Tell me about this breaking news: Russia and our power grid

Does this worm communicate with the outside world in some way? It seems to me that taking down a nation’s power grid isn’t something you’d do just to harass them: It only really makes sense if you’re planning on following up with other sorts of attacks in very short order. Which means that you either don’t deploy the cyberattack until you’ve got the other attacks ready to go and have already decided that you’re going to use them, or you put the cyberattack in place good and early and leave it dormant, waiting for some sort of signal.

The “malware” (we have no idea what kind, it was not reported) was discovered on a laptop that is not connected to the grid. Since it’s a laptop, most likely it’s an employee’s laptop that he took home and used there as well.

So - Occam’s razor - the employee browsed some less-than-savory websites and picked up an infection. The check that the power company conducted on all its computers revealed the infection. That the employee works for a power company is most likely a coincidence.

The breathless headlines of “Russia Infiltrated U.S. Electrical Grid” are pure fake news.

I know that the network security of our power systems and water systems is important.

I have a question: Has there ever been an actual attack on such a system that caused disruption? In any country? I am excluding the STUXNET attack on the Iranian enrichment facilities, which were not power or water.

I know there have been intrusions into various business computer systems in the companies that control those systems, and this latest Vermont example is one. I would like to know if there has ever been a disruptive attack, say in Iran, Syria, Iraq, Saudi Arabia (I am aware of the attack on the oil facilities, again not water or power), S. Korea, Israel, Estonia, Ukraine (that might be one. I am not familiar with the details)…

You didn’t read the articles very well.
“…detected a malware code used in the Grizzly Steppe operation in a laptop that was not connected to the organization’s grid systems”.

These were not fake news stories. They are accurate reporting of what happened. You may not be reading them very well, but the news stories are correct.

The reason the malware was detected is because of a DHS notice to utility companies to be on the lookout for this specific piece of malware. The Vermont utility looked for it and found it. Your speculation about how it got on the laptop may or may not be true, and such speculation was not part of any reputable article on the subject. The news was limited to the facts. The headlines, not so much.

And that is perhaps part of the current problem with the credibility of the news. People only read the headlines, or the tweet or some similar brief bit of advertising and get upset that the news isn’t being honest. Headlines are written to catch attention and get the reader to read the article. One should only judge the quality of the news based on the article, not the headline.

Fake news has a specific meaning: articles that are made up and bear no relation to the truth. In fake news not just the headlines, the articles are false. Some people are beginning to misuse the word, but it doesn’t change the meaning.

The original WaPo story was titled: “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, officials say”. And the content matched the headline.

Brent Staples (NYT) subsequently tweeted: “Our Russian “friend” Putin attacked the U.S. power grid”.

The headlines and the contents changed when their fakeness was shown.

Well, I guess I didn’t see the original article, so I have no information regarding “And the content matched the headline”.
But two out of three of your points match mine. Neither headlines nor tweets should be counted as news, fake or real.
And my main point stands: fake news has a specific meaning, an article that is made up and not based on anything that actually happened.

I didn’t read the original article, so I can’t say whether the Washington Post article was not based on anything that actually happened. However, I have been reading the Washington Post since I was 10, about 50 years, and if that article meets the definition of fake news, it would be the first such article I have ever seen or heard of in the Washington Post. But you may be right, I didn’t read it. I am skeptical though.

I am aware of that one. Scary.
Any others?

I woke in the wee, dark hours of the morning to find it was darker than usual. Power was out. My first thought was “Putin, you bastard!!” But it came back on a little later. All told, it was off less than an hour and a half, but still. We get our power through a co-op about 50 miles from DC. Maybe it was just a coincidence.

In the U.S. hacking attempts and successes against utilities are considered confidential information. Corporations do not report them. When successful, you see them only as “service outages.”

They happen on a small scale fairly often.

Much of the equipment that actually produces and transmits the power in this country is so old it’s analog. But that equipment is connected to digital systems. With the exception of nuclear power plants, it isn’t “walled off”; hopping around on a utility’s network is pretty easy. So you shouldn’t take comfort in this incursion not being on “the grid”. That’s sort of meaningless.

Security isn’t great. One of the techs I worked with needed to change a router in a nuclear power plant. He wasn’t cleared to enter the plant, which takes a lot of clearance, understandably so. But he needed to change the router, so they let him in and let him swap equipment. He social-engineered his way into a nuclear power plant and swapped equipment, bypassing the official process.

