If Phishing Email Can Kill NY Power Grid, Lack Of Cybersecurity Legislation Is Not The Problem

from the oh-come-on dept

We've been talking about the faux urgency to pass some cybersecurity legislation coming from the federal government, with plenty of fear mongering from politicians who never seem to want to point out any factual basis for why we need such new laws. Instead, it's all been about Hollywood movie script-style scenarios about planes falling from the skies. It appears that the White House is heavily involved in this bogus fear mongering as well, having recently set up a "simulated cyberattack on New York City's power supply" to convince elected officials to move forward on the legislation.

    During a classified briefing in the Office of Senate Security, Homeland Security Secretary Janet Napolitano and White House counterterrorism adviser John Brennan showed lawmakers how a hacker could breach control systems of the city’s electric system and trigger a ripple effect throughout the population and private sector, according to a source familiar with the scenario.

    “The fact that we could be subject to a catastrophic attack under the right circumstances and we now know some of the things that would help us to protect against such an attack, that’s why it’s important now for the Congress to take this up,” Napolitano said in an interview with POLITICO.

Now that's interesting. Just how could a hacker breach control systems of the power grid? Apparently with an email phishing attack:

    During the simulation, the hacker gains access to the electric supply’s control system through a simple “spearphishing” attack, in which a worker merely clicks on a link in an email that appears to be from someone they know.

Um, there's your problem. If the NYC power grid is attached to the public internet in such a way that it can be taken down, then um, shouldn't we take it off the internet? This isn't about cybersecurity, this is about common sense, where things like the power grid should not be accessible via the internet -- and I'm pretty sure they're not (back here in reality). But in the world where we need fear, uncertainty, doubt and the ability for the federal government to spy on private networks, we have to pretend such a scenario is likely.

Of course, I also question why the White House chose NYC as the showcase for the simulation and suggested that there would be deaths and other massive harm from such a power grid takedown. After all, it was just about a decade ago that the power grid in the Northeast did, in fact, fail. It was an inconvenience for many people, certainly, but it was hardly damaging in the way the White House seems to have implied with this scare tactic.

So, once again, can we take a step back and ask some simple questions: what's the real threat and the real risk here? If it's that the NYC power grid is accessible by a simple password over the public internet, then the problem isn't cybersecurity, it's whoever was stupid enough to connect the power grid to the internet. Let's fix that. But let's not regulate and spy on large segments of the public internet to cover for a few bad decisions.

Filed Under: cybersecurity, fear mongering, hype, nyc, phishing, power grid, terrorism, white house


Reader Comments



  • artp (profile), 12 Mar 2012 @ 7:50am

    If large numbers of utility and industrial systems were connected to the Internet, then we would hear about large numbers of utility and industrial systems grinding to a halt with each virus infection that spreads across the world. (Iranian uranium fuel enrichment plants and Bradley Manning aside)

    My only hesitation about this is that management PHBs are sure to have cut funding for _extra_ workstations to keep the two networks separate in those utilities and industries.

    The real problem is not that legislation is needed, even if there is a danger present. It is that training is needed for employees who operate these systems so that they recognize the threats that they could potentially transmit.

    Now, this is a tall order. I just saw an article about the military warning soldiers not to post pictures on the Internet taken with smartphones, and not to use social networks that use the same geolocation services that smartphones offer. They offer the example of someone posting a picture of a new fleet of helicopters on the Internet, which, of course, contained geolocation data, which was followed by a mortar attack that destroyed four of the helicopters.

    You would think that it would be a no-brainer for someone to understand, "Hey guys, please don't call in a mortar attack on yourselves, pretty please?" But that is the real problem that we face. Technology is so complex that the average person cannot understand the FULL implications of his actions. Hey, I have problems with it, and I bet you've been nipped in the wringer once or twice (understatement).

    • Eponymous Coward (profile), 12 Mar 2012 @ 9:06am

      Re:

      Until we can legislate smarter people behind keyboards, there's no point in your fancy cyber-whatsits laws.

