U.S. Escalates Online Attacks on Russia’s Power Grid (nytimes.com)
261 points by matt2000 on June 15, 2019 | 170 comments


"For the past year, energy companies in the United States and oil and gas operators across North America discovered their networks had been examined by the same Russian hackers who successfully dismantled the safety systems in 2017 at Petro Rabigh, a Saudi petrochemical plant and oil refinery."

Why are these systems even connected to the internet?

Decades ago, creating such connections might have been a forgivable oversight, since the internet was a much more peaceful place, and the idea of cyberattacks might have seemed like paranoid science fiction.

Today such attacks are happening in front of our noses and these systems are still connected to the internet?

It really boggles the mind.


I work in the industry.

On the electrical distribution side, there are a few things which may need internet connectivity. Getting map tiles for displays; having an externally contracted call center integrate with the outage management; automatic vehicle location (painting crew vehicles on the displays).

Adding to the last point, something that is coming to the industry is read only access to the system from a mobile device. This requires internet or a private network across the bounds of your network.

I don't want to talk too much about company specifics, but typically modern systems will have servers dedicated to only internet related functions. They will be internally firewalled from any servers which could make changes on the network. These systems aren't cheap though, a lot of what we replace is 15-30 years old. As such, it may not be as secure as it could be.

I've mainly talked about distribution. Transmission and generation also have functionality which requires the internet, or at the least a very large private network.


I can download a cache of a map on my phone from Google maps but a powerplant needs a constant internet connection for them?


Do the google mobile APIs offer a way to run an offline version of them?

Otherwise, if you want to do it fully offline, it’s kind of a pain in the ass to run something like ArcGIS on prem and license navteq data.


You can always run your own OSM tile server. That's what they recommend instead of relying on the official server, actually, if you have any non-trivial load.


The app has offline maps? And there are a few 3rd party "offline map" apps.


Google does their best to make the app unusable off-line, but I hear there are alternatives (HERE Maps is a name I recall seeing on HN a few times).


Google Maps for Android provides area-based offline maps, with a time limit that is not enforced.

It's been very useful to me personally, not sure what's unusable about it. I find the online version less usable because it nags me about GPS and obstinately only stores search history online, coupling it to the global Google Activity History setting.


But only in the Google Maps app. Nowhere else.

If you have a GIS system, that is able to use Google Maps as the basemap, you still don't have the ability to save it for offline use. The APIs/libraries/license agreement with Google that these GIS systems use won't allow that.

Not that other providers (Bing, Here, etc) are any better. Your only way is to download OSM data/obtain local orthophoto and make your own tiles.


Is navigation working off-line now? Last time I checked, it didn't. And Google Maps, even on-line, are quite bad at being a map, with the completely unreliable way of rendering street labels. I've used Google Maps off-line in a pinch a few times, but it wasn't too pleasant of an experience.

(Call me entitled, but I don't think it's too much to ask of an off-line map to offer point-by-point navigation and searching through the DB of addresses and POIs in the off-line map. When you can't do it, I get the feeling someone doesn't want you to use off-line mode, and is purposefully overcomplicating things.)


All those things (except display of some street names) work for me offline on my Android phone, but only for driving directions. You have to save an offline map manually first, somewhere in the settings or sidebar.


I was able to create usable offline navigation with OSM in a mobile app in a few weeks. Sure these guys could afford that :)


maps.me?


Not constant, map tiles are downloaded and cached. This one could be done manually, the others less so.


Convenience over security is a choice not a necessity.


"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks."

-- Sean McGurk, The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing.


My old apartment's intercom system had a bit of advertising material saying it was "computerized, not internet-connected" (or something like that) - it was an electronic system, but all it had was a connection up to the front door entry system, a terminal for the doorman, and the ability to call 911 if you pressed the panic button. No fancy cloud apps to drain your battery and then get hacked.

If an apartment intercom can realize this is important, why can't an oil refinery?


