
Report reveals play-by-play of first U.S. grid cyberattack - signa11
https://www.eenews.net/stories/1061111289
======
yourad_io
Recap: An attacker exploited a vulnerability on their firewall that allowed
unauthenticated users to reboot. Exploit was public, firewall was unpatched.
Unlikely that the attack was targeted, making "cyber-attack" somewhat of a
stretch in my book.

~~~
badrabbit
S/Unlikely/unknown

~~~
arcticfox
s/unknown/unlikely, according to the expert quoted in the piece.

> "So far, I don't see any evidence that this was really targeted," said Reid
> Wightman, senior vulnerability analyst at industrial cybersecurity firm
> Dragos Inc. "This was probably just an automated bot that was scanning the
> internet for vulnerable devices, or some script kiddie," he said, using a
> term for an unskilled hacker.

~~~
themark
People still say script kiddie?

~~~
badfrog
Why not?

~~~
themark
Sounds like “Web 2.0” but probably just me.

~~~
badfrog
I think it's meant to be an insult, so that seems appropriate.

------
arkadiyt
There's a bill in congress (the "Securing Energy Infrastructure Act") that
would pilot a program to move the most important control systems to use
analog, manual controls.

Text of bill (pdf):
[https://www.king.senate.gov/imo/media/doc/01-17-19%20Securin...](https://www.king.senate.gov/imo/media/doc/01-17-19%20Securing%20Energy%20Infrastructure.pdf)

Article summary: [https://www.zdnet.com/article/us-wants-to-isolate-power-
grid...](https://www.zdnet.com/article/us-wants-to-isolate-power-grids-with-
retro-technology-to-limit-cyber-attacks/)

~~~
bsder
Oh, joy. So it can take us days to reboot a grid blackout instead of minutes.

And analog is generally slower on the other end as well. So, if I can create a
fast traveling disturbance, I can destroy your equipment before the analog
system kicks in.

The problem isn't digital vs analog--it's connecting !@#$ to the Internet that
doesn't belong on it.

------
badrabbit
Looks like they just rebooted firewalls.

I wish the lessons learned bullet points explicitly stated that management
interfaces should only be accessed from internal bastion hosts (jump boxes).
You'd be surprised how rare the practice is. Just getting people to disable
internet access is a pain -- "but it has a really good password".

~~~
ethbro
If the federal government wants things to change, they should form an
independent red team, running exercises against private companies, and then
help companies address issues (the US government leaning on a vendor gets a
lot more action than Topeka Electric Coop). With fines to increase the cost of
inaction.

The general consensus of reports thus far has been stupid, 101-level mistakes.

And guidelines and recommendations aren't going to help with people who don't
read them.

E.g. Staff up NCATS [1], empower them with more binding regulation, and turn
them loose to conduct non-requested tests of critical infrastructure

[1] [https://www.us-cert.gov/resources/ncats](https://www.us-
cert.gov/resources/ncats)

------
cracker_jacks
Solar energy seems like a great way to decentralize energy infrastructure,
making it more robust to attack.

~~~
badrabbit
Nope,that's just the source. I can imagine overloading the battery farm or
downstream distribution lines.

~~~
cracker_jacks
I'm referring to solar as a distributed energy source. Imagine homes and
buildings having their own energy sources.

~~~
PeterisP
Most of standard solar panel installations in homes and buildings don't
actually provide decentralization, as they tend to be linked to the grid in a
way that they will not provide power at all if the grid is down.

Enabling decentralization requires extra hardware and installation costs, so
it's usually not done. Essentially you need a solution to disconnect all your
house from the grid in that case for safety reasons - so that your
panels/batteries don't send voltage back to the grid potentially killing the
repairmen fixing the broken lines, and when the grid does come up, re-linking
to its frequency safely is a bit tricky, etc. It's not _very_ hard, but it
does require some extra stuff and thus expenses.

~~~
zaroth
There’s absolutely an extra switch that needs to be installed, but I think
it’s not so much the transfer switch requirement but two main things; 1) the
battery cost, and 2) net metering.

Grid tie solar with net metering gives you all the benefits of a battery
(except blackout coverage) with none of the cost. In other words, you get full
retail value for 100% of your solar generation no matter when it comes or how
much power you happen to be using at the time (because the meter runs
backward, the grid acts like an infinite perfect battery)

Net metering is a nice solar subsidy while batteries where extremely
expensive, but as battery costs plummet I assume net metering will also
disappear. It’s not really fair for the utility after all to be paying solar
customers retail rates for their generation.

Without net metering you will only get paid for solar power that you happen to
use while it’s being generated, or that you can store for yourself to use
later.

Finally, I’m not 100% sure but I would imagine a solar system with a transfer
switch and no battery will just immediately overload or brownout if the grid
is not there to keep the voltage steady. I would assume you need a battery to
be able to serve any variance in your demand (e.g. a compressor turning on)
even if your 1 minute average demand is actually running below your generation
capacity.

TLDR: Batteries need to be cheap and net metering needs to die before you see
most solar deployments that can run off grid.

The good news — if batteries are _durable_ then a battery backed grid tied
system can actually pay for the batteries and then some, if you can arbitrage
the demand pricing curve. This is a win-win for everyone (including utilities)
and IMO absolutely the future we’re heading towards.

------
gforst
These attacks seem to be happening more and more (or reporting them more).

The DOE is funding potential solutions, saw this earlier this week

[https://finance.yahoo.com/news/us-energy-department-funds-
tr...](https://finance.yahoo.com/news/us-energy-department-funds-
trial-130021787.html)

------
spsful
Is anyone else having trouble reading this article? It seems to repeat itself
over and over again. Reminds me of this SNL skit:
[https://www.youtube.com/watch?v=RQG7PaOE1Mo](https://www.youtube.com/watch?v=RQG7PaOE1Mo)