      This wasn't a virus, it was a social engineering attack, akin to someone claiming to be the pizza guy so you buzz them through your apartment complex's security door. Bigger locks aren't the solution here. The solution is a frozen-pizza only apartment complex, or possibly an in-building pizzeria.

      Mmm, cyberpizza.

      • artp (profile), 12 Mar 2012 @ 10:18am

        Re: Re:

        Re: Social engineering vs. viruses....

        When your ship is blown out of the water, it doesn't matter what got you, just that you've been had.

        I was responsible for security as a Data Center Manager. Our approach was wide spectrum, from code deficiencies to not pointing out the location of the Data Center on public tours. Physical security is the first rank of protection. Every aspect of security has to be addressed.

        If we start to compartmentalize security, then we end up with the same sorry mess that Congress is looking at. It's all or nothing! I cannot succeed if you fail, so we all have to address the issues.

        That is why it is so painfully obvious that the Congressional move is a smoke-screen: it only addresses one small part of the security problem.

      • That One Guy (profile), 13 Mar 2012 @ 6:12am

        Re: Re:

        >or possibly an in-building pizzeria.

        Man, if someone built an apartment complex with one of those, and then rented it out to college students... they could charge anything they wanted and they'd still be out of available apartments inside a week of opening.

    • Dementia (profile), 12 Mar 2012 @ 9:19am

      Re:

      How about posting up a link to this article you mentioned involving the helicopters.....

      • Dementia (profile), 12 Mar 2012 @ 9:23am

        Re: Re:

        Never mind, I found it. However, I know when I deployed, we were prohibited from using personal mobile phones while we were in theater. Not to mention that there wasn't any service in western Iraq, although that may have changed.

      • artp (profile), 12 Mar 2012 @ 10:23am

        Re: Re:

        For others who are curious, I saw this link on Groklaw. The article is on Digital Journal, the title is "U.S. army warns soldiers of dangers of Facebook geotagging"

        http://digitaljournal.com/article/320997

  • silverscarcat (profile), 12 Mar 2012 @ 7:51am

    We are the government

    And being competent is not what your tax dollars are paying for.

  • Ninja (profile), 12 Mar 2012 @ 7:54am

    The sad part is a big chunk of the population will still fall for it despite all the facts against any further regulation.

    Awareness is power as the SOPA/PIPA events clearly showed us. The best we can do is raise awareness of this fear mongering tactic and tell the ppl to ask the Govt the real question: are you that incompetent that you actually linked the power grid to the Internet and think you can solve it with laws instead of action?

  • John Everyman, 12 Mar 2012 @ 7:58am

    I work in a factory, nothing is connected to the net. Not even the computers in the office. We don't even have an IT department at all and have no problems. I would hope something as vital as the power grid were not connected to the net.

    • artp (profile), 12 Mar 2012 @ 9:12am

      Re:

      Well then, we need to make you the new CyberSecurity Czar! Or else you need to take a closer look at your company. I'm not sure which.

      It isn't what you know about your company that will get you in trouble. It isn't the documented architecture that provides the loophole to allow the bad guys to enter. It is the work-arounds that people have put in place to allow them to do their jobs because what was installed doesn't address how they do their jobs. Or it is the gaps in the architecture that the designers just didn't see.

      I've seen this at every company I've ever been at. At one Fortune 100 company, if we found a problem outside the scope of our technology (something that would obviously never be a problem at a Fortune 100 company) I would get on the modem, dial up my BBS, and download some tool that would fix said problem. Then other people in IT started doing the same thing. What are you going to do about something like that?

    • Anonymous Coward, 12 Mar 2012 @ 9:26am

      Re:

      How did you post this at 8am on a Monday morning without being connected to the internet from your workplace?

      Did you send it from a smartphone? Ok, now your factory is connected to the internet via your smartphone.

      • PlagueSD (profile), 12 Mar 2012 @ 9:46am

        Re: Re:

        The difference being that his smartphone doesn't control any of the factory machines.

      • Anonymous Coward, 12 Mar 2012 @ 10:30am

        Re: Re:

        Except it isn't. His phone being connected to 3g does not make his work station connected to 3g. The virus he gets on his phone will not transfer to the work computers.

