(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘GRIDSEC’ Category

Lights Out: A Modern Tragicomedy

leave a comment »


I had heard that Ted Koppel was making the rounds on TV trying to pimp his book on the end of the world as well know it through cyber. Of course I instantly knew it would be utter trash, a tissue of assertions and half ass reporting relying on government and beltway bandit quotes that likely would enrage me. How little did I know about the true scope of fuckery and rage that would ensue from reading its breathlessly penned pages about our coming Armageddon. Once again we have a reporter who does not really do his homework and takes the word of people with interests over the realities of those who work in the industry at the scene of the crime.

From the first pages we are being told that the grid is vulnerable to attack. Not just physical attack, no, worse, more scary, the dreaded CYBER attack. Of course as you delve deeper in to the book you do not get any kind of technical interviews with white hat hackers or security experts other than those bottom feeders such as former NSA directors and Richard Clarke. All of these players who worked (past tense) in the government that failed to secure all the things and who now offer services as board members and pitch men. You see, no one interviewed in this book actually has hacked anything.

But trust us.. The grid will go down if attacked by the CYBER.

I will not bore you with recalling the rest of this awful book. Truly, do not buy it and certainly do not read it if you want to know anything about the potential for the power going out more permanently. Instead, I would like to give you a primer on how hard it would be to actually take the whole grid down. I would also like to show you just how hard it would be to take great sections of it out as well. Neither of these scenarios is easy and neither of them is something we will not recover from. All of the bullshit around the bugaboo that the grid could be taken out by Da’esh is fantasy for the most part and a tool to scare the public by halfwits looking for clicks or book sales.

Are there issues with the grid? Yes, there are. Could damage be done that could cause a lot of consternation and perhaps even deaths? Yes this could happen in pockets of our society. These things are true but a systemic outage across the whole of the country that would cause severe, unrecoverable damage to the grid as a whole is not probable. In fact, it may not even be possible and I plan on telling you here why. By going through the internet and seeking out data from experts, governmental files, and papers by doctoral candidates as well as those who own and operate the power systems I can give you the data you need to see what the truth of the matter is.

However, let me break this down into small consumable bullet points for you.

  • Even a nation state with capable hackers could not own every system effectively enough to take them all down simultaneously
  • Even if systems are hacked and malware like stuxnet implanted, it still takes a kinetic attack to damage many of the systems out there that transmit the power as well as generate it. Malware alone will not kill the grid.
  • Current activities in gridsec and grid technologies are making these scenarios even harder to implement due to the nature of the diaspora that is power generation and transmission
  • Certainly sections of the grid could be taken down and have in the past. All you need do is Google Squirrel+blackout and you will see how their kinetic attacks caused systemic failures that caused outages.
  • Frankly, an X-Flare has a higher probability of taking out the grid as a whole should one hit the US. This should be a real concern and the companies and government should be looking to shield against EMP but they aren’t.

So all the bleak punditry about how the grid could be taken down by hackers using Shodan is really just sensationalistic bunkem. Of course there have been a couple of interesting theories, one that made some news back in 2008 I believe was a paper by a student on a cascade effect that could black out the grid. This possible attack might be the only one that would work but the control over the disparate systems involved to make it happen is almost impossible really. Another theory was one put forth by the government itself when they performed the AURORA experiment. This particularly relies on attacking nine points on the grid (power gen and transfer) that could be the genesis of a cascade attack.

Screenshot from 2015-11-06 14:27:18

It is the cascade attack that should trouble people but this is not really explained by most of the purveyors of FUD like Koppel. The real scary point about the cascade effect though is that the attack, if successful would take out the LPT’s and those by their nature are costly and take years to build. They are also on backorder so there is that too. If you take these out, and there are no replacements then you are pretty much stuck in the 19th century in certain areas until you get one replaced. Now once again I will tell you that to take them all out at one time is damn near impossible unless you have an X-Flare that covers the whole grid with an EMP.

Screenshot from 2015-11-02 11:15:47

So where does that leave us? Well, that leaves us with scary scary ideas but little follow through on actual means to that end. Of course now the big scary scary is over the CYBER right? And when they say CYBER they really mean SCADA, ICS, and HMI technologies that monitor and control the big hardware that generates and transfers the power from the generation plant to you. Now consider that there were as of 1996, 3,195 electric companies in the US that handle generation and transmission of power. That is a lot of targets to get into and control effectively, in tandem, to create a super grid blackout. All of this is going to be done by attacking their SCADA? Are there really that many of these things that are internet rout-able anyway? This means that the adversary would have to really hack the majority of them and have major footholds in all to access the networks to get at the systems that may not be networked to their non air gapped networks.

Think this through people.

Screenshot from 2015-11-02 11:08:50

Screenshot from 2015-11-02 11:08:26

This is just not a real tenable plan to start with and then you have to consider just who would try to pull this off and why. If you take out the grid in the US sure you cause mayhem but we have military bases all over the globe. We have ships and subs at sea. We have the capacity to bomb the shit out of anyone we think carried off such an attack. So really, unless you attempt this a la some scenario like “Red Dawn” with planes in the air and boots on the ground, you pretty much don’t win. Many of these scare pieces don’t go into the semantics of attack and counter attack, they only cry havoc about how we are CYBER doomed and the grid is a scary scary thing. It makes my ass tired even thinking about all these idiots out there talking to the likes of Richard “Dr. Cyberlove” Clark and believing them.

Stop the madness.

