The Gray Lady is outdoing herself these days -- not reporting on what is actual news and recycling dead stories from years ago as -- get this -- breaking news!
From the New York Times:
Academic Paper in China Sets Off Alarms in U.S.
It came as a surprise this month to Wang Jianwei, a graduate engineering student in Liaoning, China, that he had been described as a potential cyberwarrior before the United States Congress.
Larry M. Wortzel, a military strategist and China specialist, told the House Foreign Affairs Committee on March 10 that it should be concerned because "Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology published a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S."
When reached by telephone, Mr. Wang said he and his professor had indeed published "Cascade-Based Attack Vulnerability on the U.S. Power Grid" in an international journal called Safety Science last spring. But Mr. Wang said he had simply been trying to find ways to enhance the stability of power grids by exploring potential vulnerabilities.
"We usually say 'attack' so you can see what would happen," he said. "My emphasis is on how you can protect this. My goal is to find a solution to make the network safer and better protected." And independent American scientists who read his paper said it was true: Mr. Wang's work was a conventional technical exercise that in no way could be used to take down a power grid.
The difference between Mr. Wang's explanation and Mr. Wortzel's conclusion is of more than academic interest. It shows that in an atmosphere already charged with hostility between the United States and China over cybersecurity issues, including large-scale attacks on computer networks, even a misunderstanding has the potential to escalate tension and set off an overreaction.
Sigh... Large industrial systems are generally controlled with a computer protocol known as Supervisory, Control and Data Acquisition with the acronym of SCADA.
SCADA was never designed to operate over publicly accessible networks. There was never the idea that elements of computer security needed to be implemented or that rogue elements would try to hack SCADA systems and disable them.
That was then, this is now. The latest attempt was in 2008 and that involved social engineering (Hey. This is Joe from the main plant, I am at your site and I forgot the login to your system, could you read it back to me? I would sure hate to have to call my boss for this -- they would never let me live it down...) No damage was done, no power was lost.
There were some events in Brazil back in 2005 and 2007. I would assume that Brazil has now updated their SCADA software.
Bruce writes about a 2008 pronouncement:
Hacking Power Networks
The CIA unleashed a big one at a SANS conference:I'll bet. There's nothing like an vague unsubstantiated rumor to forestall reasoned discussion. But, of course, everyone is writing about it anyway.On Wednesday, in New Orleans, US Central Intelligence Agency senior analyst Tom Donahue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure.
It is funny too as you look through the 'news' reports -- it is the same five or six voices proclaiming the danger. Wortzel and Donahue are the two most vocal these days. They are all consultants seeking money from the feds to make this non-problem go away.
Again, if someone does hack into some public utility, it will either be an inside job or it will be a case of social engineering. The core SCADA systems were brought up to date about ten years ago and there is no problem there. If anyone says there is a problem, they have ulterior motives (think: $$$$).
For the New York Times to fall for such an old and outdated rent-seeking scare is a shame and it greatly reflects on the problems with today's Main Stream Media and their public record of acuracy...
