Electricity Grid in U.S. Penetrated by Spies

[Richard]

Quote:

Originally Posted by ZonieDiver

And how, praytell, do you know about this "porn streaming from the Fiji Islands at $3.95/min"???

A surprise addendum to our telephone bill one month when my teenaged sons were getting up in the middle of the night and cruising the WWWs back alleys. It cost them over $400 and their computer privileges until they paid the bill.

It may even be more per minute now - that was over 8 years ago and I haven't seen such a bill since.

Richard's $.02

[ZonieDiver]

Quote:

Originally Posted by Richard

A surprise addendum to our telephone bill one month when my teenaged sons were getting up in the middle of the night and cruising the WWWs back alleys. It cost them over $400 and their computer privileges until they paid the bill.

It may even be more per minute now - that was over 8 years ago and I haven't seen such a bill since.

Richard's $.02

My younger daughter learned that lesson by way of AOL back around '95 when it was cost bucks after your relatively short "free" time ended. No more leaving it on and open while you watch TV or do homework! Kids... ya gotta love 'em!

[SF_BHT]

Quote:

Originally Posted by Richard

A surprise addendum to our telephone bill one month when my teenaged sons were getting up in the middle of the night and cruising the WWWs back alleys. It cost them over $400 and their computer privileges until they paid the bill.

It may even be more per minute now - that was over 8 years ago and I haven't seen such a bill since.

Richard's $.02

Boy's will be Boys wont they..........
It will give you something to bring up in the moment later in life as when you need to embarrass them......

[Ret10Echo]

...bump

No surprises here.....

Quote:

SAN FRANCISCO (AP) -- Computer-security researchers say new "smart" meters that are designed to help deliver electricity more efficiently also have flaws that could let hackers tamper with the power grid in previously impossible ways.

At the very least, the vulnerabilities open the door for attackers to jack up strangers' power bills. These flaws also could get hackers a key step closer to exploiting one of the most dangerous capabilities of the new technology, which is the ability to remotely turn someone else's power on and off.

The attacks could be pulled off by stealing meters - which can be situated outside of a home - and reprogramming them. Or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc. The firm was hired by three utilities to study their smart meters' resistance to attack.

These utilities, which he would not name, have already done small deployments of smart meters and plan to roll the technology out to hundreds of thousands of power customers, Wright told The Associated Press.

There is no evidence the security flaws have been exploited, although Wright said a utility could have been hacked without knowing it. InGuardians said it is working with the utilities to fix the problems.

Power companies are aggressively rolling out the new meters. In the U.S. alone, more than 8 million smart meters have been deployed by electric utilities and nearly 60 million should be in place by 2020, according to a list of publicly announced projects kept by The Edison Foundation, an organization focused on the electric industry.

Unlike traditional electric meters that merely record power use - and then must be read in person once a month by a meter reader - smart meters measure consumption in real time. By being networked to computers in electric utilities, the new meters can signal people or their appliances to take certain actions, such as reducing power usage when electricity prices spike.

But the very interactivity that makes smart meters so attractive also makes them vulnerable to hackers, because each meter essentially is a computer connected to a vast network.

There are few public studies on the meters' resistance to attack, in part because the technology is new. However, last summer, Mike Davis, a researcher from IOActive Inc., showed how a computer worm could hop between meters in a power grid with smart meters, giving criminals control over those meters.

Alan Paller, director of research for the SANS Institute, a security research and training organization that was not involved in Wright's work with InGuardians, said it proved that hacking smart meters is a serious concern.

"We weren't sure it was possible," Paller said. "He actually verified it's possible. ... If the Department of Energy is going to make sure the meters are safe, then Josh's work is really important."

SANS has invited Wright to present his research Tuesday at a conference it is sponsoring on the security of utilities and other "critical infrastructure."

Industry representatives say utilities are doing rigorous security testing that will make new power grids more secure than the patchwork system we have now, which is already under hacking attacks from adversaries believed to be working overseas.

"We know that automation will bring new vulnerabilities, and our task - which we tackle on a daily basis - is making sure the system is secure," said Ed Legge, spokesman for Edison Electric Institute, a trade organization for shareholder-owned electric companies.

But many security researchers say the technology is being deployed without enough security probing.

Wright said his firm found "egregious" errors, such as flaws in the meters and the technologies that utilities use to manage data from meters. "Even though these protocols were designed recently, they exhibit security failures we've known about for the past 10 years," Wright said.

He said InGuardians found vulnerabilities in products from all five of the meter makers the firm studied. He would not disclose those manufacturers.

One of the most alarming findings involved a weakness in a communications standard used by the new meters to talk to utilities' computers.

Wright found that hackers could exploit the weakness to break into meters remotely, which would be a key step for shutting down someone's power. Or someone could impersonate meters to the power company, to inflate victims' bills or lower his own. A criminal could even sneak into the utilities' computer networks to steal data or stage bigger attacks on the grid.

Wright said similar vulnerabilities used to be common in wireless Internet networking equipment, but have vanished with an emphasis on better security.

For instance, the meters encrypt their data - scrambling the information to hide it from outsiders. But the digital "keys" needed to unlock the encryption were stored on data-routing equipment known as access points that many meters relay data to. Stealing the keys lets an attacker eavesdrop on all communication between meters and that access point, so the keys instead should be kept on computers deep inside the utilities' networks, where they would be safer.

"That lesson seems to be lost on these meter vendors," he said. That speaks to the "relative immaturity" of the meter technology, Wright added.

[Ret10Echo]

Critical infrastructure hacks....

I expect (reports of) these will continue.

Should there be some determination (doubtful if it would be public) it is unsurprising. The systems are not designed to a level of resiliency expected of WAN and LAN deployments where there is considered to be some motivation for an attack.

Quote:

Posted at 12:44 PM ET, 11/18/2011

Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says

By Ellen Nakashima

Foreign hackers caused a pump at an Illinois water plant to fail last week, according to a preliminary state report. Experts said the cyber-attack, if confirmed, would be the first known to have damaged one of the systems that supply Americans with water, electricity and other essentials of modern life.

Companies and government agencies that rely on the Internet have for years been routine targets of hackers, but most incidents have resulted from attempts to steal information or interrupt the functioning of Web sites. The incident in Springfield, Ill., would mark a departure because it apparently caused physical destruction.

Federal officials confirmed that the FBI and the Department of Homeland Security were investigating damage to the water plant but cautioned against concluding that it was necessarily a cyber-attack before all the facts could be learned. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” said DHS spokesman Peter Boogaard.

Full story here

[mark46th]

I bought my wife one of these for emergency power...

[Ret10Echo]

Quote:

Originally Posted by Ret10Echo

Critical infrastructure hacks....

Should there be some determination (doubtful if it would be public) it is unsurprising. The systems are not designed to a level of resiliency expected of WAN and LAN deployments where there is considered to be some motivation for an attack.

Update...funny... The headline is misleading...if it was "false" then it was NOT a cyber attack.... And "blamed"....really??

Quote:

U.S. contractor blamed for false cyberattack
Friday - 12/2/2011, 6:53am ET
By CARLA K. JOHNSON
Associated Press

CHICAGO (AP) - Mystery solved. A reported cyberattack on a water district in central Illinois turned out to be a false alarm set off when an American contractor logged onto the system remotely while vacationing in Russia.

Jim Mimlitz of suburban St. Louis says he hopes he'll be able to laugh about it someday. For now, the contractor is puzzled. Why didn't terrorism investigators pick up the phone and call him? He says he could have straightened out the matter quickly.

Instead, investigators assumed someone had stolen Mimlitz' password and hacked into the system from Russia, causing a water pump to shut down five months later. A blogger spread word of the possible hack, touching off a minor panic

Link here

[BOfH]

They are still investigating the incident in South Houston and one other: https://www.infosecisland.com/blogvi...-Networks.html


On a side note, a recent report from Pike Research on the state of cyber-security in the Utility sector, a good read, but take with a grain(or two) of salt.

http://www.pikeresearch.com/wordpres...e-Research.pdf