In the end yes, sections of the grid could go down and yes, they could be down for a while because of the nature of the hardware and it’s replacement. It would be inconvenient but it would not be the end of the world. It also would likely be more the action of Squirrels or tree limbs rather than a clandestine hacker attack on our SCADA systems. So everyone needs to just calm the fuck down and breathe. What you really should worry about is some form of EMP that melts everything and puts the whole of the country down, and really once again, that is the only scenario I buy into on this matter. If we have another Carrington Event, we are well and truly fucked.

Anyway, don’t give Koppel any money…



UPDATE: I left a review of this book on Amazon and the one response back was this:

Screenshot from 2015-11-09 11:07:53

I guess I am no Dick Clarke so meh, nevermind.

Written by Krypt3ia

2015/11/06 at 19:51

ASSESSMENT: OSINT Reconnaissance of Power Systems

with 5 comments

Screenshot from 2014-01-09 14:09:34

Power Systems, Dams, Grids & The Internet:

Since the attack on the Natanz plant the acronym SCADA Supervisory Control and Data Acquisition Systems have been in the news as the next greatest threat to us all. Of course if you listen to the bulk of what people are saying out there in the news media you might be missing some salient points on just how vulnerable we all may be and not so much because someone is going to upload malware to a system in an “air gap” somewhere in Tehran. The fact is I now understand just how vulnerable we may be and most of the problem isn’t going to be some exotic string of ones and zero’s, but instead it will be due to a lack of OPSEC. Of course this report does not mean that there will be a cascade attack that will knock out power to the United States like some far fetched Discovery cable show. Instead this report is just a slice of what was discovered in a few hours of searching with Google and should give you an idea of just how available data that could be misused is out there. My intent here is to scare people nor is it (completely) to shame people but I find that in today’s news cycle much of the real truth to things gets cut out for smaller and sexier soundbytes.

OSINT Reconnaissance:

My reconnaissance tools were just a browser, my brain, and a bit of time. I used Google Fu to look up certain key words and phrases to seek out systems sharing out data that perhaps they were unaware of. In the case of all of the pictures below, these items were open to anyone who looked for them. There was no bypassing any kind of authentication here whatsoever, all you had to do was click and wait for the system to deliver the data and therein lies the biggest problem. In one case (data not shown here) I was able to locate a user online with not only diagrams but also SCADA passwords and ID’s in an excel sheet. That user was called and told that they were sharing and they took it offline (thanks to those who used their GV numbers and made calls anonymously, you know who you are…) and I am sure was more than a little freaked out after the call was all said and done.

Screenshot from 2014-01-09 13:25:38

Hydroelectric DAM SCADA

Screenshot from 2014-01-09 14:17:27

Gas Leaks & Repairs Sheet

Screenshot from 2014-01-09 14:27:42

SCADA DIAG Hydroelectric DAM

Screenshot from 2014-01-09 14:28:37

SCADA DATA & Connection + CDR’s

Screenshot from 2014-01-09 14:34:15

Live Diagram of Circuit to Substation

Screenshot from 2014-01-09 14:35:35

Another Live Diagram to Substation

Screenshot from 2014-01-09 14:38:53Diagram for Substation

Screenshot from 2014-01-09 14:41:42GAS Pipeline Maps Northeast

Screenshot from 2014-01-09 14:51:26

Full Diagrams for Electric Fencing and Facilities for Power Station (Southeast)

As you can see there is a lot out there and remember that an aggressive and determined individual or group could in fact collect quite a bit of data not only from the government sites but also the companies that run the grid, or the gas, or the water systems. Once again though, all of this data does not mean that there will be an epic “Fire Sale” from these data leaks. It does however make you wonder just how many people and entities (corps) lack such basic OPSEC as to allow these things to be placed out in the open for anyone looking for them to have. I will be widening the scope and working with the same individuals in the background to connect with the more egregious offenders and insure their data is no longer out there for the taking but my main goal here is to sound the warning.

The internet of things… Is full of “stuff” too.


If an adversary were looking to have a cascade effect attack like that postulated by the Chinese student then their first task would be to carry out reconnaissance on the power systems of the country they wish to attack. In the case of the US let’s say, it is easy enough to look up the Wiki on all of the companies here neatly listed out with their domains. Once you have this you can spider out and carry out the OSINT on all of them. Technically as well as logically, you can carry out the intelligence gathering on employees, systems, and overall target hardness just with Google. This is not really elucidated very often when you see these things in the news or you hear the president speak about the threats to the “grid” Of course now I want you all to realize that the threat is not only the Chinese Green Army or PLA warrior at the end of the keyboard but instead YOU Mr. plant manager with a shared out hard drive in your new Macbook.

So the extrapolation to make is that it’s not the end of the world but it is a problem. In fact, it could be pretty bad for certain places were this data to be used by the wrong people. Now do I think that the Chinese and others already have this data? Well the answer to that is yes, I do believe that since this stuff has been sitting around so long in directories open to the internet anyone with a plan probably has run a script and scraped all that data at some point. Will it be used in some massive attack? I don’t really think so necessarily. My reasoning here is that to really do it well it would have to be nation state and that state would have to be pretty crazy to have a fire sale given our interconnectedness today globally. Of course that doesn’t stop someone like the Kim Jun Un’s of the world from trying to go all Bloefeld on us all from some lair with sharks though.

Here’s the overall takeaway: People do stupid things. People who are not trained to think about their data security and access do doubly stupid things. So when you hear the government next time talking about how insecure our networks are and how the grid could be taken out by a foreign power who already have backdoors in our systems, just remember that much of that probably was easily obtainable through recon and OSINT use…


Written by Krypt3ia

2014/01/09 at 21:08

Posted in .gov, GRIDSEC, ICS, OPSEC, SCADA