I'm no expert, but rather than watching attacks for three years and then issuing some ineffectual reports and sanctions, wouldn't it have been better to just lock down the damn power plants? If you're smart enough to notice all this nefarious activity and correctly attribute it to somebody on the other side of the globe even though we know that other parties use all the same tools they use, why aren't you smart enough to just fix the vulnerabilities they're using? Curious!
In order to integrate more renewables onto the grid (which are non-dispatchable generation), we need to add more generation and load flexibility on the grid.
This means you need more communications between all the various parts running the grid. So it's not just the switch that opens the valve at the gas turbine power plant that you have to worry about (which I agree is easy to be air-gapped and interlocked). You also have to worry about manipulation of the communication ecosystem that let all the various grid actors coordinate so everything stays in sync.
EDIT: Also, remember that power engineers are extremely good at running the grid and keeping the lights on. They are NOT experienced at protecting it from cyber attacks. Unfortunately, neither the intelligence community or tech sector that is actually good at cyber defense (Google, Apple, Facebook, etc.) has not offered to help add cyber defenses and these physical infrastructures. So, the only parties who have been doing the grid cyberdefense work have been security theater companies ("enterprise" security).
Ah, if only the country had a three-letter agency with a responsibility to identify weaknesses in cyber infrastructure and work with relevant manufacturers to fix these bugs...
You make a good point about new engineering skills needed for cyber. There are also institutional issues. Software talent tends to be in the IT department, and power systems talent is in the operations and planning department, so issues like cybersecurity require a lot of coordination now that controls are networked and highly automated.
Have you ever tried to retroactively lock down a running system that was designed by people completely oblivious to software security?
It’s hard enough with non-safety-critical, pure-software systems. Industrial systems with life-safety implications and release cycles measured in decades cannot be made secure against nation-state adversaries at the drop of a hat.
The United States has never tried to bomb-proof every building. Our military strategy is our capability to bomb you right back a thousand times over. Attribution and offensive capabilities will be a lot more important to military strategists accustomed to that mindset.
I haven't, and clearly that's a major factor. However... decades-old industrial systems didn't come from the factory with connectivity. Either we're talking about stuxnet-style USB stuff in which case don't do that or this is a network connection that was added later as part of some project. Now it's time for another project to secure or remove those connections. This will cost money, but no power company is shy about going to the PUC for rate increases.
One reason we have to do this work instead of just warning the world "if our power plants get hacked we're going to war" is that the world in general has no way to judge our claims about hacks we may or may not have suffered. In contrast, if our buildings get bombed that's kind of obvious. We don't have a great deal of credibility when it comes to war justifications, just based on recent form.
My understanding is that grid has always been networked. Before we had computers talking to each other, we had control-room operators with telephones. That is also subject to eavesdropping, denial-of-service, and social engineering.
I agree we need to fix it, but I'm not surprised that it's slow going or ineffective. Likely we're going to see some very expensive projects to merely install antivirus packages, where what we really needed was to engineer completely different protocols.
The NSA is too busy spying on all Americans [edit: as well as collecting backdoors and keeping OS bugs secret] to fulfill its official duties (one of which is to protect U.S. communications networks and information systems).
Edit: all of the above is factual, apart from the evaluation of them being negligent of their responsibilities solely due to being overly busy. And if you reasonably hold that the NSA are failing to perform their duties to help protect US infrastructure from cyber attacks for other reasons than being too busy spying on the American people -- would you like to suggest what such reasons are?
Fact: the NSA records all electronic communications within the USA.
Fact: the NSA collects backdoors, and has bribed US companies to create them.
Fact: the NSA seeks and collects major OS bugs for exploitation.
Fact: the NSA has systematically avoided revealing the above bugs to US manufacturers. If they had done so, as expected according to their charter, the bugs would have been fixed -- and thereby would have been protecting US infrastructure, government systems, companies, and last but not the least, the people.
Yes, I agree with this argument. The intelligence community has consistently valued offensive capabilities over improving our tech defenses. Apparently they think that finding and hoarding exploits gives them an advantage over other state actors.
