1970s again

The Rocketry Forum

Help Support The Rocketry Forum:

samb

Lifetime Member
Joined
Jan 22, 2009
Messages
3,973
Reaction score
379
Location
Plano, TX
Yep, a more forceful response than righteous outrage. Maybe an attack in kind ? We have some hackers on our side, right ?
 

dhbarr

Amateur Professional
Joined
Jan 30, 2016
Messages
7,276
Reaction score
1,709
These attacks always drive me nuts, b/c nobody ever holds the infrastructure operator liable for ignoring basic industry standard safety precautions.

It's always about the Big Bad Hackers when, in fact, the owners have left the keys in the ignition of the money truck, idling in a bad neighborhood.

Am I excusing the thieves? Not at all. But at some point there has to be some accountability for absolute negligence WRT securing critical system operations.
 

mtnmanak

TRA & NAR L2
TRF Supporter
Joined
May 5, 2020
Messages
775
Reaction score
700
Location
METRA & MDRA
Well, we have been caving in to Russian aggression for the past 30 years now. That's both parties through multiple changes of power on our side of the pond.

I am not registered with either political party in this country, but I honestly do not see this administration being the one that finally stands up to Russia. Neither party has had the guts to deal with Russia and the current party in power will continue to stand by and do nothing. This will only increase the hand wringing and bed wetting in Washington. But, nothing will happen except for more righteous indignation.

Neither will they fix our infrastructure issues. Frankly, we haven't really done any major infrastructure work since Eisenhower was president and it doesn't look like we are going to do any in the near term. Despite rhetoric, infrastructure spending buys you exactly 0.0 political capital. Fixing our petroleum infrastructure would cost hundreds of billions (probably trillions) and neither party would get "credit" for it. Besides, spending any money on petroleum infra works against current "green" initiative narrative. Can you imagine the President publicly saying he is going to make it a priority to fix our petroleum pipelines/refineries/storage, etc? He would get eviscerated. So get used the current situation. It may not get worse, but it definitely will not get better. Just wait until they figure out how to hit our power grid.
 

dr wogz

Fly caster
Joined
Feb 5, 2009
Messages
6,624
Reaction score
1,785
Location
Land of Poutine!
@dhbarr And that's why we (my company) is invested with 'KnowBe4' for internet security.. We get a weekly 'tip' and a quarterly course on 'how not to let the bad guys in'.

And despite the 2+ years doing it, there are still a few who click on a link in a "malicious" e-mail. (it's a test e-mail to catch you! to se eif you are payign attention..)




But on a side note: I have been reliving the 70's thru Spotify: search a particular year and listen the hits of that year! today was 1976..
 

rocket_troy

Well-Known Member
Joined
Sep 9, 2013
Messages
227
Reaction score
89
But on a side note: I have been reliving the 70's thru Spotify: search a particular year and listen the hits of that year! today was 1976..
Gimme a time machine and I'll be back there in an instant... no question.

TP
 

modeltrains

Well-Known Member
Joined
Jun 29, 2011
Messages
1,490
Reaction score
356
Just wait until they figure out how to hit our power grid.
If the New York Times' reporting is accurate ...
Power grids have been a low-intensity battleground for years.
Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid.
But now the American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before. It is intended partly as a warning, and partly to be poised to conduct cyberstrikes if a major conflict broke out between Washington and Moscow.
The commander of United States Cyber Command, Gen. Paul M. Nakasone, has been outspoken about the need to “defend forward” deep in an adversary’s networks to demonstrate that the United States will respond to the barrage of online attacks aimed at it.
“They don’t fear us,” he told the Senate a year ago during his confirmation hearings.
But finding ways to calibrate those responses so that they deter attacks without inciting a dangerous escalation has been the source of constant debate.

and it's not like nobody has thought about the thing until just now,
In a 2012 report, the National Academy of Sciences called for more research to make the grid more resilient to attack and for utilities to modernize their systems to make them safer. Indeed, as society becomes increasingly reliant on the power grid and an array of devices are connected to the internet, security and protection must be a high priority.


Alert (TA18-074A)
Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors

Original release date: March 15, 2018 | Last revised: March 16, 2018

...
Description
Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
Analysis by DHS and FBI, resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [1]https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”
 
Last edited:

Sandy H.

