Schneier on Security: Tagged utilities

Entries Tagged "utilities"

Page 1 of 3

EPA Won’t Force Water Utilities to Audit Their Cybersecurity

Despite the EPA’s willingness to provide training and technical support to help states and public water system organizations implement cybersecurity surveys, the move garnered opposition from both GOP state attorneys and trade groups.

Republican state attorneys that were against the new proposed policies said that the call for new inspections could overwhelm state regulators. The attorney generals of Arkansas, Iowa and Missouri all sued the EPA—claiming the agency had no authority to set these requirements. This led to the EPA’s proposal being temporarily blocked back in June.

So now we have a piece of our critical infrastructure with substandard cybersecurity. This seems like a really bad outcome.

Posted on October 24, 2023 at 7:02 AM • View Comments

LA Covers Up Bad Cybersecurity

This is bad in several dimensions.

The Los Angeles Department of Water and Power has been accused of deliberately keeping widespread gaps in its cybersecurity a secret from regulators in a large-scale coverup involving the city’s mayor.

Posted on March 11, 2020 at 10:52 AM • View Comments

Water Utility Infected by Cryptocurrency Mining Software

A water utility in Europe has been infected by cryptocurrency mining software. This is a relatively new attack: hackers compromise computers and force them to mine cryptocurrency for them. This is the first time I’ve seen it infect SCADA systems, though.

It seems that this mining software is benign, and doesn’t affect the performance of the hacked computer. (A smart virus doesn’t kill its host.) But that’s not going to always be the case.

Posted on February 8, 2018 at 11:55 AM • View Comments

Human and Technology Failures in Nuclear Facilities

This is interesting:

We can learn a lot about the potential for safety failures at US nuclear plants from the July 29, 2012, incident in which three religious activists broke into the supposedly impregnable Y-12 facility at Oak Ridge, Tennessee, the Fort Knox of uranium. Once there, they spilled blood and spray painted “work for peace not war” on the walls of a building housing enough uranium to build thousands of nuclear weapons. They began hammering on the building with a sledgehammer, and waited half an hour to be arrested. If an 82-year-old nun with a heart condition and two confederates old enough to be AARP members could do this, imagine what a team of determined terrorists could do.

[…]

Where some other countries often rely more on guards with guns, the United States likes to protect its nuclear facilities with a high-tech web of cameras and sensors. Under the Nunn-Lugar program, Washington has insisted that Russia adopt a similar approach to security at its own nuclear sites—claiming that an American cultural preference is objectively superior. The Y-12 incident shows the problem with the American approach of automating security. At the Y-12 facility, in addition to the three fences the protestors had to cut through with wire-cutters, there were cameras and motion detectors. But we too easily forget that technology has to be maintained and watched to be effective. According to Munger, 20 percent of the Y-12 cameras were not working on the night the activists broke in. Cameras and motion detectors that had been broken for months had gone unrepaired. A security guard was chatting rather than watching the feed from a camera that did work. And guards ignored the motion detectors, which were so often set off by local wildlife that they assumed all alarms were false positives….

Instead of having government forces guard the site, the Department of Energy had hired two contractors: Wackenhut and Babcock and Wilcox. Wackenhut is now owned by the British company G4S, which also botched security for the 2012 London Olympics, forcing the British government to send 3,500 troops to provide security that the company had promised but proved unable to deliver. Private companies are, of course, driven primarily by the need to make a profit, but there are surely some operations for which profit should not be the primary consideration.

Babcock and Wilcox was supposed to maintain the security equipment at the Y-12 site, while Wackenhut provided the guards. Poor communication between the two companies was one reason sensors and cameras were not repaired. Furthermore, Babcock and Wilcox had changed the design of the plant’s Highly Enriched Uranium Materials Facility, making it a more vulnerable aboveground building, in order to cut costs. And Wackenhut was planning to lay off 70 guards at Y-12, also to cut costs.

There’s an important lesson here. Security is a combination of people, process, and technology. All three have to be working in order for security to work.

Slashdot thread.

Posted on July 14, 2015 at 5:53 AM • View Comments

"Military Style" Raid on California Power Station

I don’t know what to think about this:

Around 1:00 AM on April 16, at least one individual (possibly two) entered two different manholes at the PG&E Metcalf power substation, southeast of San Jose, and cut fiber cables in the area around the substation. That knocked out some local 911 services, landline service to the substation, and cell phone service in the area, a senior U.S. intelligence official told Foreign Policy. The intruder(s) then fired more than 100 rounds from what two officials described as a high-powered rifle at several transformers in the facility. Ten transformers were damaged in one area of the facility, and three transformer banks—or groups of transformers—were hit in another, according to a PG&E spokesman.

The article worries that this might be a dry-run to some cyberwar-like attack, but that doesn’t make sense. But it’s just too complicated and weird to be a prank.

Anyone have any ideas?