People are almost always the weakest link in any security chain. As secure as you can make a system from remote intrusion, the people who have legitimate access and are trusted not to be negligent are frequently the easiest point of entry, and the hardest vulnerability to secure without preventing them from being able to do any work.

Stranger

Yep, and complex processes make it easier to justify breaking the process. I.e., it takes three weeks to get clearance, but the router needs to be replaced today and the guy with clearance quit last week. So we will let this guy in and then pretend it never happened.

Because I also know that the tech’s entry wasn’t logged, and that if you were to audit, that router got replaced magically. Because no one wanted to be responsible for the breach.

Then, in covering up, records are all out of whack. The asset management system would record when and where that router was replaced, but that information has been purposely tweaked so no one got in trouble for just doing their job.

All done with the best intentions for no nefarious purpose…

Oh, another weak link in security is money. eSecurity is a constantly changing field. Every day, new ways to attack a system come out, and you need to react. It’s constant catch-up, and doing that takes a lot of money. It’s an investment in equipment and software and people with knowledge, and the good people are expensive. But utilities are heavily regulated, and money spent needs to be justified. It can be very difficult to justify raising someone’s utility bills so that you can continually throw money at a problem that by definition you are always chasing, that few people really understand, and for which you can’t guarantee success.

My thought is that the Russians don’t want to fuck with our power grid, but want us to know they *could* fuck with it. And our elections. And our economy. And whatever else they want to.

Then, once Trump is in office, a “truce” can be brokered, and Trump has saved the day with the American people, while Putin has gained unfathomable access to America. Just look how great their friendship and mutual admiration for one another is for us all!

I mean, wouldn’t Putin love to conquer America without firing one shot? He’ll soon have an American president so stupid and egotistical and reckless that it’s now not too absurd to think it could happen.

Trump: “I have been able to, in less than three months, do what that failure Obama couldn’t do in eight years: fix our broken relations with Russia. Now the Americans and Russians together will be able to do the one thing our people desperately want us to do: Destroy Radical Islam across the globe once and for all. Therefore, our two nations will be combining our nuclear arsenals and ramping up production of a new generation of high-powered nuclear weapons to keep us all safe from the savages trying to kill us and our way of life.”

Doesn’t all this beg the question: Why are our electrical grid (and water and gas) C&C systems accessible from the internet in the first place? Or is this a case where accessible computers are infected in the hope one is taken behind the wall to plug into the secured network? The malware that was found, how easy is it to get on my computer if I take basic precautions? As part of my job, I am required to bring home a work laptop that has the software I need to control all the utility-type systems at work: lighting, heating, ventilation, refrigeration. To do that I use my home wifi and internet connection to get to the corporate secured server. I can but haven’t used it on public wifi, nor have I used it for general internet browsing. As I pointed out to my techie son, I could, if I had nefarious reasons, take actions that would require the evacuation of a small city. Corporate decided I am safe enough, but am I?

I have no reason to doubt you on this.
It does seem like a classic conspiracy theory: the bad guys are so good they don’t leave any evidence of their actions behind! Proof of the conspiracy!

There are no studies, no state level reporting, no one at all collecting information?

USA Today investigated and found that from 2011-14, there were serious computer or physical attacks on electrical utilities at a rate of about once every four days, with about 340 physical attacks and 14 cyberattacks. Only a very few of the physical attacks and none of the cyberattacks caused power outages, and none of the attacks caused a cascading failure.

It is even worse than that; there is no real system for even reporting or investigating suspected cyberattacks or evaluating security of civil systems. You can email your suspected report to US-CERT and wait a week or two for a response.

Attacks don’t need to cause power outages or cascading failures to have significant impacts on security and public health.

Stranger

This article rings really true:

Note the point made that “not everyone shares incident reports.” IME, sharing these is the exception, not the rule. Also, a lot of things that should have been security incidents we didn’t even report internally as such, under the “cover your butt” rule or because our ability to discover that the root cause was a security incident was impaired by antique and underscaled SIEM systems (and other systems), and therefore a lot was reported as “unknown”. And I suspect far, far more were just blips we didn’t even know about.

Ah, for the good old days when everything was stovepiped and in its own silo. Now that we have become all efficient and networked, we can just bend over and kiss our utility asses goodbye!