
U.S. Power Companies Warned ‘Nightmare’ Cyber Weapon Already Causing Blackouts - kobayashi
http://www.thedailybeast.com/newly-discovered-nightmare-cyber-weapon-is-already-causing-blackouts
======
santaragolabs
So I've been in the position, a few years back, where I spent months doing
comprehensive code reviews of these energy distribution management systems and
what not more. It's all super scary legacy stuff and the code in general is
horrendous (regardless of vendor). It's next to unmaintainable, it's next to
un-upgradeable due to the risk of outages and there has been no oversight into
it whatsoever.

All the comments regarding "who puts these things on the internet" are missing
the point completely. It doesn't matter if this stuff is on the Internet or
not. It only makes it somewhat easier to get access to these networks and
start causing outages. However you've got thousands of miles of converter
stations and transformers and power lines dotting the country. It's not that
hard to go to the middle of nowhere and get access to the backend networks
that carry for example the DNP3 traffic. Once you're on there you can carry
out these type of attacks too.

The fact that an enemy can just use the Internet to penetrate the power
companies' networks and pivot from there to their back end networks and
actually touch equipment is the icing on the cake; it means they don't need to
bother with recruiting and sending spies who can get physical access somehow.

~~~
yodon
Agreed, and most people don't realize that this stuff almost "can't" be
upgraded because the initial vendor back in the late 80's or early 90's
specified a specific tech stack in the contract and any upgrading or even
application of OS patches would legitimately violate any warranties and
liabilities the original vendor has for their work. This is super
time-critical physical process code commonly running on operating systems like
Win95 or Win3.1 that were never intended to be real time operating systems and
whose behavior could change radically if a patch were installed.

The cost and complexity of designing and tuning the process control software,
and the lack of the detailed design calculations involved in figuring out what
it needed to be written to do 20 or 30 years ago makes replacing that old tech
stack nearly equivalent to replacing the entire installation.

Big power plants, refineries, and chemical plants truly are the worst of all
legacy nightmares.

------
protomyth
What exactly is the value of having any of our utilities connected to the
internet? It seems the security risk is too high. It is bad enough we have to
rely on people not inserting a bad USB drive or other physical plant problems.

~~~
snowwindwaves
I work on about 30 different power plants on two continents and spend only 2
months a year on the road.

~~~
protomyth
If there is a bug in the software that allows a security exploit, what
prevents problems on two continents?

~~~
snowwindwaves
Nothing, but they are not my problems since I am an EE, not IT.

------
kobayashi
Direct link to the Dragos executive summary and full report PDF:
[https://dragos.com/blog/crashoverride/](https://dragos.com/blog/crashoverride/)