Posted on January 2, 2014 at 6:40 AM • View Comments

Smart Meter Hacks

Brian Krebs writes about smart meter hacks:

But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet.

Sometime in 2009, an electric utility in Puerto Rico asked the FBI to help it investigate widespread incidents of power thefts that it believed was related to its smart meter deployment. In May 2010, the bureau distributed an intelligence alert about its findings to select industry personnel and law enforcement officials.

Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. “These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” the alert states.

The FBI believes that miscreants hacked into the smart meters using an optical converter device - such as an infrared light - connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.

Posted on April 19, 2012 at 5:52 AM • View Comments

Hacking Critical Infrastructure

A otherwise uninteresting article on Internet threats to public infrastructure contains this paragraph:

At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead to deaths and cost the nation billions of dollars.

Why isn’t the obvious solution to this to take those critical electrical grid computers off the public Internet?

Posted on March 20, 2012 at 8:52 AM • View Comments

Hack Against SCADA System

A hack against a SCADA system controlling a water pump in Illinois destroyed the pump.

We know absolutely nothing here about the attack or the attacker’s motivations. Was it on purpose? An accident? A fluke?

EDITED TO ADD (12/1): Despite all sorts of allegations that the Russians hacked the water pump, it turns out that it was all a misunderstanding:

Within a week of the report’s release, DHS bluntly contradicted the memo, saying that it could find no evidence that a hack occurred. In truth, the water pump simply burned out, as pumps are wont to do, and a government-funded intelligence center incorrectly linked the failure to an internet connection from a Russian IP address months earlier.

The end of the article makes the most important point, I think:

Joe Weiss says he’s shocked that a report like this was put out without any of the information in it being investigated and corroborated first.

“If you can’t trust the information coming from a fusion center, what is the purpose of having the fusion center sending anything out? That’s common sense,” he said. “When you read what’s in that [report] that is a really, really scary letter. How could DHS not have put something out saying they got this [information but] it’s preliminary?”

Asked if the fusion center is investigating how information that was uncorroborated and was based on false assumptions got into a distributed report, spokeswoman Bond said an investigation of that sort is the responsibility of DHS and the other agencies who compiled the report. The center’s focus, she said, was on how Weiss received a copy of the report that he should never have received.

“We’re very concerned about the leak of controlled information,” Bond said. “Our internal review is looking at how did this information get passed along, confidential or controlled information, get disseminated and put into the hands of users that are not approved to receive that information. That’s number one.”

Notice that the problem isn’t that a non-existent threat was over hyped in a report circulated in secret, but that the report became public. Never mind that if the report hadn’t become public, the report would have never been revealed as erroneous. How many other reports like this are being used to justify policies that are as erroneous as the data that supports them?

Posted on November 21, 2011 at 6:57 AM • View Comments

Prepaid Electricity Meter Fraud

New attack:

Criminals across the UK have hacked the new keycard system used to top up pre-payment energy meters and are going door-to-door, dressed as power company workers, selling illegal credit at knock-down prices.

The pre-paid power meters use a key system. Normally people visit a shop to put credit on their key, which they then take home and slot into their meter.

The conmen have cracked the system and can go into people’s houses and put credit on their machine using a hacked key. If they use this, it can be detected the next time they top up their key legitimately.

The system detects the fraud, in that it shows up on audit at a later time. But by then, the criminals are long gone. Clever.

It gets worse:

Conmen sell people the energy credit and then warn them that if they go back to official shops they will end up being charged for the energy they used illegally.

They then trap people and ratchet up the sales price to customers terrified they will have to pay twice something Scottish Power confirmed is starting to happen here in Scotland.

Posted on September 21, 2010 at 1:42 PM • View Comments

Security Vulnerabilities of Smart Electricity Meters

“Who controls the off switch?” by Ross Anderson and Shailendra Fuloria.

Abstract: We’re about to acquire a significant new cybervulnerability. The world’s energy utilities are starting to install hundreds of millions of ‘smart meters’ which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay tariff; secondary purposes include supporting interruptible tariffs and implementing rolling power cuts at times of supply shortage.

The off switch creates information security problems of a kind, and on a scale, that the energy companies have not had to face before. From the viewpoint of a cyber attacker—whether a hostile government agency, a terrorist organisation or even a militant environmental group—the ideal attack on a target country is to interrupt its citizens’ electricity supply. This is the cyber equivalent of a nuclear strike; when electricity stops, then pretty soon everything else does too. Until now, the only plausible ways to do that involved attacks on critical generation, transmission and distribution assets, which are increasingly well defended.

Smart meters change the game. The combination of commands that will cause meters to interrupt the supply, of applets and software upgrades that run in the meters, and of cryptographic keys that are used to authenticate these commands and software changes, create a new strategic vulnerability, which we discuss in this paper.

The two have another paper on the economics of smart meters. Blog post here.

Posted on July 29, 2010 at 6:16 AM • View Comments

1 2 3 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.