        • Anonymous Coward, 12 Mar 2012 @ 11:40am

          Re: Re: Re:

          But if he decides he needs to recharge the battery vampire, aka smartphone, and plugs a USB cable into his XP workstation, which will conveniently mount it as a USB drive, then his whole company is jacked because he didn't realize that recharging could transfer a virus.

          • John Fenderson (profile), 12 Mar 2012 @ 12:34pm

            Re: Re: Re: Re:

            If he did this where I work, then his employment would be at risk. It's expressly prohibited as it is (or should be) pretty much anywhere else.

          • Anonymous Coward, 12 Mar 2012 @ 2:14pm

            Re: Re: Re: Re:

            All that would depend on the smartphone in question. The majority, and I speak from extensive experience repairing smart phones, DO NOT get mounted automatically.

            The majority can however simply be charged by just plugging them in. No harm, or transferring of files, to your computer.

            As far as XP goes, most smart phones wouldn't even be recognized at plug in. You'd have to install the necessary drivers, software or both to get it recognized. Vista or Windows 7 is another story. Also, you fail to recognize the fact that the majority of smart phones first require that you change a setting in the phone itself that results in it being auto mounted and read whenever being plugged in.

            Which is of course overlooking the fact that depending where you work, some auto run and mount options are disabled from the start to prevent just such problems, like viruses, from happening. Not to mention that what few ACTUAL smartphone viruses there are ONLY target and infect.... SMARTPHONES.

            I'm not going to call you an alarmist or misinformed, but suffice it to say that you're really grasping at straws.

  • GMacGuffin (profile), 12 Mar 2012 @ 8:05am

    Battlestar Galactica anyone?

    Didn't anybody learn anything from Battlestar Galactica (besides Apollo being a terrible actor)? The Luddite Bill Adama refuses to connect to the grid; Cylons infiltrate the defense systems; world ends; Adama's ship Galactica survives. Duh.

  • Anonymous Coward, 12 Mar 2012 @ 8:06am

    Mike, if we didn't regulate and spy on large segments of the population to cover for a few bad decisions then we'd never regulate or spy on large segments of the population. And what kind of a world would we be living in then?

  • Anonymous Coward, 12 Mar 2012 @ 8:06am

    My government scares me more than hackers ever will.

  • Rikuo (profile), 12 Mar 2012 @ 8:06am

    They have to be connected to the internet. The reason they did is that they watched the Simpsons, followed Homer's example, and want to start pressing Y on their home terminal all day instead of actually doing their jobs.



    Hopefully, at least one of them is fat enough to block the reactor before it blows.

  • fb39ca4, 12 Mar 2012 @ 8:24am

    If the power grid fails, then there is no way to hack stuff.

    • Endtimer (profile), 12 Mar 2012 @ 7:38pm

      Re:

      Unless the hackers are hacking from, I dunno, say, any other place in the world

      or have access to a generator.

  • Michael, 12 Mar 2012 @ 8:27am

    Promulgating fear in order to dismantle our Constitution and Bill of Rights sounds an awful lot like terrorism to me. 'Security' is just a convenient justification. If this keeps up, our soldiers sacrificed themselves for absolutely nothing. What is an American if not free?

  • Pixelation, 12 Mar 2012 @ 8:27am

    Perhaps if they made phishing attacks illegal, that would take care of the problem. Oh, wait...

    Guess we better just make another law.

  • Karl (profile), 12 Mar 2012 @ 8:29am

    Cause of the 2003 blackout

    I remember the Eastern blackout well. I was on tour at the time, or else I would have been in the dark, too.

    Amid all the talk about "cyberterrorism," it's important to remember what actually happened to cause that blackout:
    In February 2004, the U.S.-Canada Power System Outage Task Force released their final report, placing the causes of the blackout into four groups:

    First, that FirstEnergy and its reliability council "failed to assess and understand the inadequacies of FE’s system, particularly with respect to voltage instability and the vulnerability of the Cleveland-Akron area, and FE did not operate its system with appropriate voltage criteria". Second, that FirstEnergy "did not recognize or understand the deteriorating condition of its system". Third, that FirstEnergy "failed to manage adequately tree growth in its transmission rights-of-way". Finally, the "failure of the interconnected grid’s reliability organizations to provide effective real-time diagnostic support."
    - Wikipedia

    So it seems that, if anything, legislation should focus on the bad actors in the power industry (such as FirstEnergy), and not on any sort of "cyberattack."

