leased lines and crypto boxes alternative. Fortunately the project scope ran out of control and it was killed off. Personally, BTW I also think the whole “smart meter” idea is a crock, as well as being a giant security hole that exposes consumers and the supplier to

  10. oldmanK says:

    Ivan said “As for power stations, it is the bean counters that are responsible if any machinery gets hacked because they are the ones that think they need the second by second information available at head office and hence insist that the controllers be web connected rather than being on an air gaped subnet. This sort of problem only arose when engineers were supplanted by office staff mangers that know just enough about engineering to be dangerous.”

    Very true, but how quickly they lose interest in the works when they see the mess the created!

    From TA “Dams and powerplants worked just fine before the internet era”. In the right hands the internet would be an optimiser; In the wrong hands……it makes for blood curdling stories. But then if you have a monkey in the works it doesn’t have to be the internet, somehow it will always end badly.

  11. DD More says:

    Cyberattackers had opened a pathway into the networks running the United States power grid.

    Did that pathway get routed thru the Clinton Foundation and Hillary home server? Lots of non-secure data there for a number of years.

  12. jim says:

    As to the bean counters, its a manpower issue. The power company had people working the load adjustments and line maintance before. Now, the first adjustment was to add a computer, you could do without meters and two people. Internet control, now means one or two people in the plant to clean the dust off the floor, if a boss wants to visit or send a representative to view the plant guards.

  13. oldbrew says:

    It’s ‘only 0.2 percent of yearly US energy consumption’ but…

    ‘US Christmas lights use more energy than entire countries’
    http://phys.org/news/2015-12-christmas-energy-entire-countries.html

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s