U.S.'s Biggest Gasoline Pipeline Halted After Cyberattack

washingtonpost.com

258 points by opaque 5 years ago · 217 comments

tidydata 5 years ago

There’s nothing in this article indicating the operator has a recovery plan in place involving restoring backups to get these systems online. Seems grossly negligent on their behalf, and made almost satiric by the fact that FireEye can be mentioned without reference to their own massive security lapses.

Too much focus always on the “hackers” and never the obvious security lapses solved by diverting executive pay to more bodies and training to cover them, but oh well right?

  • aristophenes 5 years ago

    You think FireEye had massive security lapses because they reported they were hacked. Everyone else was also hacked and FireEye was the only one that figured it out and blew the whole thing wide open. Now if the best incident responders in the world can’t always prevent malicious activity on their network, how is an oil company going to do that? Or utilities, transporters, hospitals, defense contractors, or universities? The truth is everything is vulnerable, and what you think is the stability and security of all the other organizations you don’t hear about getting hacked, is just the current set of hackers working hard to be discreet. I think if war was to break out with certain other nations we’d find out in a hurry how much our infrastructure has already been compromised.

  • thisisnico 5 years ago

    IT is typically grossly understaffed and underfunded in these businesses. At the site-level, you'll see some very out of date tech running critical systems. IT is a cost-center to be reduced as much as possible, oversight is non-existent.

    • crmd 5 years ago

      You always know you’re dealing with one of these companies when IT reports up into the CFO.

      • Bukhmanizer 5 years ago

        I used to work at a scientific research institute where the entire IT department reported to a single researcher for no apparent reason.

      • adolph 5 years ago

        Could be worse, I saw IT reporting through HR once upon a time.

  • nimbius 5 years ago

    It's difficult to chastise a country that misses the forest for the trees, when that country has spent sixty years fomenting a culture of blind consumption and wilful ignorance of anything STEM. Instead of a flourishing culture of hacking and computing, the United States through DMCA and law relegated the notion to comic books and Hollywood fiction. Most of the public war drumming for 'hacking' (if it could be said to exist at all in 2021) is a thinly veiled surrogate of consumerism.

    What reason would we have to blame the company for poor security hygiene? What possible outcome could we hope for when in 2021 nearly every SolarWinds customer renewed their license after the hack?

    • andrewmcwatters 5 years ago

      What are you talking about? The country has spent so much time on STEM, that we have a trade labor shortage.

      Please.

      • bdangubic 5 years ago

        The reason the country has spent so much time on “STEM” is not that there is a labor shortage but that salaries of “STEM” people are too high and business owners need more people not to fill shortages but to overflow the system such that salaries go down significantly.

        There is no shortage of labor for jobs paying high 6-figures … :-)

    • stanfordkid 5 years ago

      The problem is our government. There is no shortage of STEM graduates -- we have the best and brightest. Our government has failed to set the right incentives for the private market to innovate on critical infrastructure... so naturally the smartest STEM grads end up building Netflix or Facebook.

  • bariumbitmap 5 years ago

    I'm here to bring a message from the future: they did have usable backups, according to a news article published just a few days after this one:[0]

    > Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.

    It's hard to get the full story from a single article, and larger publications like the Washington Post tend to focus on the most recent statements from federal agencies and corporations rather than details that you and I find more interesting. Sometimes I wish that newspapers would do more of a synopsis of news stories a month or so after the fact to give more context and "lessons learned" or "what impact has this had?". I would prefer that much more to the "breaking news" approach.

    [0] https://www.bloomberg.com/news/articles/2021-05-13/colonial-...

  • jb775 5 years ago

    Was just gonna say this sounds like your classic case of a business scoffing at the high price of software devs.

    I'd wager a guess that their current IT team was worked to the bone on profit-focused projects, but will be 100% blamed internally by the execs.

    • ethbr0 5 years ago

      Failures accrue down, to people who do work. Successes accrue up, to managers who decided it should be done.

      It's almost like this arrangement was by design...

  • rectang 5 years ago

    Executives are rewarded extremely handsomely for short-term returns. Even if the company goes under, they've long ago accumulated enough wealth to live out their lives fabulously. The incentives to invest in security are weak.

  • bamboozled 5 years ago

    > There’s nothing in this article indicating the operator has a recovery plan in place involving restoring backups to get these systems online.

    No one cares about that type of work that’s why. It’s ridiculous but true.

jtchang 5 years ago

In a twisted sort of way I am happy to see these types of ransomware attacks making headlines. Before it was much harder to quantify how much a breach might cost but with ransomware you get a fuzzy lower bound. Also the prevalence of these attacks might actually make us all safer in the long run.

  • dehrmann 5 years ago

    This one in particular is good because it's public, it's not that scary, but it's easy to make the jump to scary attacks.

  • enkid 5 years ago

    Absolutely, it's better to have a ransomware attack against the workstations instead of a more developed attack that blew the pipeline up.

    • runeks 5 years ago

      This is interesting. Ransomware authors may be protecting their targets against destructive attacks since this would reduce their profits. In the same way that botnets attempt to protect their host from being infected by competing malware.

  • vmception 5 years ago

    Agreed. It also tells us where bug bounty rewards should be in value. As the structure of bug bounty programs is completely wrong and the rewards are undervalued.

    The market is literally saying they are undervalued.

    The flogging will continue until bug bounties improve.

  • bourgwaletariat 5 years ago

    I think I understand your POV and can see why one might find some peace in it, but I don't. More crime, or I suppose more news about it, so we know how much crime costs? More attacks make us safer? It's a means justify the ends argument, but it doesn't hold water.

    It's eerily similar to "burn it all down" https://en.wikipedia.org/wiki/Accelerationism, which, itself is on the rise and burning from both ends.

    I infer your point to be that more attacks might cause the victims to step up their defenses. It's a cat and mouse game. Always has been in all realms.

    "It'll get worse before it gets better." I've been hearing that for decades. I'm starting to wonder, due to what appears to be a decline in civility. Following the rules only works if we all do. Those who eschew the rules have an obvious advantage.

    Where has integrity gone? We are tearing ourselves apart and justifying it ... or coming to terms with it I suppose, by saying it'll be better some day.

    Well... when... exactly? By what measure will we know?

    I know Steven Pinker, Hans Rosling, and various folks say it's the best time to be a human. Okay. Sure. I see the math. I'd like to see them update their charts for data out over the past year.

    But ... anecdotally, none of that math seems to percolate down to my community. The people around me are in constant fear. I just saw a woman walking down the road, all by herself, I had clear vision for a mile and saw no one else but her... and she was wearing a mask.

    She was afraid. She was anxious. Regardless of the relative safety that exists today, or the belief that it'll be safer tomorrow because of the lack of said safety, the people around me aren't feeling it.

    They're buying guns because red people are coming for them... or the blue people already are. Or the government will. There is literally no milk at the store because of an HDPE shortage prompting the grocer to put a Force Majeure notice on the dairy fridge door.

    Trust has broken down. Fear of our own neighbors is up. Crime is up. Poverty is up. Suicide is up. Cyber crime is up. Inflation is up. The Gini coefficient is up.

    I really have trouble believing that making it worse real fast, or even reporting more of it, is going to make it better.

    I don't see it.

    • nradov 5 years ago

      Trust and integrity are irrelevant when it comes to professional cyber criminals who likely live in another country. Continually escalating cyber attacks are our new reality. There is no possible way to prevent the attackers from trying. Thus the only option is to harden our systems.

      I expect after a few major crises involving mass casualties or major economic losses the federal government will mandate that private industry completely disconnect certain critical infrastructure control systems from the public Internet. Basically the same approach used by SIPRNet.

      • bourgwaletariat 5 years ago

        It's absurd to suggest there is only one option.

        • nradov 5 years ago

          What is the other option?

          • no-s 5 years ago

            > What is the other option?

            letters of marque for the nation-state actors. bounty hunters for the criminals. There's a lot of options, I suspect using the financial systems to stop bad guys is probably going to miss the mark and produce emergent unintended consequences.

            I.E. it's going to get bloody.

            • nradov 5 years ago

              What a silly idea. The Chinese will conduct a false flag cyber attack to trick us into retaliating against the Russians.

              • TeMPOraL 5 years ago

                Hell, your own government may conduct a false flag attack to fabricate a casus belli against anyone they wish. It's not like governments don't do such things.

          • bourgwaletariat 5 years ago

            You still think there's only one other option? There are probably at least dozens if you think about it.

    • sky_rw 5 years ago

      While you’re probably right on the zeitgeist aspect of this, I think you’re missing the practical aspects of what OP is talking about. We have major vulnerabilities to key infrastructure components. Publicly exposing these helps harden them. Yes 9-11 added a ton of security theater and fear, but it also resulted in armored doors on airplane cockpits. I’d like to see the armored door of the energy infrastructure implemented.

      • bourgwaletariat 5 years ago

        That's not the society I want. I don't want stronger doors everywhere. Tougher locks everywhere. Onerous security everywhere.

        I prefer a society where passengers are free to chit chat with the pilots when they aren't busy. Where children who might be interested in being a pilot can see a cockpit in the air and how it's done.

        I remember reading about the history of security in ancient Rome. The lengths to which normal citizens had to go to to protect their homes. I don't want that. No one wants that. No one wanted that then either.

        It's a distraction from productivity. It's a constant worry factor that consumes brain waves that could be spent making all our lives better.

        Instead, we have to divert our attention to those who want to make it worse.

        • ridethebike 5 years ago

          Do I want security cameras/metal detectors/metal doors and other <s>police state</s> security measures everywhere? No. Do I want to have all that in electrical plants/pipelines/nuclear reactors and other objects of critical infrastructure - yes. If that means employees there would need to spend more time for annoying security checks(additional password prompts, 2FA, metal detectors, etc) - sure, I did all of that when working for one of British banks, mildly annoying but feasible. If that means more taxes - I'm ready to pay.

          One can't just tell Russians/Chinese/Iranians "we have open and free society so please don't hack into our electric grid" and expect it to work.

          • bourgwaletariat 5 years ago

            Those things already exist in electrical plants/pipelines/nuclear reactors and other objects of critical infrastructure. Eliminating the ability of people to casually enter and access/alter/destroy this infrastructure isn't the issue.

            And yeah... we exactly can say that. We do it all the time. We almost blew up the world because Russia sent some missiles to Cuba.

            There's no reason the digital war can't have physical repercussions. If a foreign nation invades our digital properties, we drop a bomb on their electric plant.

            Simple as that.

            • sofixa 5 years ago

              > There's no reason the digital war can't have physical repercussions. If a foreign nation invades our digital properties, we drop a bomb on their electric plant.

              > Simple as that.

              Do you think people would support a nuclear war (because if the US bombs Russia or China, the response could very well be nuclear) as a response to hacking? And are you aware that the US is one of the most active countries on the cyber warfare front? (Snowden, the various NSA toolkit leaks, etc.) Should Iran respond with bombs when Israel and maybe the US sabotage its nuclear industry? Should Russia respond with nukes when the US disrupts GRU operations?

            • ridethebike 5 years ago

              >> drop a bomb on their electric plant

              Not gonna happen. Because: a) that would almost surely mean all-out war (in case of Russia/China - with country that has nukes), started by US b) dropping a bomb on electric plant of country that has at least some air defense (and I think it's safe to assume Russia/China/Iran have plenty of that) is not simple

        • mindslight 5 years ago

          While I wholeheartedly agree with what you're saying for the physical world, the digital world is completely different. In the physical world, the scope of any action is inherently localized. But with digital systems it takes just one person out of seven billion (or even just the right software bug) to create a global scale problem. The Internet is best treated as a source of malicious noise.

          • bourgwaletariat 5 years ago

            The main purpose of government is to protect its citizens from foreign invaders. I don't see any difference here.

            • mindslight 5 years ago

              So then you're up against the halting problem at the "digital border" and you've only reduced the problem to say one in 300 million.

              There are many differences. I already mentioned locality and scale. Another is that it's possible to make secure software (aka math) that precludes undesirable behavior a priori, whereas such thing is impossible in the real world.

              • bourgwaletariat 5 years ago

                A) It's not a halting problem. B) Digital borders exist all over the net. We use them every day to secure all sorts of things.

                • mindslight 5 years ago

                  > That's not the society I want. I don't want stronger doors everywhere. Tougher locks everywhere. Onerous security everywhere

                  > Digital borders exist all over the net. We use them every day to secure all sorts of things

                  Erm, how do you square these two sentences?

                  I took your first comment to be arguing against software security in general, presumably in favor of more post-facto enforcement when people violated authorization boundaries.

                  Your response then seemed to focus on mitigating the cross-jurisdictional issues that make post-facto enforcement hard, by having some sort of software-based security enforcement at a "border", and then relying on post-facto enforcement inside of that.

                  Now you seem to be supporting software-based security in the form of firewalls everywhere?

                  If we continue along this trend to even more local, we'll get to fewer firewalls (because they aren't that good of a technology), with security pushed out to the edges. Which is where best practices seem to be headed (BeyondCorp, etc), but is directly antithetical to your initial comment.

                  • bourgwaletariat 5 years ago

                    No it isn't. Arguing with people like this is just boring.

                    Not interested.

                    • mindslight 5 years ago

                      What isn't? I'm earnestly trying to understand what you're actually advocating, as your perspective seems to be shifting with each comment. If I have characterized your previous comments incorrectly, it was done in good faith and please correct me.

                      • bourgwaletariat 5 years ago

                        I'm exactly advocating for the federal government to do its job and protect its citizens and their property from foreign enemies.

                        It's not my job to protect my house from a foreign military that might want to come into it and steal things from me.

                        Nor should I install radar systems to alert me to enemy aircraft. That's why the USA spends the better part of a trillion dollars on the military.

                        That's my government's job and they should do that job. That's what I'm saying.

                        If a foreign government sent boats full of marauders to our shores to steal from people's homes and stores, you think the government would look the other way?

                        I don't. I think they'd blow the boats up and kill the marauders.

                      • mindslight 5 years ago

                        FWIW, I hadn't realized you were the one that started the whole thread. By "initial comment" I meant the first comment I responded to - https://news.ycombinator.com/item?id=27090800 .

                        You've got a good point about general fear and trust breakdown with your top level comment (although not your inference from someone wearing a mask alone outside, there are many good reasons for that such as the possibility of coming up on someone, not wanting to fiddle with it while going between places you need it, etc.)

motohagiography 5 years ago

Let's see if 15+ years of security people getting after critical infrastructure asset owners like this has made any difference. At least they detected something and shut it down to control the response. They also know the costs to repair and replace things. I don't suspect the pipeline uses a federation of heterogeneous systems to operate its SCADA actuators, so I would speculate it is likely a single firmware vulnerability facilitating it.

The global chip shortage for replacement parts if they are needed seems like a strategic coincidence. Definitely an evolving story.

  • procarch2019 5 years ago

    I work in control systems OT space. A lot of distributed control systems and scada systems interface with the business layer in some fashion to provide access to time series and event data and to allow for alerts via email/mobile. Some people do this properly with good network segmentation, firewalls, A/V and patching, etc (there are several standards that dictate best practice). That said, even when doing it properly you're introducing attack vectors. I don't think it would be a firmware vulnerability, but instead something malicious affecting the computers they use to control the process.

    • motohagiography 5 years ago

      The reason I'm going for firmware is while the HMIs could have had a SolarWinds-style exposure, but that's just any generically wormable OS vulnerability, and not something that should cause a physical shutdown.

      To shutdown a pipeline, it's not a management console issue, hence why I'd speculate it's in the ICS devices themselves, which probably use uClinux toolchains on SoCs from one or two large vendors. I did some smart meter and ICS security work in the 00's, and there were a few vendors who would be strategic targets. The attack tools available now are unbelievably better, while the attack surface is pretty much the same due to the long lifecycles of ICS components, and considering today we've got cheap SDRs and gnuradio blocks for most wireless protocols, AVR tools, buspirate and the good/greatfet, ghidra/ida, and python for reverse engineering, the vulnerability research on this stuff moves way faster than the industry ability to respond.

      If this is a serious attack, the only way to respond will be if they are very lucky, it's a worm and they can stand up a honeynet with spare gear to catch a sample and any good infosec firm can pull it apart. But if it's an active APT group, there's probably a political solution, as given what's possible, this would seem to be just a shot over the bow.

      • procarch2019 5 years ago

        I get what you're saying and that could very well be the case, but I think the 'pipeline' as a whole requires a lot of handshaking between the different stations. They would not be able to do this without their supervisory control layer (or at least it would be particularly difficult). That alone could have caused them to shut it down.

        Additionally, if there was a whiff of malicious software or unintended access I would imagine they would want to make sure it didn't get into other systems. That would involve isolating and possibly shutting down machines and equipment.

        I guess we'll see when they release more information. I would imagine that we'll get more details since this is critical infrastructure.

      • rhodozelia 5 years ago

        If the management console has a button or controls that would allow the person sitting at the management console to shut down the pipeline, which systems usually do have an emergency stop button in case there is an accident, then all you need is access to the management console to write one bit to the controller that says “operator pressed estop”

        No need for firmware vulnerabilities in VxWorks when there are internet connected Windows PCs.

      • RhodoGSA 5 years ago

        Very interesting, kinda spooky.

        Peer-to-peer threats from a world power perspective seem to be less bullets and more code. Any cyber warfare would just end in both parties destroying critical infrastructure until there's none left. War of attrition, skipping completely past the military and affecting the civilian population directly.

    • sandworm101 5 years ago

      >> but instead something malicious affecting the computers they use to control the process.

      I bet there is a layer of Windows XP machines involved in a legacy control system. XP machines that weren't supposed to connect to the internet somehow have malware on them. It doesn't even have to do anything. Simply the detection of anything in such circumstances is enough to warrant them being shut down.

      • procarch2019 5 years ago

        Totally agree, see it all the time. I even know of a few NT systems floating around out there. At least most companies are getting their IT involved to mitigate (usually they work with the vendor because they know nothing about control systems). They usually provide funding to the automation groups. People are starting to take it seriously.

    • tw04 5 years ago

      Why wouldn't you use a unidirectional connection for time series and event data? I understand why you might want to send things out to the rest of the world, I can't fathom why you wouldn't require physical access to have write access.

      • procarch2019 5 years ago

        Some time series data interfaces only work with TCP comms, which means you can’t always rely on unidirectional networks. I agree you should use them where possible though.

        I replied to a comment on a dupe post regarding PAT, in which analysis is done on process data and fed back into the process to increase efficiency or yield. Obviously there are varying levels of criticality where the risk vs the business reward might not be worth it though.

      • exikyut 5 years ago

        Genuine question (that I've been seriously wondering about for a long time): how do you implement validated attestation that a piece of log data has reached nonvolatile storage, triggered appropriate alarms, and that those alarm events have been acknowledged, while using a data diode type setup?

        • mikewarot 5 years ago

          If it is critical to have the log, it has to be local. Infrastructure shouldn't die if an internet connection goes down.

          You can send the status of the log out through the data diode, along with a copy of the data.

        • 8note 5 years ago

          What do you do when this attestation fails? Eg. A fox chewed through the cable and the ack can't be received.

        • jtchang 5 years ago

          Depends on your setup but a message bus architecture with polling would work.
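
A sketch of the arrangement discussed in this subthread, added here as an example and not code from any commenter: the plant-side log is authoritative, and a copy of each record plus a status frame (how far the local log is durable, alarms raised and acknowledged) goes out one way. The frame layout, the pre-shared key and the class names are constructed for illustration; with no return path, the monitoring side can only detect loss, not repair it.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: provisioned on both sides out of band
HDR = struct.Struct(">BQH")     # frame type, sequence number, payload length
DATA, STATUS = 1, 2
MAC_LEN = 32


def encode(kind, seq, payload, key=KEY):
    """Frame = header + payload + HMAC-SHA256 over both."""
    body = HDR.pack(kind, seq, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decode(frame, key=KEY):
    """Return (kind, seq, payload), or None if the frame fails any check."""
    if len(frame) < HDR.size + MAC_LEN:
        return None
    body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    kind, seq, length = HDR.unpack(body[:HDR.size])
    payload = body[HDR.size:]
    return (kind, seq, payload) if len(payload) == length else None


class PlantSide:
    """Low side of the diode: writes locally first, then emits a copy."""

    def __init__(self):
        self.log = []        # stands in for the local nonvolatile log
        self.raised = 0      # alarms raised locally
        self.acked = 0       # alarms acknowledged by a local operator

    def append(self, text, alarm=False):
        self.log.append(text)
        self.raised += 1 if alarm else 0
        return encode(DATA, len(self.log), text.encode())

    def acknowledge(self):
        self.acked = min(self.acked + 1, self.raised)

    def status(self):
        # The sequence field carries "local log is durable through this record".
        return encode(STATUS, len(self.log), struct.pack(">II", self.raised, self.acked))


class MonitorSide:
    """High side: cannot ask for a resend, so it tracks what it never saw."""

    def __init__(self):
        self.records = {}
        self.durable_through = 0
        self.raised = self.acked = 0
        self.rejected = 0

    def receive(self, frame):
        decoded = decode(frame)
        if decoded is None:
            self.rejected += 1
            return
        kind, seq, payload = decoded
        if kind == DATA:
            self.records.setdefault(seq, payload.decode())   # duplicates are harmless
        elif kind == STATUS and seq >= self.durable_through:
            self.durable_through = seq
            self.raised, self.acked = struct.unpack(">II", payload)

    def missing(self):
        return [s for s in range(1, self.durable_through + 1) if s not in self.records]

    def unacked_alarms(self):
        return self.raised - self.acked


def simulate():
    """Constructed run: one corrupted copy, one record lost entirely."""
    plant, monitor = PlantSide(), MonitorSide()
    events = [("pump 2 start", False), ("pressure 61 bar", False),
              ("HIGH PRESSURE station 7", True), ("valve 12 closed", False),
              ("pressure 48 bar", False)]
    for text, alarm in events:
        frame = plant.append(text, alarm)
        seq = len(plant.log)
        copies = [frame, frame]              # no retransmit, so send every frame twice
        if seq == 2:
            copies[0] = frame[:-1] + bytes([frame[-1] ^ 1])   # bit error on first copy
        if seq == 4:
            copies = []                      # both copies lost on the link
        for copy in copies:
            monitor.receive(copy)
    monitor.receive(plant.status())
    before = (monitor.missing(), monitor.unacked_alarms(), monitor.rejected)
    plant.acknowledge()
    monitor.receive(plant.status())
    return before, monitor.unacked_alarms()
```

The monitoring side should raise its own alert on a non-empty `missing()` list or on status frames that stop arriving; the record itself is still safe in the plant-side log.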

    • bilbo0s 5 years ago

      This.

      I've said it a thousand times, all the security in the world will not defend a SCADA system if someone left TeamViewer running somewhere.

      Don't mean to pick on TeamViewer. It could be any number of packages, but I think security minded people get an idea of the type of attack vectors I'm talking about.

      • procarch2019 5 years ago

        It is mind boggling the lack of basic security principles some people have. I won't just put that on the plants and their IT/OT, or lack thereof. I've seen plenty of vendors and integrators do some cringe worthy stuff too.

        • rhodozelia 5 years ago

          The whole automation industry is a security disaster but it is because security isn’t part of the deliverables for any party. It isn’t in the specs, civil, mechanical, electrical engineers it isn’t their responsibility.

          If the owner has an IT department they usually don’t want to be responsible for it either since locking things down leads to weird issues with legacy proprietary SCADA systems.

          There is no out of the box secure solution available yet. Rockwell certainly makes an attempt with their factory talk directory but I highly doubt that isn’t easily worked around somehow.

          • procarch2019 5 years ago

            Yea, that is correct. I typically put together the solutions for new systems, including security. I give the sales team part numbers and hours for security software and related hardware. They then add that as an option to quotes. No principal automation engineer wants to take that on and no IT want to be involved. Also, when money is tight that’s an easy target for them to pass on.

            Luckily I’ve pushed enough over the years that we at least include A/V software as mandatory.

            I’ve been able to carve out a nice space within my company bridging the IT/OT divide. It’s been particularly good recently since the bigger companies are dictating good cyber practices, but rely on integrators and vendors to implement.

            I don’t think there will ever be an out of the box solution unless a system stands on its own, which is becoming increasingly harder with modernization and reliability efforts. Add on top of that privileged access, remote monitoring and support, automated (kind of) patching, etc. you have to interface with the IT side a bit.

            • rhodozelia 5 years ago

              Sadly the OT networks are 100% trusting of any device on the network. With Schneider PLCs any device on the OT network can write to any addressed memory register over Modbus - it’s like direct memory access (DMA).

              I hope that one day every device on the OT network has a YubiKey and all messages are signed so that no unauthenticated access is possible.

              • procarch2019 5 years ago

                Interesting, I'll have to take a look at YubiKey. I just installed a Tofino firewall with the Modbus Enforcer LSM between one of our DCS and accompanying SIS systems. We have never had a system communicate process data directly up the networks except through OPC (mostly DA, which is even more problematic for firewalls). Luckily OPC UA is now natively supported on our application, so things are starting to move in that direction.

                Luckily a lot of our customers use PI, so we install the PI OPC interface on the application layer and only PI ports need to be opened to the next level.

                Even more so the vendor we work with, Emerson, even has IPD firewalls to go between the DCS computers (engineering, historians, operator stations) and the I/O (what we refer to as level 2). The price tag can really jump when you implement all these security features, but an argument can easily be made that it's worth it when you consider some of our customers run batches that can be worth $500K or more per batch.
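
The kind of check a Modbus-aware filter can apply to the "any device can write any register" problem raised above, as an added example that is not from any commenter and not any vendor's implementation: parse each Modbus/TCP request, pass reads, and allow writes only from listed stations into listed address ranges. The addresses, rule set and frames are constructed, and since Modbus/TCP carries no authentication the source address is only as trustworthy as the network segment.

```python
import struct
from dataclasses import dataclass

READ_CODES = {1, 2, 3, 4}      # read coils, discrete inputs, holding and input registers
WRITE_CODES = {5, 6, 15, 16}   # write single coil/register, write multiple coils/registers


@dataclass(frozen=True)
class WriteRule:
    source: str    # IP address of a station allowed to write
    unit_id: int   # Modbus unit id the rule applies to
    first: int     # first writable address, inclusive
    last: int      # last writable address, inclusive


@dataclass(frozen=True)
class Request:
    unit_id: int
    function: int
    address: int
    count: int     # number of coils or registers touched


def parse_request(frame):
    """Parse one Modbus/TCP request; raise ValueError on anything unexpected."""
    if len(frame) < 8:
        raise ValueError("truncated MBAP header")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function = frame[7]
    if function not in READ_CODES | WRITE_CODES:
        raise ValueError("function code %d is not on the allowlist" % function)
    if len(frame) < 12:
        raise ValueError("truncated PDU")
    address, third = struct.unpack(">HH", frame[8:12])
    if function in (5, 6):
        count, expected = 1, 12            # third field is the value written
    elif function in READ_CODES:
        count, expected = third, 12        # third field is the quantity
    else:
        count = third                      # 15/16: quantity, byte count, data
        data_len = 2 * count if function == 16 else (count + 7) // 8
        if len(frame) < 13 or frame[12] != data_len:
            raise ValueError("byte count does not match quantity")
        expected = 13 + data_len
    if count < 1 or len(frame) != expected or address + count - 1 > 0xFFFF:
        raise ValueError("bad quantity, trailing bytes or address overflow")
    return Request(unit, function, address, count)


def decide(source, frame, rules):
    """Return (allowed, reason) for one request seen from `source`."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return False, "rejected: %s" % exc
    if req.function in READ_CODES:
        return True, "read"                # simplification: reads pass for any source
    last = req.address + req.count - 1
    for rule in rules:
        if (rule.source == source and rule.unit_id == req.unit_id
                and rule.first <= req.address and last <= rule.last):
            return True, "write permitted by rule"
    return False, "write to %d-%d from %s is not allowlisted" % (req.address, last, source)


def build_frame(unit, function, address, third, payload=b""):
    """Build a constructed test request (transaction id fixed at 1)."""
    pdu = struct.pack(">BHH", function, address, third) + payload
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: one engineering station may write registers 100-199 on unit 1.
RULES = [WriteRule("10.0.0.5", 1, 100, 199)]

READ_HOLDING = build_frame(1, 3, 0, 10)                            # read 10 registers
WRITE_SINGLE = build_frame(1, 6, 100, 1)                           # write register 100
WRITE_OVERRUN = build_frame(1, 16, 195, 10, bytes([20]) + bytes(20))  # 195-204
DIAGNOSTICS = build_frame(1, 8, 0, 0)                              # function code 8
```

The overrun case is the one a plain port-based firewall rule cannot see: the write starts inside the permitted range and ends outside it.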

        • no-s 5 years ago

          > It is mind boggling the lack of basic security principles some people have.

          OpSec - it's not just a buzzword, it's the Way.

  • User23 5 years ago

    Shutting down pipelines is insanely expensive. Under normal circumstances maintenance work, including welding, is done on live pipelines. The guys that do that job are extremely well compensated, last I knew hundreds an hour, and maybe a little crazy.

    A shutdown is a huge deal and means they’re taking this extremely seriously.

koheripbal 5 years ago

Washington Post reported it was a ransomware attack.

It may not have been a targeted attack.

  • nabilhat 5 years ago

    The WaPo article itself is much more detailed. The bits about the age and fragility of Colonial's pipelines are far more significant than ransomware. Colonial's continued neglect is more disruptive than any single attack on the pipeline. The persistence of unreliable infrastructure is a more valuable disruptive asset to an organized opponent than a single targeted attack.

    Tangent - Also interesting, the WaPo article [0] bears little resemblance to itself from only hours ago [1]. The article has grown by about 50%, while contents have come and gone. That's my favorite application for archive dot is - Seeing the timelapse of iterative releases, watching journalism bend and sway in the current of its own response. I'm not making any judgements, the internet is already sloshing with useless hot takes about journalism and media. It's just fascinating to see the modern editorial process at work, out in the open.

    [0] https://www.washingtonpost.com/business/2021/05/08/cyber-att...

    [1] https://archive.is/vlNs2

  • tedk-42 5 years ago

    20 odd posts and yours is the only sensible one.

    It's certainly a security incident but until we know more it's hard to say the infrastructure was specifically targeted for an 'attack'

nfoz 5 years ago

I hope this ransomware called itself the Da Vinci virus? Because this sounds a whole lot like the plot of Hackers [1].

The greatest movie of all time, btw.

[1] https://en.wikipedia.org/wiki/Hackers_(film)

mikewarot 5 years ago

Connecting infrastructure to the internet is something that is done for many reasons. It would be a vast improvement of security if most of those connections went through a data diode[1] and only allowed monitoring.

Knowing what is happening now with critical infrastructure, through the internet, can be done in a completely safe manner. It is a solved problem.

[1] - https://en.wikipedia.org/wiki/Unidirectional_network

  • jeffbee 5 years ago

    What would be the difference between having a data diode between your control and monitoring network and external monitoring systems, versus just splitting the monitoring part off into a completely separate network with ordinary two-way traffic?

    • stunt 5 years ago

      What you explained doesn't solve the problem. You still want to have a unidirectional network in place, at least between your critical infrastructure and the monitoring systems.

      Monitoring systems are usually separate and often have their dedicated network too, but they still need some sort of network connection to your critical infrastructure to do their job (monitoring).

      • mikewarot 5 years ago

        If you put a data diode between your infrastructure and the internet, you can see the status from anywhere, yet never compromise it from the outside.

        • stunt 5 years ago

          Yes, I think we are on the same page.

          I was trying to explain that having a separate monitoring infra and network group wouldn't work as a replacement for a unidirectional network setup, because you still need to open network access between critical infra and the monitoring system in your design, which will expose it to the internet.

          So like you said, you still need to have a unidirectional network in place.
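
What the one-way constraint discussed in this sub-thread means for a monitoring feed, as an added example that is not from any commenter: with no return path there are no ACKs or retransmission requests, so the sender repeats frames and the receiver can only detect loss. The frame layout, the HMAC key, the sensor readings and the channel faults are all constructed for illustration, and the model assumes in-order delivery over a point-to-point link.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"    # constructed placeholder, provisioned out of band
HEADER = struct.Struct("!IH")    # assumed layout: sequence number, payload length
TAG_LEN = 32                     # HMAC-SHA256 tag size


def encode_frame(seq, payload, key=KEY):
    """Plant side: build one self-describing, authenticated datagram."""
    header = HEADER.pack(seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def transmit(readings, repeats=2, start_seq=0):
    """Plant side: fire and forget. Every frame is sent `repeats` times
    because the diode gives the receiver no way to ask for a resend."""
    wire = []
    for offset, reading in enumerate(readings):
        frame = encode_frame(start_seq + offset, reading)
        wire.extend([frame] * repeats)
    return wire


class DiodeReceiver:
    """Monitoring side: it can receive and validate, and has no send path."""

    def __init__(self, key=KEY):
        self.key = key
        self.next_seq = 0
        self.readings = []   # (seq, payload) pairs accepted so far
        self.gaps = []       # sequence numbers that never arrived
        self.rejected = 0    # datagrams dropped for failing validation

    def receive(self, datagram):
        if len(datagram) < HEADER.size + TAG_LEN:
            self.rejected += 1
            return
        header, rest = datagram[:HEADER.size], datagram[HEADER.size:]
        seq, length = HEADER.unpack(header)
        payload, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if len(payload) != length or not hmac.compare_digest(tag, expected):
            self.rejected += 1
            return
        if seq < self.next_seq:
            return  # redundant copy of a frame that was already handled
        # Anything skipped is lost for good: record it so operators can alarm
        # on missing telemetry instead of silently trusting a stale view.
        self.gaps.extend(range(self.next_seq, seq))
        self.readings.append((seq, payload))
        self.next_seq = seq + 1


def demo():
    readings = [b"pump7 psi=812", b"pump7 psi=815",
                b"pump7 psi=990", b"pump7 psi=811"]
    wire = transmit(readings)  # 8 datagrams carrying seq 0,0,1,1,2,2,3,3
    # Constructed channel faults: one copy of seq 0 lost, one copy of seq 1
    # corrupted in transit, both copies of seq 2 lost.
    corrupted = wire[2][:-1] + bytes([wire[2][-1] ^ 0xFF])
    delivered = [wire[1], corrupted, wire[3], wire[6], wire[7]]
    receiver = DiodeReceiver()
    for datagram in delivered:
        receiver.receive(datagram)
    return receiver


if __name__ == "__main__":
    rx = demo()
    print("accepted:", [seq for seq, _ in rx.readings])
    print("missing:", rx.gaps, "rejected:", rx.rejected)
```

Redundancy covers the single lost copy and the corrupted copy, but the reading whose copies were both dropped can only be reported as a gap, which is the operational cost of having no back-channel.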

Xunxi 5 years ago

It's only a matter of time, there's gonna be physical casualties at some point in time. We've all seen it in the movies. Experts have warned of the dangers of tethering vital utilities controls to the internet.

Is it not possible to develop a protocol or device that operates outside of the web but functions like the 'two-man' rule used to launch nuclear bombs?

  • lazide 5 years ago

    Those devices don’t work like a nuclear bomb control does - that is adding resistance/controls to taking an action.

    The appropriate analogy is more like a nuclear reactor. They require some system controls to stay functional and healthy (water temp increases in loop x, increase motor speed of pump y, if already at or exceeding speed z, set off an alarm).

    These controls need constant monitoring in a control station somewhere, sometimes tuning or fixing if there is a bug or issue somewhere, etc.

    A lot of the cost of a nuclear plant is trying to cover every possible scenario and being compliant with endless regulations for stuff like this (and everything else).

    That most non-nuclear plants don’t want to deal with the hassle and expense shouldn’t surprise anyone. That non-nuclear plants often don’t even TRY to cover basic cases SHOULD dismay and surprise people. These issues have been well known and publicized for literally 30 years.

    A reason safety guys in these industries have the saying ‘regulations are written in blood’ is often not because no one sees the danger. Rather, until the body count reaches a certain point, no one can justify the expense to require it be fixed.

  • dreamcompiler 5 years ago

    > the 'two-man' rule used to launch nuclear bombs?

    Yes. It's called Threshold Cryptography and it generalizes the 'two-man' rule to require that N of M authorized users agree to an action.

    But it's not really necessary here. What's needed for infrastructure is to get it off the internet and to quit using insecure operating systems and languages.

  • Jerry2 5 years ago

    >It's only a matter of time

    According to some sources, it's been done before:

    >CIA plot led to huge blast in Siberian gas pipeline

    >Thomas Reed, a former US Air Force secretary who was in Ronald Reagan's National Security Council, discloses what he called just one example of the CIA's "cold-eyed economic warfare" against Moscow in a memoir to be published next month.

    >Leaked extracts in yesterday's Washington Post describe how the operation caused "the most monumental non-nuclear explosion and fire ever seen from space" in the summer of 1982.

    >Mr Reed writes that the software "was programmed to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds".

    https://www.telegraph.co.uk/news/worldnews/northamerica/usa/...

  • extropy 5 years ago

    It's like 100x more expensive.

    Would be nice to have separate data lines, running fiber optics sealed in pressurized conduits for double tamper detection. The military actually does this for their critical infra.

    • mschuster91 5 years ago

      > Would be nice to have separate data lines, running fiber optics sealed in pressurized conduits for double tamper detection.

      At least German Telekom has been doing this for ages for the trunk cables serving entire areas with analog phone service - although not for tamper detection as an anti-espionage measure, but rather to detect and pinpoint damage to the cables, e.g. from excavators, tree growth or splice seals degrading.

  • shagie 5 years ago

    One such example... a test done at the Idaho National Lab

    https://www.wired.com/story/how-30-lines-of-code-blew-up-27-...

    That lab tends to specialize in cybersecurity and infrastructure.

    https://www.wired.com/2011/10/idaho-national-laboratory/

    The critical infrastructure part of the lab:

    https://inl.gov/critical-infrastructure-protection/

  • lebuffon 5 years ago

    "It's only a matter of time, there's gonna be physical casualties at some point in time. We've all seen it in the movies."

    You mean like a pandemic? ;)

v8dev123 5 years ago

All these attacks are usually caused by two things, office macros and mimikatz.

  • rurban 5 years ago

    Easier: Microsoft Windows

    • v8dev123 5 years ago

      I recall the Russians did a full featured malware for macOS called Proton. You may find videos of that on YouTube.

      Of course, macros work in macOS too if the user has installed Microsoft Office.

    • trompetenaccoun 5 years ago

      The government needs to finally ban Windows. In addition to being insecure it's used by many criminals for their scams and blackmail operations.

t3rabytes 5 years ago

A few years back we had two different instances of this pipeline getting shut down from newly-found leaks. While they say it won’t cause gas shortages, these articles tend to drive people to the pumps in droves in the southeastern states served by it (like mine, NC!).

rossdavidh 5 years ago

So, two possible responses by the government to the current increase in these kinds of attacks:

1) blame the lack of computer security in our infrastructure, and work on improving that

2) blame cybercurrencies, and try to eliminate them

Any bets on which one our government will choose?

  • coffeefirst 5 years ago

    Both are correct.

    The state of computer security is unacceptable and needs to be fixed. Today it's profit-motivated extortionists, but anything they can do is also an option for spy agencies, and is it really that hard to imagine anti-oil activists pulling the same stunt some day?

    On the other hand, crypto is the thing behind the profit motive. If crypto is impractical (if there were no way to convert it to real currency), the profit incentives for these attacks (and mining, for that matter) break down.

    I realize this isn't a popular opinion around here, but we should probably do both.

    • randomhodler84 5 years ago

      Yes, we need to ban math. Math is the root of cryptography; which is the root of cryptocurrency. Ultimately it’s numbers. They are the worst. Everything bad comes from the interaction of points on elliptic curves.

      Get out of here with this.

      • echelon 5 years ago

        Cryptocurrency, not math and cryptography.

        Cryptocurrency is a bunch of people thinking their bets are more important than the government's control levers of monetary and fiscal policy. They'd rather make a quick buck and disregard the fact that this takes away our government's sovereignty. Our government's ability to bail out the economy, protect its most vulnerable.

        It's more important that the Winklevosses and early supporters get all the economic upside, and it's just fine if the US dollar slides into the abyss. Lower income folks surely won't get screwed by this.

        Never mind the fact that cryptocurrency is destroying the environment. That's just a minor detail.

        Cryptocurrency is selfishness and hubris.

        All the smart people working on this insanity would be doing the planet much better if they were working on fixing social media or making tools for cancer researchers. I'm not for telling people what to do with their lives, but this observation seems pretty obvious to me.

        • LMYahooTFY 5 years ago

          > Our government's ability to bail out the economy, protect its most vulnerable.

          How did the bailouts in 2008 help the vulnerable people who were subjected to predatory loans and lost their homes?

          > Never mind the fact that cryptocurrency is destroying the environment. That's just a minor detail.

          Can you back this up with any data? Just went through a paper published on this topic by a couple of environmental researchers and the methodology was quite awful, and the authors did not understand mining.

          I'm happy to discuss any data you have.

          I'm a bit pessimistic because you don't sound open to the idea that cryptocurrencies have any value at all.

          • imtringued 5 years ago

            >How did the bailouts in 2008 help the vulnerable people who were subjected to predatory loans and lost their homes?

            They didn't but they kept the banking infrastructure alive. What I never understand however is that the government doesn't give that bailout money in exchange for newly issued shares which they then sell for a profit once the bank is back on its feet.

        • imtringued 5 years ago

          >They'd rather make a quick buck and disregard the fact that this takes away our government's sovereignty.

          This isn't true. For every person buying Bitcoin thinking they are hedging themselves against inflation there is someone who sells Bitcoin because they think the exact opposite. So this doesn't take the government's sovereignty because someone ends up with a lot of USD at the other end and you can still apply things like negative interest rates on accounts with huge balances.

          Ironically Bitcoin is a very poor inflation hedge because of its periodic bubbles and extreme volatility. The bubble can pop exactly the moment inflation goes up and ruin the "hedge" until the next bubble exceeds the current all time high again.

        • randomhodler84 5 years ago

          It isn’t, and you might be a little misinformed. But it’s ok, you can scream into the abyss as long as you like.

          We don’t want to cure cancer (don’t know how). We want to free the world of the tyranny of central banking, debt-based economies and theft of savings through inflation. It is a noble endeavor. Selfishness is continuing along the old broken road. There are new, better ones.

          • DangitBobby 5 years ago

            How do cryptocurrencies save you from a debt based economy or inflation? Don't you still need to pay for goods and services in the same debt-based economy? How does the flavor of money change whether someone needs to go into debt? What would prevent cryptocurrency values from inflating or deflating?

            • gspr 5 years ago

              It's best not to ask. I'm starting to believe that these people are exhibiting cult-like behavior at this point.

            • yyyk 5 years ago

              Inflation is mostly a monetary phenomenon. They'd limit creation of new money so it very rarely happens, and then we get deflation.

              Of course they'd end up printing money via some L2/L3 and we get the same deal. If we actually followed through, we'd get permanent deflation which is an obvious disaster even without accepting the Keynesian arguments against it (I find that part of Keynesian thinking to be mostly false).

              • imtringued 5 years ago

                >Inflation is mostly a monetary phenomenon

                In an economy, where everything is scarce and people can't get enough of the things that they need. The US and EU economies are not like that. Turkey is like that, Zimbabwe is like that, Argentina is like that, Venezuela is like that.

                In the US the only scarcity exists in housing and it is purely self inflicted. All inflations are caused by scarcity or shortages, solve the shortage and you solve the inflation. Covid won't be here forever, any shortages it causes won't be permanent but it may take years to recover if you are pessimistic.

                • yyyk 5 years ago

                  We're hardly at a post-scarcity economy. At most we can say that (poor quality) food isn't scarce. Education, housing, transportation, medical care etc. are scarce. Self-inflicted? At least to some extent. But artificial scarcity is still scarcity when you're on the receiving side.

            • adventured 5 years ago

              A large cryptocurrency like Bitcoin is entirely capable of functioning like gold as a hedge against fiat inflation.

              I'm not much of a crypto cultist (which is the latest trend here on HN, to tag anybody that defends crypto with that to shut down conversation), however it's extraordinarily obvious at this point how cryptocurrencies can help you evade inflation in eg USD or evade the debt damage to the US economy. Bitcoin for its part is global and not primarily dependent on the condition of the US economy, and it's likely to become increasingly global and even less dependent on the US over time.

              > Don't you still need to pay for goods and services in the same debt-based economy

              Of course. This is a case where crypto is even better than gold. It's particularly trivial to convert in and out of traditional fiat.

              Surely you understand enough about cryptocurrencies at this point to know how easy that is. And it appears likely to keep getting easier, given the effort companies like Coinbase, Robinhood and Square are putting into it (check out what Square did in its latest quarter courtesy crypto).

              > How does the flavor of money change whether someone needs to go into debt?

              The parent said debt based economies. The US has an economy and government system that is increasingly drowning in debt (check out the corporate balance sheets in the US; nationally it's horrific; that situation has been spurred on by the Fed's forever low interest rates, which encourages corporations to take on ever greater sums of debt because it's artificially cheap, which will ultimately lead to zombies ala Japan). The Federal answer to that is to print ever increasing sums of fiat USD, because there are no foreign buyers left that can absorb tens of trillions in new US government debt. The Fed unavoidably becomes the primary buyer of the US Government's debt (this is where a nation begins eating itself; that began for the US over a decade ago now as a trickle, that trickle is picking up pace). Once upon a time not so long ago it was a huge deal that China held a trillion dollars of US government debt, now that sum is a joke, a mere portion of one spending program this week or next. That's how quickly the US is imploding fiscally.

              How does Bitcoin help you with that if you're stuck in a debt based economy? Well it's very obvious. The Fed will keep printing aggressively to fund the US Government's finances. And the Fed will have to hold interest rates as low as possible forever now, because the US Government can't afford its debt any longer at normal interest rates (3% * $40 trillion = bye bye social security or medicare or the US military). That need by the US to inflate massively, to constantly debase the rapidly expanding monster pile of debt, can be hedged via gold, sometimes via high quality stocks, and possibly via crypto (pick the one/s you think will endure).

              And as this all gets worse, the tax hikes have to keep getting worse, which will choke off growth, which accelerates the stagnation and makes everything that much worse. All in all, the average rate of growth in the US economy will keep sinking toward zero.

              Given enough time, somewhere between 10 and 20 years depending on how wild the clowns in DC get with spending, they'll have to begin directly debasing the USD to accomplish their goals (they'll promptly educate the public on how it's economically beneficial to devalue their currency), it won't be enough to do it slowly. There's nothing novel about any of this, we already know exactly what the playbook looks like, see: Japan. The US will be able to maneuver a little better than Japan has courtesy of having the global reserve currency (although at the rate they're destroying things, that global reserve position will drop out even faster than it was otherwise going to).

              The only way Bitcoin & Co aren't useful given where the US is obviously going at this point, is if the powers that be get so desperate about the context that they outlaw crypto or otherwise make it very impractical (artificially add enormous cost to owning it, via tax or regulation).

              • DangitBobby 5 years ago

                You've used the word obvious several times, but strong political opinions and conjecture underlie every aspect of this response. Debt-based economy does not obviously refer to the fact that the dollar is printed by the fed. Your response also doesn't really address how it saves us from the debt based economy that we all have no choice but to participate in. There is no debate about whether sovereign currencies will continue to be maintained by governments. They will, and they will use their military might to protect the sovereignty. Your position here is akin to saying that if I park all my money in gold, I am no longer a victim of the debt based economy.

                I don't know if the gradual, typically controlled and predictable inflation of fiat currencies is worse than constant value fluctuations due to speculators in cryptocurrencies, but that's obviously for each individual to determine for themselves.

                I am also curious, is it impossible for new BTC (for example) to be minted? Is it possible to change that? My understanding is yes. If so, it sounds like someone could play the same role as the fed there if they really wanted to.

                And what happens to the value in the event of a fork of BTC that attempts to make BTC actually useful as a currency instead of just as a commodity? Is this an additional vector of instability in the value of the "currency"?

              • mariojv 5 years ago

                I think this take is a little alarmist.

                Yes, the national debt is increasing, but from 2000 to 2020, the percent of federal debt owned by the Fed increased from ~11% to ~18%. [0] That is hardly uncontrolled money printing. Private investors are still buying the bulk of treasuries despite the low interest rates, because they're extremely safe investments. I do believe that inflation will pick up a bit, especially for assets vs. consumables, but I don't buy the idea that we'll see anything much worse than what was going on in the 70s or 80s.

                As far as the size of the debt, we're close to where we were in terms of debt to GDP ratio after World War II, but the cost to the country in terms of GDP of maintaining the debt has held fairly stable throughout modern history. [1] Considering the historically unprecedented impact of COVID-19 and the cost of dealing with the crisis, a temporary bump in debt is totally unsurprising to me, especially with how cheap it is to borrow.

                I don't have a strong opinion on whether crypto will hold value well over decades or not, but I find arguments that crypto's rise is inevitable because the collapse of the USD is inevitable to be particularly unfounded.

                [0] https://fredblog.stlouisfed.org/2018/04/whos-buying-treasuri... - expand and compare Q4 2000 to Q4 2020.

                [1] https://fred.stlouisfed.org/series/FYOIGDA188S

              • imtringued 5 years ago

                >The parent said debt based economies. The US has an economy and government system that is increasingly drowning in debt (check out the corporate balance sheets in the US; nationally it's horrific;

                Yes, that is what happens when your currency is the world reserve currency. Every nation exports their products to you but they never want to import anything from you. Therefore you run into a domestic unemployment problem and you must take on an increasing amount of debt just to keep your economy stable. That's the "exorbitant privilege" the privilege to be forced to take on debt.

                It's called a privilege because smart leaders recognize that you can have your cake and eat it too but neither Obama nor Trump have taken advantage of that, all they did was let the disadvantages outweigh the benefits. Trump merely wanted to reduce the disadvantages by starting a trade war with China.

                >that situation has been spurred on by the Fed's forever low interest rates,

                Those low interest rates aren't spurred by government debt. They are spurred by low inflation, if possible the interest rates would be at -1% or deeper but things like treasury bonds, cash and in theory Bitcoin prevent interest rates below 0%.

                >which encourages corporations to take on ever greater sums of debt because it's artificially cheap, which will ultimately lead to zombies ala Japan).

                Yes, those corporations are supposed to grow their business and employ people, even if those companies are useless to society, because the beneficial effects of employment will completely outweigh the downsides of zombie companies. However, inflation never came and unemployment is taking forever to shrink. (precovid of course)

                >The Federal answer to that is to print ever increasing sums of fiat USD, because there are no foreign buyers left that can absorb tens of trillions in new US government debt.

                There are lots of foreign buyers for USD though which drags inflation way down.

                >The Fed unavoidably becomes the primary buyer of the US Government's debt (this is where a nation begins eating itself; that began for the US over a decade ago now as a trickle, that trickle is picking up pace).

                This argument makes sense when the debt is fueled by Trump style tax cuts because you are ruining your ability to pay the debt back in the future, I mean, how are you supposed to pay the debt back if not by raising taxes above previous levels?

                If you spend it on one time stimulus the risk of the debt growing only exists until the economy has recovered. If you spend the money on infrastructure you can actually net a greater return in the future.

                >Once upon a time not so long ago it was a huge deal that China held a trillion dollars of US government debt, now that sum is a joke, a mere portion of one spending program this week or next. That's how quickly the US is imploding fiscally.

                It's a huge deal in the sense that it obligates the Fed to increase the money supply and the government to increase debt as mentioned in my first point. China buying US government debt IS the problem, in the sense that it forces the US government to go into more debt. If China is actively hurting the US economy, it is doing so by buying US debt which means it is not importing products from the US, which means China is not creating jobs in the USA. If China ever decides to unwind its US debt only good things will happen to the US economy.

            • randomhodler84 5 years ago

              I think the answer to those questions has been answered more eloquently elsewhere. They are good questions, and have complex and nuanced answers. I wish you luck in your quest.

              • DangitBobby 5 years ago

                Well, you have been convinced of these things so it seemed like you might have stumbled across convincing resources. I'm sure there's a bunch of garbage to filter through on this topic on the open internet.

          • imtringued 5 years ago

            >We want to free the world of the tyranny of central banking

            You've been living the last 20 years under the tyranny of lack of fiscal stimulus. The biggest problem with the Fed is that it's the job of the government to distribute the money fairly for everyone and since Obama nobody did the necessary fiscal stimulus but this is changing thanks to Biden.

            >debt-based economies

            That just means more unemployment than necessary.

            > and theft of savings through inflation.

            What about theft of future potential through deflation? Does the future generation really owe you more than you worked for yourself?

            >It is a noble endeavor.

            Noble as in for the aristocracy, who have inherited and did nothing with their wealth but grew it anyway?

            >Selfishness is continuing along the old broken road.

            Biden has already left the old broken road.

  • foobiekr 5 years ago

    (2) isn’t wrong though. Ransomware dates to 1989 but the uptick goes hand in hand with the rise of cryptocurrencies for the obvious reason that you don’t steal what you can’t fence and cryptocurrency has changed the risk and feasibility dramatically.

    I’m not saying I support government action here but we should be honest about the situation.

    • rapjr9 5 years ago

      How did criminals pull off international blackmail, kidnapping, and extortion before cryptocurrencies? Did it always require a local bagman? Could ransomware criminals not resort to the same tactics?

  • wolverine876 5 years ago

    That's quite a strawperson - it creates a fictional story and then criticizes the characters.

    The U.S. government has been addressing computer security in infrastructure for a long time.

    • mcguire 5 years ago

      ...which is why these sorts of attacks almost never occur and are always so resource intensive that no criminal would ever think of doing so for ransom?

      • wolverine876 5 years ago

        Is your argument that if there's a problem, the government must not have tried to prevent it? We still have cancer; does the NIH exist? We still have crime, food poisoning, car accidents ...

    • joejerryronnie 5 years ago

      I’d prefer a new Cybersecurity branch of the military with full funding and resources rather than Space Force.

      • wolverine876 5 years ago

        Should the military be handling domestic cybersecurity? That seems especially perilous to civil liberties, something out of dystopian sci-fi.

        The military's role isn't to provide peace and justice for citizens, it's to kill people and destroy things. That's not an insult to the military, that's what soldiers will tell you; we need to be realistic about it. They should not be operating around civilians in peacetime (except in special circumstances).

        • dillondoyle 5 years ago

          Not securing cyber and our infrastructure will kill and destroy things.

          What would be an example of a civil liberty violated by for instance standing up a large Brigade or service of tech soldiers who secure, patch, work to shore up our critical infra and services? + a lot of funding; we already prop up the lockheads of the country.

          I agree that it seems our Gov. can't be trusted not to intrude into our communications and other civil liberties.

          But this is more about industrial control, supply chains, the foundation of software etc.

          The gov didn't react or try to stop speech attacks on digital platforms even though they knew it was happening. They didn't even report it was happening because of I think naive political concerns.

          Personally I liken it to missile defense and other existing programs which we spend a HUGE amount of money on.

          Not securing our infrastructure could have even bigger consequences.

          We're already in a growing cold war, personally I think decent potential to go hot within a decade.

          Even looking at the little publicly reported easy hacks, let alone the unknown advanced capabilities of state actors, the first salvo attacks will probably wipe out a huge portion of both sides' infrastructure and basic digital necessities to function in our society. At least we're getting more serious about defending space because the military has their own assets up there.

          Maybe MAD would focus these attacks on military targets but I don't trust these nation states, or perhaps our own, to limit the radius. And maybe it's not even possible with how interconnected things are.

          • wolverine876 5 years ago

            I completely agree that the infrastructure needs to be secured, and that it requires a lot of funding. I'm saying the military is the wrong organization for domestic operations.

            What happens when the military believes an attack is coming from a private citizen? Can they spy on or take action against that person? Can that alleged attacker's computer be seized? On what evidence? What if the military determines that effective security means surveilling a wide area before an attack, or collecting all citizen data to have a source to search for clues in case of an attack? What if they determine, which some already agree, that the best defense is a good offense?

            I'm of a mind that the security should be a regulation, and the infrastructure operators have to meet it. The NIST can develop standards and techniques, but the safety of infrastructure is part of the cost of doing business. Your plant can't be a menace to the community due to risk of explosion, pollution, etc. - it seems no different. The operators have gotten away with buying cheap, crappy IT for years. It's time to invest seriously in rigorous, quality engineering.

            • dillondoyle 5 years ago

              There are also a ton of scary 'laws' like extrajudicial 'border' areas which go wayyy into our country from agencies that are being militarized. Justice doesn't need swat teams...

              I would be into a non-military branch. It baffles me we haven't funded this. Regulations are also a good first step, but don't seem enough alone. Though HIPAA and SOC seem fairly ok at least with low level stuff.

              If we're going to spend $2T on infra throw at least $100 billion on this, some more to pay to onshore more critical chip & manufacturing. But Republicans are stuck on cars.

      • BoorishBears 5 years ago

        I've always secretly hoped warfare would move to the digital realm solely.

        We have some shades of that happening already, but I imagine a future where instead of sending young people to die, warring nations wreck each other's economies remotely... which again isn't too far from current day.

        While there'd still be casualties it wouldn't be nearly as barbaric as current wars, more developed nations would finally have as much skin in the game as disadvantaged ones, etc.

        The way I see it, the best way to discourage war is to make it unprofitable. If war just becomes directly hurting each other's ability to make money I could see war, or erm excuse me armed conflicts, getting a lot more unattractive.

        • lebuffon 5 years ago

          Covered in the original Star Trek series over 50 years ago.

          https://en.wikipedia.org/wiki/A_Taste_of_Armageddon

          People marked as casualties had to report to the disintegration chamber.

        • dillondoyle 5 years ago

          I'm not sure it wouldn't be as barbaric at least if that word means human suffering and death. But I agree it's the future of war.

          • BoorishBears 5 years ago

            Human suffering and death are not binary things.

            War will always be a bad thing, but putting people on the ground in a foreign land with the mission to kill others has always amplified the horrors of war many many times over.

            Taking out power in half the US for a day would kill thousands, but it's the equivalent of an all out attack on the US.

            Compare that to if another country were to physically commit to an all out attack and it's easy to see why this would make future wars look like minor skirmishes compared to what's happened in the past

            • dillondoyle 5 years ago

              I agree the worst of humanity comes out in war. We'll see what happens with China vs. US. I doubt we'd see nuclear at least, but maybe the new tactical weapons make that more likely.

              I think the difference in our viewpoints might be that I don't think it would just be power out for a day.

              I think it would be far far worse.

              Explosions, power out for months. Exploding a pipeline much harder to repair.

              Cutting off chip supply with the precipitating attack on Taiwan so we can only access our onshore capacity, if there isn't a cleanroom breach taking weeks or months to recover. Or say an attack on ASML.

              Sewer services going out or changing the mix to make water not or less safe. Dams.

              It's just such a huge amount of our day to day lives; even very simple out of date XP hacks take a while to patch, let alone something like the supply chain chip attack Bloomberg reported and never retracted - which is still weird in my mind and something I could totally see as a current reality on both sides with a long history of similar 3 letter behavior from US.

              • BoorishBears 5 years ago

                I don't see how any of that wouldn't be worse than conventional warfare.

                At that point where we're being attacked with pipelines exploded we'd be getting bombed.

                It's a lot easier to fix a contaminated water treatment facility than a pile of rubble. Same for every other form of technology.

                It's almost tautological, the system controls malfunctioning at worst can only destroy the system, conventional warfare defaults to destroying the system.

        • joejerryronnie 5 years ago

          I think you’re going to see this more and more (at least with wealthy nations). And I think the motivation for war has always been primarily about profit.

          • BoorishBears 5 years ago

            It's been motivated by profit, but this harms the motivation

            Right now it is profitable for us to go to war. Contracts are signed, jobs are created, it is good for powerful wealthy people for the country to be at war. And if you're powerful enough the risk of retaliation is so low that it's all gain and no cost (outside of human cost which is never enough apparently)

            With this type of war the equation would be switched. Going to war directly harms wealthy benefactors, who as a result of their wealth hold political influence.

            We're already seeing that aren't we? Espionage at companies like Boeing and Lockheed Martin. It's not harming any "normal person" but it's directly hurting the pocketbooks of powerful people. It creates incentive to avoid conflict in a way that (unfortunately) young men and women dying doesn't seem to have done in the past

  • aardvarkr 5 years ago

    That's a pretty low-effort dig at the government. What the hell does that have to do with something that is obviously state-sponsored cyber espionage? Go troll somewhere else.

    • kingsuper20 5 years ago

      'obviously'? Meh.

      One argument you can make is to partly defund the surveillance-based departments and agencies and put together a cybersecurity agency who is tasked with hardening the country's systems. I have no idea how someone would build a legislative and personnel firewall to protect it from the existing need to peep through keyholes, it's probably not possible.

  • rasz 5 years ago

    Both options sound sane, so I guess it will be

    3) blame Russia/China

  • waihtis 5 years ago

    Didn’t see anything about ransomware in the article?

  • raverbashing 5 years ago

    3) investigate and neutralize the groups behind the cyberattacks

ArkanExplorer 5 years ago

Given Government inaction on climate change, could we begin to see motivated individuals or groups taking matters into their own hands and targeting fossil fuel infrastructure in this manner?

  • aardvarkr 5 years ago

    That would be domestic terrorism and is an easy way to turn the entire population against the cause

    • adrianmonk 5 years ago

      It could do more harm than good, but it remains possible that someone will do it anyway. It's a legitimate scenario for these types of companies to consider in their cyber-security planning and preparation (assuming they have any).

      • pm90 5 years ago

        Domestic attacks would be somewhat more difficult to carry out without being detected. It’s much easier for the Government to track domestic actors since there’s so much data collected on them both Nationally and by local law enforcement.

        That’s why international attacks are more prevalent and bold: they’re not as easily traceable. However, that also comes with its downsides: if the USG wants, it might just use lethal force against you.

        So ultimately the people who tend to do this repeatedly end up being state owned or state protected actors, who are likely offered some sort of protection by their State from retribution by the USG.

        • zero_deg_kevin 5 years ago

          1/6 looked pretty easy. It also looked like it was pretty easy to catch the most gods-awfully expensive intelligence agencies in the world completely flat-footed.

    • ArkanExplorer 5 years ago

      With a bus load of activists you could probably shut down a coal mine or coal power plant. Just repeat the interruptions until the location is closed.

      Environmentalists used to chain themselves to trees. Would the same physical actions work for climate change?

      It's difficult to see the public being opposed to this when coal infrastructure is on the edge of irrelevancy anyway and easily replaced.

bourgwaletariat 5 years ago

I wonder if this has anything to do with the Colonial gas pipeline leak? It's been a problem for over 8 months now. Was in the news recently again. Over a million gallons spilled, but they don't really know how much.

https://www.msn.com/en-us/news/us/eight-months-later-colonia...

CallMeMarc 5 years ago

On the good side, someday we’ll probably get an episode of Darknet Diaries on this one.

flakiness 5 years ago

After reading "This Is How They Tell Me the World Ends" [1], I feel the world working normally is rather sheer luck. (Probably I'm very late to realize this, but anyway.)

To me the only reasonable survival strategy is redundancy, but I have no idea how we can reach there.

[1] https://www.amazon.com/This-They-Tell-World-Ends/dp/16355760...

dsyrk 5 years ago

I’d be curious to know how much ransom is being asked. Before Bitcoin something this big was impossible to try and pull off.

croes 5 years ago

Seems like this company has more than just IT problems https://newrepublic.com/article/161498/huntersville-north-ca...

neonate 5 years ago

https://archive.md/kEziH

mimikatz 5 years ago

We need to have military responses to these attacks. Ransomware is running rampant because they don't fear any punishment for attacks. If people attacked our hospitals and pipelines with explosives we wouldn't sit by and do nothing.

  • detaro 5 years ago

    To take the last high-profile ransomware gang stopped, if we ignore for a moment that the US didn't find them, you think sending US special forces into Ukraine to arrest or kill some unarmed dudes in a basement would have aided US interests more than just having local law enforcement arrest them? Does this policy of deploying troops expand to gangs in NATO member states and other close allies?

  • boomboomsubban 5 years ago

    >If people attacked our hospitals and pipelines with explosives we wouldn't sit by and do nothing.

    You are proposing that we attack them with explosives, are you fine with them retaliating in kind?

    What if you lived next to some hackers targeting a foreign country, would you think it's acceptable to get blown up for their actions?

  • walrus01 5 years ago

    Precisely ascribing the origins of a malware attack, with 100% confidence, to one specific nation state is a very hard problem to solve. The time/effort that it would take for one nation to launch an attack on a 2nd party, seeming to come from a third-party, or one of their own adversaries, is not very great.

    At least not with the 100% confidence that politicians would want before the US military starts dropping JDAMs on buildings.

    I would give fairly even odds that something like this is the work of an organization nation state, and also even odds that it's the work of some underemployed teenagers in a basement.

Griffinsauce 5 years ago

It's hilarious to me that a country that invests so much in their military doesn't seem to invest in the security of their infrastructure at all.

The entire war machine will grind to a halt without oil. It would be one of the first things to attack.

  • wait_a_minute 5 years ago

    lol war machine? what war machine? there's proxy wars and internal civil conflicts happening abroad, and definitely shady profiteering in some places, and definitely refugee crisis many of which are caused by climate change actually...but what war machine are you talking about? there's no real war out there. if there was, most of us wouldn't be here posting anymore. I hope to God there's never actual war out there.

protomyth 5 years ago

Perhaps we should pass a law that no utilities / infrastructure should be attached to the internet. Private networks are fine for this purpose.

  • procarch2019 5 years ago

    I think the issue there is data, even on critical infra. Modernization, reliability and the such require data analysis. There are definitely ‘strong’ ways of protecting the assets and mitigating attack vectors, but almost no way to eliminate them entirely. For example, even if you isolate the process computers you’ll typically have an interface node that presents the data up a level (hopefully to a DMZ). Obviously you can be compromised if that interface node is.

    Some critical infra is air gapped though. Other systems implement SIS systems in parallel with general process systems to mitigate catastrophic failure further.

    • protomyth 5 years ago

      They can gather the data on the infrastructure network and then carry across an air gap on a USB or tape to do their analysis. I don't see the upside of allowing any connectivity to the internet given the danger other than some mechanism for sending an alert. I'm sure creative people can air gap that too (camera on the internet side and some image recognition for example).

      • procarch2019 5 years ago

        That's massively inconvenient, although I'm sure necessary in some cases. Some businesses actually perform analysis in 'real time' so they can adjust the process accordingly, which requires that data be accessible. This may actually be such a case as I'm sure they have to interface with customers (tank farms) to react to supply/demand on the branches. For all I know Colonial does have a private network for that purpose though. Usually PAT is really for chemical processes where you are looking for a particular yield and those analytical services are located closer to the process (in terms of networks).

        There are devices called data diodes that provide unidirectional network topology, but not all time series data interfaces can work with them.

        All in all, I agree that total air gap is obviously the best way to mitigate network attack vectors, but sometimes not practical. No controlling device should be at level 3 or 4 though (business or enterprise level).

    • rossjudson 5 years ago

      I'm gonna watch Battlestar Galactica again for ideas.

  • euroderf 5 years ago

    In 1983 the US military hived off MILNET, their portion of teh interwebz. Perhaps it's time for infra to do likewise. Too simple?

wait_a_minute 5 years ago

hmmm...might be time for me to develop a side-expertise in cybersecurity...always kinda scoffed at those electives before, but now I see that there are literal lives at stake if our nation doesn't have excellent talent working in fields like cybersecurity for national defense.

joe_the_user 5 years ago

"This is as close as you can get to the jugular of infrastructure in the United States," said Amy Myers Jaffe, research professor and managing director of the Climate Policy Lab. "It's not a major pipeline. It's the pipeline."

About that infrastructure security... this forum has gone over in detail the situation of infrastructure security in quite a bit of detail as other stuff has happened.

It's easy to say "you need to isolate your critical network from your office network" but that costs dollars and time and letting things fall to shit is free 'till the time comes and then other people pay the price rather than you.

The privately held, Georgia-based company is owned by CDPQ Colonial Partners L.P., IFM (US) Colonial Pipeline 2 LLC, KKR-Keats Pipeline Investors L.P., Koch Capital Investments Company LLC and Shell Midstream Operating LLC.

All the best names of neoliberalism!

  • Spooky23 5 years ago

    Companies like this are tax dodges that socialize risk. The limited partners enjoy fat returns with minimal downside.

    • perl4ever 5 years ago

      I'm not sure about these, but there are public limited partnerships that anyone can buy like a stock.

      If you don't realize what you are getting into, you may regret it because you will get a K-1 at tax time.

      I don't know if it's any more of a tax dodge than an REIT.

      • Spooky23 5 years ago

        These structures characterize cash flows as return on capital, which defer taxation.

        There’s a bunch of games played.

        • perl4ever 5 years ago

          I didn't think it deferred taxation; just the opposite.

          That's what I was referring to about the K-1; you pay taxes on the income of the partnership even if you didn't sell any shares.

          • Spooky23 5 years ago

            It depends on your situation.

            For a smaller-scale individual, the paperwork is a pain unless the entity is designed to be used by an individual.

Pfhreak 5 years ago

I'm surprised we don't see more attacks on pipelines - both digital and physical. There are many folks out there who take issue with them or see them as a vulnerable part of our infrastructure.

dang 5 years ago

Url changed from https://www.bloomberg.com/news/articles/2021-05-08/u-s-s-big..., which points to this.

post_break 5 years ago

Yikes, get ready for a huge jump in oil pricing.

  • jumelles 5 years ago

    > Colonial’s pipeline transports 2.5 million barrels each day, taking refined gasoline, diesel fuel and jet fuel from the Gulf Coast up to New York Harbor and New York’s major airports. Most of that goes into major storage tanks, and with energy use depressed by the pandemic, the attack was unlikely to cause any immediate disruptions.

    https://www.nytimes.com/2021/05/08/us/cyberattack-colonial-p...

  • Armisael16 5 years ago

    Why would oil prices jump? This isn’t an oil pipeline.

    • stunt 5 years ago

      Because unlike their network gateways, their pricing change is unidirectional.

    • post_break 5 years ago

      Because there was already a glut, now the places that feed this pipeline have to be backed up. Just because it’s gasoline doesn’t mean it’s not a link in the whole chain.

    • dylan604 5 years ago

      Because they can and do use any excuse to bump the prices.

  • leppr 5 years ago

    Oh, what a surprise, another unexpected event pumping oil prices.

Merrill 5 years ago

Why don't critical infrastructure networks use a different CRC-32 polynomial for their IP packets?

  • champtar 5 years ago

    Security through obscurity is not security

  • detaro 5 years ago

    How would that help in any way?

    • Merrill 5 years ago

      Any IP packet that is valid on the Internet would be invalid and dropped on the critical infrastructure network. The only packets that could pass between the Internet and the critical infrastructure network would be those that are intentionally bridged by rewriting the CRC-32. This should not be done at the IP level, but only by application level bridges.

      It would prevent inadvertent connections between the Internet and the critical infrastructure network.

      • detaro 5 years ago

        The usual problem is systems that are intentionally connected to both networks, and after compromise happily serve as points to enter the inner network.

        • Merrill 5 years ago

          ‘Arm Waving’ Response to Hackers Makes Oil Industry Easy Prey

          Everyone from the facility managers to the private equity owners assumed that the plant’s computer network was “air-gapped” -- a term referring to computers that aren’t connected to the internet or another unsecured network. But when Mission Secure installed monitoring devices to check, they discovered that a worker on the night shift was connecting his Roku device to the internet to watch episodes of “CSI: Miami.”

          https://www.bloomberg.com/news/articles/2021-05-12/colonial-...

          So stuff like this wouldn't happen.
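
The CRC proposal in the subthread above and the objection about systems connected to both networks, as an added Python example that is not part of any commenter's post. It assumes a simplified frame (payload plus a 4-byte CRC trailer) and uses CRC-32C as the stand-in "different polynomial"; the function names and the sample payload are constructed for illustration.

```python
import struct
import zlib

# Reflected generator polynomials (init and final XOR are 0xFFFFFFFF for both).
POLY_IEEE = 0xEDB88320        # CRC-32 used by Ethernet and zlib
POLY_CASTAGNOLI = 0x82F63B78  # CRC-32C, assumed here as the "inside" polynomial


def crc32(data: bytes, poly: int) -> int:
    """Bitwise reflected CRC-32 over data with the given polynomial."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def seal(payload: bytes, poly: int) -> bytes:
    """Build a frame: payload followed by a 4-byte little-endian CRC trailer."""
    return payload + struct.pack("<I", crc32(payload, poly))


def accept(frame: bytes, poly: int):
    """Return the payload if the trailer verifies under poly, else None (dropped)."""
    if len(frame) < 4:
        return None
    payload, trailer = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return payload if crc32(payload, poly) == trailer else None


def dual_homed_relay(frame: bytes):
    """Hypothetical host with one interface on each network: it verifies the
    outside CRC, then re-seals the unchanged payload with the inside polynomial."""
    payload = accept(frame, POLY_IEEE)
    return None if payload is None else seal(payload, POLY_CASTAGNOLI)


# Constructed sample payload; the content is arbitrary.
SAMPLE = b"constructed payload: setpoint=42"

if __name__ == "__main__":
    # Sanity check of the bitwise implementation against zlib's CRC-32.
    assert crc32(b"123456789", POLY_IEEE) == zlib.crc32(b"123456789")
    outside = seal(SAMPLE, POLY_IEEE)
    print("direct to inside network:", accept(outside, POLY_CASTAGNOLI))
    print("via dual-homed host:     ", accept(dual_homed_relay(outside), POLY_CASTAGNOLI))
```

The mismatched polynomial drops a frame that arrives unmodified, but any host that terminates one network and originates on the other recomputes the trailer as a matter of course, so the check says nothing about the payload it carries.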
