January 2008
Good NY Times Magazine Article on E-Voting (6 January 2008)
A License for Geiger Counters? (9 January 2008)
Hacking Trains (11 January 2008)
A New Internet Wiretapping Plan? (15 January 2008)
The CIA Blames Hackers for Power Outages (18 January 2008)
Apple Adds the Missing Applications to the iPod Touch (23 January 2008)
The Dangers of the Protect America Act (27 January 2008)
Massive Computer-Assisted Fraud (29 January 2008)

The CIA Blames Hackers for Power Outages

18 January 2008

According to the CIA, hackers have turned off power in some foreign cities as part of an extortion plot. The intrusions took place over the Internet.

It’s scary that this can happen, but it shouldn’t surprise anyone. Ten years ago, the National Security Agency conducted an operation known as Eligible Receiver, in which a team of simulated hackers showed that they could shut down the US power grid. Remember how much less use of the Internet there was then — and the system was still vulnerable.

It’s tempting to say that the operational networks for the power grid (or the financial system, or the railroads, or what have you) shouldn’t be connected to the public Internet. Unfortunately, that’s difficult to do, because there are operational needs for interconnection. For example, in some jurisdictions customers can switch among different power generating companies in real-time. But this isn’t just a billing artifact, to be resolved later; the total demand load on a given company has to be communicated to it, so they can adjust the performance of their generator. Even without that, there generally needs to be connectivity to internal corporate nets, so that engineers can monitor and adjust system performance.

Many people will respond that that doesn’t conflict with the ability to create separated nets. In theory, that’s true. In practice, maintaining the air gap is very hard. Even the Defense Department can’t always do it; viruses have spread to classified networks in the past.

As I noted a few days ago, computer security failures can have real-world consequences. This is yet another example.