Tuesday, April 14, 2009

SCADA Watch: Foolish Logic Undermines Electrical Grid Security

Ira Winkler writes on Internet Evolution:

About a year ago, I blogged about attacking power grid control systems as part of a penetration test. At the time, a lot of people claimed it was complete nonsense. I was even told by a Washington Post reporter that the Nuclear Regulatory Commission was offering detailed presentations to discredit my comments. It was actually quite entertaining that the government would waste so much time on me. However, while they were wasting time to discredit me, they were leaving our power grid wide open.

In May 2008, the GAO released a report [.pdf] and testified to Congress about how the Tennessee Valley Authority, a Southern power company, intermingles its control systems with its business systems on the same network, which was, not so ironically, how I described the vulnerabilities exploited by my penetration test. There was also a widely noted statement by a CIA analyst that details the same problem of foreign governments being extorted by computer hackers who compromised their power grids.

The Wall Street Journal recently reported that foreign intelligence agencies have infiltrated the U.S. power grid and have planted malware to selectively sabotage the grid at a time of their choosing. Given the well-documented weaknesses in the power grid, this should not be surprising.

Most people wonder why the power grid is so insecure, and the answer is simple: Well-paid lobbyists and naïve Congresspeople. For more than a decade, the U.S. government has relied on the power companies to protect themselves, despite no real improvement over the years. Yet the Department of Homeland Security (DHS) continues to call for "voluntary" efforts.

The cliché definition of insanity is doing the same thing again and again, and expecting different results. The DHS is clearly insane.

