If Phishing Email Can Kill NY Power Grid, Lack Of Cybersecurity Legislation Is Not The Problem
from the oh-come-on dept
We’ve been talking about the faux urgency to pass some cybersecurity legislation coming from the federal government, with plenty of fear mongering from politicians who never seem to want to point out any factual basis for why we need such new laws. Instead, it’s all been about Hollywood movie script-style scenarios about planes falling from the skies. It appears that the White House is heavily involved in this bogus fear mongering as well, having recently set up a “simulated cyberattack on New York City’s power supply” to convince elected officials to move forward on the legislation.
During a classified briefing in the Office of Senate Security, Homeland Security Secretary Janet Napolitano and White House counterterrorism adviser John Brennan showed lawmakers how a hacker could breach control systems of the city’s electric system and trigger a ripple effect throughout the population and private sector, according to a source familiar with the scenario.
“The fact that we could be subject to a catastrophic attack under the right circumstances and we now know some of the things that would help us to protect against such an attack, that’s why it’s important now for the Congress to take this up,” Napolitano said in an interview with POLITICO.
Now that’s interesting. Just how could a hacker breach the control systems of the power grid? Apparently with a spearphishing email:
During the simulation, the hacker gains access to the electric supply’s control system through a simple “spearphishing” attack, in which a worker merely clicks on a link in an email that appears to be from someone they know.
Um, there’s your problem. If the NYC power grid is attached to the public internet in such a way that it can be taken down, then shouldn’t we take it off the internet? This isn’t about cybersecurity, this is about common sense: things like the power grid should not be accessible via the internet, and I’m pretty sure they’re not (back here in reality). Note what the scenario actually requires, too: not a control system with a public address, but an operator workstation that can both read email and reach the control network, which puts the control network one click away from whoever sent the email. Either way the fix is the same: separate the two. But in a world that runs on fear, uncertainty, doubt and the ability for the federal government to spy on private networks, we have to pretend such a scenario is likely.
Of course, I also question why the White House chose NYC as the showcase for the simulation and suggested that there would be deaths and other massive harm from such a power grid takedown. After all, it was just about a decade ago that the power grid in the Northeast did, in fact, fail. It was an inconvenience for many people, certainly, but it was hardly damaging in the way the White House seems to have implied with this scare tactic.
So, once again, can we take a step back and ask some simple questions: what’s the real threat and the real risk here? If it’s that the NYC power grid is accessible by a simple password over the public internet, then the problem isn’t cybersecurity, it’s whoever was stupid enough to connect the power grid to the internet. Let’s fix that. But let’s not regulate and spy on large segments of the public internet to cover for a few bad decisions.
Filed Under: cybersecurity, fear mongering, hype, nyc, phishing, power grid, terrorism, white house
Comments on “If Phishing Email Can Kill NY Power Grid, Lack Of Cybersecurity Legislation Is Not The Problem”
If large numbers of utility and industrial systems were connected to the Internet, then we would hear about large numbers of utility and industrial systems grinding to a halt with each virus infection that spreads across the world. (Iranian uranium fuel enrichment plants and Bradley Manning aside)
My only hesitation about this is that management PHBs are sure to have cut funding for _extra_ workstations to keep the two networks separate in those utilities and industries.
The real problem is not that legislation is needed, even if there is a danger present. It is that training is needed for employees who operate these systems so that they recognize the threats that they could potentially transmit.
Now, this is a tall order. I just saw an article about the military warning soldiers not to post pictures on the Internet taken with smartphones, and not to use social networks that use the same geolocation services that smartphones offer. They offer the example of someone posting a picture of a new fleet of helicopters on the Internet, which, of course, contained geolocation data, which was followed by a mortar attack that destroyed four of the helicopters.
You would think that it would be a no-brainer for someone to understand, “Hey guys, please don’t call in a mortar attack on yourselves, pretty please?” But that is the real problem that we face. Technology is so complex that the average person cannot understand the FULL implications of his actions. Hey, I have problems with it, and I bet you’ve been nipped in the wringer once or twice (understatement).
Re: Re:
Until we can legislate smarter people behind keyboards, there’s no point in your fancy cyber-whatsits laws.
This wasn’t a virus, it was a social engineering attack, akin to someone claiming to be the pizza guy so you buzz them through your apartment complex’s security door. Bigger locks aren’t the solution here. The solution is a frozen-pizza only apartment complex, or possibly an in-building pizzeria.
Mmm, cyberpizza.
Re: Re: Re:
Re: Social engineering vs. viruses….
When your ship is blown out of the water, it doesn’t matter what got you, just that you’ve been had.
I was responsible for security as a Data Center Manager. Our approach was wide spectrum, from code deficiencies to not pointing out the location of the Data Center on public tours. Physical security is the first rank of protection. Every aspect of security has to be addressed.
If we start to compartmentalize security, then we end up with the same sorry mess that Congress is looking at. It’s all or nothing! I cannot succeed if you fail, so we all have to address the issues.
That is why it is so painfully obvious that the Congressional move is a smoke-screen: it only addresses one small part of the security problem.
Re: Re: Re:
>or possibly an in-building pizzeria.
Man, if someone built an apartment complex with one of those, and then rented it out to college students… they could charge anything they wanted and they’d still be out of available apartments inside a week of opening.
Re: Re:
How about posting up a link to this article you mentioned involving the helicopters…..
Re: Re: Re:
Never mind, I found it. However, I know when I deployed, we were prohibited from using personal mobile phones while we were in theater. Not to mention that there wasn’t any service in western Iraq, although that may have changed.
Re: Re: Re:
For others who are curious, I saw this link on Groklaw. The article is on Digital Journal, the title is “U.S. army warns soldiers of dangers of Facebook geotagging”
http://digitaljournal.com/article/320997
We are the government
And being competent is not what your tax dollars are paying for.
The sad part is a big chunk of the population will still fall for it despite all the facts against any further regulation.
Awareness is power as the SOPA/PIPA events clearly showed us. The best we can do is raise awareness of this fear mongering tactic and tell people to ask the government the real question: are you that incompetent that you actually linked the power grid to the Internet and think you can solve it with laws instead of action?
I work in a factory, nothing is connected to the net. Not even the computers in the office. We don’t even have an IT department at all and have no problems. I would hope something as vital as the power grid were not connected to the net.
Re: Re:
Well then, we need to make you the new CyberSecurity Czar! Or else you need to take a closer look at your company. I’m not sure which.
It isn’t what you know about your company that will get you in trouble. It isn’t the documented architecture that provides the loophole to allow the bad guys to enter. It is the work-arounds that people have put in place to allow them to do their jobs because what was installed doesn’t address how they do their jobs. Or it is the gaps in the architecture that the designers just didn’t see.
I’ve seen this at every company I’ve ever been at. At one Fortune 100 company, if we found a problem outside the scope of our technology (something that would obviously never be a problem at a Fortune 100 company) I would get on the modem, dial up my BBS, and download some tool that would fix said problem. Then other people in IT started doing the same thing. What are you going to do about something like that?
Re: Re: Re:
If that’s happening, you need to seriously re-evaluate your IT Security policy.
Re: Re:
How did you post this at 8am on a Monday morning without being connected to the internet from your workplace?
Did you send it from a smartphone? Ok, now your factory is connected to the internet via your smartphone.
Re: Re: Re:
The difference is that his smartphone doesn’t control any of the factory machines.
Re: Re: Re:
Except it isn’t. His phone being connected to 3g does not make his work station connected to 3g. The virus he gets on his phone will not transfer to the work computers.
Re: Re: Re: Re:
But if he decides he needs to recharge the battery vampire, aka smartphone, and plugs a USB cable into his XP workstation, which will conveniently mount it as a USB drive, then his whole company is jacked because he didn’t realize that recharging could transfer a virus.
Re: Re: Re:2 Re:
If he did this where I work, then his employment would be at risk. It’s expressly prohibited as it is (or should be) pretty much anywhere else.
Re: Re: Re:2 Re:
All that would depend on the smartphone in question. The majority, and I speak from extensive experience repairing smart phones, DO NOT get mounted automatically.
The majority can however simply be charged by just plugging them in. No harm, or transferring of files, to your computer.
As far as XP goes, most smart phones wouldn’t even be recognized at plug in. You’d have to install the necessary drivers, software or both to get it recognized. Vista or Windows 7 is another story. Also, you fail to recognize the fact that the majority of smart phones first require that you change a setting in the phone itself that results in it being auto mounted and read whenever being plugged in.
Which is of course overlooking the fact that depending where you work, some auto run and mount options are disabled from the start to prevent just such problems, like viruses, from happening. Not to mention that what few ACTUAL smartphone viruses there are ONLY target and infect…. SMARTPHONES.
I’m not going to call you an alarmist or misinformed, but suffice it to say that you’re really grasping at straws.
Battlestar Galactica anyone?
Didn’t anybody learn anything from Battlestar Galactica (besides Apollo being a terrible actor)? The Luddite Bill Adama refuses to connect to the grid; Cylons infiltrate the defense systems; world ends; Adama’s ship Galactica survives. Duh.
Mike, if we didn’t regulate and spy on large segments of the population to cover for a few bad decisions then we’d never regulate or spy on large segments of the population. And what kind of a world would we be living in then?
Re: Re:
A good one?
Re: Re:
Still waiting for a ‘not funny’ button.
Re: Re: Re:
Though it would be rather big, I think ‘should be funny but isn’t’ would be more appropriate.
My government scares me more than hackers ever will.
They have to be connected to the internet. The reason they did is that they watched the Simpsons, followed Homer’s example, and wamt to start pressing Y on their home terminal all day instead of actually doing their jobs.
Hopefully, at least one of them is fat enough to block the reactor before it blows.
Re: Re:
*wamt, should be wanted
If the power grid fails, then there is no way to hack stuff.
Re: Re:
Unless the hackers are hacking from, I dunno, say, any other place in the world
or have access to a generator.
Promulgating fear in order to dismantle our Constitution and Bill of Rights sounds an awful lot like terrorism to me. ‘Security’ is just a convenient justification. If this keeps up, our soldiers sacrificed themselves for absolutely nothing. What is an American if not free?
Perhaps if they made phishing attacks illegal, that would take care of the problem. Oh, wait…
Guess we better just make another law.
Cause of the 2003 blackout
I remember the Eastern blackout well. I was on tour at the time, or else I would have been in the dark, too.
Amid all the talk about “cyberterrorism,” it’s important to remember what actually happened to cause that blackout:
So it seems that, if anything, legislation should focus on the bad actors in the power industry (such as FirstEnergy), and not on any sort of “cyberattack.”
Here’s a good place to start:
Re: Cause of the 2003 blackout
Along with this was the constant suggestion that it might have something to do with a terrorist attack.
The first response in the face of anything out of the ordinary is ZOMG Terrorists!
The people running the power grid have no idea they are not about to get millions from a Nigerian prince. The problem is not that scammers will try, it is that we refuse to demand isolated systems and penalties for people who violate those rules. Rather than lay blame on the people stupid enough to get spearphished, we make more rules and try to lock down everything else. It is not people’s fault they are stupid greedy bastards, it is the fault that bad people will try.
Stuxnet never would have worked if not for people sticking random flash drives into their machines. If the systems running the facility were actually isolated from outside things, it never would have worked. If the control systems were not kept as archaic secrets, someone could try to harden those systems.
Instead we have security through obscurity, we create rules and laws to solve problems better solved in demanding personal accountability. We focus on the unknown, the what-ifs rather than real things we can do to avoid the issues. But then this is more about getting more control over citizens lives, and moving more towards an Orwellian dystopia where no one can think a bad thought without them knowing and stopping it.
I agree
I think I should also be able to leave my valuables unprotected outside. I should be able to place a few bars of gold on my front lawn and let laws take care of making sure my gold is protected. If my gold gets stolen, there is a law protecting me so I don’t have to take responsibility for my losses. The public should foot the bill.
This sound about right?
Re: I agree
Since we’re talking about the power grid – a public utility – I’m not sure that your private valuables have anything to do with the discussion.
Re: Re: I agree
So you’re saying a public utility shouldn’t have to use even basic protections and should only use the law to “protect” them?
I think my extremely simple point just went “whoosh” on you.
Re: Re: Re: I agree
Totally agree with you…i mean, power grid gets stolen all the time, people can just pocket them and walk away….
Re: Re: I agree
So the Smithsonian Institute should just leave their doors open night and day without any security guards… nobody would ever steal or damage a national treasure, as there are laws to prevent that from happening.
It Was Just A Matter Of Time...
Given the amount of calls to the help desk from people asking where the “any” button was, does it surprise anyone to learn that the power grids are on the Internet? Would it surprise you to learn that our entire fleet of nuclear missiles is also on the Net, one phishing email away from being launched? Sure wouldn’t surprise me any. Good times.
Mike the power grid isn’t on the “public internet”. It’s a private network, but the PC that was compromised is on that network. A hacker can attack a network without having direct access to that network through a variety of exploits in web browsers, PDF files, etc… That’s why I don’t click on links in emails unless it goes to a site I am familiar with and even then I often go to their main site and search instead of relying on someone else to provide a link. I never click on unsolicited links in emails, you’re just asking for trouble then.
Re: Re:
A secure system would mean no node would be on both networks.
The network controlling the grid should be an isolated network. An isolated network would require a physical security vulnerability in addition to a information security vulnerability.
Re: Re:
If there are computers connected to both the public Internet and the “private” power grid network, then the power grid network is on the Internet.
Re: Re: Re:
And THAT’S what needs to be fixed…Not more legislation.
Re: Re:
So this PC is connected to the internet…and to the power regulation modules? That would mean this PC is forming a bridge connecting the power grid controls to the internet. There are ways to make that not so. I know, I do this stuff for a living.
Everything I need to know about the internet I learned by watching “Hackers.”
Re: Re:
It is much better if you watch it backwards.
It’s about a buncha kids who fix the Gibson and then go back to their shitty lives.
Re: Re:
Too bad the government learned all they know from WarGames.
Reductio'd, but the absurdum is already there
This argument in essence is: “The government sucks so badly at IT security that the government must take over more IT security”.
Re: Reductio'd, but the absurdum is already there
is this fallout from the idea that everyone gets a ribbon and there are no losers?
We want to make sure that even the most inept hacker can have the rush of hacking into a system.
And what about us in the Southwest last year???
http://en.wikipedia.org/wiki/2011_Southwest_blackout
You forget about us?? All we lost was a few million dollars of perishable foods.
“The outage caused significant losses to restaurants and grocery stores, which were forced to discard quantities of spoiled food; perishable food losses at grocery stores, eating establishments and households were estimated at $12 million to $18 million.”
There were no deaths in the “millions” reported. No world ending events. Hell during the 11 hours we didn’t have power, I was still on the internet chatting with my buddies on the east coast on my laptop for 3 of those hours while my UPS kept my router and cable modem powered up.
Also, for the AC that posted this:
“Mike the power grid isn’t on the “public internet”. It’s a private network, but the PC that was compromised is on that network. A hacker can attack a network without having direct access to that network through a variety of exploits in web browsers, PDF files, etc…”
ANY computers that have ANYTHING to do with the power grid shouldn’t even be able to receive email or browse the web. They’re used to control the grid…Not surf the net. If you can get email on a terminal that controls the power grid, THERE’S YOUR PROBLEM!!!
Simulation transcript
-Good morning, Powerco superbig main control room, Fred speaking.
–Hi Fred, this is Bill Nefario, Powerco password enforcement division. We need to verify all current passwords on your system.
-That sounds a little suspicious to me. I don’t think I should…
–(clicks through Linkedin search results) It’s ok, Tom in information security gave me authorization.
-Oh, you know Tom? Ok, here you go.
You can’t legislate away stupidity.
Re: Simulation transcript
“Legislate up, stupid!”
Re: Simulation transcript
You can’t legislate away stupidity.
Should read “You can’t patch stupid.”
And what is the government doing to prevent terrorist psychics from hacking the minds of power grid employees?
Re: Anti-Terrorist Mind Control Law
Way ahead of you on that one. They’re working on a new super-secret law that will make any unauthorized use of minds illegal.
Re: Re:
Easy, you see all the crazy stuff they keep trying to push isn’t meant to actually pass, instead it’s designed to make people more and more paranoid, until finally ‘poof’, everyone is wearing tin-foil hats, and are therefore terrorist-psychic proof.
Standard Operating Procedure (SOP)
In any workplace..
When you wish to do LESS..after you end 1 job, you TRY to look busy. Keep bouncing around, make it look as if you are doing something.
THEN when the BOSS, has a FAILURE…what happens..
IT GETS BURIED.. he gets everyone to work around the mess, until you can’t see what happened…as well as MAYBE, destroying the evidence or it gets FIXED along the way.
So, what do the lawmakers DO, after everything else is DONE..they can’t go home. It would look like they were OVER PAID and doing nothing.
LOGIC isn’t at the top anymore. And something is happening, that is Probably, being hidden. This is the 5-6th time they are passing something SIMILAR?
I will point out something about the USA..WE ALREADY HAVE A RESTRICTED MARKETPLACE..and it’s not by the government..
They finally LIMITED the use of RECORDABLE Material for movies (the VCR is gone). go look at what they are TRYING to give you to record programs.
1. you need a tuner for sat or cable that will select a channel YOU AIN’T watching.
2. record to hard drive(NOT ENCRYPTED)
3. COPY to DVD for a collection(that you can play on ANY machine).
4. IN GOOD quality formats.
5. be able to play OTHER FORMATS, DVI, AVI,DIVX, …
They won’t release such a product in the USA..UNLESS(you won’t get all these options) you pay GOOD MONEY..
This is the CORPS, ruling this nation. THEY ARE FIGHTING US thru our OWN government.
It’s time to send our leaders HOME…
there is no desire for governments to do any of this. they are just using excuses to implement the bills that will allow them to watch what ordinary citizens are doing during every second of their ordinary daily lives. they aren’t even worried about what ‘other groups’ are doing and how dangerous it may be, as long as they can keep tabs on their own people. there is no progress in the USA now, only regression to the days of ‘reds under the bed’ etc. ridiculous!
Push the big red button.
The thing that blows me away is the best they could come up with was a “spearphishing” attack (while certainly the most likely, it’s not exactly a technology problem).
Consider the following scenario:
Phone ring…
Control Room: Control room, John speaking.
Caller: Hi John, this is Tom in management, I need you to go push the big red button that says “self destruct” for me.
Control Room: Ummm, are you sure? I was told never to do that.
Caller: Yup, I just got the ok from the CEO.
Control Room: Well, ok then. Give me a second.
Like someone else said, you can’t fix stupid! But, just like in the above example, if there aren’t other fail-safes in place (like two keys on the self destruct button or maybe air-gapped networks), stupid can become a technology problem.
Common sense does not apply
This isn’t about cybersecurity, this is about common sense, where things like the power grid should not be accessible via the internet — and I’m pretty sure they’re not (back here in reality).
Critical infrastructure (including nuclear power plants) is, in fact, connected to the internet, generally for SCADA (Supervisory Control and Data Acquisition) software, which can have security vulnerabilities.
Here’s Wikipedia’s article (check the “Security issues” section):
http://en.wikipedia.org/wiki/SCADA
Here’s a Forbes article:
http://www.forbes.com/2007/08/22/scada-hackers-infrastructure-tech-security-cx_ag_0822hack.html
And here’s a Cracked article which includes several other things that shouldn’t be hackable but are, including car brakes and pacemakers:
http://www.cracked.com/article_19412_8-things-you-wont-believe-can-be-hacked.html
Re: Common sense does not apply
Well then they are doing it wrong. You can have two networks running, one for process control (e.g. SCADA) and the other for corporate computers.
That is how it should be done. PCN networks should be locked down completely with no internet access and also locked down from users doing almost anything with them; if not, they need a new IT department.
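As an added example (not from the page or from any of the commenters), here is a Python check for the two conditions the comments above describe: a node with addresses on both the corporate LAN and the process control network (the bridge a phished workstation would provide), and a PCN host with a default route out, which is the path the scenario needs. It reads the text of `ip -o -4 addr show` and `ip -4 route show` collected from each host; the two subnets and the three hosts’ output are constructed for the example and are not real infrastructure.

```python
"""Segmentation audit for a process control network (PCN).

Flags hosts that sit on both the corporate LAN and the PCN, and PCN hosts
that have a default route (a path out to, and back from, the internet).
Inputs are the text of `ip -o -4 addr show` and `ip -4 route show` from
each host. Subnets and the host inventory are constructed for the example.
"""
import ipaddress
import re

# Assumed address plan (hypothetical, not from the page): adjust to the site.
CORP_NETS = [ipaddress.ip_network("10.10.0.0/16")]
PCN_NETS = [ipaddress.ip_network("10.200.0.0/16")]

# `ip -o -4 addr show` prints one interface per line, e.g.
# "2: eth0    inet 10.10.5.23/24 brd 10.10.5.255 scope global eth0\ ..."
INET_RE = re.compile(r"\binet (\d{1,3}(?:\.\d{1,3}){3})/\d+")
# `ip -4 route show` prints a default route as "default via <gw> dev <if> ..."
DEFAULT_RE = re.compile(r"^default via (\S+) dev (\S+)", re.MULTILINE)


def parse_addresses(ip_addr_output):
    """IPv4 addresses configured on the host, loopback included."""
    return [ipaddress.ip_address(a) for a in INET_RE.findall(ip_addr_output)]


def parse_default_routes(ip_route_output):
    """(gateway, interface) pairs for every default route on the host."""
    return DEFAULT_RE.findall(ip_route_output)


def zones_for(addresses):
    """Which of the two networks the host has an address in."""
    zones = set()
    for addr in addresses:
        if any(addr in net for net in CORP_NETS):
            zones.add("corp")
        if any(addr in net for net in PCN_NETS):
            zones.add("pcn")
    return zones


def check_host(ip_addr_output, ip_route_output):
    """Return the findings for one host; an empty list means it is clean."""
    zones = zones_for(parse_addresses(ip_addr_output))
    findings = []
    if {"corp", "pcn"} <= zones:
        findings.append("dual-homed: addresses on both the corporate LAN and the PCN")
    routes = parse_default_routes(ip_route_output)
    if "pcn" in zones and routes:
        hops = ", ".join(f"{gw} on {dev}" for gw, dev in routes)
        findings.append(f"PCN host has a default route ({hops}): internet is reachable")
    return findings


# Constructed sample output from three hypothetical hosts.
SAMPLE_HOSTS = {
    # Operator workstation someone plugged into both networks: the bridge.
    "hmi-operator-01": (
        "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
        "2: eth0    inet 10.200.3.15/24 brd 10.200.3.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
        "3: eth1    inet 10.10.5.23/24 brd 10.10.5.255 scope global eth1\\       valid_lft forever preferred_lft forever\n",
        "default via 10.10.5.1 dev eth1\n"
        "10.10.5.0/24 dev eth1 proto kernel scope link src 10.10.5.23\n"
        "10.200.3.0/24 dev eth0 proto kernel scope link src 10.200.3.15\n",
    ),
    # PCN-only gateway with no default route: the intended state.
    "plc-gateway-02": (
        "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
        "2: eth0    inet 10.200.3.1/24 brd 10.200.3.255 scope global eth0\\       valid_lft forever preferred_lft forever\n",
        "10.200.3.0/24 dev eth0 proto kernel scope link src 10.200.3.1\n",
    ),
    # Ordinary office PC: corporate LAN and internet, no PCN address.
    "office-pc-07": (
        "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
        "2: eth0    inet 10.10.7.42/24 brd 10.10.7.255 scope global eth0\\       valid_lft forever preferred_lft forever\n",
        "default via 10.10.7.1 dev eth0\n"
        "10.10.7.0/24 dev eth0 proto kernel scope link src 10.10.7.42\n",
    ),
}


def audit(hosts=SAMPLE_HOSTS):
    """Map each host name to its list of findings."""
    return {name: check_host(addr, route) for name, (addr, route) in hosts.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: {'; '.join(findings) if findings else 'ok'}")
```

The check is deliberately on addressing and routing rather than on firewall rules: a dual-homed host like the constructed `hmi-operator-01` bypasses whatever firewall sits between the two networks, so no rule review would catch it. It will miss a second NIC on a subnet outside the listed ranges, a phone tethered over USB, or a serial link, so the address plan fed to it has to be complete.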
i haven't bitched in a while, forgive me.
American terrorism wears a suit and tie.
It has hands in government and a face on television
and full control of a dangerously gullible population.
I don’t know why, but i am always compelled to restate the obvious. There’s a whole nation of media-insulated technophobes out there. Sometimes i get the impression that these discussions fail to recognize how effective such absurd lies and suggestions are against the rest of the country
WARNING..
POWER WAS TAKEN away from government control..
It was released to be PRIVATELY run, by a CORP…FOR PROFIT..
ITS A CORP…
IF they SCREW UP, its THEIR FAULT.
Let the gov, FINE them..
1. NOT supplying proper energy protections..
2. NOT upgrading facilities to maintain Proper POWER structure
3. FOR being an F@#%#ing IDIOT..
Re: WARNING..
Alright, after skimming over your last post and this one I just have to say this: if you expect to be taken seriously, at all, lay off the caps button.
Used to that extent, or even half that much, it doesn’t help your arguments, it just makes you look like a kid who doesn’t know decent spelling and punctuation.
Re: Re: if you wanted to be constructive
You could go so far as to politely suggest tactful use of the simple HTML tags allowed by the comment form.
Re: Re: Re: if you wanted to be constructive
Point, after re-reading what I typed out I was a little overboard there, the last line especially, and for that I apologize to the one I was replying to.
Re: Re: WARNING..
Lets add something here..
USA makes more food than it could ever eat, every year..Over 80% is shipped out…
Do you think they take out the peanut oil from the shipments?
Do they add fillers to any of the food?
Do those Poor countries, pay as much as we do for the SAME food?
Why do we get products that BREAK?
Simple answer..Profit..Its cheaper to make, as they Auction for the Best prices..
And computers make it Easy.
Laptop batteries went to court.
The corps were programming them to Quit, after a certain time. Just like your PRINTER Cartridges.
Why is this happening? EASY..we don’t STOP them.
Do you have a choice? Not really.
Corps say you have CHOICE. Go ahead, tell them what you want. and watch them either say:
NO
Restricted
Or Charge you thru the nose for it.
Copyrights should fail/fall to everyone..
Do you really think that a Side load washer should cost $1000…For that price, you could get a commercial one, with a GREAT warranty. But it used to be, that when they shipped them to the USA, they sent PARTS with them for repairs. Not now. they have to be ordered, at SPECIAL prices.. It used to be easy/cheap to fix our appliances..Not now.
Re: Re: Re: WARNING..
Oh, I hear you. It’s a horrid bitch to fix consumer products anymore. Half the time you literally need a machine shop and engineering experience to rebuild that which was designed to fail.
But go back to the days when things could be easily fixed by users. Take your modern consumer. If they had been given a spare defrost timer, dryer belt, tuner module, vacuum tube, or even spark plugs as might be associated with such vintage expectations… could most people even muster the effort to try and fix it themselves? For the most part, the answer is no.
The “corps” as you put it have the power to fuck people over because people accept being fucked daily. I’m not pointing my finger at you or other people in the vicinity of this comment, but next time you’re out among the technophobes and whitney-watchers, look around and think about it.
SCADA and the 'net
There is no reason to connect SCADA systems to the internet except laziness, parsimony and convenience. A law that specifically addresses security of SCADA systems and of any vendor systems which can access them either over the ’net or out of band makes sense. A law that sets security standards for automotive and transportation systems including hardening makes sense. A separate law which requires that GPS sold in the US not be susceptible to off-band interference makes sense. A single buckshot law with broad effect makes no sense.