    Here's a good place to start:
    On November 19, 2003, U.S. Energy Secretary Spencer Abraham said his department would not seek to punish FirstEnergy Corp for its role in the blackout because current U.S. law does not require electric reliability standards. Abraham stated, "The absence of enforceable reliability standards creates a situation in which there are limits in terms of federal level punishment."

    • That Anonymous Coward (profile), 12 Mar 2012 @ 9:06am

      Re: Cause of the 2003 blackout

      Along with this was the constant suggestion that it might have something to do with a terrorist attack.

      The first response in the face of anything out of the ordinary is ZOMG Terrorists!

      The people running the powergrid have no idea they are not about to get millions from a Nigerian Prince. The problem is not that scammers will try, it is that we refuse to demand isolated systems and penalties for people who violate those rules. Rather than lay blame on the people stupid enough to get spearphished, we make more rules and try to lock down everything else. It is not people's fault they are stupid greedy bastards, it is the fault that bad people will try.

      Stuxnet never would have worked if not for people sticking random flash drives into their machines. If the systems running the facility were actually isolated from outside things, it never would have worked. If the control systems were not kept as archaic secrets, someone could try to harden those systems.

      Instead we have security through obscurity, we create rules and laws to solve problems better solved in demanding personal accountability. We focus on the unknown, the what-ifs rather than real things we can do to avoid the issues. But then this is more about getting more control over citizens lives, and moving more towards an Orwellian dystopia where no one can think a bad thought without them knowing and stopping it.

  • Bengie, 12 Mar 2012 @ 8:31am

    I agree

    I think I should also be able to leave my valuables unprotected outside. I should be able to place a few bars of gold on my front lawn and let laws take care of making sure my gold is protected. If my gold gets stolen, there is a law protecting me so I don't have to take responsibility for my losses. The public should foot the bill.

    This sound about right?

    • Anonymous Coward, 12 Mar 2012 @ 8:47am

      Re: I agree

      Since we're talking about the power grid - a public utility - I'm not sure that your private valuables have anything to do with the discussion.

      • Bengie, 12 Mar 2012 @ 8:56am

        Re: Re: I agree

        So you're saying a public utility shouldn't have to use even basic protections and should only use the law to "protect" them?

        I think my extremely simple point just went "whoosh" on you.

        • Anonymous Coward, 12 Mar 2012 @ 11:46pm

          Re: Re: Re: I agree

          Totally agree with you... I mean, power grid gets stolen all the time, people can just pocket them and walk away....

      • Anonymous Coward, 12 Mar 2012 @ 9:15am

        Re: Re: I agree

        So the Smithsonian Institute should just leave their doors open night and day without any security guards... nobody would ever steal or damage a national treasure, as there are laws to prevent that from happening.

  • simple simon, 12 Mar 2012 @ 8:48am

    It Was Just A Matter Of Time...

    Given the amount of calls to the help desk from people asking where the "any" button was, does it surprise anyone to learn that the power grids are on the Internet? Would it surprise you to learn that our entire fleet of nuclear missiles are also on the Net, one phishing email away from being launched? Sure wouldn't surprise me any. Good times.

  • Anonymous Coward, 12 Mar 2012 @ 8:49am

    Mike the power grid isn't on the "public internet". It's a private network, but the PC that was compromised is on that network. A hacker can attack a network without having direct access to that network through a variety of exploits in web browsers, PDF files, etc... That's why I don't click on links in emails unless it goes to a site I am familiar with and even then I often go to their main site and search instead of relying on someone else to provide a link. I never click on unsolicited links in emails, you're just asking for trouble then.

    • Anonymous Coward, 12 Mar 2012 @ 9:41am

      Re:

      A secure system would mean no node would be on both networks.
      The network controlling the grid should be an isolated network. An isolated network would require a physical security vulnerability in addition to an information security vulnerability.

