Bruce Schneier

Schneier on Security
A blog covering security and security technology.

November 11, 2009

Hacking the Brazil Power Grid

We've seen lots of rumors about attacks against the power grid, both in the U.S. and elsewhere, of people hacking the power grid. President Obama mentioned it in his May cybersecurity speech: "In other countries cyberattacks have plunged entire cities into darkness."

Seems like the source of these rumors has been Brazil:

Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on Sept. 26, 2007.

60 Minutes called me during the research of this story. They had a lot more unsubstantiated information than they've provided here: names of groups that were involved, allegations of extortion, government coverups, and so on. It would be nice to know what really happened.

EDITED TO ADD (11/11): Wired says that the attacks were caused by sooty insulators. The counterargument, of course, is that sooty insulators are just the cover story because the whole hacker thing is secret. Wired also mentions that, in an interview last month, Richard Clarke named Brazil as a victim of these attacks.

Posted on November 11, 2009 at 12:19 PM • 29 Comments

Don't forget yesterday's power outage. Seems like a fairly regular biennial event.
Posted by: Aguirre at November 11, 2009 12:40 PM

@Aguirre That's the first thing I thought of when I heard about the outage, as well. It seems overly coincidental that 60 Minutes covered it, and the next day, it gets shut down.
Posted by: Matt Simmons at November 11, 2009 1:02 PM

Unfortunate URL for this post.
"hacking_the_bra.html"
Posted by: Marvose at November 11, 2009 1:03 PM

Brazilian Blackout Traced to Sooty Insulators, Not Hackers
Posted by: 1915bond at November 11, 2009 1:12 PM

@Matt Simmons Coincidence is more common than you think. We are hard-wired to notice coincidence, ask a magician.
Posted by: Aguirre at November 11, 2009 1:16 PM

I saw the 60 Minutes story last Sunday and have read similar stories over the years. There was so much left out of the story that I couldn't figure out what actually happened.

I do know that modern plants (chemical, oil refineries, power generation) do use PC based computers for operator consoles. Up to about 15 years ago they used proprietary hardware in the console but today just about everyone uses PCs because they are a lot cheaper. However, these plants still use proprietary hardware, operating systems, and communications protocols in the actual control computers and controllers. I suppose that if you could get into the control console you might be able to do some damage IF you knew exactly which control system was being used and how that particular instance was configured. This would require a lot of inside knowledge but it is possible I guess.

If the operator consoles are connected to the internet I would think that that would be a really bad idea. Air gaps are not perfect but they are a good start towards decent security.
Posted by: Dale B at November 11, 2009 1:24 PM

Ubiquitous network access is not always a good thing. A lot of these systems probably use Ethernet and IEEE488 serial for critical things, which isn't itself bad. The real threat, in my opinion, is having the endpoint/management console be available to the outside world. There are plenty of places I have been where I really can't imagine why the guy behind the desk needs to be able to access Yahoo web mail from the same computer as the camera system or whatever is managed from.
At the very least, require all of the outside network stuff to be run in a VM or from a terminal window. In fact, why have a general-purpose PC at the operator's station at all, when a thin-client device connected to a secure server environment would suffice?

Arclight
Posted by: Arclight at November 11, 2009 1:46 PM

The fact that most of the entire 60 Minutes story is based on anonymous, unsubstantiated claims by so-called "experts" and government employees is more than enough reason to discount the entire thing. We've all seen how our government has repeatedly lied to us over the years, so there is no reason to believe any of their claims without proof that's independent, on the record and backed by incontrovertible data.
Posted by: Mulder at November 11, 2009 5:14 PM

A lot of it is not THAT custom, just custom programming on top of things like LabView.
Posted by: Fred F. at November 11, 2009 5:43 PM

I only skimmed the CBS article, but it seemed utterly lacking in any skeptical examination. People whose salaries rely on there being a problem say there is a problem. Or possibly people who say there is a problem get interviewed by CBS, others don't. I've only had one side of the issue, and I can't draw more than very tentative conclusions from this. (Of course, the media can manipulate 'balance' too: get some raving nutter to represent the other side, leaving the impression that they are typical.)
Posted by: Filias Cupio at November 11, 2009 6:30 PM

"Hackers" (incorrect term, but let's run with it) have nothing to do with it. Possums are to blame, or so the local power authorities here would have you believe ...
Posted by: Rob Mayfield at November 11, 2009 10:01 PM

There have been incidents where viruses and other malware have got into various industrial plant control systems. Like most business organisations they don't publish the information for fear of what will happen to the share price etc. Likewise there is also evidence of "insider attacks".
But I've yet to see any evidence of "targeted outsider attacks".

