Tuesday, June 1, 2021

Beating Hackers By Going Retro: "Preventing a Blackout by Taking the Power Grid Offline"

On December 30, 2016 the Washington Post falsely reported that Russian hackers had penetrated the U.S. power grid by way of a Vermont utility. The Post's report, citing its government sources, was blown out of the water within days by media as mainstream as Fortune.
[Fortune was owned by Time-Life, which was a competitor of Newsweek, owned by the Washington Post Co., so there may have been bad blood between any octogenarians still toddling around]
 
Anyhoo, the bogus Post story had two salutary effects: 1) it got me wondering just what the hell was going on at the Post since Bezos had bought the property, and 2) it resulted in this article being directed to me.
 
Now, with the news that JBS, the world's largest meat processor, has been hit by a ransomware attack and, in an effort to prevent further spread of whatever computer virus is being used, has shut down 20% of U.S. meat supply, I'm reminded that this and the Colonial Pipeline hack were major inconveniences, whereas an attack on the electrical grid would be catastrophic.
 
From Foreign Policy, June 10, 2016:
 
What can stop hackers from turning off America’s lights? Old-school equipment that’s not connected to the web.
With hackers attacking electrical grids, banks, and a growing list of other targets, some policymakers and security researchers are calling for turning the clock back to an earlier era when devices weren’t connected to the internet — or vulnerable to digital attack.
 
The American power grid is more efficient than ever before because electricity plants, transformers, and other key pieces of infrastructure are networked together, allowing for electricity to be redirected in real time from areas with too much to those needing more. 
The problem is that those gains have also left the overall system open to attack. Power stations and grids run by network-connected computer control systems can be hacked to cause widespread power outages. 
 
American intelligence officials have long warned that the U.S. grid would represent a ripe target in a time of war, and U.S. adversaries are heavily investing in the capabilities to take it down. In Ukraine, hackers attacked a portion of the country’s grid over Christmas and succeeded in knocking out power for thousands of customers in the middle of the bitter winter. Officials in Kiev quickly pointed the finger at Moscow for the unprecedented attack, but the Kremlin denied responsibility.
 
Desperately looking for new ways of shoring up the U.S. grid’s defenses against digital attack, a bipartisan group of lawmakers is pushing a decidedly counterintuitive approach to cybersecurity: ditching cutting-edge digital technology for old-school analog control mechanisms. 
 
This week, four senators on the Intelligence Committee — Angus King (I-Maine), James Risch (R-Idaho), Martin Heinrich (D-N.M.), and Susan Collins (R-Maine) — introduced legislation that would set aside $10 million to study security vulnerabilities on the electrical grid and come up with solutions for them, including what the bill’s backers call a “retro” approach to grid security. 
 
“We can learn something from what happened in Ukraine,” King said during remarks on the Senate floor this week. “It may be that going back to the future, if you will, going back to the past and simplifying some of these critical connection points may be the best protection that we can have.” For now, at least, security engineers aren’t investing in these types of retro devices. Security-focused start-ups aren’t working on analog solutions, and engineering talent is more often focused on designing higher-tech tools, not turning back the clock to older ones. Analog security devices are widely available, but engineers aren’t usually focused on integrating them into computerized control systems. 
And that’s one reason why many cybersecurity experts are excited about the legislation introduced this week. “When the government invests in areas where there is no market, that’s exactly what we want to see,” said Robert M. Lee, an instructor at the SANS Institute and a former cyberwarfare operations officer for the U.S. Air Force.
 
He and other security experts say a “retro” approach makes a great deal of sense. Michael Assante, the head of industrial control systems at the SANS Institute, which provides cybersecurity training to security professionals, said utilities would be wise to integrate tools that aren’t connected to networks or are completely analog into a sophisticated control system. 
 
Researchers at the engineering consulting firm Kenexis have come up with similar proposals to use mechanical technology as a cybersecurity measure. In recent years, designers of high-speed rotating systems such as centrifuges have used computers to control them from moving too fast, a shift that has left them vulnerable to hacks like the Stuxnet attack on Iran’s nuclear facilities.
 
A simple, spring-based design can be used to prevent hackers from getting the centrifuges to spin too fast. As a spinning object gains speed, a spring with a weight at its end will be pulled toward the system’s edge by the centrifugal force. When the spring reaches the point defined as the maximum speed, it trips a relief valve, venting steam or whatever powers the mechanism. That’s a design that cannot be hacked. 
 
The challenge is that business incentives are firmly aligned against such a move. In recent years, companies of all types have been installing sensors on devices and networking equipment at a furious pace. Placing sensors and computerized controls on every valve on thousands of miles of pipeline, for example, allows a gas company to precisely control the pressure in its equipment. Such fine calibration can result in huge savings — savings that could be lost if those sensors were replaced by less sophisticated analog equipment....
....MUCH MORE  
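The spring-based overspeed trip described in the excerpt above, as an added toy simulation (not code from the article, Kenexis, or any vendor): a software controller that may be untrustworthy drives a rotor, while a mechanical trip reads the real shaft speed and vents the drive once a fixed threshold is passed. The threshold, drive gain, drag and the "always demand full drive" model of a misbehaving controller are all assumed values chosen for illustration.

```python
"""Toy model of an analog overspeed trip guarding a rotor whose software
controller cannot be trusted. Constructed example with assumed constants."""
from dataclasses import dataclass

TRIP_RPM = 1200.0   # speed at which the spring-loaded weight trips the relief valve (assumed)
MAX_DRIVE = 50.0    # rpm gained per tick at full throttle (assumed)
DRAG = 0.02         # fraction of speed lost to friction each tick (assumed)


@dataclass
class Rotor:
    rpm: float = 0.0
    vented: bool = False   # relief valve has tripped; drive power is cut and latched

    def step(self, drive: float) -> None:
        """Advance the physics one tick. `drive` is the 0..1 throttle requested."""
        if self.vented:
            drive = 0.0        # a latched mechanical trip cannot be re-armed by software
        self.rpm = max(0.0, self.rpm * (1 - DRAG) + MAX_DRIVE * drive)


def mechanical_trip(rotor: Rotor) -> None:
    """The analog safeguard: it senses the actual shaft speed (the weight on the
    spring), never a value the controller reports, and vents past the setpoint."""
    if rotor.rpm >= TRIP_RPM:
        rotor.vented = True


def honest_controller(measured_rpm: float, setpoint: float) -> float:
    """Bang-bang controller: full drive below the setpoint, none above it."""
    return 1.0 if measured_rpm < setpoint else 0.0


def run(ticks: int, compromised: bool, with_trip: bool, setpoint: float = 900.0) -> float:
    """Return the peak rpm reached. A compromised controller is modelled only as
    'always demand full drive', whatever the physical state (assumed model)."""
    rotor, peak = Rotor(), 0.0
    for _ in range(ticks):
        drive = 1.0 if compromised else honest_controller(rotor.rpm, setpoint)
        rotor.step(drive)
        if with_trip:
            mechanical_trip(rotor)
        peak = max(peak, rotor.rpm)
    return peak
```

With the trip installed, the peak speed is bounded by the mechanical threshold plus one tick of acceleration no matter what the controller demands; without it, a misbehaving controller runs the rotor well past the threshold.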
 
Just ten years ago the neo-Luddite approach was easier than it is today, when even air-gapped servers with zero connections to the web can be monitored.
We mentioned this in the introduction to 2018's "Science Academies Urge Paper Ballots for all US Elections": 
Following on the MIT Technology Review piece immediately below.

Back in the dark ages, 2010 or so, the gold standard of network security was physically isolating a computer from any other and from intranets and internets, so-called air-gapping.
Sweet innocent days gone by.
Over the last five or ten years that ultimate security approach, a literal air-gap surrounding the target computer, has been beaten with at least a half-dozen different approaches.
So the advice in the piece below is already behind the times if the polling place is relaying voting numbers over the internet, but at least it is a start.

Seriously, we used to say the only secure computer was one not connected to the internet, ha!

Lifted in toto from the journal Nature, September 6....

But taking the grid offline can and probably should be done.