    • Anonymous Coward, 12 Mar 2012 @ 9:52am

      Re:

      If there are computers connected to both the public Internet and the "private" power grid network, then the power grid network is on the Internet.

    • Berenerd (profile), 12 Mar 2012 @ 10:00am

      Re:

      So this PC is connected to the internet...and to the power regulation modules? That would mean this PC is forming a bridge connecting the power grid controls to the internet. There are ways to make that not so. I know, I do this stuff for a living.

  • Anonymous Coward, 12 Mar 2012 @ 8:50am

    Everything I need to know about the internet I learned by watching "Hackers."

    • That Anonymous Coward (profile), 12 Mar 2012 @ 9:09am

      Re:

      It is much better if you watch it backwards.
      It's about a buncha kids who fix the Gibson and then go back to their shitty lives.

    • Anonymous Coward, 12 Mar 2012 @ 11:48am

      Re:

      Too bad the government learned all they know from war games.

  • Trails (profile), 12 Mar 2012 @ 8:56am

    Reductio'd, but the absurdum is already there

    This argument in essence is: "The government sucks so badly at IT security that the government must take over more IT security".

    • That Anonymous Coward (profile), 12 Mar 2012 @ 5:20pm

      Re: Reductio'd, but the absurdum is already there

      Is this fallout from the idea that everyone gets a ribbon and there are no losers?
      We want to make sure that even the most inept hacker can have the rush of hacking into a system.

  • PlagueSD (profile), 12 Mar 2012 @ 9:14am

    After all, it was just about a decade ago that the power grid in the Northeast did, in fact, fail.


    And what about us in the Southwest last year???

    http://en.wikipedia.org/wiki/2011_Southwest_blackout

    You forget about us?? All we lost was a few million dollars of perishable foods.
    "The outage caused significant losses to restaurants and grocery stores, which were forced to discard quantities of spoiled food; perishable food losses at grocery stores, eating establishments and households were estimated at $12 million to $18 million."

    There were no deaths in the "millions" reported. No world ending events. Hell during the 11 hours we didn't have power, I was still on the internet chatting with my buddies on the east coast on my laptop for 3 of those hours while my UPS kept my router and cable modem powered up.


    Also, for the AC that posted this:
    "Mike the power grid isn't on the "public internet". It's a private network, but the PC that was compromised is on that network. A hacker can attack a network without having direct access to that network through a variety of exploits in web browsers, PDF files, etc..."

    ANY computers that have ANYTHING to do with the power grid shouldn't even be able to receive email or browse the web. They're used to control the grid...Not surf the net. If you can get email on a terminal that controls the power grid, THERE'S YOUR PROBLEM!!!

  • Eponymous Coward (profile), 12 Mar 2012 @ 9:16am

    Simulation transcript

    -Good morning, Powerco superbig main control room, Fred speaking.

    -Hi Fred, this is Bill Nefario, Powerco password enforcement division. We need to verify all current passwords on your system.

    -That sounds a little suspicious to me. I don't think I should...

    -(clicks through Linkedin search results) It's ok, Tom in information security gave me authorization.

    -Oh, you know Tom? Ok, here you go.

    You can't legislate away stupidity.

  • Anonymous Coward, 12 Mar 2012 @ 9:36am

    And what is the government doing to prevent terrorist psychics from hacking the minds of power grid employees?

    • AB, 12 Mar 2012 @ 3:40pm

      Anti-Terrorist Mind Control Law

      Way ahead of you on that one. They're working on a new super-secret law that will make any unauthorized use of minds illegal.

    • That One Guy (profile), 13 Mar 2012 @ 6:21am

      Re:

      Easy, you see all the crazy stuff they keep trying to push isn't meant to actually pass, instead it's designed to make people more and more paranoid, until finally 'poof', everyone is wearing tin-foil hats, and are therefore terrorist psychic proof.

  • ECA (profile), 12 Mar 2012 @ 9:51am

    sTANDARD oPERATING PROCEDURE(sop)

    In any Work place..
    When you wish to do LESS..after you end 1 job, you TRY to look busy. Keep bouncing around, make it look as if you are doing something.

    THEN when the BOSS, has a FAILURE...what happens..
    IT GETS BURIED.. he gets everyone to work around the mess, until you cant see what happened...as well as MAYBE, destroying the evidence or it gets FIXED along the way.

    So, what do the law makers DO, after everything else is DONE..they cant go home. It would look like they were OVER PAID and doing nothing.

    LOGIC isnt at the top any more. And something is happening, that is Probably, being hidden. This is the 5-6th time they are passing something SIMILAR?

    I will point out something about the USA..WE ALREADY HAVE A RESTRICTED MARKET PLACE..and its not by the government..
    They finally LIMITED the use of RECORDABLE Material for movies(the VCR is gone). go look at what they are TRYING to give you to record programs.
    1. you need a tuner for sat or cable that will select a channel YOU AINT watching.
    2. record to hard drive(NOT ENCRYPTED)
    3. COPY to DVD for a collection(that you can play on ANY machine).
    4. IN GOOD quality formats.
    5. be able to play OTHER FORMATS, DVI, AVI,DIVX, ...

    They wont release such a product in the USA..UNLESS(you wont get all these options) you pay GOOD MONEY..
    This is the CORPS, ruling this nation. THEY ARE FIGHTING US thru our OWN government.

    Its time to send our leaders HOME...

  • Anonymous Coward, 12 Mar 2012 @ 9:52am

    there is no desire for governments to do any of this. they are just using excuses to implement the bills that will allow them to watch what ordinary citizens are doing during every second of their ordinary daily lives. they aren't even worried about what 'other groups' are doing and how dangerous it may be, as long as they can keep tabs on their own people. there is no progress in the USA now, only regression to the days of 'reds under the bed' etc. ridiculous!

  • ArkieGuy (profile), 12 Mar 2012 @ 10:20am

    Push the big red button.

    The thing that blows me away is the best they could come up with was a “spearphishing” attack (while certainly the most likely, it's not exactly a technology problem).

    Consider the following scenario:

    Phone ring...
    Control Room: Control room, John speaking.
    Caller: Hi John, this is Tom in management, I need you to go push the big red button that says "self destruct" for me.
    Control Room: Ummm, are you sure? I was told never to do that.
    Caller: Yup, I just got the ok from the CEO.
    Control Room: Well, ok then. Give me a second.

    Like someone else said, you can't fix stupid! But, just like in the above example, if there aren't other fail safes in place (like two keys on the self destruct button or maybe air gapped networks), stupid can become a technology problem.

  • Anonymous Coward, 12 Mar 2012 @ 12:45pm

    Common sense does not apply

    This isn't about cybersecurity, this is about common sense, where things like the power grid should not be accessible via the internet -- and I'm pretty sure they're not (back here in reality).

    Critical infrastructure (including nuclear power plants) is, in fact, connected to the internet, generally for SCADA (Supervisory Control and Data Acquisition) software, which can have security vulnerabilities.

    Here's Wikipedia's article (check the "Security issues" section):
    http://en.wikipedia.org/wiki/SCADA

    Here's a Forbes article:
    http://www.forbes.com/2007/08/22/scada-hackers-infrastructure-tech-security-cx_ag_0822hack.html

    And here's a Cracked article which includes several other things that shouldn't be hackable but are, including car brakes and pacemakers:
    http://www.cracked.com/article_19412_8-things-you-wont-believe-can-be-hacked.html

    • Faetan, 13 Mar 2012 @ 12:46am

      Re: Common sense does not apply

      Well then they are doing it wrong; you can have two networks running, one for process control, e.g. SCADA, and the other for corporate computers.

      That is how it should be done. PCN networks should be locked down completely with no internet access and also locked down from users doing almost anything with them; if not, they need a new IT department.


  • icon
    Al Bert (profile), 12 Mar 2012 @ 2:01pm

    i haven't bitched in a while, forgive me.

    American terrorism wears a suit and tie.
    It has hands in government and a face on television
    and full control of a dangerously gullible population.