Yes, PCs both "off the shelf" and custom are used for several pragmatic reasons. The first is equipment availability (VDUs/terminals etc just don't exist any more unless they are PCs with serial USB dongles...). Because of this availability issue the second is cost across the project life. In long life projects maintenance often actually costs considerably more than the initial implementation, and custom hardware equipment manufacturers go out of business quite quickly these days.

Then there are issues to do with availability and maintenance of software tools and programmers. As with hardware, the builders and integrators of custom software solutions disappear almost as soon as it has been signed off.

So, as Fred F. noted, the use of tools like LabView is becoming common; think of it as the MS Office of industrial and lab control (oh, and toys: Lego MindStorms uses it ;)

Also a lot of expensive test equipment uses either Win NT 4 or Win CE and semi custom hardware (just look through the HP range to see several).

What I have seen is that due to such incidents as operators playing games on PCs (and causing malware infections) the more modern systems are locked down.

However there is a dirty little issue that not many people want to talk about in industrial control and that is reliability effects. When you have 24x365.25 operation running at tens of millions of USD a day, you don't want to have AV/Malware software and security patching going on. Especially if there are "safety critical" aspects to consider (a "red shutdown" can take a considerable time to recover from).

So even though the systems are locked down they are invariably vulnerable (especially now that "web browser front ends" are appearing).

In the UK power plants spend a lot of money getting the level of security required for control room equipment. However the further you move from the center the less secure things are.
A lot of local substations use Low Power Radio Systems and hand held control units that enable "drive by maintenance". Most of these control systems lack any real security.

Which brings you around to "Home Power Controller Initiatives": there is a political idea in the US and other places that to solve energy supply issues and be more "green" the utility companies should be able to control your power consumption in things like air conditioners etc.

Quite frankly these scare the life out of me as you know that they will have a quarter century or more life expectancy and have to be produced at a very low cost with absolutely minimal maintenance.

Have a think about what has changed in security since 1984...
Posted by: Clive Robinson at November 11, 2009 10:29 PM

Oh and as an example of,

"Have a think about what has changed in security since 1984..."

The very recent TLS/SSL protocol hole in authentication.

As many industry commentators have remarked "most security relies on firewalls and SSL for its solutions", Oops...
Posted by: Clive Robinson at November 11, 2009 10:40 PM

Maybe the "Sooty Insulators" are a gang of the world's best hackers with laptops in Las Vegas. As they card count, they use their mobile phones to take down a whole country's power grid...just because they can. Oh yeah, they also win millions on a single bet they rig with an electro-thingy-jigger that stops the roulette wheel with super-nerdy-code stuff.

Or maybe it's just crappy South American wiring.
Posted by: BooBoo at November 11, 2009 10:51 PM

With the huge length of the high voltage transmission lines in Brazil, hackers are the least of the problems faced in ensuring continuity of the Brazilian electricity supply.

It would still be interesting if anybody at all could provide any evidence that hackers were involved in Brazil's 2005 and 2007 power blackouts.
Without any evidence, I suppose we may as well assume that the hacker story is just an unsubstantiated and ultimately deniable rumour being spread for another purpose. Not that anybody is currently trying to take control of cyber defence, or is requesting vast funding for increased cyber surveillance?
Posted by: Aguirre at November 11, 2009 11:02 PM

Some people here already noticed the periodicity of that. There are some meteorological phenomena that repeat themselves in the Brazilian south and south-east regions (where the biggest power generation plants and power consumers are located) with that periodicity, and they get the blame every time the power goes off.

Our government would really love to have some hackers to blame, they'd blame someone else if there was the tiniest evidence available to support the claims. The fact that they didn't blame anyone is a strong indicator that there isn't someone to blame.
Posted by: Marcos at November 12, 2009 6:07 AM

@ Marcos,

"There are some meteorological phenomena that repeat themselves in the Brazilian south and south-east regions"

If I remember correctly, doesn't Brazil lay claim to the place with the most lightning in the world?

I know it has some of the longest and highest electrical distribution systems in the world so putting the two together does suggest outages would be more common than more temperate regions.
Posted by: Clive Robinson at November 12, 2009 6:26 AM

@Clive "even though the systems are locked down they are invariably vulnerable"

So as new holes are found they aren't patched. The installed code base ages.

