This is a ClusterHack

At about 7 am last Sunday, the power went out simultaneously in five countries — all of Argentina, most of Uruguay and parts of Paraguay, Chile and Brazil. About 50 million people were affected as homes, businesses and cities were crippled for about 12 hours. One power company blamed another, one country blamed another, but eventually a consensus emerged: the system had been brought down by a cyber attack. 

It remains to be seen whether or not this explanation was a way of deflecting attention from the culpability of executives and governors who have presided over the long deterioration of electric grids everywhere. But it is true — and a great irony — that much of what utilities have spent in recent years to upgrade the grid has made it far more vulnerable to bad actors. 

Today, it’s all about the “smart” grid (almost all the catch phrases of modern industrialism are oxymorons) which means a grid connected to the Internet of Things, a.k.a. the Internet of Shit (not my word, by the way, it’s a website, a Reddit sub and a Twitter hashtag).  The Internet of Things has been devised not by people trying to improve the Internet or the grid, but by people trying to sell you more crap by calling it “smart:” thermostats, air conditioners, doorbells, refrigerators, light bulbs, and on and on. (I have just watched a three minute YouTube tutorial on how to reset a smart light bulb that has been stricken dumb. I would have used a .22 pistol. 30 seconds max.)

The Things are called Smart because you can access them via the Internet, with your “smart” phone, to turn them up or down or off or on. Or to see who is cavorting with the babysitter while your house burns down. But these “smart” devices turn out to be a really dumb idea because each and every one of them offers a portal to the Internet that also runs things like the electric grid, and nuclear power stations. Hackers can get into the Internet via your thermostat and bring down the national grid. They have done it, and they are doing it. 

The New York Times reported last week that the United States is making frequent cyber incursions into the Russian electric grid. (President Trump didn’t deny it, but said it was “treasonous” to report it.) Since 2011, a group of nation-sponsored hackers known as “Dragonfly” has been attacking energy systems in the United States and Europe, and has recently gained access to and some control over the operating systems of electric utilities. Their intentions are not benign. Hackers took down much of Ukraine’s electric grid in 2015, shutting down power to a quarter million people in what was taken as a warning shot, because it could have been much worse.

Much of the money spent on electric grids in the last decade — Bloomberg Business puts it at $30 billion dollars a year worldwide — has been for installing so-called “smart” electric meters that can be controlled via the Internet to manage demand. One serious estimate is that half a billion of them have been installed around the world. In conjunction with the wildly proliferating Internet of Sh…I mean Things…these meters offer hackers a multitude of back doors into their promised land. By placing malware on myriad small appliances, for example, they can easily mount a so-called “denial of service” attack that floods a website with so many simultaneous demands for page views that real people can’t log in. Hostile hackers in 2010 crippled Iran’s entire nuclear enrichment program — they used an infected USB drive for access, but still. 

So when the hucksters come by with their smart shit that plugs into both the grid and the Internet, and when the utility hucksters come by with their smart meter that they would rather buy than replace their half-century-old wires and transformers, be aware that what they are really selling you is an opportunity to freeze (or broil) in the dark sooner, rather than a little later. This is turning into a clusterhack.       

“Power” by enamic5 is licensed under CC BY-NC-SA 2.0

Bookmark the permalink.

9 Responses to This is a ClusterHack

  1. Dennis says:

    I miss knobs and switches.

    • Greg Knepp says:

      Me too, Dennis.

      When I was a youngin’ our TV had three knobs: one for on-off-volume, one for channel selection and one for horizontal adjustment. This third knob seldom worked. Nonetheless, life was simpler then, and Sid Caesar’s ‘Show of Shows’ beat hell out of anything on the tube* today.

      My current TV sports two (count them – two!) separate remotes: one, controlling the TV itself, has 26 buttons. The other, tied into the ATT box-thingy, has 44. One of these buttons reads “OPTIONS”…Can you imagine?

      I fear to touch it.

      *serious anachronism.

  2. Davebee says:

    I give daily thanks to almighty God that my ‘smart’ expertise begins and ends with simple emails and the use of my yet very reliable 1980 Sharp pocket calculator!
    I don’t even own a flat screen cell phone.

    • jupiviv says:

      No offence but the selective Luddism of Boomers is hilarious to me. You can enjoy modern tech without any of its silly pointless epaulettes.