I presume it works through Plain Old Telephone System and pre-recorded messages and not Twilio with Google Cloud Speech.


Note that POTS pretty much doesn't exist anymore. Analog phone lines only run up to a point at which they get converted to SIP which then runs over IP (while it's often using "private" networks, it's not air-gapped from the Internet and thus can still be compromised).


Shameless plug: I work for a startup ( https://www.sensorfu.com/ ) that helps utilities and industrial companies to solve that exact problem of keeping their control | ICS networks closed and isolated from internet.

Even larger utilities often have rather small IT teams that are tasked with everything from keeping things running to change management, network design and architecture. And whether it is lack of time to focus on making the right things, or lack of time to even learn the latest right things<tm>, mistakes happen, all the time. And even when 'perfectly' implemented, it is far too often that we see that someone just decided that it's ok to run a cable from control room to open internet to make those night shifts a little less boring.


Good luck!


Convenience will trump security at the first opportunity unless extraordinarily stringent procedures and checks of those procedures are in place. "Well it was costing us an extra ten minutes every day so we just brought a router from home and hooked it up" is a situation I run into almost constantly.


Good shortsighted intentions? I've heard something like this before:

Person A: "but how will we know if one of our closed networks gets compromised?"

Person B: "I know, let's add remote monitoring capability!"


I'm not sure about the US, but in Russia and, well, in all former Soviet states energy systems are not actually connected to the internet and where there is automation it can all fall back to manual operations, so they can survive cyber attacks like nothing happened (almost, as figuring things out and communications cost some time).


This didn't stop the 2015 attack on Ukraine's power systems from wreaking havoc, although I suppose if it was entirely computerized they could have been offline for much longer.

https://en.wikipedia.org/wiki/December_2015_Ukraine_power_gr...


They don't have to be connected to the internet directly; the attackers can move laterally across segmented network boundaries or deliver a USB or backdoored device implant for their initial access.


Which is why you don't get to bring your equipment into those facilities. But someone always thinks he is the exception to the rule. What harm could a USB stick do and you really need your PowerPoint slides.


> Today such attacks are happening in front of our noses and these systems are still connected to the internet?

I've done my fair share of inspecting critical infrastructure in different countries and 9 out of 10 times the reason is: cost.

Got a bridge / tunnel / trafostation that needs monitoring / interaction? DSL only costs 20 a month, let's do it! VPN and 2FA? Costs & our employees are going to kill us since that is too complicated. Updates of the OS and that application that was tailor made by the maker's daughter in law 10 years ago? Too risky and costly.

TL;DR Never attribute to malice that which is adequately explained by stupidity.


Internet connected or not they'll always be vulnerable.


More or less vulnerable is the question though.

Given the state of play with security, a connection to the internet is pretty much going to always be more vulnerable.


This is about nation state adversaries. There should be no illusions that they laugh at people who think they are safe behind air gaps and routinely cross them. Often both infiltrating and exfiltrating data.


Would you prefer systems being very easy to attack or very hard?


You can have easy to administer systems that are also secure. It's not mutually exclusive.


I prefer security focused organizations attempted to deploy their limited resources more effectively. Well trained and security conscious end users are very hard to attack.


I don't understand your point. Everything is vulnerable; you can never secure something fully. Security in layers is how security works, and disconnecting critical systems from the internet seems like a good layer to add.


See Stuxnet


Air gap systems can still be attacked.


“So far, there is no evidence that the United States has actually turned off the power in any of the efforts to establish what American officials call a “persistent presence” inside Russian networks, just as the Russians have not turned off power in the United States.”

The NYT decision to frame these efforts as “attacks” rather than “infiltration” is certainly an interesting one. In essence, the U.S. has built a (digital) mutually-assured destruction deterrent. We wouldn’t refer to past nuclear drills or tests as “attacks” on Russia, so I find the use of that phrase here intriguing. I assume they simply borrowed the vocabulary of security researchers, knowing that it would mean something different to much of their readership.


