SecDef’s nightmare: Cyber-attack

What keeps Secretary Panetta up at night?

The unexpected attacks he knows the U.S. isn’t ready for, Panetta told House budgeteers on Wednesday — especially a major cyber-attack.

Panetta said one of his worst fears is that suddenly America would realize its electrical grid or its financial system had been attacked or damaged, and it might not be able to find out who was responsible.


He was careful to add that he also worries about traditional terror; weapons of mass destruction; North Korea and some other standards, but his choice to lead off with cyber-vulnerabilities was telling, especially since the two specific targets he mentioned do not now fall under his area of responsibility.

The Pentagon has spent the past few years playing political hot-potato with the other federal agencies over just who in the alphabet soup should be responsible for protecting against cyber-attacks. DoD and service-level witnesses have been pretty consistent: We are guarding our networks, our bases and our utility access, but we are not going to volunteer to take the lead in defending the power grid, the financial industry, the private sector, or any of that stuff.

Joint Chiefs Chairman Gen. Martin Dempsey has told lawmakers “we had better be talking about cyber,” because he knows what the U.S. is capable of — this always with a wink and a nod — and as such he would hate to be on the receiving end of anything like it. Uniformed officials love the secret handshake, “trust me” technique of assuring you that U.S. offensive cyber capabilities are top-drawer, though there are never any follow-up questions or other details. Secret squirrel stuff, after all.

Panetta’s warning comes just a day after Congress’ watchdog arm released its latest warning about the vulnerability of the U.S. electrical grid. The Government Accountability Office said Tuesday that the grid is not only vulnerable now, it could get even more vulnerable as more utilities adopt “smart grids,” highly automated, efficiency-minded upgrades. Beyond the not-my-jobism in Washington and a whole different alphabet soup of state and federal regulators, the nature of the grids themselves leaves many openings for attack, GAO said.

There’s no coordinated approach for monitoring whether the electrical industry is following its voluntary standards; smart grids are being built without security features; the industry is not sharing information about its vulnerabilities; and power companies don’t even have good data about attacks or vulnerabilities, GAO said.

Bottom line: No matter which federal agencies wind up responsible, the cyber-threat to power grids is not just a “Die Hard 4” fantasy, GAO concluded. Here’s how its report wound up:

The electricity industry is in the midst of a major transformation as a result of smart grid initiatives and this has led to significant investments by many entities, including utilities, private companies, and the federal government. While these initiatives hold the promise of significant benefits, including a more resilient electric grid, lower energy costs, and the ability to tap into alternative sources of power, the prevalence of cyber threats aimed at the nation’s critical infrastructure and the cyber vulnerabilities arising from the use of new technologies highlight the importance of securing smart grid systems. In particular, it will be important for federal regulators and other stakeholders to work closely with the private sector to address key cybersecurity challenges posed by the transition to smart grid technology. While no system can be made 100 percent secure, proven security strategies could help reduce risk to an acceptable level.

That’s if Washington and the private sector can get their act together before Panetta’s nightmare comes true.

Join the Conversation

True, most people think of the old approach to a sneak attack of conventional or nuclear strike where a nation like Russia and China could just cripple the US by a massive cyber attack crashing every US network.

Of course we in turn would launch a cyber attack also, regardless as to whether we were 100% sure that the people we suspected did it or not. We also would use limited military options based on national pride against an offender. I worry more about the smart college student(s) who wants to make a statement by shutting down the grid or hacking into the DoD, than China or others who have as much to lose as we do for getting caught/traced back to. There are a fair amount of crazies out there who really don’t care about anything or anybody but themselves!!!

(1)EA.

If some brilliant computer individuals tried to shut down our power grids, they would be put in jail so far back in that they would have to pump air to them.
Our intelligence abilities to find said individuals responsible for doing this are basically a guillotine hanging over a hacker’s head.

@AlanH: Fortunately very few have the capability to successfully hide themselves from a highly capable pursuer. Unfortunately, when they got the capability, they are literally untraceable. It’s not by chance that when a cyberattack happens on a government website, the only thing they can trace back is about the server used for the attack (i.e. the attack came from a compromised server in China). And if they end up being able to prove it, it won’t be from a log from the attack, it will have to be a more classical form of intel.

If you pay attention to the speech, they never accuse China, Israel or Russia, all they say is that they think it came from there but they are usually not in a position to throw accusations.
Of all the data breaches, excluding some individuals, how many of them have been resolved? Hint: near to zero.

The problem is to be 100% sure where it comes from. There are already cases of cyber-sabotage and attackers are untraceable, like trying to find the authors of Stuxnet. Unless being involved, nobody knows the answer to the ‘Who did Stuxnet’, the only thing we can do is to draw up a list, most probably based on statistics. Although there is no obligation to launch a unilateral attack on an attacker, it may just experience some incident.

