SCADA-less system 3

Status
Not open for further replies.

Mbrooke

Electrical
Nov 12, 2012
US
What would you think if someone was to seriously pitch a system (80,000MW) entirely without SCADA or remote control? Every protection relay, tap changer control and cap bank control independent without any type of communication- except perhaps a few dry contacts to trigger remote alarms for lockout, low SF6 and relay failure. Switching can only be done at the station.


60 years ago no communications was the norm with this being an incentive:


Obviously you need boots on the ground and things like phase angle regulators probably can't be used- but is this technologically feasible?
 
Know anything about how the dispatcher's swing set got its data? I know absolutely nothing about how things were going past 20 years. Hence my confusion and imagination running wild about how things may or may not have been lol.



I know about Stuxnet, but how does that translate into equipment being infected already from the manufacturer?


@FreddyNurk: IMHO that is the greatest and most realistic threat. People who feel like they have lost everything are not afraid of the consequences (they see them as an honor) and have the confidence knowledge brings to be successful in an attack. Which brings me to Metcalf. Metcalf was breached 3 times and no one has ever been caught. FBI is now saying it was an insider but will not elaborate further.
 
Hi Mbrooke;
The swing set responded to and controlled the system frequency.
As the load on the swing set increased, the dispatcher would call up more generating plants. Typically fixed output at around 80% to 90%.
The dispatcher would have information on the loading of the swing set and of the loading of the inter-ties with adjacent systems.
How was the information probably got his data over dedicated, leased "POTS" lines.
Plain Old Telephone system. Pre-dated touch tone.
Back in the 60s a microwave link was used to exchange load flow information between British Columbia and Washington state.

Bill
--------------------
"Why not the best?"
Jimmy Carter
 
Whilst there may well be less risk of receiving equipment that has already been deliberately infected or compromised right from the OEM, there is definitely the risk that equipment can come from the OEM with vulnerabilities. An example might be a network router or switch that implements a known compromised version of OpenSSL, and the production release may not have been patched as yet. So not necessarily malicious activity by the OEM, but equipment can definitely be supplied compromised.

In that case the extent of mitigation often depends on support from the OEM.

EDMS Australia
 
Stuxnet was delivered by dropping infected USB sticks in the parking lot of a Siemens manufacturing plant. Eventually one of these sticks was plugged into a computer on the Siemens network. Siemens was manufacturing PLCs to control very high speed and sensitive centrifuges that Iran was using in their nuclear program. Iran bought the controllers pre-infected. Neither Iran nor Siemens was aware of the infection until well after the results were achieved. I would not be surprised to learn that Siemens was a part of the plot, but the official narrative implies they were ignorant. That's the most basic way equipment at the manufacturing level is infected. Personally I believe that every single Qualcomm chip produced contains 'mal-ware' that the CIA made them install. How is it that we are so sure Huawei is spying on western companies (spoiler alert - they are)? It's because the western telcos have already been doing it for three decades on behalf of their respective states. This idea is not new.... The Brits were hacking into old copper comms since they existed. They hacked the American sub-sea cable during WWI - which is how they found out Hitler offered a special deal to Mexico if they attacked the US.
 
All the large corporations, I believe, work with the government by stick or carrot. With Siemens, I bet it would take nothing more than bringing up a defense contract to get cooperation. Was Stuxnet code ever found in equipment that didn't get sent to Iran?


EDIT

Yeah it did spread all over. Mostly in Asia and Asia Minor. I bet this was from Iran infecting its neighbors and not everything coming from Siemens being infected.
------------------------------------------------------------------------------------------
If you can't explain it to a six year old, you don't understand it yourself.
 
HH - I believe traces of Stuxnet were eventually found throughout internet-connected devices all over the world. I've only ever read about activation of the virus in the Iran nuke program. It was specifically made to infect a very specific type of PLC controller, so I doubt it would be able to do anything outside of that environment. I've also read a lot of stuff that says the US has software that makes Stuxnet look like a kindergartner wrote it, which is pretty scary/impressive.

The thing about Stuxnet that made it amazing was the compactness of the code. When it infected the specific PLC it was designed to manipulate it would first intercept all telemetry data from the centrifuge. For months the only thing the malware would do would be to record normal telemetry and report it back to the SCADA system exactly as it should. After some time the malware would start to make bad adjustments to the centrifuge controllers (usually resulting in catastrophic damage) but would send a copy of the normal telemetry to the SCADA system. The purpose of all of this was to discredit the scientists in the eyes of the Iranian government. It worked. The equipment failed, and when the scientists couldn't give a reasonable explanation they were executed.
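
An added example, not part of the original post or thread: one way a historian-side check could flag the record-and-replay behaviour described above, by looking for a multi-sample window of readings that recurs exactly. The function names, window size and sample series are assumptions constructed for illustration.

```python
"""Flag replayed telemetry: exact repeats of a multi-sample window."""


def find_replayed_windows(samples, window=8, min_distinct=4):
    """Return (first_start, repeat_start) pairs where a window of readings
    recurs exactly later in the series without overlapping the original.

    Noisy analog measurements almost never repeat sample-for-sample, so an
    exact recurrence suggests recorded data being played back. Windows with
    fewer than `min_distinct` values are skipped so that a flat-lined or
    coarsely quantised signal does not raise false alarms.
    """
    seen = {}   # window contents -> index where they were first observed
    hits = []
    for start in range(len(samples) - window + 1):
        key = tuple(samples[start:start + window])
        if len(set(key)) < min_distinct:
            continue
        first = seen.setdefault(key, start)
        if start - first >= window:
            hits.append((first, start))
    return hits


def constructed_live_series(n=60):
    """Constructed sample data: n distinct, noise-like readings near 100.0."""
    return [round(100.0 + ((i * 37) % 101) / 100.0, 2) for i in range(n)]


def constructed_replayed_series():
    """Constructed sample data: 60 live readings, then the first 20 again."""
    live = constructed_live_series()
    return live + live[:20]


if __name__ == "__main__":
    for first, repeat in find_replayed_windows(constructed_replayed_series()):
        print(f"readings at {repeat}..{repeat + 7} repeat those at {first}..{first + 7}")
```

The check only helps if it runs on data taken from a point the controller cannot rewrite, such as an independent sensor feed, since the post describes the copy being sent to the SCADA system itself.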
 