
Russian Hackers Seized Control of Norwegian Dam, Spy Chief Says (theguardian.com) 42
An anonymous reader quotes a report from The Guardian: Russian hackers took control of a Norwegian dam this year, opening a floodgate and allowing water to flow unnoticed for four hours, Norway's intelligence service has said. The admission, by the Norwegian Police Security Service (PST), marks the first time that Oslo has formally attributed the cyber-attack in April on Bremanger, western Norway, to Moscow. The attack on the hydropower dam, which produces electricity, released 500 liters (132 gallons) of water a second for four hours until the incident was detected and stopped.
The head of PST, Beate Gangas, said on Wednesday: "Over the past year, we have seen a change in activity from pro-Russian cyber actors." The Bremanger incident was an example of such an attack, she added. "The aim of this type of operation is to influence and to cause fear and chaos among the general population. Our Russian neighbor has become more dangerous." The incident did not cause any injuries or damage because the water level of the river and the dam, which is close to the town of Svelgen, was a long way below flood capacity. The alleged perpetrators reportedly published a three-minute video, watermarked with the name of a pro-Russian cybercriminal group, on Telegram on the day of the attack.
Re:Russian hackers (Score:5, Insightful)
Re: Russian hackers (Score:2)
Re: (Score:3)
This is spot on. I continue to be amazed, baffled, and terrified that critical infrastructure hasn't been disconnected from the public internet. Damn, we're dumb.
Firstly, the alternative is typically long range unencrypted radio links which are probably actually worse for security.
Secondly, there is a choice that has been made in most of the world, to run things with private industry rather than nationalized concerns. Private industry means that almost always the overriding concern is and has to be maximizing profit because if they don't do that then someone else comes in and makes a lower offer for providing whatever service and that puts the company out of busines
Re: Russian hackers (Score:4, Interesting)
How do you think dam control worked before the internet, numbnuts? Clue: men in control room, telephones.
Re: (Score:2, Informative)
Sort of. Originally people walked to and opened and closed sluices actually directly on dams and that is still done in some places where detailed control is not needed today. This is a hydro dam and so one of the main uses is grid balancing, which means you want reaction in seconds not minutes or days. Direct remote control is probably actually needed, at least for some of the most important gates.
Re: (Score:3)
How long do you think a phone call takes?
Re: (Score:2)
The Cruachan Hydro power system can go from zero to full output (440 megaWatts!!) in less than 30 seconds. Typical phone time reaction would probably delay the first delivery of power by two orders of magnitude.
Re: (Score:2)
Really? How many orders of magnitude? You think a phone call would take 300 seconds - 5 mins - to request it happen? Or maybe even 3000 seconds? Do you think grid balancing wasn't a thing pre-2000 sonny?
Re: (Score:2)
Really? How many orders of magnitude? You think a phone call would take 300 seconds - 5 mins - to request it happen? Or maybe even 3000 seconds? Do you think grid balancing wasn't a thing pre-2000 sonny?
I think that the gates start moving within milliseconds and that since it's a pre-filled system the power likely starts to be delivered within about 2 seconds. In that time the central computer will have already checked multiple other alternatives and determined not only that the Hydro system is the best but also that other systems are going to be stable in the meantime. On the Hydro power end the computer will have consulted a table for the appropriate position required for a given output and then
Yes, if t
Re: (Score:2)
"I think that the gates"
" I believe that"
These are not valid arguments. It basically means you're plucking stuff out your arse to suit your argument.
"Prior to 2000 there were many fewer inverter based systems delivering power to the grid"
If you need to load balance with these it's the wind and solar you modulate, not the large scale infrastructure.
If you think you can just start and stop a multi gigawatt hydro station in seconds as and when then there's a bridge for sale over the river downstream with your n
Re: (Score:2)
"I think that the gates"
" I believe that"
These are not valid arguments. It basically means you're plucking stuff out your arse to suit your argument.
As opposed to your arguments such as "you think" "how long do you think" and "how do you think".
I'm not going to put in the effort to actually check the specifics of a statistical sample of different hydro plants and their detailed startup profiles for someone who starts with speculation and then is rude and now, finally shows his true colours by attacking exactly what he did himself.
If you think you can just start and stop a multi gigawatt hydro station in seconds as and when then there's a bridge for sale over the river downstream with your name on.
In my previous comment I literally named a specific 440MW plant that can go from zero to 100% power in 30 seconds. This is di
Re: (Score:2)
"I'm not going to put in the effort to actually check the specifics of a statistical sample of different hydro plants"
Well why would you? Much easier to BS, right?