Uhh, I think "attack" is the only term. If you installed such software in US power plants it would almost certainly be described as "hacking," "a [cyber] attack", and likely if multiple targets "terrorism."

Regardless of your opinion US/Russia, we should all hold that words need objective meanings that can't be "bent" for convenience.


Yeah this is pretty basic information security terminology. An "attack" is any attempted intrusion, successful or not, damaging or not. If the threat actor managed to breach your defenses and gain unauthorized access, that's called an attack.

For some definitions:

https://www.beyondtrust.com/blog/entry/difference-between-a-...


I think it's an attack in the network/technical sense but not the strategic sense. There's a bit of a conflation of terms here because there are at least two layers to any operation like this; the system intrusion itself, and using the access to achieve some kind of real world objective. Militarily or strategically, this would just be something like reconnaissance and preparation, I think (I know almost nothing about militaries though). So it's a system attack but not an "attack-attack".


Since they're actively planting stuff in their systems, I consider calling it an attack appropriate.

That's not "testing nukes in your own desert", that is "sneaking into someone's factories and planting bombs", if we're looking for an analogy.

And I'm surprised that this is openly admitted by the US, and tolerated by both sides, instead of being treated as an act of war.


Maybe they’re both more concerned with attacks from terrorist groups than from each other.

The analogy would be one guy telling a colleague that his fly is down before a client meeting. They both might want the same position but an unrecognized failure would make them both look bad.


My impression is that it's easier to attack than to defend or detect. That would make the country who doesn't attack a sucker. So treating it as an act of war isn't viable.


If someone breaks into my house and plants a bomb under my bed, I'm comfortable calling that an "attack" even if they haven't set it off yet.


[flagged]


We've banned this account for breaking the site guidelines. You may not owe the New York Times better, but you do owe the community better if you want to post here.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future.

https://news.ycombinator.com/newsguidelines.html


Holy crap. This is huge news. Isn’t a cyber attack on critical infrastructure kind of an act of war? I’m not sure how wise this course of action is.


I recall reading, some years ago, that the US reserves the right to respond to cyberattacks with nuclear weapons. I wonder if Russia also does.

Playing games with power grids etc is arguably much higher stakes than fighters messing with each other, or even with passenger planes. Or navy ships passing too closely.

Edit: I guess that it was more like a heads up for adversaries. As in "don't think that we won't". Just in case you didn't think we were that hardcore.


Every state "reserves the right" to do whatever they want, including things they have previously claimed they will not do. That is literally the definition of sovereignty.


Point taken.

I guess that it was more like a heads up for adversaries. As in "don't think that we won't".


Countries in Europe have given up some sovereignty to the EU.

Example: https://en.m.wikipedia.org/wiki/R_(Factortame_Ltd)_v_Secreta...


Yes, the legal framework is there, but it is up to the members to enforce it.

It's the classic: "What are you going to do, hit me?" response after hitting someone. Just be glad most countries maintain some semblance of civility.


Hence the benefit of nuclear weapons. Although even the UK caved.


I reserve the right to argue with people I don't know, on the internet.


I don't think it can be related. For one, the US was referring to a cyber sabotage operation, not an attack in the sense of "an attack against a computer system". "Attack" has two very different meanings in this context. SSHing into a server is an attack and shutting down power for a city leading to 20 hospital deaths is an attack.

The original statement I could find [0]:

>recommending, in response to the "most extreme case" (described as a "catastrophic full spectrum cyber attack"), that "Nuclear weapons would remain the ultimate response and anchor the deterrence ladder."

I think this is referring to an unprecedented attack which intentionally kills many citizens. It's hard to imagine a scenario where nuclear weapons would be the warranted response, even if the cyber attack killed people, but I don't think the statement should be taken literally.

Either way, this is not that. These are the same espionage and sabotage games every big nation plays. Russia has been and probably is in many of our energy SCADA systems. China, too. And we're in theirs. That's just how things go in the 21st century. It will undoubtedly escalate; the real question is who will pull the trigger. (The US did at least once against the IRA, though that was in direct retaliation to disinformation campaigns aimed at destabilizing the US.)