Well-Known Member
Joined
Mar 20, 2009
Messages
715
Reaction score
167
Why is the pipeline hooked up to the internet? There was a time before the internet when the pipelines ran without the internet.
That was my first question. I assumed someone hacked the control system of the pipeline and caused a possibly hazardous condition.

From the information I read based on popular news feeds (i.e. not necessarily fact. . . ) it seemed that the company had an attack and chose to shutdown the pipeline 'just in case' something cross contaminated. I'm not sure if that is logical or not.

At my company, none of our equipment (machinery) is connected to the internet or the company network at all. At times, people use a USB key (or hard drive) to transfer data to/from the machine(s). If we had an IT concern (i.e. office computer) that spanned a time period that we knew someone had connected a device to the machine(s), we would absolutely halt machine operation until it could be verified as unaffected (by the software engineers as well as the IT guy) and then we would re-start production under a watchful eye. This has happened twice in 20 years, as far as I know.

I am aware that some big companies somehow ban the use of USB (or other easily connected devices) on the production machinery, but I honestly don't know how that works when you need to get data-logs or other production related data. It is either manual ('air gap') with the chance that something gets plugged in that could be infected (our case) or it is somehow on a network that could also be possibly compromised. I imagine any (*see note) scenario that anyone could come up with would be able to be defeated if there was a $10billion dollar budget for defeating it. . . Thankfully, my company doesn't do anything that interesting. . .

Anyway, initially I was heartbroken when a co-worker said 'some Russians hacked our pipeline' and thought it was literally shutdown by a hacker. I was encouraged (at least a little) that it sounds like 'some Russians' hacked a company and they reacted to shut down their systems on their own that they didn't know 100% were unaffected.

Either way, I'm scared as heck of the whole concept of IOT and that business managers seem to be wanting to rush 'online connectivity of our plant' just so they can get a cool picture of process statistics on their phone while having brunch at their favorite restaurant. . .crazy scary, IMO.

Sandy.

* Note: By 'any', I mean any in the context of 'regular' companies, not mega-companies like Google, Microsoft, etc. or government stuff. People who can spend billions to defend can obviously have better defenses than regular companies.
 
Last edited:

modeltrains

Well-Known Member
Joined
Jun 29, 2011
Messages
1,490
Reaction score
356
I imagine any scenario that anyone could come up with would be able to be defeated if there was a $10billion dollar budget for defeating it. . .
That brings to mind a thing heard/read a while back, it went something like;
"If getting money to defend the power grid depends on the voting public you are doomed unless you have the vote on about the third day of a power outage in January in the North and August in the South."

(yeah, that's cynical to the max, but is it wrong?)
 

Sandy H.

Well-Known Member
Joined
Mar 20, 2009
Messages
715
Reaction score
167
That brings to mind a thing heard/read a while back, it went something like;
"If getting money to defend the power grid depends on the voting public you are doomed unless you have the vote on about the third day of a power outage in January in the North and August in the South."

(yeah, that's cynical to the max, but is it wrong?)
Heh. . .hits close to home. . .

Back in 2018-ish, we had a pretty hot summer. Our house AC shredded a compressor and was 100% down. I tried for about 10 days to get an AC company out to replace the unit, but could barely get a call back, much less a date for service.

I had purchased a mini-split a month before to climate control the garage and after sleeping in the 85 deg house for a week (wife was thankfully out of town) I gave up and installed the mini-split myself. I bought about $1500 in tools to do is right since nobody would call back and 3 years later it is working well still, so I guess I did it right. . .

I will never live in a single source AC house voluntarily unless it is in the mountains or somewhere that it is always cold. You can always add a blanket, but you can only take off so many clothes. . .