      If you have a smartphone you can:
      a)download a digital copy of the Palgrave Encyclopedia of Imperialism & Anti-Imperialism for free.
      b)post a picture of yourself eating a burger on facebook.

      The value and “smartness” of the internet comes down to “Consumer Choice”. The vast majority of Consumers Choose to be dumb and hedonistic. If they didn’t, the companies who make the phones or own the websites and servers will go bankrupt and the economy will most likely crash.

      Basically, I can listen to a free audiobook of “Heart of Darkness” because millions of other people are simultaneously watching thousands of other people sit in dark rooms, shouting at anonymous text chatters and play video games. Think of that what you will.

      And to be honest, I also occasionally enjoy watching other people sit in dark rooms, get into heated political arguments with other people sitting in dark rooms and play video games. Again, think of that what you will.

      • Oji says:

        Technology is not neutral (see McLuhan or Postman).

        Secondly, pretending a systemic problem is an individual one misplaces responsibility, and prevents real reform or response. You might as well recommend we solve climate change by asking individuals to drive fewer miles, or eliminate pollution expecting households to recycle, close the looming energy gap by switching to LED bulbs, etc…

  3. Brutus says:

    U.S. cities have already been ransomed by hackers following their municipal services being compromised. Some cities pay; others decline and pay more to fix vulnerable IT infrastructure. The mad rush to adopt hyperfragility for the simple pleasure of controlling knobs and switches from one’s phone is making people into fools. My prediction is that it will get worse so that no one can trust anything anymore.

  4. BC_EE says:

    As one whom has designed, installed, and commissioned numerous utility interconnected control and data systems I can unequivocally say the central threat is lack of discipline. That’s what happens when the biz kids run things and engineers meekly fade away to a corner with their HP calculators (stereotype self effacing).

    There are thousands of third party generators connected to utility grids. Each generating station is connected to the utility SCADA (system control and data acquisition). And each of these stations are also connected to the Owner’s control facilities through one or more methods. Some use dedicated telecom circuits, some use cloud VPN. Problem is, there are thousands of potential weak points.

    If there was a universal discipline enforced for network security – as in design and practice, not bloated government regulation – things would be hunky dory. But as you can guess, its not. We can point to any number of reasons, but the common recurring theme is cost. Cost equals time equals profits, etc. Until things go very bad and then draconian measures are decreed from on up high by those that a) caused it in the first place, and b) don’t have a clue what they are talking about. Because, you know, all that sciencey stuff in school was too hard but they feel it is acceptable they should manage organizations built on sciencey stuff.

    Accompanying the organizational lack of discipline is the cultural or lack of discipline from a generation raised on plug-n-play or downloading apps. The number of times I have had to stop engineers and get them to think what they doing! Or don’t get me started with all the “smart” protective relay devices, (termed IED for intelligent electronic device – bad acronym), that are interconnected to the same SCADA and utility networks and have default passwords left in place.

    Again, laziness and lack of discipline. “Oh, but that would be too difficult to manage and cause problems down the road”. Ya, that’s the point sunshine. They are supposed to be difficult to get into. You don’t hand out the same house key to the whole neighborhood do you?

    IOT is one threat, but they tend to connected to lower level networks that are isolated or move firewalls and databases. Industrial level hacking would go through the systems described. That’s how one activates circuit breakers and switches in substations. If I get admin level access to a protective relay(s) I can force trip signals to open circuit breakers all over the place. OUT21=Lights Out. I know, because I’ve done it – for proper admin reasons of course. I don’t even know how to hack and don’t care to learn except for preventative measures.

    • BC_EE says:

      Can add another level of mayhem. Normal practice to isolate a high voltage circuit is to open the circuit breaker and then the isolation switches. Most switches are not designed to open on full load, they burn up the contacts due to arcing. Look up your favorite YouTube video to see what it looks like. The switches can close, but not necessarily open.

      To really take down a system for an unspecified duration go back into the SCADA and open all the incoming and outgoing switches in a substation under load. This could take the station out for a month or more. The utility may come in and authorize emergency bypasses on the switches, but this still takes a couple days.

      And it gets worse.

  5. Hi Tom,

    If you don’t like it, there are options such as disconnecting. In my corner of the world there is no legal requirement to be connected to the mains electricity grid.

    Chris