If Phishing Email Can Kill NY Power Grid, Lack Of Cybersecurity Legislation Is Not The Problem
from the oh-come-on dept
We've been talking about the faux urgency to pass some cybersecurity legislation coming from the federal government, with plenty of fear mongering from politicians who never seem to want to point out any factual basis for why we need such new laws. Instead, it's all been about Hollywood movie script-style scenarios about planes falling from the skies. It appears that the White House is heavily involved in this bogus fear mongering as well, having recently set up a "simulated cyberattack on New York City's power supply" to convince elected officials to move forward on the legislation.

During a classified briefing in the Office of Senate Security, Homeland Security Secretary Janet Napolitano and White House counterterrorism adviser John Brennan showed lawmakers how a hacker could breach control systems of the city’s electric system and trigger a ripple effect throughout the population and private sector, according to a source familiar with the scenario.

Now that's interesting. Just how could a hacker breach control systems of the power grid? Apparently with an email phishing attack:
“The fact that we could be subject to a catastrophic attack under the right circumstances and we now know some of the things that would help us to protect against such an attack, that’s why it’s important now for the Congress to take this up,” Napolitano said in an interview with POLITICO.
During the simulation, the hacker gains access to the electric supply’s control system through a simple “spearphishing” attack, in which a worker merely clicks on a link in an email that appears to be from someone they know.

Um, there's your problem. Notice what the scenario actually requires: not that the grid itself answers to the public internet, but that a workstation on which someone reads email and follows links has a network path to the control system. If that path exists, the fix is to remove it. The machines that operate the grid should not be reachable from the network where people read email and browse the web, and the control network should not be able to open connections out to the internet. This isn't about cybersecurity legislation, this is about common sense, and I'm pretty sure the control systems themselves are not sitting on the public internet (back here in reality). But in the world where we need fear, uncertainty, doubt and the ability for the federal government to spy on private networks, we have to pretend such a scenario is likely.
Of course, I also question why the White House chose NYC as the showcase for the simulation and suggested that there would be deaths and other massive harm from such a power grid takedown. After all, it was just about a decade ago that the power grid in the Northeast did, in fact, fail. It was an inconvenience for many people, certainly, but it was hardly damaging in the way the White House seems to have implied with this scare tactic.
So, once again, can we take a step back and ask some simple questions: what's the real threat and the real risk here? If it's that the NYC power grid is accessible by a simple password over the public internet, then the problem isn't cybersecurity, it's whoever was stupid enough to connect the power grid to the internet. Let's fix that. But let's not regulate and spy on large segments of the public internet to cover for a few bad decisions.
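As an added illustration, not taken from the Techdirt post: the spearphishing scenario only works if some rule lets the workstation that clicked the link talk to the control network, or lets the control network talk back out. The Python below models a first-match firewall rule table and probes it with a handful of connections that a properly segmented utility network must refuse. The zone addresses, hosts, ports and both rule sets are constructed for the example; the "leaky" set contains two mistakes that are common in practice (a direct vendor-support hole and an outbound allow for updates), and the "segmented" set routes the same needs through a DMZ jump host.

```python
"""Added example: auditing IT/OT segmentation against a first-match firewall model.
Zones, hosts, ports and rules below are constructed, not taken from any real utility.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zones. Real networks will differ; the policy shape is what matters.
CORPORATE = ipaddress.ip_network("10.10.0.0/16")      # workstations that read email and browse
DMZ = ipaddress.ip_network("10.20.0.0/24")            # jump host / historian replica between IT and OT
CONTROL = ipaddress.ip_network("192.168.100.0/24")    # SCADA servers, HMIs, PLCs
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # None means any destination port
    action: str           # "allow" or "deny"


def decide(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; no match means deny, the only sane default."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


# Representative hosts in each zone (constructed).
WORKSTATION = "10.10.42.17"      # where the phishing link gets clicked
JUMP_HOST = "10.20.0.5"
HMI = "192.168.100.20"
UPDATE_SERVER = "93.184.216.34"  # some host on the public internet

# Connections that must be refused if segmentation is real: (label, src, dst, port).
MUST_DENY = [
    ("corporate -> control RDP", WORKSTATION, HMI, 3389),
    ("corporate -> control Modbus", WORKSTATION, HMI, 502),
    ("corporate -> control SMB", WORKSTATION, HMI, 445),
    ("control -> internet HTTPS", HMI, UPDATE_SERVER, 443),
    ("control -> corporate SMB", HMI, WORKSTATION, 445),
]


def audit(rules: List[Rule]) -> List[str]:
    """Return the labels of MUST_DENY probes that the rule set actually allows."""
    return [label for label, s, d, p in MUST_DENY if decide(rules, s, d, p) == "allow"]


# Two common mistakes: a "temporary" vendor-support hole straight into the control
# network, and an outbound allow so control hosts can fetch updates themselves.
LEAKY_RULES = [
    Rule(CORPORATE, DMZ, 22, "allow"),
    Rule(CORPORATE, CONTROL, 3389, "allow"),  # mistake 1: direct IT -> OT path
    Rule(CONTROL, ANY, 443, "allow"),         # mistake 2: control network talks to the internet
    Rule(ANY, ANY, None, "deny"),
]

# Same operational needs routed through the DMZ: operators SSH to the jump host, only
# the jump host may open RDP to the HMI, and control hosts never initiate to the internet.
SEGMENTED_RULES = [
    Rule(CORPORATE, DMZ, 22, "allow"),
    Rule(DMZ, CONTROL, 3389, "allow"),
    Rule(CONTROL, DMZ, 5432, "allow"),        # historian push, OT -> DMZ only
    Rule(ANY, ANY, None, "deny"),
]

if __name__ == "__main__":
    print("leaky rule set allows:", audit(LEAKY_RULES))
    print("segmented rule set allows:", audit(SEGMENTED_RULES))
```

Running it flags "corporate -> control RDP" and "control -> internet HTTPS" for the leaky set and nothing for the segmented one. Note what the segmented version does and does not buy: the phished workstation can still reach the jump host on port 22, so the attacker's next step is stealing or reusing credentials for that one host. That is a far narrower path than a direct route, and one that can be given its own authentication, logging and monitoring; it is not a reason to skip the audit of the rule table that sits behind it.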
Filed Under: cybersecurity, fear mongering, hype, nyc, phishing, power grid, terrorism, white house
Reader Comments
My only hesitation about this is that management PHBs are sure to have cut funding for _extra_ workstations to keep the two networks separate in those utilities and industries.
The real problem is not that legislation is needed, even if there is a danger present. It is that training is needed for employees who operate these systems so that they recognize the threats that they could potentially transmit.
Now, this is a tall order. I just saw an article about the military warning soldiers not to post pictures on the Internet taken with smartphones, and not to use social networks that use the same geolocation services that smartphones offer. They offer the example of someone posting a picture of a new fleet of helicopters on the Internet, which, of course, contained geolocation data, which was followed by a mortar attack that destroyed four of the helicopters.
You would think that it would be a no-brainer for someone to understand, "Hey guys, please don't call in a mortar attack on yourselves, pretty please?" But that is the real problem that we face. Technology is so complex that the average person cannot understand the FULL implications of his actions. Hey, I have problems with it, and I bet you've been nipped in the wringer once or twice (understatement).
Re:
This wasn't a virus, it was a social engineering attack, akin to someone claiming to be the pizza guy so you buzz them through your apartment complex's security door. Bigger locks aren't the solution here. The solution is a frozen-pizza only apartment complex, or possibly an in-building pizzeria.
Mmm, cyberpizza.
Re: Re:
When your ship is blown out of the water, it doesn't matter what got you, just that you've been had.
I was responsible for security as a Data Center Manager. Our approach was wide spectrum, from code deficiencies to not pointing out the location of the Data Center on public tours. Physical security is the first rank of protection. Every aspect of security has to be addressed.
If we start to compartmentalize security, then we end up with the same sorry mess that Congress is looking at. It's all or nothing! I cannot succeed if you fail, so we all have to address the issues.
That is why it is so painfully obvious that the Congressional move is a smoke-screen: it only addresses one small part of the security problem.
Re: Re:
Man, if someone built an apartment complex with one of those, and then rented it out to college students... they could charge anything they wanted and they'd still be out of available apartments inside a week of opening.
Re: Re:
http://digitaljournal.com/article/320997
We are the government
Awareness is power, as the SOPA/PIPA events clearly showed us. The best we can do is raise awareness of this fear-mongering tactic and tell people to ask the government the real question: are you so incompetent that you actually linked the power grid to the Internet, and do you think you can solve it with laws instead of action?
Re:
It isn't what you know about your company that will get you in trouble. It isn't the documented architecture that provides the loophole to allow the bad guys to enter. It is the work-arounds that people have put in place to allow them to do their jobs because what was installed doesn't address how they do their jobs. Or it is the gaps in the architecture that the designers just didn't see.
I've seen this at every company I've ever been at. At one Fortune 100 company, if we found a problem outside the scope of our technology (something that would obviously never be a problem at a Fortune 100 company) I would get on the modem, dial up my BBS, and download some tool that would fix said problem. Then other people in IT started doing the same thing. What are you going to do about something like that?
Re:
Did you send it from a smartphone? Ok, now your factory is connected to the internet via your smartphone.
Re: Re: Re: Re:
The majority can however simply be charged by just plugging them in. No harm, or transferring of files, to your computer.
As far as XP goes, most smart phones wouldn't even be recognized at plug in. You'd have to install the necessary drivers, software or both to get it recognized. Vista or Windows 7 is another story. Also, you fail to recognize the fact that the majority of smart phones first require that you change a setting in the phone itself that results in it being auto mounted and read whenever being plugged in.
Which is of course overlooking the fact that, depending where you work, some auto-run and mount options are disabled from the start to prevent just such problems, like viruses, from happening. Not to mention that what few ACTUAL smartphone viruses there are ONLY target and infect.... SMARTPHONES.
I'm not going to call you an alarmist or misinformed, but suffice it to say that you're really grasping at straws.
Battlestar Galactica anyone?
Hopefully, at least one of them is fat enough to block the reactor before it blows.
Re:
or have access to a generator.
Guess we better just make another law.
Cause of the 2003 blackout
Amid all the talk about "cyberterrorism," it's important to remember what actually happened to cause that blackout:
So it seems that, if anything, legislation should focus on the bad actors in the power industry (such as FirstEnergy), and not on any sort of "cyberattack."
Here's a good place to start:
Re: Cause of the 2003 blackout
The first response in the face of anything out of the ordinary is ZOMG Terrorists!
The people running the power grid have no idea they are not about to get millions from a Nigerian Prince. The problem is not that scammers will try, it is that we refuse to demand isolated systems and penalties for people who violate those rules. Rather than lay blame on the people stupid enough to get spearphished, we make more rules and try to lock down everything else. It is not people's fault they are stupid greedy bastards, it is the fault that bad people will try.
Stuxnet never would have worked if not for people sticking random flash drives into their machines. If the systems running the facility were actually isolated from outside things, it never would have worked. If the control systems were not kept as archaic secrets, someone could try to harden those systems.
Instead we have security through obscurity; we create rules and laws to solve problems better solved by demanding personal accountability. We focus on the unknown, the what-ifs, rather than real things we can do to avoid the issues. But then this is more about getting more control over citizens' lives, and moving more towards an Orwellian dystopia where no one can think a bad thought without them knowing and stopping it.
I agree
Does this sound about right?
Re: Re: I agree
I think my extremely simple point just went "whoosh" on you.
It Was Just A Matter Of Time...
Re:
The network controlling the grid should be an isolated network. An isolated network would require a physical security vulnerability in addition to an information security vulnerability.
Re:
It's about a bunch of kids who fix the Gibson and then go back to their shitty lives.
Reductio'd, but the absurdum is already there
Re: Reductio'd, but the absurdum is already there
We want to make sure that even the most inept hacker can have the rush of hacking into a system.
And what about us in the Southwest last year???
http://en.wikipedia.org/wiki/2011_Southwest_blackout
You forget about us?? All we lost was a few million dollars of perishable foods.
"The outage caused significant losses to restaurants and grocery stores, which were forced to discard quantities of spoiled food; perishable food losses at grocery stores, eating establishments and households were estimated at $12 million to $18 million."
There were no deaths in the "millions" reported. No world ending events. Hell during the 11 hours we didn't have power, I was still on the internet chatting with my buddies on the east coast on my laptop for 3 of those hours while my UPS kept my router and cable modem powered up.
Also, for the AC that posted this:
"Mike the power grid isn't on the "public internet". It's a private network, but the PC that was compromised is on that network. A hacker can attack a network without having direct access to that network through a variety of exploits in web browsers, PDF files, etc..."
ANY computers that have ANYTHING to do with the power grid shouldn't even be able to receive email or browse the web. They're used to control the grid...Not surf the net. If you can get email on a terminal that controls the power grid, THERE'S YOUR PROBLEM!!!
Simulation transcript
-Hi Fred, this is Bill Nefario, Powerco password enforcement division. We need to verify all current passwords on your system.
-That sounds a little suspicious to me. I don't think I should...
-(clicks through Linkedin search results) It's ok, Tom in information security gave me authorization.
-Oh, you know Tom? Ok, here you go.
You can't legislate away stupidity.
Re: Simulation transcript
Should read "You can't patch stupid."
Anti-Terrorist Mind Control Law
Standard Operating Procedure (SOP)
When you wish to do LESS, after you end one job, you TRY to look busy. Keep bouncing around, make it look as if you are doing something.
THEN when the BOSS has a FAILURE, what happens?
IT GETS BURIED. He gets everyone to work around the mess until you can't see what happened, as well as MAYBE destroying the evidence, or it gets FIXED along the way.
So what do the lawmakers DO after everything else is DONE? They can't go home. It would look like they were OVERPAID and doing nothing.
LOGIC isn't at the top any more. And something is happening that is probably being hidden. This is the 5th or 6th time they are passing something SIMILAR?
I will point out something about the USA: WE ALREADY HAVE A RESTRICTED MARKETPLACE, and it's not by the government.
They finally LIMITED the use of RECORDABLE material for movies (the VCR is gone). Go look at what they are TRYING to give you to record programs.
1. You need a tuner for sat or cable that will select a channel YOU AIN'T watching.
2. Record to hard drive (NOT ENCRYPTED).
3. COPY to DVD for a collection (that you can play on ANY machine).
4. IN GOOD quality formats.
5. Be able to play OTHER FORMATS: DVI, AVI, DIVX, ...
They won't release such a product in the USA UNLESS you pay GOOD MONEY (and you won't get all these options).
This is the CORPS ruling this nation. THEY ARE FIGHTING US through our OWN government.
It's time to send our leaders HOME...
Push the big red button.
Consider the following scenario:
Phone ring...
Control Room: Control room, John speaking.
Caller: Hi John, this is Tom in management, I need you to go push the big red button that says "self destruct" for me.
Control Room: Ummm, are you sure? I was told never to do that.
Caller: Yup, I just got the ok from the CEO.
Control Room: Well, ok then. Give me a second.
Like someone else said, you can't fix stupid! But, just like in the above example, if there aren't other fail-safes in place (like two keys on the self-destruct button or maybe air-gapped networks), stupid can become a technology problem.
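As an added example, not from the comment above: the "two keys" fail-safe can be enforced in software as a two-person rule, where a destructive command executes only when two distinct operators have each signed exactly that command together with a one-time request identifier. The operator ids, keys, command text and request identifiers below are constructed for the example; a real deployment would keep operator keys on hardware tokens and would run the gate on the control side, not on the workstation that took the phone call.

```python
"""Added example: a two-person rule for a destructive control action.
Operator keys, command text and request ids are constructed; in practice keys are
provisioned out of band (tokens, HSM) and the caller on the phone never holds one.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Set, Tuple

# Constructed operator key store (assumption, not from the thread).
OPERATOR_KEYS: Dict[str, bytes] = {
    "op-john": b"constructed-key-for-john",
    "op-maria": b"constructed-key-for-maria",
}


def _message(command: str, nonce: str) -> bytes:
    """Canonical bytes both approvers sign: the exact command plus a one-time request id."""
    return json.dumps({"command": command, "nonce": nonce}, sort_keys=True).encode()


def approve(operator: str, command: str, nonce: str) -> Tuple[str, str]:
    """An operator produces an approval (operator id, HMAC tag) for this command and nonce only."""
    tag = hmac.new(OPERATOR_KEYS[operator], _message(command, nonce), hashlib.sha256).hexdigest()
    return operator, tag


class TwoPersonGate:
    """Lets a command through only with `required` valid approvals from distinct operators."""

    def __init__(self, required: int = 2) -> None:
        self.required = required
        self.used_nonces: Set[str] = set()

    def authorize(self, command: str, nonce: str, approvals: List[Tuple[str, str]]) -> bool:
        if nonce in self.used_nonces:
            return False  # a previously executed request cannot be replayed
        valid: Set[str] = set()  # a set, so one operator approving twice counts once
        for operator, tag in approvals:
            key = OPERATOR_KEYS.get(operator)
            if key is None:
                continue  # unknown operator id
            expected = hmac.new(key, _message(command, nonce), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, tag):
                valid.add(operator)
        if len(valid) < self.required:
            return False
        self.used_nonces.add(nonce)  # consume the request id only on success
        return True


def run_scenario() -> Dict[str, bool]:
    """Replay the 'big red button' phone call against the gate; returns each attempt's outcome."""
    gate = TwoPersonGate()
    cmd = "trip breaker feeder-7"          # constructed command
    n1, n2 = "req-0001", "req-0002"        # constructed; use secrets.token_hex(16) in practice
    john = approve("op-john", cmd, n1)
    maria = approve("op-maria", cmd, n1)
    forged = ("op-maria", "00" * 32)       # caller claims Maria approved but cannot produce her tag
    return {
        "one operator": gate.authorize(cmd, n1, [john]),
        "same operator twice": gate.authorize(cmd, n1, [john, john]),
        "forged second approval": gate.authorize(cmd, n1, [john, forged]),
        "two distinct operators": gate.authorize(cmd, n1, [john, maria]),
        "replay of approved request": gate.authorize(cmd, n1, [john, maria]),
        # approvals for n2 were signed over `cmd`; the gate is asked to run a different command
        "approval bound to command": gate.authorize(
            "open all breakers", n2, [approve("op-john", cmd, n2), approve("op-maria", cmd, n2)]
        ),
    }


if __name__ == "__main__":
    for attempt, ok in run_scenario().items():
        print(f"{attempt:30s} {'EXECUTED' if ok else 'refused'}")
```

Only the attempt with two genuine, distinct approvals goes through. The social-engineering call fails not because John got smarter but because the caller cannot produce Maria's tag, and even a captured pair of valid approvals cannot be replayed later or reused for a different command.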
Common sense does not apply
Critical infrastructure (including nuclear power plants) is, in fact, connected to the internet, generally for SCADA (Supervisory Control and Data Acquisition) software, which can have security vulnerabilities.
Here's Wikipedia's article (check the "Security issues" section):
http://en.wikipedia.org/wiki/SCADA
Here's a Forbes article:
http://www.forbes.com/2007/08/22/scada-hackers-infrastructure-tech-security-cx_ag_0822hack.html
And here's a Cracked article which includes several other things that shouldn't be hackable but are, including car brakes and pacemakers:
http://www.cracked.com/article_19412_8-things-you-wont-believe-can-be-hacked.html
Re: Common sense does not apply
That is how it should be done. PCN networks should be locked down completely, with no internet access, and also locked down from users doing almost anything with them; if not, they need a new IT department.
i haven't bitched in a while, forgive me.
It has hands in government and a face on television
and full control of a dangerously gullible population.
I don't know why, but i am always compelled to restate the obvious. There's a whole nation of media-insulated technophobes out there. Sometimes i get the impression that these discussions fail to recognize how effective such absurd lies and suggestions are against the rest of the country
WARNING..
It was released to be PRIVATELY run, by a CORP...FOR PROFIT..
ITS A CORP...
IF they SCREW UP, its THEIR FAULT.
Let the gov FINE them..
1. NOT supplying proper energy protections..
2. NOT upgrading facilities to maintain proper POWER structure
3. FOR being an F@#%#ing IDIOT..
Re: WARNING..
Used to that extent, or even half that much, it doesn't help your arguments, it just makes you look like a kid who doesn't know decent spelling and punctuation.
if you wanted to be constructive
Re: Re: WARNING..
USA makes more food than it could ever eat, every year..Over 80% is shipped out...
Do you think they take out the peanut oil from the shipments?
Do they add fillers to any of the food?
Do those poor countries pay as much as we do for the SAME food?
Why do we get products that BREAK?
Simple answer..Profit..It's cheaper to make, as they auction for the best prices..
And computers make it Easy.
Laptop batteries went to court.
The corps were programming them to Quit, after a certain time. Just like your PRINTER Cartridges.
Why is this happening? EASY..we dont STOP them.
Do you have a choice? Not really.
Corps say you have CHOICE. Go ahead, tell them what you want. and watch them either say:
NO
Restricted
Or Charge you thru the nose for it.
Copyrights should fail/fall to everyone..
Do you really think that a Side load washer should cost $1000...For that price, you could get a commercial one, with a GREAT warranty. But it used to be, that when they shipped them to the USA, they sent PARTS with them for repairs. Not now. they have to be ordered, at SPECIAL prices.. It used to be easy/cheap to fix our appliances..Not now.
Re: Re: Re: WARNING..
But go back to the days when things could be easily fixed by users. Take your modern consumer. If they had been given a spare defrost timer, dryer belt, tuner module, vacuum tube, or even spark plugs as might be associated with such vintage expectations... could most people even muster the effort to try and fix it themselves? For the most part, the answer is no.
The "corps" as you put it have the power to fuck people over because people accept being fucked daily. I'm not pointing my finger at you or other people in the vicinity of this comment, but next time you're out among the technophobes and whitney-watchers, look around and think about it.
SCADA and the 'net