"In my previous comment I literally named a specific 440MW plant that can go from zero to 100% power in 30 seconds"
Yeah, I know. Funny how you went from:
"the power likely starts to be delivered within about 2 seconds"
to 30 seconds. Realised you were talking out your arse sonny and hoped I wouldn't notice? Also it was built in 1965, how do you thin
Re: (Score:2)
Four year old reading comprehension too.
"the power likely starts to be delivered within about 2 seconds"
to 30 seconds
Except I didn't. I went from "starts to be delivered within about 2 seconds" to "is 100% delivered after 30 seconds". Now, I can see how it might be difficult for someone with no engineering background, an inability to read beyond primary school age and the arrogance of a total prick to see how those statements could be compatible, however they actually are.
"If you think the amount of rotating mass - sorry "moment of inertia" -
If you think that "rotating mass" is a substitute for "rotational inertia" or even "moment of inertia" then I ho
Re: (Score:3)
Having someone on site wouldn't necessarily make security any better. They would have to be communicated with somehow, to control the dam. Voices can be faked over the phone, sending a runner takes too long for remote areas. Whatever authentication you use with those two methods is going to have similar vulnerabilities to a VPN, probably worse.
They need good IT staff with the budget required to build a secure system.
Re: Russian hackers (Score:2)
Re: Russian hackers (Score:2)
Voices can be faked, although getting enough of a recording of night duty manager Sven's voice to train an AI might be a challenge, but one-time pads are generally foolproof and if the hackers have got them then your organisation is hosed anyway.
Re: (Score:3)
Regardless of who did it, there's a bigger question here: Why do they, or anybody for that matter, have critical infrastructure connected to the internet?
People are stupid and want convenient and cheap. Infrastructure operators are no different. The only thing that can change this is regulation and real penalties.
Re: (Score:3)
The only thing that can change this is regulation and real penalties.
And only then when backed and enforced by people who understand the situation and care to ensure that security actually happens.
Re: (Score:3)
You know what happens to an auditor involved in enforcing regulation when they do not do their job repeatedly? They need to find a different job. For most, that will be pretty hard and they know it.
Re: (Score:2)
Seeing as it was pissing water out at high speed for 4 hours before anyone noticed, and didn't really do any harm, I'd say it's a lot less "critical" than the name might suggest.
That said, it also feels like something incredibly easy to keep the hackers out of. A halfway decent firewall, VPN and password policy ought to do 99% of this. Some internal segregation and maybe a system of approvals would do the rest.
Re: (Score:2)
It probably did do 99% of it, and this was the 1%...?
Re: (Score:2)
People nearly everywhere have utterly rejected airgapping. Yes including dam and nuclear power station controls.
Re: (Score:2)
Siri: "Evening floodgate now set to maximum flow rate."
Operator: "No! Hey, SIRI: set the floodgate to STANDARD evening settings."
Siri: "Evening floodgate is already at maximum flow rate."
Operator: "Hey SIRI: CLOSE THE FLOODGATES."
Siri: "I'm having trouble connecting to the floodgates. You can try again if you ask from your iPhone."
Re: (Score:2)
Re: (Score:2)
I would mod this up if I could.
Why is it connected to the internet (Score:3, Insightful)
Re: (Score:3)
Came to post this.
Disconnect that shit. Too bad for people who want to work from home and control the dam.
If you want to enable remote monitoring of the dam, maybe ok. Those systems should have no way to control the dam. Monitoring is a completely different function that should be entirely disentangled from any control functionality.
Re: (Score:2)
Except it usually isn't, because the monitoring data is often used by the control systems to close the loop and ensure everything is operating properly. And you often pull the monitored data from the same server that does the closed loop feedback just because.
That said, it's connec
Watch Dogs warned us (Score:2)
The Watch Dogs game series was right. Everything will be connected to the internet. Nothing good came of it in the game and nothing will in real life. The only thing we can do is to hack the bad guy's pacemaker and kill him.
Kindergarten Foolishness (Score:1)
Please.
"Spy Chief says".
Anyone with two neurons to fire together knows whatever comes next is unreliable.
"Russian Hackers" ... "pro-Russian hackers".
Oh, JHFC, I wonder if Norway has any position on the peace-talk summit occurring today in Alaska.
These demons just want nonstop death, destruction, and MIC profits.
Stop giving them undue attention.
Re: (Score:2)
Re: (Score:2)
These days, they reward the astroturfers by promising not to draft them in the next round of mobilization.
Re: (Score:2)
"Seized Control–" (Score:2)
and went joy riding down by the Quickie Mart
Tit-for-tat-for-tot...? (Score:2)
Trump's Wacky Friend, at it Again! (Score:2)