Sandy.
 

hobie1dog

Hi-Fi Addict
Joined
Jul 26, 2009
Messages
4,647
Reaction score
887
Location
NC
It may not get worse, but it definitely will not get better. Just wait until they figure out how to hit our power grid.
Read the book. "One Second After" where they shoot off missiles located on cargo ships and explode EMP (Electro Magnetic Pulse) over us and kill everything with an electronic circuit in it. NO gas pumping, no cars running, no refrigeration, A/C, heat, lighting, cell phones :eek:, no way to contact family members . It would be the worst thing that could happen to us as we would end up starving and/or getting killed by other members of society. An Atomic Bomb would at least be instant.
 

bschultz32

Active Member
TRF Supporter
Joined
Feb 28, 2020
Messages
43
Reaction score
48
Sandy H is on the right track. We operated pipelines and power grids in the USA long before the advent of 21st Century whiz-bang electronics. We can do it again. There will be grumbling and whining, but the business managers who want a "cool picture of process statistics on their phone while having brunch at their favorite restaurant" will just have to get over their egos and deal with it. There's too much at stake here.
Computers are cool, when they work right. It's just a damn shame that the evil in the world has led to this.
Bob Schultz
 

Citizen Baslim

Wife: No, you're burning money vertically.
Joined
Apr 5, 2019
Messages
80
Reaction score
43
Location
53 miles west of Venus
I said this tongue and cheek, but I do see this as an act of war. People will be hurt by this act.

It's called asymmetric warfare and both the Chinese and Russians are really good at it. I don't like how we've characterized asymmetric warfare as "irregular warfare" because asymmetric warfare has long since been the regular type of warfare.

https://mwi.usma.edu has a an article about failing to train conventional forces for irregular warfare

These are my personal opinions and do not reflect the opinions of the US Government or any entity thereof.
 

TSMILLER

Well-Known Member
TRF Supporter
Joined
Aug 31, 2014
Messages
908
Reaction score
440
"Computers are cool, when they work right."
In the mid 90's I was injured at work and lost use of my left arm for some time. Not foreseeing a future of continuing my ability to build heavy aircraft components I utilized company money to take several computer forensics courses. These courses were for law enforcement and corporate IT.
The very first thing that was said to the class: "Remember; we are running the world with a device that was designed to be nothing more than a toy."
Cool, yes, over dependent on, yes.
 

cwbullet

Obsessed with Rocketry
Staff member
Administrator
TRF Lifetime Supporter
Global Mod
Joined
Jan 24, 2009
Messages
27,204
Reaction score
4,634
Location
Glennville, GA
We have to get better. no doubt/.
 

mo2872

Well-Known Member
Joined
Jun 22, 2020
Messages
549
Reaction score
442
Location
NE OK
Time to go back to points and condensers............(said only slightly tongue-in-cheek).......mention above of EMP taking out cars.....and landlines?
 

JLP1

Well-Known Member
TRF Supporter
Joined
Feb 1, 2019
Messages
157
Reaction score
152
Saw one lady on ABC news last night saying she drove a hundred miles looking for gas ? Duh now you have to drive a hundred miles back home so what did you accomplish?

Now the other stuff where the hell is the NSA, FBI, CIA, and all the other groups that are suppose to be watching over this stuff. (They are really great at spying on us) We've got thousands and thousands of kids sitting on their butts playing video games and doing all kinds of crap with cell phones and we can't put a hacker force together that can outwit the Russians, Chinese, and the Ukrainians. But hey we got a Space Force Wow o_O
 

cwbullet

Obsessed with Rocketry
Staff member
Administrator
TRF Lifetime Supporter
Global Mod
Joined
Jan 24, 2009
Messages
27,204
Reaction score
4,634
Location
Glennville, GA
Saw one lady on ABC news last night saying she drove a hundred miles looking for gas ? Duh now you have to drive a hundred miles back home so what did you accomplish?

Now the other stuff where the hell is the NSA, FBI, CIA, and all the other groups that are suppose to be watching over this stuff. (They are really great at spying on us) We've got thousands and thousands of kids sitting on their butts playing video games and doing all kinds of crap with cell phones and we can't put a hacker force together that can outwit the Russians, Chinese, and the Ukrainians. But hey we got a Space Force Wow o_O
‘I agree. That fails the common sense test.
 

dhbarr

Amateur Professional
Joined
Jan 30, 2016
Messages
7,276
Reaction score
1,709
Reminder: it is not the FBI's job to prevent you from:
  • leaving all your doors wide open when you go on vacation
  • keeping gold bars in plain sight in your passenger seat
  • storing your cash in a barrel on the lawn
Most of the 'hacks' we read about are pretty much exactly this: poorly configured, unpatched systems attached directly both to the public internet as well as critical infrastructure.
 

CalebJ

Well-Known Member
TRF Supporter
Joined
Jan 20, 2020
Messages
744
Reaction score
509
Reminder: it is not the FBI's job to prevent you from:
  • leaving all your doors wide open when you go on vacation
  • keeping gold bars in plain sight in your passenger seat
  • storing your cash in a barrel on the lawn
Most of the 'hacks' we read about are pretty much exactly this: poorly configured, unpatched systems attached directly both to the public internet as well as critical infrastructure.
This.

No matter how much money you spend or how good they are, it's not possible for the relevant agencies to guarantee that every valuable resource is doing their job properly internally to protect themselves. And even if they are, people still get through sometimes. I work in IT and have been in the middle of a cyber attack that caused a weeks long network outage. Up to the point that it happened, we were following industry best practices and doing due diligence. Obviously, we evaluated what happened and took steps to adapt our practices to prevent it in the future. That's still not a guarantee that we've predictively prepared ourselves for something new and different next time around. It's an ever changing environment.
 

Peartree

Cyborg Rocketeer
Staff member
Administrator
Global Mod
Joined
Jan 6, 2009
Messages
5,515
Reaction score
978
Location
Alliance, Ohio
As an engineer, I have wondered for years why vital and important systems like this were not air-gapped or at least super difficult to tap. My brother did IT for Republic steel and back in the early 90's he carried a digital "business card" that generated numbers. If he needed to access Republic's system remotely, he had toacces the computer over the internet, log on to his unique account using his username and password, and THEN when prompted, enter the number that was, at that moment, displayed on the "business card" (which changed every 30 -90 seconds or something). So even if hackers had stolen information that allowed them to pretend to be him, they still couldn't access Republic's sensitive information unless they physically had one of those business card number generators in their possession.

And that was thirty years ago. I'm sure that the crypto-security folks haven't been sleeping for three decades. There really isn't any excuse for infrastructure companies to be more than thirty years behind.
 

John Kemker

Well-Known Member
TRF Supporter
Joined
Aug 25, 2019
Messages
1,907
Reaction score
832
In the mid 90's I was injured at work and lost use of my left arm for some time. Not foreseeing a future of continuing my ability to build heavy aircraft components I utilized company money to take several computer forensics courses. These courses were for law enforcement and corporate IT.
The very first thing that was said to the class: "Remember; we are running the world with a device that was designed to be nothing more than a toy."
Cool, yes, over dependent on, yes.
Umm...sorry, but computers were not "designed to be nothing more than a toy." They were designed to do serious work. Read about the history of Bletchley Park, ENIAC, EDSAC, etc. If your instructor actually said this, it was gross hyperbole and highly inaccurate.

The biggest problem is people who insist on lowering/removing security controls because they see it as somehow impeding their ability to get work done and upper management that ignores security because "it'll never happen to us!"

--Former Information Security Officer for a Federal Government installation.
 

heada

Well-Known Member
Joined
Jan 18, 2009
Messages
4,184
Reaction score
1,333
Location
Indianapolis, Indiana
As an engineer, I have wondered for years why vital and important systems like this were not air-gapped or at least super difficult to tap. My brother did IT for Republic steel and back in the early 90's he carried a digital "business card" that generated numbers. If he needed to access Republic's system remotely, he had toacces the computer over the internet, log on to his unique account using his username and password, and THEN when prompted, enter the number that was, at that moment, displayed on the "business card" (which changed every 30 -90 seconds or something). So even if hackers had stolen information that allowed them to pretend to be him, they still couldn't access Republic's sensitive information unless they physically had one of those business card number generators in their possession.

And that was thirty years ago. I'm sure that the crypto-security folks haven't been sleeping for three decades. There really isn't any excuse for infrastructure companies to be more than thirty years behind.
SecurID. I have a token that does that. Changes a 8 digit code every 60 seconds. If the device is opened, the device self-destructs. I've run the servers that run the SecurID system and boy....that's not fun.

I'm not in a critical industry (normally) and all our manufacturing systems are air-gapped and the systems that monitor those systems are behind multiple levels of firewalls. If critical infrastructure is connected to a network, that is a failing of that company.
 
Top