> that the US reserves the right

From whom do they reserve that right?


OK, it was a bad choice of words.

Basically, the US has warned adversaries.


[flagged]


Yeah, I guess.

So just sayin', but I was in Moscow in 1984, when President Reagan's joke went public:

> My fellow Americans, I'm pleased to tell you today that I've signed legislation that will outlaw Russia forever. We begin bombing in five minutes.

Everyone pretty much knew that it was a joke, being that he was such a funny guy. But some folks in Ukraine did freak a bit, at first.

But this isn't just a joke.


It's part of a larger game these nations are playing. There will not be a war between Russia and the US. Not with China who is ultimately the enemy of both Russia and the US. These incidents are meant to keep each other awake.


It sets the stage for a false flag operation where the Chinese disable Russia's power infrastructure making it look like it was America.


False flag operations aren't a new concept, taking out Ukraine's power plants for a few hours could also be a false flag operation with Russia not even involved as a pretext to get more military funding. Or Russian links to Trump a false flag operation by some third party to install their own president. I've seen Russia used as a scary monster so often I always think "who does _actually_ benefit from this" whenever Russia comes up in news headlines.


> taking out Ukraine's power plants for a few hours

That didn't actually happen.


This depends. If blackouts start happening, the situation could escalate to war pretty fast.


Plus, what if multiple state actors penetrate a system and each lay their own "implants"? Mutually assured destruction only works if you can attribute an attack. Unless you're planning on destroying non-guilty actors too. What if NK, China, and Russia all hack the same system and then eventually the system fails catastrophically as a result of malware and no one takes credit. How could the US respond? What if the perpetrator were an adversary that wasn't even known to have penetrated the system?


True. The perpetrator could be some kid, doing it for lulz.

Edit: As in "WarGames".


What do you mean by "these incidents are meant to keep each other awake"? Why would you want to keep a competitor awake?


Keep them wary, so they don't get overconfident and try something that both sides will wind up regretting.


More of a show of force. The same way militaries physically project power to let the other side know what's possible.


China and Russia just "agreed to upgrade their relationship to a comprehensive strategic partnership":

https://www.youtube.com/watch?v=sWBEVwIdTxE


If so, then Russia, China, Iran, and North Korea have been at war with the US for years.


Have you read about the 2016 United States election interference? [1] Or the Russian probing of the US power grid? [2]

Russia has been attacking critical infrastructure in the US for years. This is at best an incredibly latent response from a government who in many cases welcomes these attacks.

[1] https://en.wikipedia.org/wiki/Russian_interference_in_the_20...

[2] https://www.nytimes.com/2018/07/27/us/politics/russian-hacke...


It's difficult to tell what's true and what is made up by the US military as a pretext to keep ratcheting tensions up (and justify their existence):

https://theintercept.com/2016/12/31/russia-hysteria-infects-...


You remember VPNFilter? I'd certainly consider that and other disinformation campaigns acts of war.


Wonderful. What better way to drive home the message that the Russian government’s strategy of control over internet and Great Firewall makes total sense from the POV of national security.


The new Russian law, which would be effective on Nov 1st, would hand the operation of routing (you read correctly, patching ISP's BGP tables) of over-the-border links to a state-run body (in case of emergency, which is basically whenever they'd want), so it's not a firewall; I'd like to call it the Red Internet Plug.


Should be called the Brown Internet Plug for what it brings.


>strategy of control over internet and Great Firewall makes total sense from the POV of national security

How do those contribute to national security? "control over internet"/gfw aka censorship isn't going to prevent any cyberattacks.


It makes it a lot easier for the Russian gov to sell "control over the internet" to the public.


Yes, and this. It’s a lot easier to sell the idea of defence against a common enemy when the enemy is actually real.