    I don't know why, but I am always compelled to restate the obvious. There's a whole nation of media-insulated technophobes out there. Sometimes I get the impression that these discussions fail to recognize how effective such absurd lies and suggestions are against the rest of the country.


  • icon
    ECA (profile), 12 Mar 2012 @ 3:58pm

    WARNING..

    POWER WAS TAKEN away from government control..
    It was released to be PRIVATELY run, by a CORP...FOR PROFIT..

    ITS A CORP...
    IF they SCREW UP, its THEIR FAULT.
    LET the gov, FINE them..
    1. NOT supplying proper energy protections..
    2. NOT upgrading facilities to maintain Proper POWER structure
    3. FOR being an F@#%#ing IDIOT..


    • identicon
      Anonymous Coward, 12 Mar 2012 @ 4:46pm

      Re: WARNING..

      Alright, after skimming over your last post and this one I just have to say this: if you expect to be taken seriously, at all, lay off the caps button.

      Used to that extent, or even half that much, it doesn't help your arguments, it just makes you look like a kid who doesn't know decent spelling and punctuation.


      • icon
        Al Bert (profile), 12 Mar 2012 @ 10:38pm

        if you wanted to be constructive

        You could go so far as to politely suggest tactful use of the simple HTML tags allowed by the comment form.


        • icon
          That One Guy (profile), 13 Mar 2012 @ 6:27am

          Re: if you wanted to be constructive

          Point, after re-reading what I typed out I was a little overboard there, the last line especially, and for that I apologize to the one I was replying to.


      • icon
        ECA (profile), 12 Mar 2012 @ 11:04pm

        Re: Re: WARNING..

        Let's add something here..

        USA makes more food than it could ever eat, every year..Over 80% is shipped out...
        Do you think they take out the peanut oil from the shipments?
        Do they add fillers to any of the food?
        Do those Poor countries, pay as much as we do for the SAME food?

        Why do we get products that BREAK?
        Simple answer..Profit..Its cheaper to make, as they Auction for the Best prices..
        And computers make it Easy.
        Laptop batteries went to court.
        The corps were programming them to Quit, after a certain time. Just like your PRINTER Cartridges.
        Why is this happening? EASY..we don't STOP them.

        Do you have a choice? Not really.
        Corps say you have CHOICE. Go ahead, tell them what you want. and watch them either say:
        NO
        Restricted
        Or Charge you thru the nose for it.

        Copyrights should fail/fall to everyone..
        Do you really think that a Side load washer should cost $1000...For that price, you could get a commercial one, with a GREAT warranty. But it used to be, that when they shipped them to the USA, they sent PARTS with them for repairs. Not now. they have to be ordered, at SPECIAL prices.. It used to be easy/cheap to fix our appliances..Not now.


        • icon
          Al Bert (profile), 13 Mar 2012 @ 12:04am

          Re: Re: Re: WARNING..

          Oh, I hear you. It's a horrid bitch to fix consumer products anymore. Half the time you literally need a machine shop and engineering experience to rebuild that which was designed to fail.

          But go back to the days when things could be easily fixed by users. Take your modern consumer. If they had been given a spare defrost timer, dryer belt, tuner module, vacuum tube, or even spark plugs as might be associated with such vintage expectations... could most people even muster the effort to try and fix it themselves? For the most part, the answer is no.

          The "corps" as you put it have the power to fuck people over because people accept being fucked daily. I'm not pointing my finger at you or other people in the vicinity of this comment, but next time you're out among the technophobes and whitney-watchers, look around and think about it.


  • icon
    Gerald Robinson (profile), 13 Mar 2012 @ 10:52am

    SCADA and the 'net

    There is no reason to connect SCADA systems to the internet except laziness, parsimony and convenience. A law that specifically addresses security of SCADA systems and of any vendor systems which can access them either over the 'net or out of band makes sense. A law that sets security standards for automotive and transportation systems including hardening makes sense. A separate law which requires that GPS sold in the US not be susceptible to off band interference makes sense. A single buckshot law with broad effect makes no sense.
