- Dec 27, 2020
- Reaction score
Speaking of the Iranian nuclear program and cyber security. Google “Stuxnet”isnt that he case?
I, a generic & bored 'smart guy', manage to hack you & hold you hostage. You pay me the $$ I demand. I then flee [retire] to the Turks & Cacos.. I can still come & go with impunity; you have no idea of who I am..
the guy behind 'KnowBe4' used to be a hacker. Look at him now.. How many other hackers have become legit & well employed to 'fight their own kind'?
There is always 'someone else'...
I think the root cause is companies not willing to pay for some serious cyber security defenses. I think that infrastructure operators should be required by law to have galaxy class cyber defenses. Worrying about if the ransom is passed on to the customers is closing the barn door after the horse has left.Payload, please understand my angry face emoji on your post has nothing to do with you and everything to do with the corporation passing the cost of their monumental stupidity down to us, the consumers.
Now, I identify as fiscally conservative and understand and support capitalism. However, this is one of those RARE times when I think the government should force the offending corporation to forgo passing the costs on to the consumer and tell them to suck it up, buttercup. Actions (or inaction) should have consequences. If they recoup their "losses" by charging us for cleaning up their FUBAR, then they avoid the negative consequences of a decidedly negative failure to take appropriate precaution.
Maybe the costs should come out of the CIO's and CEO's compensation packages.
Everything you list can be defeated. Some take more effort than others. There is a ranking of cyber bad guys based on their available resources. Top of the heap is nation-states who are assumed to have unlimited resources. Flip that around if a good guy is a nation-state, it has unlimited resources to find you. Everything that crosses the Internet leaves a trail of bread crumbs. Go https://www.fireeye.com and get their report on APT1.Between TOR, Darkweb, VPS, IP spoofing, staying completely untraceable on the internet is easy. And to that, payment by bitcoin? You cannot stop someone you cannot identify.
You have a point, but something needs to be done to wake these E. a. asinus haberdashers up.I think the root cause is companies not willing to pay for some serious cyber security defenses. I think that infrastructure operators should be required by law to have galaxy class cyber defenses. Worrying about if the ransom is passed on to the customers is closing the barn door after the horse has left.
After a few incidents like this one (and hopefully just one will be enough), it may well be that insurance companies for large corporations will begin to put cyber security into their policies. What I mean is, policies may explicitly state that the insurance company doesn't pay out if the corporation doesn't have cyber security that meets certain standards. That, or premiums will increase for companies with lax security. You may be skeptical, but after the Oklahoma City bombing and 9-11, everyone pays an additional premium for terrorism. And, after several church shootings, etc. local congregations are having conversations with their insurers about building security. The insurance companies are going to pay out claims and their response will be to push stricter requirements, and/or increased premiums to cover this "new" eventuality. Those increased premiums, we hope, will drive increased cyber security awareness.I think the root cause is companies not willing to pay for some serious cyber security defenses. I think that infrastructure operators should be required by law to have galaxy class cyber defenses. Worrying about if the ransom is passed on to the customers is closing the barn door after the horse has left.
Would you personally feel better, if she was wearing a mask? I'm not talking about today, but two days ago, when the nanny state told you we all had to?I'm pretty sure the venn diagram of anti maskers and people who would fill a tote with gasoline are two overlapping circles.
Unfortunately not many. My one buddy from high school spent 5 years in a federal jail because he hacked a bank and a credit reporting agency do his girlfriend could buy a house! LOL. He said they showed no interest in hiring hackers "officially". Many times they are used to counter hack and get shortened sentencesYep, a more forceful response than righteous outrage. Maybe an attack in kind ? We have some hackers on our side, right ?
AND talking on the cellphone...
Neah, she is outdoors. Same answer today, and X-many days ago.Would you personally feel better, if she was wearing a mask? I'm not talking about today, but two days ago, when the nanny state told you we all had to?
Neah, she is outdoors. Same answer today, and X-many days ago.
But she should be required to always wear her Magaca hat, as a fair warning to others. So normal people can see her coming from afar.
Like the dude below:
Smoking and pee-ing at the gas pump are optional, but earn one extra "Darwin award" qualification points:
Interesting stuff there.
I would personally feel better if she washed down a handful of hydroxychloroquine with a Pepsi product.