The same way that it helps prevent them in a corporate environment. I work for a security company and control over ingress and egress is absolutely a fundamental part of our network security.

Same as having a centralised firewall on a corporate ISP, having a firewall on a country level can prevent / monitor traffic to whole segments of IT infrastructure.


It's more of a backup system (for now?) than anything, so when things go south for them they can rely on something else. Just like GPS has many alternatives by other super powers, so when American military decided to turn it off, things would still work.


Wonder how much more sales the Russian firewall will generate to Cisco et al


Not much - there is now a law for this sort of equipment to be manufactured in Russia, with an increasing requirement of using locally manufactured components (as they gradually become available).

Currently a lot of the microelectronics is still manufactured in Asia but there has been a steady progress in acquiring capabilities to manufacture them within Russia. The costs are usually much higher due to much lower volumes, but since these mainly go to military and government infrastructure, cost is not a concern.


I think doing this type of work, causing possible disruption in another country's infrastructure during peace time is ethically problematic. Much more problematic than the ethically dubious things alleged on FB and Google. I hope there is some outcry against doing this type of work.


There's really no such thing as peace time. It's always war time, just not active conflict with full force military deployments.

Military might is what's keeping the peace. Any potential edge you give up can easily turn into an exponential advantage for your opponent. Ethics against similar force projection are a weak argument when defending your sovereignty.


It's a tit-for-tat response... until some treaty is signed which forbids it and then there is follow through from Russia. US plays hard ball if the other side is not playing fairly. You can hardly blame them.


The US plays "fairly" in international relations? Honestly amazed if anyone truly stands by that statement.

The irony of mentioning treaties too. That's some next level true believer stuff.

Would love to have a chat about:

* Chemical weapons convention

* Mine ban treaty

* Rome Statute of the International Criminal Court

* Comprehensive Test Ban Treaty

* Anti-Ballistic Missile Treaty

* Biological and Toxin Weapons Convention

* Kyoto Protocol

* Reneging on the Iran deal and then forcing Europe to do the same despite US intel chiefs saying Iran held up their end of the bargain.

* The half dozen worldwide commitments Trump has pulled out of in the last year, there's too many to count.

American foreign intel agencies have far more funding and skills than the next 10 largest countries combined. They do not play fair nor do they have to. Anyone claiming otherwise likely doesn't know much about it or wilfully ignores it out of nationalism.


> The US plays "fairly" in international relations? Honestly amazed if anyone truly stands by that statement.

If you consider how much power the U.S. has and how often it does not use that power to its fullest advantage, it's pretty remarkable how much it holds back.


Not being as evil as they possibly could is not really good.


There are dozens of countries murdering their own citizens. The US is not nearly as much of a problem as people want to make it seem and Pax Americana has led to almost a century without major worldwide war.


The death sentence is the same thing, just with more decoration.


You mean criminals tried, found guilty, lost all appeals, and sentenced to death? This is not the same thing as countries killing their own innocent citizens.


Yes. Many have been wrongly sentenced in spite of all those decorations.


There's a massive difference between wrongfully sentenced inmates and countries that kill innocents through authoritarian means. It's disingenuous to pretend otherwise.


There are similarities too.


Which are overshadowed by the differences. North Korea and the United States are not the same, but you already know this.


They are not overshadowed because life is not a commodity bartered according to rules of law. Once you take a life there is no restitution. Life is not a transaction: it is destiny, and it is above the law.

Rules and reasons for why killing is okay are therefore all equally wrong.


This is a religious stance and not how the world actually works, nor does it have anything to do with the previous discussion of the relative moralities and freedoms of countries. Since you think North Korea is the same as the US, there's nothing further to discuss here.


It is not religious. For now it is a fact that death is permanent.


I suppose Euthanasia is wrong in your book too?


No, you're wrong.


> There are dozens of countries murdering their own citizens.

I assume you're including the US in this, too.


In what way?


I don't think they're holding back so much as the Pax Americana system is the most profitable for them. They aren't powerful enough to choke the whole world, nor would they even want to.


