Friday, September 26, 2008

Bad news, part 1

A while back, I posted "Industrial Security? We'll see." Well, we're starting to see.
"... an attacker can use his control over the FEP server to insert a generic electric grid malware...in order to cause harm to the grid"
It's pretty surprising how vulnerable the power grid is to someone who wanted to start taking it apart, bit by bit. The grid was designed to be robust against storms and natural disasters, and is very robust indeed. Against single impact events. An attacker who exploited this SCADA vulnerability to take out an important point in the grid would stress the entire grid, as it tried to route around the failure. If the attacker took out another key point, and possibly another, the grid might collapse.

Think New York City in 2003, but across the entire eastern seaboard.
"The advisory comes as concern mounts about the safety of software used to run gasoline refineries, manufacturing plants and other industrial facilities. In June, a now-patched vulnerability in CitectSCADA potentially exposed plants' critical operations to outsiders or disgruntled employees. Lawmakers on both sides of the Atlantic have warned that lax security may make critical infrastructure vulnerable to saboteurs or terrorists."
Forget nukes. If the Mullahs want a good deterrent, this is a lot cheaper.

From a security point of view, the real question is not "Is the power grid vulnerable?" Of course it is. The real question is what parts of the grid do the bad guys already own?