I suspect USA to be able to destroy all the satellites (and the critical communications infrastructures relying upon them) in less time than to launch a nuclear warhead. Step 1 would be no longer to send furtive bombardier.

Cyberwar is a made up threat. It was invented by the same people who brought you total information dominance and network centric warfare and several other money making scams. And the same people in the Pentagon who were formerly into paranormal warfare and mind reading are into cyberwar now.

In the actual industries concerned cyberwar is a bit of a joke.

Cyberwar is everything except a made up threat. A cyberwar threat can be made up but it doesn’t mean that cyberwar is a made up threat.

>In the actual industries concerned cyberwar is a bit of a joke.
In the concerned industries, there is little to zero security. And according to experts, your laptop is more secure than many of those embedded systems because of the lack of security, and the lack of addressing. Stuxnet was deceptively simple in that regard.

BTW a gas pipeline in Russia already exploded because of a virus…

Extrapolating from laptops is just hilarious. But it’s noticeable that all the cyber-war advocates are technologically challenged.

Here’s a very simple question that usually sends these charlatans into a tailspin — “how do you do code injection when the code is in flash?”

Hello, why is controlling our Internet and/or network so hard? Who is controlling/owns it then? Then pay them to protect us, right? I don’t understand the problem when other countries do not have this problem of controlling their own. Remodel ours like the other countries or remain vulnerable.

And how do you think that Stuxnet got into those systems? Sure an attacker will not get into your pacemaker by hacking your PC, but now everything is wifi, easily upgradable and all this with little to zero security. Those systems usually need to be controlled by humans, what their sensors read has to be controlled by humans and part of the maintenance is very likely to be remote controlled for convenience. Most if not all of these systems have no security and as such, everybody compromising the computer connected to it can reprogram it or control it as he wants. Note that an attacker doesn’t necessarily need to reflash a system to make it crash, sending up the wrong parameter may be enough to make the system fail, and create a real catastrophe.

Those systems handle much more critical tasks than operating your dishwasher, and mishandling hundreds of kilowatts is guaranteed to yield more than a wire heating up… Once again, did you ever hear about how the payload of Stuxnet was working? (the concept is quite classical, the implementation is not)

And while you laugh at this cyberwar, I can guarantee you that you will be the first one crying for your mammy when for a reason that you don’t know, the Hellfire armed drone that you control has just made a U-turn in your direction. And the funny thing is that this one is very likely to be just a benign bug. Why do you think that Lockheed decided to put emphasis on hardening the F-35 systems against such attacks?

>why is controlling our Internet and/or network so hard?
I don’t have the definitive answer, but keep in mind that the internet is a public network. As such, someone taking control of one of the many backbone routers can literally send whatever he wants, looking like it comes from wherever he wants; a man in the middle attack has just been created. And now, the HTTP request for the website returns some strange code running a zero day exploit on the machine. If you think that there are only a few attacks to counter, you should take a look at a book like ‘Hacking Exposed’. I don’t say that it’s the best book out there, but for raising the awareness of all the possible attacks it does a good job I think.

Other countries do have the problem of controlling the internet. There are no magic solutions. What country are you talking about?

For example, did you look at how ridiculous it is to break into a car nowadays? Hackers gave it a try and everything they tried has been successful. Like unlocking a door with an SMS, taking control of the engine from the radio, and so on…

The problem is that you are simply extrapolating from your laptop. The fact is for many reasons these systems are much tougher targets to attack than simply making a physical assault and orders of magnitude more difficult than attacking a PC.

Cyberwar is actually a form of ludditism. It’s much like what you heard about the “amazing destructive power of electricity” 150 years ago. It’s a perfect scam for a nation where technical knowledge is poor and declining and convinced that some hidden nefarious forces are arrayed against it.

From a military point of view it’s very notable that not only are these “weapons” spectacularly ineffective — inconveniencing the Iranian nuclear effort for 2 months LOL — but they are difficult and complicated to make often requiring a lot of reverse engineering. If you have that expertise there are thousands of things that provide a much better payoff.

You just have to look at the scam artists who populate the field of cyberwar consulting to see where the push is coming from.

I agree with what you say for 1 case: the military infrastructures. But for civilian, you can cross your fingers, because many public infrastructures are vulnerable to cyberattack, and the effect can be widespread.

You seem to extrapolate on a specific scheme attack: a guy sitting behind his laptop, and from what I was saying. I did not argue about the order of magnitude between attacking a laptop and such critical embedded systems. The point was that there is currently more security inside a laptop than the embedded one, as soon as the attacker has got an entry point, there is no security to stop it, the system will execute whatever command is sent to it.