This is actually a fair call. It could be far far worse. Still reasonable to complain about as a Western citizen barely affected if not benefiting from it.


I am a critic of the US but in this case it's not as if Russian hackers don't keep screwing with the US power grid.


But tit for tat responses are problematic. E.g.: Responding to terrorism with more terrorism is hardly going to lead to solutions. US supposedly does not operate in the same ethical-moral framework as the Russians. Is it even legal under American law to disrupt or cause damage to other countries' property, while not engaged in war? I think the whole thing smacks of extra-legality, and that is one place where democracies should not be going.


You won't have much of a country if you let the enemy get the advantage. Sovereignty is maintained through force.


... or perhaps just hire security professionals familiar with formal verification, then design secure systems?


Offense is the best defense. And simulations are not the same as the real world, especially for security.


> Russian hackers

This claim is repeated endlessly but I've yet to see any actual evidence of it. But that is par for the course in this era of disinformation.


Free pentests. Fix the fact that they can do it in the first place and secure your systems.

It can only be beneficial.

Option 1: Use the intrusions to plug holes and learn best practices to apply across the industry. Come out stronger from it.

Option 2: Escalate, fight back and ruin innocent people's lives thousands of kilometres away.


Even the major driver behind the mine ban treaty Frank O'Dea notes that the only reason the US didn't sign the treaty is no exception was made for the Korean DMZ. He gives significant credit to the United States for making the ban possible in the first place.

If you have time I highly recommend reading his book "When All You Have is Hope" - his transformation from an alcoholic to running a large coffee chain and then later charitable work is heartening.


If you look into the international treaties worldwide you'll find the US has exceptions made for it all the time to the point of making the treaties basically not apply to them.

Why are mines in the Korean DMZ more important than mines anywhere else on earth? Because if that was all it was about then why are US violations of the (non-signed) treaty still carried out across the globe? Mines were used in Afghanistan.

Exceptionalism and nationalistic fervour that demands inequitable laws isn't something to be proud of.

There's still thousands killed and maimed by US landmines each year in SE Asia and the sole country responsible has wiped its hands clean of it. You don't have to look far in Cambodia to see old women missing limbs thanks to Uncle Sam.

The actual legal steps to ban landmine usage and production only occurred in 2014 under Obama.


Mines along the DMZ are important because it prevents North Korea’s significant land army from crossing into the South. Without it Seoul is at significant risk.

Everyone points to the south’s modern weaponry and US backing as reasons why the DMZ mines are not needed. However the US had a significant tech advantage in the Korean War and almost lost completely (even before China entered the war). They were saved only by a daring beach landing in the Battle of Inchon.



I guess this explains what caused the power outage in Venezuela.

https://en.m.wikipedia.org/wiki/2019_Venezuelan_blackouts


""" Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.

Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.

Because the new law defines the actions in cyberspace as akin to traditional military activity on the ground, in the air or at sea, no such briefing would be necessary, they added. """

Way to bury the lede


"We hid this from the president because we were afraid he might issue a perfectly legal and constitutional order to stop doing it."

Yes, way to bury the lede.


That damn Constitution! It actually allows a president to stop us from going to war! We never knew, because no president in living memory has dared defy MIC...

(current office-holder is no exception)


Sounds more like, "We hid this from the president because he's _at best_ an unwitting intelligence asset to a hostile foreign power."


The fact that both interpretations are potentially valid is particularly awful.


"We hid this from the President because he would blab to our enemies for some reason" is absolutely a buried lede.


https://twitter.com/realDonaldTrump/status/11400653040196444...

Trump just accused the NYT of treason for using the word ‘attack’


I don't understand if he is accusing them because he denies it, or is it because of wording/"for being anti-american"?


What's to prevent these implants and beacons from being hacked themselves and turned on without US intent?