This seems incredibly short-sighted and stupid on the part of the fed.gov. Whether anyone will admit it publically or not, we are at war with Russia and China. It just isn't with conventional weapons; its cyber attacks, propaganda campaigns, political subversion, all kinds of asymmetrical warfare. If we don't get on the ball damn soon, we're going to lose alot more than some money. We're talking about the literal survival of our nation. And that kind of war won't be won with nukes or large invasions, etc.Unfortunately not many. My one buddy from high school spent 5 years in a federal jail because he hacked a bank and a credit reporting agency do his girlfriend could buy a house! LOL. He said they showed no interest in hiring hackers "officially". Many times they are used to counter hack and get shortened sentences
I am assuming most states require fuel to be dispense in the "approved" Gas Cans. So Wawa get out the Wawa police
Not true. PHMSA rules, among other things, includes network security.These attacks always drive me nuts, b/c nobody ever holds the infrastructure operator liable for ignoring basic industry standard safety precautions.
It's always about the Big Bad Hackers when, in fact, the owners have left the keys in the ignition of the money truck, idling in a bad neighborhood.
Am I excusing the thieves? Not at all. But at some point there has to be some accountability for absolute negligence WRT securing critical system operations.
I don't much care which of their networks were compromised, except to say if it was their controls network then that's even worse.Not true. PHMSA rules, among other things, includes network security.
(1) The SCADA system (I design and program SCADA and control systems) was not compromised. They shut the line down "out of an abundance of caution". They got skeert... Their corporate business network was hacked and that was probably from inside. Some doofus probably clicked on an email he or she wasn't supposed to or downloaded something at home and brought it to work. Firewalls abound in the corporate IT world in the energy business.
(2) The Colonial pipeline ships fuels in batches. Ie Jet A followed by a buffer fluid followed by diesel followed by a buffer fluid followed by 100 low lead Av gas, etc ,etc ,etc. At the receiver end... btw... there are a lot of receipt points on the line, a densitometer (and usually an operator just in case, looks for a density change that signifies that the product stream is switching to buffer fluid at the expected time of arrival (not all of the time in other words). Valves switch to a buffer tank, the densitometer looks for whatever product they are receiving, when it sees the cut valves switch and the product flows to the product tank. We built a plant near Midland, PA that took propane off of a products line that originated in Chicago, IL. in much the same way. I built the control system for it. It looks like it's still there. The product tanks across the street weren't there. Cool project and cool people
Years later we (different company) built a truck unloading terminal not too far from Wellsville, OH. I've been across the Newell bridge countless times. Our hotel was across the river in Newell.
(3) Speaking of tanks. The pipeline went down and there was a sudden panic buying (remnants of Covid toilet paper stupidity) because "we're out of gas". No they weren't. Depending on where inventory was there was likely to be 100's of thousands of barrels of products in storage. The pipeline isn't a nozzle straight in to the gas station. It goes to storage first, then it is trucked to the distributor, and that is trucked to the gas stations. This was hysterical panic buying induced shortages.
(4) Very few people know where the sh*t comes from.
(5) I feel like typing today and misspelling plus screwing up punctuation.
Do any of you know anything about natural gas and oil? Probably not. I like to know where my sh*t comes from plus I've worked in the business for 40+ years.
Lets start with what it's made from. Oil and natural gas is made up of organic molecules, called a hydrocarbon, made from Carbon and Hydrogen. Get it hydro = hydrogen and carbon = carbon.
Sometimes, most of the time, there are impurities like Nitrogen, Oxygen, CO2, and H2S. The CO2 and H2S have to be processed out of the wellhead stream before it is processed further. Rarely N2 is in high enough concentrations that it has to be removed, I've worked on a couple of NRU's over the years but it's energy intensive and costs usually don't warrant building the plant. But that's it, that's the primary components of natural gas and oil, Carbon and Hydrogen. Oh my... those are scary... not.
These are the more useful components of natural gas and oil. The heavier the molecule the more likely it'll ended up in a fuel tank. Typically C5 plus and additives.
C1 - Methane - CH4
C2 - Ethane - C2H6
C3 - Propane - C3H8
nC4 - Normal Butane - C4H10
iC4 - iso-Butane - C4H10
All of the above can be reformed to something more useful.
We'll get back to ethane and the butanes in a minute. Pentane also has iso and normal versions.