Where I agree with you is those (rumors?) of an eventual attack on power grid by Anonymous. SQLi and DDoS are very likely to be ineffective, but it doesn’t mean that the power grid is secure enough to resist a targeted cyberattack.

Again, experts don’t agree with you. Cyberattack, when compared to other forms of strike, is extremely cheap. Stuxnet destroyed centrifuges in a very intermittent way, that’s where the 2-month stall comes from. So literally they had to shut down everything and fix everything. Stopping such projects for 2 months is huge in terms of industrial process, that’s enough to kill many more companies than you think. You cannot imagine all the problems of having those centrifuges exploding. And add on top of this the cost to replace them, the loss of trust in the seller, etc, etc.

Problems coming from a failing power grid system do not come from scam artists. There was a computer failure behind the blackout that the USA had experienced. This is a real case, not an attempt to scare the crowd.
http://www.computerworld.com/s/article/87400/Soft

@Itfunk: You seem to extrapolate on a specific scheme attack: a guy sitting behind his laptop, and from what I was saying. I did not argue about the order of magnitude between attacking a laptop and such critical embedded systems. The point was that there is currently more security inside a laptop than the embedded one, as soon as the attacker has got an entry point, there is no security to stop it, the system will execute whatever command is sent to it.

Where I agree with you is those (rumors?) of an attack on power grid by activists, but it doesn’t necessarily mean that a power grid is secure enough to resist a targeted cyberattack.

Again, experts don’t agree with you. Cyberattack, when compared to other forms of strike, is extremely cheap. Stuxnet destroyed centrifuges in a very intermittent way, that’s where the 2-month stall comes from. So literally they had to shut down everything and fix everything. Stopping such projects for 2 months is huge in terms of industrial process, that’s enough to kill many more companies than you think. You cannot imagine all the problems of having those centrifuges exploding. And add on top of this the cost to replace them, the loss of trust in the seller, etc, etc.

Problems coming from a failing power grid system do not come from scam artists. There was a computer failure behind the blackout that the USA had experienced. This is a real case, not an attempt to scare the crowd.
http://www.computerworld.com/s/article/87400/Soft

How about fedex, UPS, usps, paper & pen. Kind of hard to hack a letter. Letters and packages were delivered long before t

(Thanks for having solved my posting issue)
>The problem is that you are simply extrapolating from your laptop. …
Nope, the problem is that informatics is huge and you seem to have forgotten it. My point is about the security concerning the embedded system itself. And it’s not because my cat cannot compromise a system that it makes it secure enough, and it’s not because activists (who clearly stated that they have no will to do so) cannot find an entry point that the entry point doesn’t exist.

Look at all the cyber attacks, like the one that Lockheed countered last year. Apparently some ISPs have been hacked, and the RSA authentication method has been compromised in one way or another (remember that RSA itself has been a victim of a cyber attack). Look at car security, where one can unlock a car door with an SMS. Blackhat tested car security and so far, everything they have tried has worked –like taking control of the engine by entering from the radio– because there is no security in place. All experts say that the security level in embedded systems is near to zero, it’s not my words, nor my imagination. They are looking at implementing trusted computing in embedded systems. Or take a look at how a computer failure contributed to the blackout of 2003, someone compromising the system would have got the same cascade effects.

The fact that only a few people have an interest in making those systems fail doesn’t make the system more reliable, nor more secure.

Now let’s clarify what I was saying by that there is more security inside a laptop than in an embedded system, here is how I see it; the point is that a computer is a machine that executes commands, and unless you program it to not execute anything, it will execute everything, and upload everything, regardless of what is sent to it, Siemens has incorporated signature checks since Stuxnet. Even System V has more security than most embedded systems, because there is some security in System V as ridiculously as some may be defeated; security doesn’t exist until programmers write lines of code about it. It’s as simple as that. Embedded systems are running from general purpose machines, not from a codesign, as such they are limited by the software more than the hardware; machines don’t think, they execute!

Now Stuxnet. Stuxnet is a success! Perhaps not as successful as expected, but it worked very well and at much lower cost than any other alternative. Stuxnet physically destroyed centrifuges, and they have exploded. This has very serious consequences that someone sitting in his armchair may not be capable of seeing; for instance gaseous uranium is extremely corrosive, that’s precisely why Teflon was invented. Having such a system failing this way is the end of the world for the workers. I guess that you have never set foot in an industrial plant involving real danger. I did and believe me, you have no idea how toxic most industrial processes are.

>You just have to look at the scam artists who populate the field of cyberwar consulting to see where the push is coming from.
The fact that security in embedded systems is very low came from experts. Where does your claim come from? I understand that you see the system as a whole, but mine are about the embedded system itself, not the fact that it has only a few entry points, which makes access to the system harder, but does not have any effect on the very low security measures implemented.

© 2014 Military Advantage
A Monster Company.