What happens to quality assurance when malware starts modifying systems? When malware starts modifying systems that have already been modified by other malware? Seems like a mutual game of Russian Roulette. Any attack that is not perfectly executed risks harming the system, even if the malware is never activated. This happens all the time with software upgrades that have been vetted. Are the spies doing regression analysis on the effects of their implants to make sure they don't accidentally break something?


It's weird, because I thought Putin and Trump were friends. There might be other things I'm not understanding, or that's just staged to tell the public Russia and Trump are not friends...


From the article:

>Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.

>Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.


Throwback to Madam Secretary.

On a more serious note, does the US have red teams which try to pen test our own power grid and other critical infrastructure? I don't believe I've ever heard of it, but I would have to assume at least one three-letter agency does it, right? (I hope)


Oh yeah, let's blow up another nuclear reactor so that HBO can shoot a great sequel! /s


War-games, anybody?! I just can't elaborate how stupid this kind of game is.


What's the workaround to the new NYT ad blocker blocker?


Do you mean anti ad-blocking or the new detection for "private" mode? It took the NYT like 6 hours after WaPo started detecting incognito mode for them to start doing the same thing. That was about a week ago.

I just open Chrome to read the articles, but if you want to be away from Google, install a Firefox derivative, set it up to accept trackers and the like, and delete all cookies on shutdown.


Yeah, I use Firefox Focus on mobile and it tells me I can't view it in private mode. I'll see if I can figure out how to implement your suggestions with it. Thanks for the tip.


Disabling JS and a DNS blocklist (such as PiHole or OpenWRT's adblock, my choice), seems effective.

uMatrix is invaluable, if you can install it.



Interesting. NYT had been disabled on Outline for a while.


I had no issues with uBlock Origin on Firefox


Add it to Pocket, or maybe use Firefox containers (I haven't actually tried that one).


I can confirm that it works well.


Simplified view mode in Chrome on your phone (may require flag set to enable).


Disable JavaScript on the site.


I don't understand a single bit from this article.


Rational people are often confused by the war media's agitation for war. The reason for the confusion is they are lying to us. Whenever I'm confused by the war media, I conclude they must be trying to start another war. They're pressing this button too often, though. Compare the results in Syria to those in Libya...


Genuinely asking: what is their motive behind this?


Assuming "their" refers to the war media, motives vary. Younger folks are just trying not to get fired. (Those who haven't even gotten hired yet have to cultivate a very careful Twitter persona even to be considered.) More experienced journalists can't get frozen out by official sources, whether that's the spooks, the brass, the lobbyist-owned politicians, or the surveillance-owned politicians. Editors/producers/executives have to worry about pissing off big advertisers. Lots of people on the talking-head shows are think-tankers, intellectually totally beholden to whatever shadowy reptiles have funded their sinecures and sabbaticals. Even if motives went the other way, at this point habit keeps them doing their masters' bidding, as witnessed by the schizophrenia regarding Julian Assange.

But, really, asking about motives is just another way to ignore this. Motives will always be squishy and deniable. Look at what actually happens. They lied us into Vietnam with the Tonkin Gulf Deception. They lied us into the First Gulf War with the incubator babies. They lied us into the Second Gulf War with WMDs. We went to war in Afghanistan and Osama turned out to be in Pakistan. They lied us into Libya with some random exiles living in Switzerland plus a French philosopher. They lied us into Syria (thankfully not all the way) with gas attacks staged by our ally Al-Qaeda. They're trying to lie us into Venezuela with a recession caused by our own sanctions plus staged attacks on soi-disant "aid convoys". Now they're trying to justify a war with Iran with a video of CIA operatives in a boat. If you prefer older history, "remember the Maine!" was also a lie.


This is silly. All of these systems should have an air gap. Period.


Yeah, tell that to the drivers of the hype train around cloud for IoT, which includes Microsoft.


Wonderful that we can do these things during peacetime.


Despite having received 18 votes in 5 hours and while never having advanced beyond page 3 on the list of trending links (position #67 currently), this piece trails behind another Times piece, "Why don't more American men take paternity leave?", which is on page 2 (position #45 currently), and which has received only 6 votes in the span of 8 hours.

