StatCounter

Thursday 29 May 2008

And so the blackouts start

For around five years I have been advising clients to invest in backup generators for their offices as a precaution against the coming blackouts that will result from the government's woeful record of investment in electricity generating capacity. Now I learn that nine power stations had to shut down yesterday causing the National Grid to issue a "demand control imminent" warning and strongly urge suppliers to provide lower-voltage electricity to meet demand.

Two points:

1) So the fourth largest economy in the world cannot cope with the shutdown of nine power stations. This Labour government decided to spend large amounts of money on ridiculous computer systems, smart suited consultants and creating a client state rather that actually investing money in the infrastructure of this country.

2) Was this just coincidental? Nine power stations failing within a 12 hour period. Might that be more than coincidental? Conspiracy theory or possible fact? Here's an article from The NEw Scientist from 10 days ago:

"POWER plants could be sabotaged by a simple internet attack that shuts down their control systems.

Core Security in Boston, Massachusetts, has discovered a serious vulnerability in a software package called Suitelink that is widely used to automate the operation of power stations, oil refineries and production lines. This could allow attackers to crash Suitelink by sending an outsize data packet to a certain port on the computer running the program. Suitelink's maker, Wonderware, has since issued a software patch to plug the security gap.

Core had only just begun examining this kind of supervisory control and data acquisition (SCADA) program when it found the problem. This may mean that more vulnerabilities are still hidden in software of this type."



Here's an extract from more on that story at CNet:

""I will tell (you) how to break into a nuclear reactor," Ira Winkler, president of security firm ISAG said as he launched into his presentation on "How to Take Down the Power Grid" at RSA 2008 on Tuesday night.

"Frankly, it's really easy to break into the power grid," he said. "It happens all the time."

First, you set up a Web server that downloads spyware onto the computers that visit.

Second, you send an e-mail to people who work inside a power station that entices them to click on a hyperlink to the Web server with the spyware. Warning them that their human resources benefits are going to be cut and sending them to a Web site with "hr.com" in the domain would work, according to Winkler, who said he has done this several times in company-approved penetration tests.

Third, you wait as the recipients--and everyone else they forwarded the e-mail to--visit the server and get infected.

"Then we had full system control," he said. "Once the malware was downloaded onto their systems...we could see the screens and manipulate the cursors."

It took about a day to set up the attack and was effective within minutes, according to Winkler.

"It had to be shut down after a couple of hours because it was working too well," he said.

This is akin to social engineering attacks that happen all the time, but this attack has more far-reaching consequences than most such attacks.

Power stations running special SCADA control software have the perception that they are more secure than other networked systems. However, they are just as vulnerable because they are connected to the Internet and run on computers that also run Windows NT, he said.

"Things are really this bad," Winkler said. "I'm not exaggerating.""



Of course there is another less likely possibility as the BBC reported six years ago:

"MI5 has drawn up a secret list of more than 350 key British institutions considered potential terrorist targets in the wake of the threat posed by al-Qaeda forces.

Key government buildings and installations vital to the economy are on the "critical national infrastructure" list.

...

The list is thought to include the country's 15 nuclear power stations, the main National Grid sites, oil installations and petrochemical facilities."



Just something else to worry about as the economy goes phut!

No comments: