1970s again

Proper IT security is made up of 3 parts
1) something you know
2) something you have
3) something you are

To get into my data center, I have to have my badge, I have to know my PIN and I have to have my eyes (retinal scanner at all doors). Our network security is similar except that the "something you are" is very hard to do so they add the SecurID part. I have to know my user ID and password, I have to be on a company device (with company installed certificates) and I have to have my SecurID token.

And for EMPs, the risk is over-blown I think. Since EM has to obey the inverse square rule, in order to take out all of the US, you'd need so many EMP devices it'd be unworkable. Putting them in key locations at key times could be done to take out some critical infrastructure. Take out a few key power substations in the middle of high usage times and you could take out the entire power grid (see Texas this past winter).
 
Well, we have been caving in to Russian aggression for the past 30 years now. That's both parties through multiple changes of power on our side of the pond.
I don't think we've been "caving to Russian aggression" - 30 years ago the entire Russian economy was being reorganized by the US government, with a big helping of CIA infiltration.

I would assume the competent parts of the US security apparatus have been quietly engineering and deploying Stuxnet successors all over the Russian (and other) infrastructure apparatus, to use at a time of their choosing.

Sadly, the rest of the US security apparatus is hiring liberal arts majors to make TikToks about empathy and equity, and those are the ones the Russians target to hack when it comes time for payback.
 
I don't think we've been "caving to Russian aggression" - 30 years ago the entire Russian economy was being reorganized by the US government, with a big helping of CIA infiltration.

I would assume the competent parts of the US security apparatus have been quietly engineering and deploying Stuxnet successors all over the Russian (and other) infrastructure apparatus, to use at a time of their choosing.
So far so good.

Sadly, the rest of the US security apparatus is hiring liberal arts majors to make TikToks about empathy and equity, and those are the ones the Russians target to hack when it comes time for payback.
WTF?
 
You have a remarkable ability to communicate well. The other day you told me to 'grow up', and now you ask if I 'Just like getting bent'. It really drives home your points.
 
You have a remarkable ability to communicate well. The other day you told me to 'grow up', and now you ask if I 'Just like getting bent'. It really drives home your points.

Thank you for recognizing true talent. I have noticed your talents as well.

As for those malcontents, they just want to tear apart the fabric of our society is all . . . the neutron bomb mention was pure theatre.
 
The CIA just put out a recruitment video where a CIA officer talks about how she has "generalized anxiety disorder" and "impostor syndrome". People like her are in charge of America's most important secrets.

If the CIA is hiring insecure, anxious officers, the FSB is going to exploit this. That's their job.
 
The CIA just put out a recruitment video where a CIA officer talks about how she has "generalized anxiety disorder" and "impostor syndrome". People like her are in charge of America's most important secrets.

If the CIA is hiring insecure, anxious officers, the FSB is going to exploit this. That's their job.
Thanks for clarifying. I found a bit more about what you're referring to from that. Who knows what they were thinking with that one. Looks like basically everybody thought it was a dumpster fire on both sides of the aisle.
 
Unless you detonated a single nuke in low-Earth orbit.
Even when they did that as part of project Starfish, they took out comms for some hours over most of the Pacific as well as some sats but they didn't render ground based electronics inoperable. It wouldn't be fun but it also wouldn't be end-of-the-world type thing either. Much easier, safer and more covert to take out a few power generating stations and watch the entire grid collapse like what happened in Texas this past year or what happened on the east coast about 10 years ago.

Hack a few pipelines to shut them down and drop the 3 power grids in the US by causing a cascading failure and it'd pretty much shut us down completely for weeks if not longer. No power and no hope of refueling the few generators that could still be running. Don't need ICBM level launchers nor megaton sized EMPs. But anyone doing such things would be committing acts of war and would not like the result. That's why you don't see nation-state level groups doing this. If it could ever be traced back to them....
 
I don't think we've been "caving to Russian aggression" - 30 years ago the entire Russian economy was being reorganized by the US government, with a big helping of CIA infiltration.

I would assume the competent parts of the US security apparatus have been quietly engineering and deploying Stuxnet successors all over the Russian (and other) infrastructure apparatus, to use at a time of their choosing.

Sadly, the rest of the US security apparatus is hiring liberal arts majors to make TikToks about empathy and equity, and those are the ones the Russians target to hack when it comes time for payback.

These are just the examples of Russian aggression for the past 30 years I can think of, there are probably a lot more. Many of these are acts of war. Time and time again, the West has not stopped them in their tracks, so Putin feels emboldened to keep on going. Why stop if there are no real consequences? The pattern I see below is eerily reminiscent of Germany in the 1930's. No one wanted to stand up to them as they invaded small countries and territories... until it was too late.

- 1993: Russia takes advantage of unrest in Georgia to seize Abkhazia region under the guise of peace keeping.
- 1994-1998: Putin makes deals with oligarchs to take control of the country (new Russian Mafia) and suppress/oppress all internal opposition. Stalinesque purge of opposition ensues.
- By 2000, Putin is making liberal use of fictional Red Notices to try and bring back Russian dissidents and even foreign nationals they deem "criminals". Many of these people are never seen again. Interpol plays along for years.
- 2003: after Georgia declares its intent to get closer to the West and ambitions to join NATO, Russia takes control of Abkhazia completely.
- 2007: Russia declares its territory in the Arctic is bigger than internationally recognized and basically takes a bunch of new oil fields by force. Nobody has kicked them out.
- 2007: Cyber attack against Estonia
- 2008: Russia withdraws from long standing Arms Treaty with Europe.
- 2008: Russia invades and takes South Ossetia in Georgia.
- 2009: Russia cuts off gas line to Ukraine, portending a much bigger problem to come
- 2009: Kyrgyzstan cyber attack.
- 2011: Russian-backed Assad uses chemical weapons in Syria. They didn't just cross the "red line", they jumped over it with both feet. Then, Russia uses their veto vote on the UN Security Council to make sure nothing happens.
- 2014: Russia invades the Ukraine.
- 2014: Russia shoots down Malaysian Airlines flight 17, killing 298 people.
- 2015: French election tampering
- 2015: Cybertheft of files from German Parliament
- 2015: Cyber attack against US White House & State Department
- 2016: US election tampering
- 2016-2019: 3 year long cyber disinformation campaign against Poland
- 2016: Cyber tampering with Brexit referendum
- 2018: Cyber attack against Winter Olympics
- 2018: Large scale cyber attack against US Commercial facilities
- 2014-Present: Too many cyber attacks against Ukraine to count.
- 2020: Cyber attack against US Treasury, Commerce and Energy.
- 2021: Cyber attack on US gas pipeline
 
Cyber attacks have been done before by our gov...probably time to do it again.....the big difference between this admin will be if they decide to do it, they will do it smart....one can hope anyway. And when enough people see that shutting down infrastructure is warfare, then I’m sure some minds will change no doubt.
 
Even when they did that as part of project Starfish, they took out comms for some hours over most of the Pacific as well as some sats but they didn't render ground based electronics inoperable.
On the other hand, ground-based electronics were practically nonexistent in 1962 (Starfish Prime) compared to today.
 
These are just the examples of Russian aggression for the past 30 years I can think of, there are probably a lot more. Many of these are acts of war. Time and time again, the West has not stopped them in their tracks, so Putin feels emboldened to keep on going. Why stop if there are no real consequences? The pattern I see below is eerily reminiscent of Germany in the 1930's. No one wanted to stand up to them as they invaded small countries and territories... until it was too late.

- 1993: Russia takes advantage of unrest in Georgia to seize Abkhazia region under the guise of peace keeping.
- 1994-1998: Putin makes deals with oligarchs to take control of the country (new Russian Mafia) and suppress/oppress all internal opposition. Stalinesque purge of opposition ensues.
- By 2000, Putin is making liberal use of fictional Red Notices to try and bring back Russian dissidents and even foreign nationals they deem "criminals". Many of these people are never seen again. Interpol plays along for years.
- 2003: after Georgia declares its intent to get closer to the West and ambitions to join NATO, Russia takes control of Abkhazia completely.
- 2007: Russia declares its territory in the Arctic is bigger than internationally recognized and basically takes a bunch of new oil fields by force. Nobody has kicked them out.
- 2007: Cyber attack against Estonia
- 2008: Russia withdraws from long standing Arms Treaty with Europe.
- 2008: Russia invades and takes South Ossetia in Georgia.
- 2009: Russia cuts off gas line to Ukraine, portending a much bigger problem to come
- 2009: Kyrgyzstan cyber attack.
- 2011: Russian-backed Assad uses chemical weapons in Syria. They didn't just cross the "red line", they jumped over it with both feet. Then, Russia uses their veto vote on the UN Security Council to make sure nothing happens.
- 2014: Russia invades the Ukraine.
- 2014: Russia shoots down Malaysian Airlines flight 17, killing 298 people.
- 2015: French election tampering
- 2015: Cybertheft of files from German Parliament
- 2015: Cyber attack against US White House & State Department
- 2016: US election tampering
- 2016-2019: 3 year long cyber disinformation campaign against Poland
- 2016: Cyber tampering with Brexit referendum
- 2018: Cyber attack against Winter Olympics
- 2018: Large scale cyber attack against US Commercial facilities
- 2014-Present: Too many cyber attacks against Ukraine to count.
- 2020: Cyber attack against US Treasury, Commerce and Energy.
- 2021: Cyber attack on US gas pipeline
Did we forget shutting down the NY Stock Exchange or was that the Chinese? Too many cyber attacks to keep track of.
 
These attacks always drive me nuts, b/c nobody ever holds the infrastructure operator liable for ignoring basic industry standard safety precautions.
Am I excusing the thieves? Not at all. But at some point there has to be some accountability for absolute negligence WRT securing critical system operations.

I had the same immediate thought.
Far too many folks intuitively get physical security and protection measures (fences, barbed wire, watch towers, cameras, double doors, etc), yet casually ignore, short-change, or pay lip-service to network and information-systems protection. In far too many industries. Partly from laziness and incompetence, partly from cost cutting pressures and incentives.

Now combine that with our reality that most of US infrastructure is owned and operated by semi- or fully-privately owned natural monopolies. Natural monopolies are companies to which standard free market incentives do not apply - you can't expect private investors to justify building duplicate oil pipelines (electricity grids, utilities, water purification plants, etc.) to drive poorly managed and operated companies out of business.
https://www.investopedia.com/terms/n/natural_monopoly.asp
The only practical fixes would come from either writing exorbitantly detailed and painful government regulations, or imposing severe non-market penalties for screwing up - civil fines and criminal penalties for CIO/CTO/CEOs of infrastructure firms who fail to invest into network security.
I would be in favor of the latter over the former, for many reasons. But right now we are doing neither.

We have to get better, no doubt.

Indeed.
In practical terms - risk / reward incentives for infrastructure operators need to be re-aligned. Somehow.
Otherwise, more of the same is the only logical outcome.
 
Sandy H is on the right track. We operated pipelines and power grids in the USA long before the advent of 21st Century whiz-bang electronics. We can do it again. There will be grumbling and whining, but the business managers who want a "cool picture of process statistics on their phone while having brunch at their favorite restaurant" will just have to get over their egos and deal with it. There's too much at stake here.
Computers are cool, when they work right. It's just a damn shame that the evil in the world has led to this.
Bob Schultz

That's a good idea in theory, but it comes with some costs. Computers aren't integrated into the pipeline system just for kicks--there's some actual benefits in making the system run more efficiently. An analogous situation is the difference between CNC and manual mills/lathes. A top-notch machinist can do anything a CNC can do, and might be able to do it faster. However, the CNC (once dialed in) is faster, cheaper, more repeatable, and more accurate than the majority of machinists.

On the pipeline side, if companies are trying to run on tighter margins/JIT delivery, then they probably need more automation in the loop.

I'm a very analog guy myself, but I still see a lot of places where computers add an awful lot of value to the process.
 
Any system that is someway connected to the internet is approachable....just ask Alexa :)
 
Even when they did that as part of project Starfish, they took out comms for some hours over most of the Pacific as well as some sats but they didn't render ground based electronics inoperable. It wouldn't be fun but it also wouldn't be end-of-the-world type thing either. Much easier, safer and more covert to take out a few power generating stations and watch the entire grid collapse like what happened in Texas this past year or what happened on the east coast about 10 years ago.

Hack a few pipelines to shut them down and drop the 3 power grids in the US by causing a cascading failure and it'd pretty much shut us down completely for weeks if not longer. No power and no hope of refueling the few generators that could still be running. Don't need ICBM level launchers nor megaton sized EMPs. But anyone doing such things would be committing acts of war and would not like the result. That's why you don't see nation-state level groups doing this. If it could ever be traced back to them....
Scarier still is remembering that there's no need to take out power generating stations (where there is, at least, *some* security) when the long distance high-voltage lines run all over the country unguarded and in places no one would notice you fooling with them. The east coast blackout of ten years ago was largely caused by a lack of tree trimming on one line in Ohio, which sagged under high usage, arced to ground, and tripped a breaker. That shutdown caused a cascade failure up the Ohio valley and into the east coast and where I lived, in central Ohio, in the dead of winter, it took at least four days to restore power. Although it is the kind of plot device we see on shows like NCIS, it would only take a few, trained, tactical teams to cause that kind of damage, and more, and cause even worse mayhem. Lead times on some critical high voltage replacement parts can be measured in years so if it was done well, bringing the grid back to full operational capacity could take a very long time. Imagine a major city like New York or Chicago without electricity for months or years. It would be chaos.
 
As a user, some of the IT password requirements are ridiculous. Can’t have a word in it, can’t have a backwards word in it, must have a number and a special character. So it is something I can’t remember, so I write it on a sticky note and post it on my monitor. Then I send IT a copy of the XKCD cartoon about passwords.
https://imgs.xkcd.com/comics/password_strength.png
 
As a user, some of the IT password requirements are ridiculous. Can’t have a word in it, can’t have a backwards word in it, must have a number and a special character. So it is something I can’t remember, so I write it on a sticky note and post it on my monitor. Then I send IT a copy of the XKCD cartoon about passwords.
https://imgs.xkcd.com/comics/password_strength.png
Bad password requirements are for people who don't read https://pages.nist.gov/800-63-3/sp800-63b.html#appA
 
That's a good idea in theory, but it comes with some costs. Computers aren't integrated into the pipeline system just for kicks--there's some actual benefits in making the system run more efficiently. An analogous situation is the difference between CNC and manual mills/lathes. A top-notch machinist can do anything a CNC can do, and might be able to do it faster. However, the CNC (once dialed in) is faster, cheaper, more repeatable, and more accurate than the majority of machinists.

On the pipeline side, if companies are trying to run on tighter margins/JIT delivery, then they probably need more automation in the loop.

I'm a very analog guy myself, but I still see a lot of places where computers add an awful lot of value to the process.

I agree. We absolutely need computer/PLC control to optimize actual operations, but the instantaneous adoption of IoT technology by managers/CEOs who don't have a clue about the potential impact is crazy.

Air-gapped systems get you to 40% protection today (IMO, not factual, if it was truly air-gapped and could allow no outside influence, it would be 99%, again IMO), but as soon as a system goes on the company network and/or allows for common accessories to be inserted (i.e. USB, CF, SD, MicroSD, iPhone charge cable that then connects the actual phone vs. just power) you're relying on the common sense of people who think things are secure when they are not even close.

We need the control systems. The SecurID rotating codes and other higher tech items are helpful for sure (having said that, I'm ignorant enough to not know how a device that can output a code that an interrogation routine can ask for if they are not connected at all would be impossible to reverse engineer), but poor practices really make us much more susceptible than most people assume and those are the same people dooming the concept, again IMO.

At the end of the day, I think the company reacted appropriately by shutting things down, because they couldn't quickly answer the question "Do we know how far this got?" with certainty.

Sandy.
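
How a token with no network connection can produce a code the server accepts, as an added example that is not part of the original post: RSA SecurID uses its own algorithm, so this sketch uses the open TOTP standard (RFC 6238), which rests on the same idea of a secret seed shared at provisioning plus the current time. The seed is the RFC's published test value and the function names are chosen here for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample seed: the ASCII test secret published in RFC 6238.
# A real token's seed is random and never leaves the token or the server.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is simply the number of time steps since epoch.
    The token computes this from its own clock, with no link to the server."""
    return hotp(seed, int(unix_time) // step, digits)


def verify(seed, submitted, unix_time, step=30, digits=6,
           window=1, last_counter=-1):
    """Server side: recompute codes for nearby time steps and compare.

    window       tolerates clock drift of +/- that many steps.
    last_counter is the step of the last accepted code; anything at or
                 before it is refused, so a captured code cannot be replayed.
    Returns the matching step (store it as the new last_counter) or None.
    """
    now = int(unix_time) // step
    for counter in range(now - window, now + window + 1):
        if counter < 0 or counter <= last_counter:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(seed, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    t = 59                                        # RFC 6238 test time
    code = totp(RFC_TEST_SEED, t)
    print("token shows:", code)
    print("accepted 30 s later:", verify(RFC_TEST_SEED, code, t + 30))
    print("replayed:", verify(RFC_TEST_SEED, code, t + 30, last_counter=1))
    print("five minutes later:", verify(RFC_TEST_SEED, code, t + 300))
```

An observer who sees the displayed codes learns only truncated HMAC outputs, which do not reveal the seed; the protection fails if the seed itself is stolen from the server or the provisioning records.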
 
@dhbarr
And despite the 2+ years doing it, there are still a few who click on a link in a "malicious" e-mail. (It's a test e-mail to catch you, to see if you are paying attention.)

Most of the 'hacks' we read about are pretty much exactly this: poorly configured, unpatched systems attached directly both to the public internet as well as critical infrastructure.

Our company does a similar test phishing e-mail
Despite annual training and getting a black mark for each failure to catch the phishing (and too many you can lose your job), every test there is a percentage of people who click.
One bad thing about the test is they hit a large portion, if not all, of the workers. So if someone thinks an email is phishing, they check with a coworker - when we see multiple people have the same one we know it is a test. But what if they only sent it to a few scattered employees? The percentage would be higher.

And if someone allows a real phishing email in, smart card or not, the mail can set up malicious code that can create a backdoor to get in.

And while many of our critical systems have an air gap, some are on the plant network.

But the cost to constantly upgrade every PC or device to keep on top of things, plus the software impacts would be excessively cost prohibitive. We once were going to replace a PC in a piece of equipment. The equipment had to interface to certain devices that were now obsolete. The drivers for those devices would not work with the operating system for the new PC, and since obsolete the manufacturer was not providing upgrades (or were out of business). We tried instead to revert down to an older OS for the PC that the drivers supported. Except the older OS could not work the peripherals in the PC itself! Now, instead of just a PC, we would need to replace the PC, all associated devices, update all the operational software, test software, interfaces to data collection, etc. What was thought to be a couple of thousand for just the PC was going to turn into multiple hundreds of thousands of dollars. Instead we managed to get the old PC working again.
Multiply that by the 100's of computers and devices of various vintages over the last 30+ years and we would price ourselves out of the market...
 
Scarier still is remembering that there's no need to take out power generating stations (where there is, at least, *some* security) when the long distance high-voltage lines run all over the country unguarded and in places no one would notice you fooling with them. The east coast blackout of ten years ago was largely caused by a lack of tree trimming on one line in Ohio, which sagged under high usage, arced to ground, and tripped a breaker. That shutdown caused a cascade failure up the Ohio valley and into the east coast and where I lived, in central Ohio, in the dead of winter, it took at least four days to restore power. Although it is the kind of plot device we see on shows like NCIS, it would only take a few, trained, tactical teams to cause that kind of damage, and more, and cause even worse mayhem. Lead times on some critical high voltage replacement parts can be measured in years so if it was done well, bringing the grid back to full operational capacity could take a very long time. Imagine a major city like New York or Chicago without electricity for months or years. It would be chaos.

Heck, you could probably take down the average high tension power line with one of those bow and arrow/wrist rocket setups for slinging ropes into trees. The rope itself may be conductive enough without even needing a wire.

I agree. We absolutely need computer/PLC control to optimize actual operations, but the instantaneous adoption of IoT technology by managers/CEOs who don't have a clue about the potential impact is crazy.

No argument here. I do like the ability to check how my solar panels are doing from my desktop, but I'm really confused about why I need a smart toilet connected to the Internet. I wish I were joking about that...
 