WTF


It got a software penalty, probably correctly, because this topic is unfortunately more likely to lead to nationalistic flamewar than thoughtful discussion. But let's try taking the penalty off and seeing.

By the way, you can't derive story rank from points and submission time—HN's system is more complex than that. That's all that "WTF" means here.


> It got a software penalty

In other words, HN is not ranking posts by votes, but by some (presumably handcrafted) algorithm that shapes which topics are more likely to make it to the front page. TIL.


All our software is proudly handcrafted.

HN has always worked like that. There are three components to the system: community, software, and moderation. You need all three in order to keep a place like this functioning. It's no secret; we post about it all the time and are happy to answer questions.


Thanks for clarifying.


I know you can't really talk about it in detail but that sounds like an interesting way of filtering posts.

Which is a shame because I'm sure it is fascinating.


A "software" penalty. Okay, Dan. Why don't you just come out and say someone modded it, rather than hide behind the veil of some dubious natural language processing or ratio analysis.

That's like blaming the dog for a fart.

The truth is that everyone operating HN would rather keep users in the dark about how and why stories land where they do. The idea being that if we could predict what the software might do, we'd try to manipulate the narrative, and if we knew when the hand of god intervened we might dare blaspheme.

But that gives up the truth anyway, because if we cannot know what "the software" will do, then we are prevented from knowing such facts, only in service to a false narrative, and that, in and of itself, is an unnatural intervention and willful deception.


I didn't say someone modded it because someone didn't mod it—unless you consider writing code modding, which is not how most of us use those words.

When the software does a thing I say the software did it. When moderators do a thing I say moderators did it. Who knew that was controversial?


A ranking is not a story and humans are unnatural. You make unfounded assumptions.

Who prevented you from asking how the rankings work?


> The truth is that everyone operating HN would rather keep users in the dark about how and why stories land where they do

Well, yeah. Did you think that was a secret?


Maybe it's because the other piece has more comments?


[flagged]


> Just a thought.

I see this put at the end of crazy conjecture posts more often than I'd expect, why do you personally do it?


[flagged]


Less fake news than an openly credulous outlet for strategic US intelligence agency leaks attributed to "anonymous government officials."


You know how American press releases go lately. Reminds me of the efforts leading up to the Iraq war. Or the "deal" that was made with Mexico that is basically a PR effort with little to no actual action. Gotta keep those ratings as high as possible.


It probably is. Don't know why you got down-voted.


The USG is insane. The evidence of Russian interference in our elections is not that impressive and it probably didn't have much impact (compared with Clinton sending American advisors and billions to Yeltsin in the 90s).

Instead, to paper over the decrepit nature of the American political system, they are attacking civilian infrastructure in a nuclear armed nation. Insanity.


> ... to paper over the decrepit nature of the American political system, they are attacking civilian infrastructure in a nuclear armed nation. @tehjoker

Uh, I think what you /really/ mean is:

In retaliation to numerous US Network Infrastructure incursions -from the same entity- the US has attempted their own software implantation within the attacker's networks.

Fixed that for ya! ;)

_____

Also, from the article itself which you apparently didn't read:

""" Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid. Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.

Because the new law defines the actions in cyberspace as akin to traditional military activity on the ground, in the air or at sea, no such briefing would be necessary, they added. """


When Trump's base says that "the deep state" is trying to start a war between the US and Russia, it's quotes like these that will be used to bolster their claims.


Would they be wrong?

Edit: AFAICT both sides are "technically not wrong", homomorphic to the basic "free speech" argument, "it's technically not illegal".

I'm a bit flabbergasted that no one has constructed an ironclad technological solution to this wishy-washy dance of weak arguments, backed up by rhyme but not reason. Proof verifiers should come to politics.


They are not wrong unfortunately, just unaware of Trump's own complicity in the war machine.



