Showing posts with label water. Show all posts

Monday, August 5, 2013

Joe Weiss on a New (or Newly Discovered) Risk to Substations

Control systems security guru Joe Weiss recently wrote up his observations of a problem reported at a nuclear power facility, wherein a transformer load tap changer (LTC) malfunctioned, the malfunction wasn't detected in a timely manner, and it could have caused trouble.

LTCs are used in ALL (Joe's emphasis) substation transformers and are designed to be remotely accessible. But his bigger point, as he wrote me separately, is that:
This incident can affect EVERY (again) electric substation - I found it because it affected a nuclear plant and an unusual event notice was issued - and [note] the word "cyber" was never used.
Key words here: "remotely accessible." Not something you want to see too often in an incident at or near a nuclear plant. You can read his full post at the URL for his Control Global blog provided below.

Also, Joe was recently quoted in an MIT Tech Review article on an attack on a water plant honey pot. You'll find a URL for that piece below as well.

------------------------

URLs

Control Global

http://community.controlglobal.com/content/system-still-broken-failure-cyber-sensitive-substation-device-affecting-nuclear-plant


MIT Tech Review

http://www.technologyreview.com/news/517786/chinese-hacking-team-caught-taking-over-decoy-water-plant/

Friday, December 2, 2011

Follow-up on Illinois Water Pump Hack Case

This isn't pretty, but it would be good if you knew the whole, emerging, story. My recent post said it wasn't an international cyber attack ... or a cyber attack at all, and that we had been through yet another round of grid security FUD.

But the truth seems to be worse than that. I've got a fuller picture now, having had some contact with Joe Weiss, who is, for better or worse, in the thick of it. Here's yesterday's post from his Unfettered Blog:
This story would be funny if it wasn't so scary. Wired magazine has broken the real story (or the latest iteration of the real story). The link is here. So it wasn't evil hackers from Russia after all. From the sound of it, more like a Keystone Cops fire drill. Nobody checked with anybody. Lots of people assumed things they shouldn't have assumed, and now it's somebody else's fault and we're into a finger-pointing marathon.
Securing our infrastructure is complicated and tough enough as it is, without self-inflicted wounds of this type. From what I could see, the water pump control system in question was a complete security mess, connectivity and configuration-wise. Its connection to the web easily visible with Shodan.

Don't know Shodan yet? You should. Seriously. Here's a nice intro from John Matherly on it. If you're an asset owner and you can see your system on Shodan, you've got some work to do. 

And if you're part of a government or industry org charged with getting information out to help keep owners and operators apprised of threats, please do a great job. We're depending on you.