Cyber attacks on the USA (catch all)

[marct]

Hi Selil,

I saw that story on CNN this morning. I almost wished they hadn't reported on it . There are just too many ways that a cyber attack can have kinetic consequences but, at least, it does look like someone is thinking about them now.

Marc

[Watcher In The Middle]

Think some folks out there aren't sweating about this?

http://www.azcentral.com/arizonarepu...alavi0518.html

From the article:

The transcript indicates that Alavi wasn't the only employee to download the details of control rooms, reactors and designs as part of a software training package onto his personal laptop and take it home.

The software provides employees with emergency scenarios and instructs them to react with proper procedures. It has no links to actual plant workings and can't be used to affect operations.

Now, if I'm a bad guy and if I have a clear insight into what the "Plan B" steps are to counter emergency scenarios, and if I'm a halfway decent code cutter, I'm probably going to be able to write code sufficient to counteract/disable the standard emergency procedures.

I think I'll stop now.

[selil]

I want to say that as an academic I step all over OPSEC for the fun of it. But, there are places that I tread carefully. I've been having a running battle with some entities and I've been informed that cyber security is nothing to worry about. It's not like anybody can really do anything like a kinetic attack... arghhh. I have to thank SWC/J as I've learned over the last year that my issue has been being able to frame my discussion in terms that the ones making decisions understand and expect. Now issues like this one are taken more seriously.

[wm]

Think some folks out there aren't sweating about this?

http://www.azcentral.com/arizonarepu...alavi0518.html
Now, if I'm a bad guy and if I have a clear insight into what the "Plan B" steps are to counter emergency scenarios, and if I'm a halfway decent code cutter, I'm probably going to be able to write code sufficient to counteract/disable the standard emergency procedures.

I suspect that the Palo Verde training package is probably akin to the one that DoD uses for its Anti-Terrorism Level I certification on-line course. For those unfamiliar with it, the DoD training package puts one in a number of scenarios in order to reinforce points about what to do and not do should one become the target of "terrorist" activities. I found its contents fairly innocuous, if not down right inane. However, without seeing the program ised at Palo Verde, I cannot be sure that this is the case.

I think that the nation's power grids have other potential vulnerabilities that probably warrant much more concern that the story about Mr. Alavi. For one thing, the grid has a number of nodes that are single points of failure. Loss of those nodes can cripple large sections of it should those nodes go down. But then keeping the grid up is what NERC, the North America Electric Reliability Council, is supposed to be all about As another example, utilities are pushing an initiative called BPL--broadband over Power Lines--a competitor to your cable company's broadband over cable response to DSL/ISDN from your phone company. While BPL may not be a threat to the operation of the electric grid, it may provide alternative comm paths for bad guys which could be much harder to exploit by LE than other conventional comm paths. However, once one gets into a BPL pipe, one might also be able to gain access to some of the grid control data networks that flow over the same pathways--tactics like packet capture and packet replacement come to mind.

[selil]

I wouldn't worry to much about the communication paths of criminal elements. With cell phone scramblers, good encryption, and a variety of "criminal" languages the com path for organized crime is fairly stout. There is telemetry already on the power grid which is interesting from a few different perspectives.

As to the electrical grid, if in my first under graduate systems design program I designed a system that was based on five large wobbly systems, with centralized control, little redundancy, over lapping vulnerabilities, was life critical, had a design goal of MTBF of 99.99999 up time, and had control features outside of the actual (extra-territorial) control of the owning entity I'd have been given an "F" so big I'd be an art teacher (or anthropologist).

[Jedburgh]

Wired, 17 Oct 07: Astrophysicist Replaces Supercomputer with Eight PlayStation 3s

....The interest in the PS3 really was for two main reasons," explains Khanna, an assistant professor at the University of Massachusetts, Dartmouth who specializes in computational astrophysics. "One of those is that Sony did this remarkable thing of making the PS3 an open platform, so you can in fact run Linux on it and it doesn't control what you do."

He also says that the console's Cell processor, co-developed by Sony, IBM and Toshiba, can deliver massive amounts of power, comparable even to that of a supercomputer -- if you know how to optimize code and have a few extra consoles lying around that you can string together......

....This is precisely what Khanna needed. Prior to obtaining his PS3s, Khanna relied on grants from the National Science Foundation (NSF) to use various supercomputing sites spread across the United States "Typically I'd use a couple hundred processors -- going up to 500 -- to do these same types of things."....

....Khanna says that his gravity grid has been up and running for a little over a month now and that, crudely speaking, his eight consoles are equal to about 200 of the supercomputing nodes he used to rely on.....

[selil]

Wowser Jedburgh that is a great link! I had missed this. I had lunch with Ian Foster last week (father of grid computing!) and we were discussing this kind of commodity computing and some the security issues it represents.

[Norfolk]

"CIA Confirms Cyber Attack Caused Multi-City Power Outage" 18 January, 2008, The SANS Institute at Merit Network Email Archives:

SANS FLASH
CIA Confirms Cyber Attack Caused Multi-City Power Outage

On Wednesday, in New Orleans, US Central Intelligence Agency senior analyst Tom Donohue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

According to Mr. Donohue, the CIA actively and thoroughly considered the
benefits and risks of making this information public, and came down on
the side of disclosure.

CIA: Hackers Shook Up Power Grids by Noah Shachtman at Danger Room; Noah's got some more on this, including a Washington Poat article and Michael Tanji's take on this.

More Cyber War Gouge at Defense Tech:

The CIA went on to say they suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. The very next day the Federal Energy Regulatory Commission (FERC) approved eight mandatory cyber security standards that extend to all entities connected to the nation's power grid. The following are the eight areas addressed by these standards:

1. Critical cyber asset identification
2. Security management controls
3. Personnel and training
4. Electronic security perimeters
5. Physical security of critical cyber assets
6. System security management
7. Incident reporting and response planning
8. Recovery plans for critical cyber assets

These eight standards were created to increase the security of our CIP and reduce the risk of a successful attack. Disruption of a county’s critical infrastructure would have significant direct and indirect damages. Most of these damages would be psychological, economic and financial. Analysis of a cyber attack on critical infrastructure targets resulted in the following data:

Target value: High
Impact analysis: Elevated
Required skills: Moderate
Attack costs: Low
Current defenses: Moderate (elevated for nuclear sites)

More, including a references link, at the link.

What are these attackers doing this for, simply money? Or something else?