Do you see pattern? CnH2n+2 where N is the number of atoms
Hidden in the compounds that I listed is the methyl group, CH3. Those two little letters and a number impact you and yours every single day. It is the basis for just about everything you can touch or see right now. Plastic, including the covering of the wire or fiber optic cable that brings you the internet, electronic component packages, warm clothes (wasn't it Northface that did some kind of "statement" about fossil fuels. That was hilarious. Don't they know where their material comes from?), computers, methanol, fertilizer, fuel of course, roads, medicine (Zantac has ties to Propane but I could never get the customer to tell me how they used it ) on and on and on.
It's energy intensive derive a methyl group from hydrocarbons.
If you were driving down the road and could magically cut your ties to all things related to the oil and natural gas you would find yourself rolling down a dirt road, car gone, naked, and quite possibly dying of whatever ails you because your meds are gone. Oh... and you would also be starving. Even Elon Musk knows the value of the hydrocarbon molecule.
If you drive by a petrochemical plant (not a refinery, but refineries do have hydrogen flares, the refinery creates the feedstock for the petrochemical plant) and you see a stack with a tiny blue flame at the tip, the blue flame is the pilot that ensures that the hydrogen coming out of the stack is lit. You can't see a hydrogen flame. So where does that come from? In very simple terms a petrochemical plant consumes and rejects hydrogen. I'm getting out of my box so we'll leave it at that.
The carbon atom likes company. It has 4 valance (outer) electrons that want to hang out with friends. Hydrogen has 1 valence electron. In the case of Methane the 4 electrons double bond with 4 hydrogen atoms. I'm not 100% sure that Methane can be made to give up one of it's hydrogen atoms to form CH3. It would be wasteful and expensive considering that it's a good rocket fuel, and it's good for heating homes, making fertilizer, etc
Here's a diagram of Methane and Ethane
View attachment 464426
With Ethane, "all you have to do" is break the C:C double bond and you get two methyl groups and no waste hydrogen. We make and sell a lot of Ethane but it's pricing is volatile due to the amount of it that is on the market.
Here's a diagram of Propane
View attachment 464430
Two methyl groups but with an extra carbon (smoke) and two extra hydrogens. Not worth the effort (yet)
Here's a diagram of iso and normal butane
View attachment 464428
Normal on the left, iso on the right. the - are double bonds (different way of drawing molecules). With normal butane you can split off two methyl groups and have a lot more waste, with iso butane you can split off three methyl groups and have one excess hydrogen.
Back in the late 80's there was a shortage of ethane and we seriously looked at adding an isomerization unit, isom unit for short to convert our normal butane stream to iso butane. It's energy intensive. You need a source of hydrogen and a catalyst. Storing hydrogen isn't the safest thing you can do (they tried it at the Skunkworks when they were developing the SR71)
What would these policies pay for, lost revenue? That might help the company, but it wouldn't stop the price increases to the consumer.After a few incidents like this one (and hopefully just one will be enough), it may well be that insurance companies for large corporations will begin to put cyber security into their policies.
That sounds easy. How do you stop someone from bringing a USB stick or drive to the office? Make a policy? That works for people that follow policies to the letter.I don't much care which of their networks were compromised, except to say if it was their controls network then that's even worse.
Office networks are also securable, and failure to do so is just as inexcusable as not inspecting piping for corrosion or letting the drains on your roof get plugged up.
Yo mean the fuzz from here:I am assuming most states require fuel to be dispense in the "approved" Gas Cans. So Wawa get out the Wawa police
That's relatively easy. We had system controls in place that could detect an external mass storage device connected to a USB (or any other port) and would block transfers to and from them. We had the system option, though we did not use it, to tattle on you if you even tried. DLP software in enterprise environments is quite common.That sounds easy. How do you stop someone from bringing a USB stick or drive to the office? Make a policy? That works for people that follow policies to the letter.
You do like Lowes and some other companies have done: You block USB drives in the OS. That doesn't stope someone from inserting a USB Killer, but it will stop malware from reaching the network.That sounds easy. How do you stop someone from bringing a USB stick or drive to the office? Make a policy? That works for people that follow policies to the letter.
If someone hasn't separated their business network from the control network by now they need a new IT department.
I will add that this incident increased my awareness and I will no longer check personal email at work. We all have the freedom to do that but this incident changes the way I see MY responsibility.