Which really sad and depressing for the American tech sector. Not only do they have foreign state actors trying to hack into their infrastructure, they also know that they're own government won't help by disclosing the holes they hoard (or worse, joining the foreign attackers in exploiting the holes they have found).
America has so much to lose and very little gain from exploits. It's so discouraging that the intelligence community is still valuing offense over defense.
The more I see it the more it looks like these guys are getting ready for a war. The 2016 election hacks seem to have been a decade-long plan. I hope it never comes to this. At a time when the country is divided, we may have trouble responding.
I like it that you've left "these guys" ambiguous. That seems wise. Don't worry about a divided USA; the following makes it clear that we'll all be in complete agreement very soon:
Russia's activities are probably more inward looking than outward. On March 18th Russian citizens will vote for their next president. Reaction (however warranted) by the Western powers will play well at home for Putin.
Well, there's nothing like a good old-fashioned war to pull the country together.
In all seriousness, I wonder if the absence of a clear foreign boogey man has resulted in Americans turning their angst and anger inward upon themselves. North Korea and Iran are too small to pose existential threats, terrorism is too ambiguous, and China hasn't crossed over into full enemy territory yet. The last real enemy we could all rally against was the USSR.
Throughout the cold war the Soviet Union had plans in place to take out much of the US energy grid, usually with well placed bombs and local agents. It's not an indication of war being imminent.
The history of the US is a history of deep divisions, until someone pokes it a little too hard, and suddenly a seemingly united response is generated. Often that response is more than a little extreme, and sometimes it gets all over the place, as Iraqis or Cambodians could tell you. The manufacturing capacity of the US, and its massive military spending are not to be fucked with lightly.
Let's not kid ourselves; Russia would kick our asses in a shooting war. Actually they just did, in Syria. Our navy can't avoid running into cargo ships. Our air force can't buy a new plane. Our army is crippled when attacked with homemade explosives. Our intelligence agencies are employed mostly in spying on their own citizens.
Any armed conflict directly with Russia would be kicked off in the same shameful shambolic fashion we've gotten underway in the last three nations we've invaded. That is to say, we'd make some stupid claims about hacking, everyone else at the UN would chuckle nervously while voting against us, and then we'd ineffectively bomb the wrong targets. Then the world would witness what a bunch of hungry tough bastards with the right equipment can do. It would not be pretty. Eventually Putin and the oligarchs would figure out a really big number we could probably pay if we stopped all entitlement spending for a few generations, and the pain would stop.
Not even Canada would join us in such folly. Putin doesn't actually want a shooting war with USA; he just wants to keep his subjects thinking about Uncle Sam. Let's not fuck up our lives forever, just so a bunch of Washington assholes don't have to admit they've been very wrong for a very long time.
I really don't doubt what you're saying, although you're probably taking a psuedo-tongue-in-cheek mode, but it would be a crying shame if we would in fact lose horribly if it came to blows with Russia. We spend positively immense sums of money on our prized military -- leaving nothing little left for extras like a single payer health system -- and have posted said forces to outstretched islands and zones all over. How sad it is that we don't have enough tanks to fight the Russians successfully in Europe, for one thing. You can be sure that China, North Korea and Russia coordinate regularly with intelligence on the status on our military, ready to take advantage once the gaps make it possible.
Syria is a proxy war, and not a particularly relevant one. Even the wars the US loses tends to leave devastation in their wake. That, and you’re grossly overestimating the Russian military as a non-regional power, but it hardly matters, since the Russians certainly don’t make that error themselves. They’re smart enough to engage in proxy and regional conflicts, for better or worse.
I hope that neither the US nor Russia would be stupid enough to go directly to war, but if they did it would be over in under and hour and we’d all be dead or dying. I’ll pass on that, thanks.
For a non-American, you do a great impression of a 73-year-old Midwestern Republican who managed to miss both Korea and Vietnam and who has taken Time magazine for most of his life. I might not convince you of anything, but mostly I would just urge you to be skeptical of American media reports that encourage spending more money on the military.
That's pretty thin. The fact that Putin said she did, doesn't mean she did. We're on much more solid ground saying that Americans got Yeltsin elected in 1996. Of course that result ended up being very good for Putin...
