12 comments

[ 623 ms ] story [ 851 ms ] thread
What is exactly is the value of having any of our utilities connected to the internet? It seems the security risk is too high. It is bad enough we have to rely on people not inserting a bad USB drive or other physical plant problems.
Terrible planning of legacy systems (and some current ones) from people who never gave any thought to security is how we got here. The value is usually negligible.
This right here. Most of these systems are not new or not even from one vendor. Takovers and mergers create networks, that give most sys-admins nightmares. The people who set these things up in the 50s or even 70s did not think about networking, let alone digital security. Most are retired.

It would be extremely expensive to replace all infrastructure ad once, so most will be upgraded as we go along, creating new problems but also hopefully mitigating older bugs.

IoT would be my guess.
Partly money. "Rolling a truck" is one of the most expensive operational costs for a utility. Sending people places to fix problems is not ideal, especially when those places can be substations or transformers in the middle of nowhere.

Partly, sometimes, people don't understand what systems are connected to which networks. Maybe it's a logical misunderstanding -- they're leasing a communications path that they don't realize is connected to the Internet. Sometimes it's a physical misunderstanding, they just never diagrammed everything and have no idea what's isolated and not.

I work on about 30 different power plants on two continents and spend only 2 months a year on the road.
If there is an bug in the software that allows a security exploit, what prevents problems on two continents?
Nothing, but they are not my problems since I am EE not IT.
The article never once uses the term "internet", and indeed many of these SCADA networks probably aren't connected to the internet. I've worked on a handful of them (no power utilities though), and the state of security is pretty bad.

-Physical security ranges from OK to non existent. A smile and a wave can get you lots of places. Many things that could be locked, aren't.

-I've seen many, many alarmed doors and areas where there is a large "Enter 12345 to disable alarm" taped to the alarm panel

-Default passwords are never changed on lots of equipment

-When default passwords aren't used, often times the passwords are taped or written on equipment

-Radio networks are often unsecured (authentication and encryption simply dont exist on lots of older radio equipment, a cheap SDR could let you discreetly access sensitive communications in some cases). Modern radio networks can be much better, though (this is my area of expertise).

Still, you'd need a lot of domain specific knowledge to pull off a successful attack.

So I've been in the position, a few years back, where I spent months doing comprehensive code reviews of these energy distribution management systems and what not more. It's all super scary legacy stuff and the code in general is horrendous (regardless of vendor). It's next to unmaintainable, it's next to un-upgradeable due to the risk of outages and there has been no oversight into it whatsoever.

All the comments regarding "who puts these things on the internet" are missing the point completely. It doesn't matter if this stuff is on the Internet or not. It only makes it somewhat easier to get access to these networks and start causing outages. However you've got thousands of miles of converter stations and transformers and power lines dotting the country. It's not that hard to go to the middle of nowhere and get access to the backend networks that carry for example the DNP3 traffic. Once you're on there you can carry out these type of attacks too.

The fact that an enemy can just use the Internet to penetrate the power companies' networks and pivot from there to their back end networks and actually touch equipment is the icing on the cake; it means they don't need to bother with recruiting and sending spies who can get physical access somehow.

Agreed, and most people don't realize that this stuff almost "can't" be upgraded because the initial vendor back in the late 80's or early 90's specified a specific tech stack in the contract and any upgrading or even application of OS patches would legimitately violate any warranties and liabilities the original vendor has for their work. This is super time-critical physical process code commonly running on operating systems like Win95 or Win3.1 that were never intended to be real time operating systems and whose behavior could change radically if a patch were installed.

The cost and complexity of designing and tuning the process control software, and the lack of the detailed design calculations involved in figuring out what it needed to be written to do 20 or 30 years ago makes replacing that old tech stack nearly equivalent to replacing the entire installation.

Big power plants, refineries, and chemical plants truly are the worst of all legacy nightmares.