If Phishing Email Can Kill NY Power Grid, Lack Of Cybersecurity Legislation Is Not The Problem

We’ve been talking about the faux urgency to pass some cybersecurity legislation coming from the federal government, with plenty of fear mongering from politicians who never seem to want to point out any factual basis for why we need such new laws. Instead, it’s all been about Hollywood movie script-style scenarios about planes falling from the skies. It appears that the White House is heavily involved in this bogus fear mongering as well, having recently set up a “simulated cyberattack on New York City’s power supply” to convince elected officials to move forward on the legislation.

During a classified briefing in the Office of Senate Security, Homeland Security Secretary Janet Napolitano and White House counterterrorism adviser John Brennan showed lawmakers how a hacker could breach control systems of the city’s electric system and trigger a ripple effect throughout the population and private sector, according to a source familiar with the scenario.

“The fact that we could be subject to a catastrophic attack under the right circumstances and we now know some of the things that would help us to protect against such an attack, that’s why it’s important now for the Congress to take this up,” Napolitano said in an interview with POLITICO.

Now that’s interesting. Just how could a hacker breach control systems of the power grid? Apparently with an email phishing attack:

During the simulation, the hacker gains access to the electric supply’s control system through a simple “spearphishing” attack, in which a worker merely clicks on a link in an email that appears to be from someone they know.

Um, there’s your problem. If the NYC power grid is attached to the public internet in such a way that it can be taken down, then um, shouldn’t we take it off the internet? This isn’t about cybersecurity, this is about common sense, where things like the power grid should not be accessible via the internet — and I’m pretty sure they’re not (back here in reality). But in the world where we need fear, uncertainty, doubt and the ability for the federal government to spy on private networks, we have to pretend such a scenario is likely.

Of course, I also question why the White House chose NYC as the showcase for the simulation and suggested that there would be deaths and other massive harm from such a power grid takedown. After all, it was just about a decade ago that the power grid in the Northeast did, in fact, fail. It was an inconvenience for many people, certainly, but it was hardly damaging in the way the White House seems to have implied with this scare tactic.

So, once again, can we take a step back and ask some simple questions: what’s the real threat and the real risk here? If it’s that the NYC power grid is accessible by a simple password over the public internet, then the problem isn’t cybersecurity, it’s whoever was stupid enough to connect the power grid to the internet. Let’s fix that. But let’s not regulate and spy on large segments of the public internet to cover for a few bad decisions.

artp (profile) says:

If large numbers of utility and industrial systems were connected to the Internet, then we would hear about large numbers of utility and industrial systems grinding to a halt with each virus infection that spreads across the world. (Iranian uranium fuel enrichment plants and Bradley Manning aside)

My only hesitation about this is that management PHBs are sure to have cut funding for _extra_ workstations to keep the two networks separate in those utilities and industries.

The real problem is not that legislation is needed, even if there is a danger present. It is that training is needed for employees who operate these systems so that they recognize the threats that they could potentially transmit.

Now, this is a tall order. I just saw an article about the military warning soldiers not to post pictures on the Internet taken with smartphones, and not to use social networks that use the same geolocation services that smartphones offer. They offer the example of someone posting a picture of a new fleet of helicopters on the Internet, which, of course, contained geolocation data, which was followed by a mortar attack that destroyed four of the helicopters.

You would think that it would be a no-brainer for someone to understand, “Hey guys, please don’t call in a mortar attack on yourselves, pretty please?” But that is the real problem that we face. Technology is so complex that the average person cannot understand the FULL implications of his actions. Hey, I have problems with it, and I bet you’ve been nipped in the wringer once or twice (understatement).

Eponymous Coward (profile) says:

Re: Re:

Until we can legislate smarter people behind keyboards, there’s no point in your fancy cyber-whatsits laws.

This wasn’t a virus, it was a social engineering attack, akin to someone claiming to be the pizza guy so you buzz them through your apartment complex’s security door. Bigger locks aren’t the solution here. The solution is a frozen-pizza only apartment complex, or possibly an in-building pizzeria.

Mmm, cyberpizza.

artp (profile) says:

Re: Re: Re:

Re: Social engineering vs. viruses….

When your ship is blown out of the water, it doesn’t matter what got you, just that you’ve been had.

I was responsible for security as a Data Center Manager. Our approach was wide-spectrum, from code deficiencies to not pointing out the location of the Data Center on public tours. Physical security is the first rank of protection. Every aspect of security has to be addressed.

If we start to compartmentalize security, then we end up with the same sorry mess that Congress is looking at. It’s all or nothing! I cannot succeed if you fail, so we all have to address the issues.

That is why it is so painfully obvious that the Congressional move is a smoke-screen: it only addresses one small part of the security problem.

Ninja (profile) says:

The sad part is a big chunk of the population will still fall for it despite all the facts against any further regulation.

Awareness is power, as the SOPA/PIPA events clearly showed us. The best we can do is raise awareness of this fear mongering tactic and tell people to ask the Govt the real question: are you that incompetent that you actually linked the power grid to the Internet and think you can solve it with laws instead of action?

artp (profile) says:

Re: Re:

Well then, we need to make you the new CyberSecurity Czar! Or else you need to take a closer look at your company. I’m not sure which.

It isn’t what you know about your company that will get you in trouble. It isn’t the documented architecture that provides the loophole to allow the bad guys to enter. It is the work-arounds that people have put in place to allow them to do their jobs because what was installed doesn’t address how they do their jobs. Or it is the gaps in the architecture that the designers just didn’t see.

I’ve seen this at every company I’ve ever been at. At one Fortune 100 company, if we found a problem outside the scope of our technology (something that would obviously never be a problem at a Fortune 100 company) I would get on the modem, dial up my BBS, and download some tool that would fix said problem. Then other people in IT started doing the same thing. What are you going to do about something like that?

Anonymous Coward says:

Re: Re: Re:2 Re:

All that would depend on the smartphone in question. The majority, and I speak from extensive experience repairing smart phones, DO NOT get mounted automatically.

The majority can however simply be charged by just plugging them in. No harm, or transferring of files, to your computer.

As far as XP goes, most smart phones wouldn’t even be recognized at plug in. You’d have to install the necessary drivers, software or both to get it recognized. Vista or Windows 7 is another story. Also, you fail to recognize the fact that the majority of smart phones first require that you change a setting in the phone itself that results in it being auto mounted and read whenever being plugged in.

Which is of course overlooking the fact that depending where you work, some auto run and mount options are disabled from the start to prevent just such problems, like viruses, from happening. Not to mention that what few ACTUAL smartphone viruses there are ONLY target and infect…. SMARTPHONES.

I’m not going to call you an alarmist or misinformed, but suffice it to say that you’re really grasping at straws.

Karl (profile) says:

Cause of the 2003 blackout

I remember the Eastern blackout well. I was on tour at the time, or else I would have been in the dark, too.

Amid all the talk about “cyberterrorism,” it’s important to remember what actually happened to cause that blackout:

In February 2004, the U.S.-Canada Power System Outage Task Force released their final report, placing the causes of the blackout into four groups:

First, that FirstEnergy and its reliability council “failed to assess and understand the inadequacies of FE’s system, particularly with respect to voltage instability and the vulnerability of the Cleveland-Akron area, and FE did not operate its system with appropriate voltage criteria”. Second, that FirstEnergy “did not recognize or understand the deteriorating condition of its system”. Third, that FirstEnergy “failed to manage adequately tree growth in its transmission rights-of-way”. Finally, the “failure of the interconnected grid’s reliability organizations to provide effective real-time diagnostic support.”

So it seems that, if anything, legislation should focus on the bad actors in the power industry (such as FirstEnergy), and not on any sort of “cyberattack.”

Here’s a good place to start:

On November 19, 2003, U.S. Energy Secretary Spencer Abraham said his department would not seek to punish FirstEnergy Corp for its role in the blackout because current U.S. law does not require electric reliability standards. Abraham stated, “The absence of enforceable reliability standards creates a situation in which there are limits in terms of federal level punishment.”

That Anonymous Coward (profile) says:

Re: Cause of the 2003 blackout

Along with this was the constant suggestion that it might have something to do with a terrorist attack.

The first response in the face of anything out of the ordinary is ZOMG Terrorists!

The people running the powergrid have no idea they are not about to get millions from a Nigerian Prince. The problem is not that scammers will try, it is that we refuse to demand isolated systems and penalties for people who violate those rules. Rather than lay blame on the people stupid enough to get spearphished, we make more rules and try to lock down every thing else. It is not people’s fault they are stupid greedy bastards, it is the fault that bad people will try.

Stuxnet never would have worked if not for people sticking random flash drives into their machines. If the systems running the facility were actually isolated from outside things, it never would have worked. If the control systems were not kept as archaic secrets, someone could try to harden those systems.

Instead we have security through obscurity, we create rules and laws to solve problems better solved in demanding personal accountability. We focus on the unknown, the what-ifs rather than real things we can do to avoid the issues. But then this is more about getting more control over citizens lives, and moving more towards an Orwellian dystopia where no one can think a bad thought without them knowing and stopping it.

Bengie says:

I agree

I think I should also be able to leave my valuables unprotected outside. I should be able to place a few bars of gold on my front lawn and let laws take care of making sure my gold is protected. If my gold gets stolen, there is a law protecting me so I don’t have to take responsibility for my losses. The public should foot the bill.

Does this sound about right?

simple simon says:

It Was Just A Matter Of Time...

Given the amount of calls to the help desk from people asking where the “any” button was, does it surprise anyone to learn that the power grids are on the Internet? Would it surprise you to learn that our entire fleet of nuclear missiles are also on the Net, one phishing email away from being launched? Sure wouldn’t surprise me any. Good times.

Anonymous Coward says:

Mike, the power grid isn’t on the “public internet”. It’s a private network, but the PC that was compromised is on that network. A hacker can attack a network without having direct access to that network through a variety of exploits in web browsers, PDF files, etc… That’s why I don’t click on links in emails unless it goes to a site I am familiar with, and even then I often go to their main site and search instead of relying on someone else to provide a link. I never click on unsolicited links in emails; you’re just asking for trouble then.

PlagueSD says:

After all, it was just about a decade ago that the power grid in the Northeast did, in fact, fail.

And what about us in the Southwest last year???

You forget about us?? All we lost was a few million dollars of perishable foods.
“The outage caused significant losses to restaurants and grocery stores, which were forced to discard quantities of spoiled food; perishable food losses at grocery stores, eating establishments and households were estimated at $12 million to $18 million.”

There were no deaths in the “millions” reported. No world ending events. Hell, during the 11 hours we didn’t have power, I was still on the internet chatting with my buddies on the east coast on my laptop for 3 of those hours while my UPS kept my router and cable modem powered up.

Also, for the AC that posted this:
“Mike, the power grid isn’t on the “public internet”. It’s a private network, but the PC that was compromised is on that network. A hacker can attack a network without having direct access to that network through a variety of exploits in web browsers, PDF files, etc…”

ANY computers that have ANYTHING to do with the power grid shouldn’t even be able to receive email or browse the web. They’re used to control the grid…Not surf the net. If you can get email on a terminal that controls the power grid, THERE’S YOUR PROBLEM!!!

Eponymous Coward (profile) says:

Simulation transcript

-Good morning, Powerco superbig main control room, Fred speaking.

Hi Fred, this is Bill Nefario, Powerco password enforcement division. We need to verify all current passwords on your system.

-That sounds a little suspicious to me. I don’t think I should…

(clicks through Linkedin search results) It’s ok, Tom in information security gave me authorization.

-Oh, you know Tom? Ok, here you go.

You can’t legislate away stupidity.

ECA (profile) says:


In any Work place..
When you wish to do LESS..after you end 1 job, you TRY to look busy. Keep bouncing around, make it look as if you are doing something.

THEN when the BOSS, has a FAILURE…what happens..
IT GETS BURIED.. he gets everyone to work around the mess, until you cant see what happened…as well as MAYBE, destroying the evidence or it gets FIXED along the way.

So, what do the law makers DO, after everything else is DONE..they can’t go home. It would look like they were OVER PAID and doing nothing.

LOGIC isn’t at the top any more. And something is happening, that is Probably, being hidden. This is the 5-6th time they are passing something SIMILAR?

I will point out something about the USA..WE ALREADY HAVE A RESTRICTED MARKET PLACE..and its not by the government..
They finally LIMITED the use of RECORDABLE Material for movies(the VCR is gone). go look at what they are TRYING to give you to record programs.
1. you need a tuner for sat or cable that will select a channel YOU AIN’T watching.
2. record to hard drive(NOT ENCRYPTED)
3. COPY to DVD for a collection(that you can play on ANY machine).
4. IN GOOD quality formats.
5. be able to play OTHER FORMATS, DVI, AVI,DIVX, …

They won’t release such a product in the USA..UNLESS(you wont get all these options) you pay GOOD MONEY..
This is the CORPS, ruling this nation. THEY ARE FIGHTING US thru our OWN government.

It’s time to send our leaders HOME…

Anonymous Coward says:

There is no desire for governments to do any of this. They are just using excuses to implement the bills that will allow them to watch what ordinary citizens are doing during every second of their ordinary daily lives. They aren’t even worried about what ‘other groups’ are doing and how dangerous it may be, as long as they can keep tabs on their own people. There is no progress in the USA now, only regression to the days of ‘reds under the bed’ etc. Ridiculous!

ArkieGuy (profile) says:

Push the big red button.

The thing that blows me away is the best they could come up with was a “spearphishing” attack (while certainly the most likely, it’s not exactly a technology problem).

Consider the following scenario:

Phone rings…
Control Room: Control room, John speaking.
Caller: Hi John, this is Tom in management, I need you to go push the big red button that says “self destruct” for me.
Control Room: Ummm, are you sure? I was told never to do that.
Caller: Yup, I just got the ok from the CEO.
Control Room: Well, ok then. Give me a second.

Like someone else said, you can’t fix stupid! But, just like in the above example, if there aren’t other fail-safes in place (like two keys on the self destruct button or maybe air-gapped networks), stupid can become a technology problem.

Anonymous Coward says:

Common sense does not apply

This isn’t about cybersecurity, this is about common sense, where things like the power grid should not be accessible via the internet — and I’m pretty sure they’re not (back here in reality).

Critical infrastructure (including nuclear power plants) is, in fact, connected to the internet, generally for SCADA (Supervisory Control and Data Acquisition) software, which can have security vulnerabilities.

Here’s Wikipedia’s article (check the “Security issues” section):

Here’s a Forbes article:

And here’s a Cracked article which includes several other things that shouldn’t be hackable but are, including car brakes and pacemakers:

Faetan says:

Re: Common sense does not apply

Well then they are doing it wrong: you can have two networks running, one for process control, e.g. SCADA, and the other for corporate computers.

That is how it should be done: PCN networks should be locked down completely with no internet access, and also locked down from users doing almost anything with them; if not, they need a new IT department.
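The two-network layout Faetan describes (a process-control network with no internet access, separate from the corporate LAN) is something a defender can check mechanically rather than by inspection. The following is an added example and is not code from the original thread or from any utility: a small Python audit that evaluates a first-match firewall rule list against probe flows that cross the control-network boundary, and reports every crossing the policy allows. The address plan, zone and rule names, and probe hosts are assumptions constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the internet). It goes slightly beyond the comment by showing a common pitfall the layout alone does not prevent: a corporate "allow to anywhere" rule placed before any deny also reaches the control network.

```python
"""Audit a first-match firewall policy for control-network (PCN) isolation.

Everything here is constructed for illustration: the address plan, the rule
names and the probe flows are assumptions, not any real utility's configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed address plan.
CONTROL_NET = ip_network("10.50.0.0/16")   # process-control network (PCN)
CORP_NET = ip_network("10.10.0.0/16")      # corporate LAN with mail and web access
ANY = ip_network("0.0.0.0/0")              # anywhere, including the internet


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port


def first_match(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
                dport: int) -> Optional[Rule]:
    """Return the first rule matching the flow; None means the implicit default deny."""
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r
    return None


def is_allowed(rules: List[Rule], src: str, dst: str, dport: int) -> bool:
    """True if the policy lets a flow from src to dst:dport through."""
    hit = first_match(rules, ip_address(src), ip_address(dst), dport)
    return hit is not None and hit.action == "allow"


# Probe flows: (description, source host, destination host, destination port).
# Mail and web are the ordinary phishing delivery paths, so they are probed explicitly.
PROBES = [
    ("control-room host browsing the web", "10.50.1.20", "203.0.113.10", 443),
    ("control-room host fetching mail from corporate", "10.50.1.20", "10.10.0.5", 143),
    ("corporate mail server delivering to a control host", "10.10.0.5", "10.50.1.20", 25),
    ("internet host reaching a control host", "198.51.100.7", "10.50.1.20", 443),
    ("corporate desktop browsing the web", "10.10.4.8", "203.0.113.10", 443),
]


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (probe description, rule name) for every probe that is allowed to
    cross the control-network boundary in either direction.  Flows that stay on
    one side of the boundary (corporate browsing) are not isolation findings."""
    findings = []
    for desc, s, d, port in PROBES:
        src, dst = ip_address(s), ip_address(d)
        crosses = (src in CONTROL_NET) != (dst in CONTROL_NET)
        hit = first_match(rules, src, dst, port)
        if crosses and hit is not None and hit.action == "allow":
            findings.append((desc, hit.name))
    return findings


# Weak policy: the corporate "allow to anywhere" rule sits first and therefore also
# reaches the PCN; the control network has its own web and mail exceptions; and a
# remote-access hole lets anyone in on 443.
LEAKY_RULES = [
    Rule("corp-out", "allow", CORP_NET, ANY),
    Rule("pcn-web-out", "allow", CONTROL_NET, ANY, 443),
    Rule("pcn-mail", "allow", CONTROL_NET, CORP_NET, 143),
    Rule("remote-access-to-pcn", "allow", ANY, CONTROL_NET, 443),
    Rule("default-deny", "deny", ANY, ANY),
]

# Hardened policy: the PCN talks only to itself; explicit denies in both directions
# come before the corporate egress rule, so "anywhere" can no longer include the PCN.
HARDENED_RULES = [
    Rule("pcn-internal", "allow", CONTROL_NET, CONTROL_NET),
    Rule("pcn-no-egress", "deny", CONTROL_NET, ANY),
    Rule("pcn-no-ingress", "deny", ANY, CONTROL_NET),
    Rule("corp-out", "allow", CORP_NET, ANY),
    Rule("default-deny", "deny", ANY, ANY),
]


if __name__ == "__main__":
    for label, rules in (("leaky", LEAKY_RULES), ("hardened", HARDENED_RULES)):
        found = audit(rules)
        print(f"{label}: {len(found)} isolation finding(s)")
        for desc, name in found:
            print(f"  {desc}: allowed by rule '{name}'")
```

Run as-is, the leaky policy produces four findings (one per rule that crosses the boundary) and the hardened policy none, while corporate desktops can still browse under both. The probe list is the part worth maintaining: each entry is an invariant the segmentation is supposed to guarantee, so it doubles as a regression test whenever the rule base changes.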

Al Bert (profile) says:

I haven’t bitched in a while, forgive me.

American terrorism wears a suit and tie.
It has hands in government and a face on television
and full control of a dangerously gullible population.

I don’t know why, but I am always compelled to restate the obvious. There’s a whole nation of media-insulated technophobes out there. Sometimes I get the impression that these discussions fail to recognize how effective such absurd lies and suggestions are against the rest of the country.

Anonymous Coward says:


Alright, after skimming over your last post and this one I just have to say this: if you expect to be taken seriously, at all, lay off the caps button.

Used to that extent, or even half that much, it doesn’t help your arguments, it just makes you look like a kid who doesn’t know decent spelling and punctuation.

ECA (profile) says:


Lets add something here..

USA makes more food than it could ever eat, every year..Over 80% is shipped out…
Do you think they take out the peanut oil from the shipments?
Do they add fillers to any of the food?
Do those Poor countries pay as much as we do for the SAME food?

Why do we get products that BREAK?
Simple answer..Profit..It’s cheaper to make, as they Auction for the Best prices..
And computers make it Easy.
Laptop batteries went to court.
The corps were programming them to Quit, after a certain time. Just like your PRINTER Cartridges.
Why is this happening? EASY..we don’t STOP them.

Do you have a choice? Not really.
Corps say you have CHOICE. Go ahead, tell them what you want, and watch them either say:
Or Charge you thru the nose for it.

Copyrights should fail/fall to everyone..
Do you really think that a Side load washer should cost $1000…For that price, you could get a commercial one, with a GREAT warranty. But it used to be, that when they shipped them to the USA, they sent PARTS with them for repairs. Not now. they have to be ordered, at SPECIAL prices.. It used to be easy/cheap to fix our appliances..Not now.

Al Bert (profile) says:

Re: Re: Re: WARNING..

Oh, I hear you. It’s a horrid bitch to fix consumer products anymore. Half the time you literally need a machine shop and engineering experience to rebuild that which was designed to fail.

But go back to the days when things could be easily fixed by users. Take your modern consumer. If they had been given a spare defrost timer, dryer belt, tuner module, vacuum tube, or even spark plugs as might be associated with such vintage expectations… could most people even muster the effort to try and fix it themselves? For the most part, the answer is no.

The “corps” as you put it have the power to fuck people over because people accept being fucked daily. I’m not pointing my finger at you or other people in the vicinity of this comment, but next time you’re out among the technophobes and whitney-watchers, look around and think about it.

Gerald Robinson (profile) says:

SCADA and the 'net

There is no reason to connect SCADA systems to the internet except laziness, parsimony and convenience. A law that specifically addresses security of SCADA systems and of any vendor systems which can access them either over the ‘net or out of band makes sense. A law that sets security standards for automotive and transportation systems including hardening makes sense. A separate law which requires that GPS sold in the US not be susceptible to off band interference makes sense. A single buckshot law with broad effect makes no sense.