Risk metric? This should be a function that can be easily graphed.
Posted by: BF Skinner at November 12, 2009 6:49 AM

In many ways, poor transmission line maintenance is more condemning than so-called "cyber attacks." (Use of the "cyber" non-word is really grating on me!)
Posted by: Squirrly at November 12, 2009 11:23 AM

@ BF Skinner,

"So as new holes are found they aren't patched.
The installed code base ages."

Yes, it ages over a period of time that depends on the "end users" policy of test before update.

Some end users make a "no changes" choice and effectively isolate the areas concerned the best they can.

Others have test update at down times (i.e. when the controlled part is down for other maintenance).

And other end users have a more normal software patch cycle.

With regards to, It obviously depends on a number of things, but the more isolated the control system the lower the perceived risk.

Some control systems now run on high availability telecoms grade open source systems (thanks Sun & Nokia ;) and achieve very high availability figures.

And yes I've seen some control systems get given the VMware etc treatment.

At the end of the day safety, dependability and availability are the usual key metrics for industrial control systems, and security is looked at in respect of those metrics.
Posted by: Clive Robinson at November 12, 2009 2:09 PM

Do we seem to have either Sooty Terns or Sooty Turns?
Posted by: Peter E Retep at November 12, 2009 7:20 PM

Just one thing, Vitoria is not the world's greatest iron ore producer. It may be the world's greatest iron ore exporter, because that is where one of Vale's largest ports is located. Minas Gerais is Brazil's greatest iron ore producer, contributing with over 70% of the total produced by the country.
Posted by: Bruno at November 13, 2009 2:58 PM

@Clive

Yes, it claims to be the country with the most lightning, also most of it is of the worst kind (with positive charged clouds, if I remember it right). But the affected region is more prone to winds than lightning. That is the first time I heard about the power going off because of lightning, but I guess it should happen sometimes, since there is always some lightning with the winds.

Also, Brazil has a very large and very interconnected set of transmission lines. It seems that every country that depends on hydro-power has that characteristic.
Every time a big plant goes off, the entire grid goes off.
Posted by: Marcos at November 14, 2009 4:48 PM

@ Marcos,

"That is the first time I heard about the power going off because of lightning"

The stats on lightning are quite frightening in terms of peak current, voltage and power. Even moderate strikes can fuse soil into glass.

Interestingly it appears that cities make the lightning above them more severe than surrounding areas. Two theories about this are "heat islands" and "micro particulate pollution".

Heat islands is a fairly interesting idea but... Does not fully account for the observed effects.

Micro particulate pollution effects are being investigated by UMIST (UK) (by somebody also called Clive ;) It looks like adding even very minor amounts of micro particulates have significant effects on charge separation in clouds.

So ordinary pollution such as smoke and fumes increases the effects of lightning quite measurably.

All well and good but... What about Global Warming and some of the proposed "technical solutions", one of which is seeding the atmosphere with sulphur compounds which are effectively micro particulates.

As has been noted on a number of occasions "Physics strongest law, is the law of unintended consequences"...

It could be that a "man made" attempt to solve another "man made" problem might just bring black/brown outs to a large number of places.
Posted by: Clive Robinson at November 15, 2009 4:15 PM

that's what happened, they accessed a website and then there was a button, "turn off whole country electricity" they pressed it and boom ?

if you believe this computer existed and 'd be connected to the internet...then you should believe in dwarfs also
Posted by: fabio at November 16, 2009 6:35 AM

lol, hackers shut down your electricity grid, suuuure, and witches are responsible for the crops failing and the milk souring in your cow's udders too, right? there's a *very* similar psychosocial dynamic going on here.
expect salem hacker trials some time in the next decade.
Posted by: DaveK at November 17, 2009 5:58 AM

Most recently I noticed that CEMIG got hacked on 8-29-2009, references to the hack on Zone-h are missing, still in google cache though.

http://arqtec.furnas.gov.br
http://ridat.furnas.gov.br
http://www.mme.gov.br
http://www.energiabrasil.gov.br
http://hidroweb.aneel.gov.br
http://www.aneel.gov.br
http://www.cemig.com.br/
http://www.eletronuclear.gov.br
http://www.itaipu.gov.br
http://itaproxy.itaipu.gov.br
http://www.cnen.gov.br

Anyone care to add to the list? It is really almost as easy as picking an agency name and adding 'defaced, hacked, attrition or zone-h' in the search query.

Anyone care to speculate what occurs after a breach like this? How about before the public defacement? Anyone think these fine defacing artists are the only ones to have breached these servers?
Posted by: KF at November 17, 2009 12:33 PM