
Kathleen's Comments

August 6, 2010
To Worry or Not to Worry About Icky Worms
Taccolini comments continued:

3) The interface is based on ACTIVE-X and custom TCP/IP protocols on non-standard ports.

That is the I.T. nightmare for security: you cannot really protect against Active-X components. The non-standard TCP/IP protocols on one side force you to disable firewall ports; on the other side, most of the protocols those SCADAs use to exchange data between their stations or their servers and client viewers are a very simple text or value data stream inside the TCP/IP message, which makes network attacks very easy and also makes it easy to get unauthorized access to the data.

Those are just some examples, but there are more issues. The good news is that if the company decides to stay updated with the current technology, any of those issues would create a problem in a solution created using the latest technologies. For instance:

On item 1) The new systems can use C# and VB.NET as scripting languages that are compiled and embedded inside the application, making the work of that virus impossible and also solving the runtime robustness issues.

On item 2) The new systems save all the project files in a unified SQL-compatible database with encryption and access protection.

On item 3) The new systems use WCF (Windows Communication Foundation) and connection-oriented data transfers protected by built-in login validation on the protocol and standard firewall-friendly protocols.

The bottom line is the SCADA is not different from a car: the fact it was working well the past 10 or 15 years is not your security for the next five years; in fact, it is exactly the opposite! If it has been in place the past 10 to 15 years, it means the internal and kernel architecture it is using is from that age, not prepared for our new inter-connected environment, and if you want to "drive" safely the next five years you should think about evolving to the generation systems.
August 6, 2010
To Worry or Not to Worry About Icky Worms
Marcos Taccolini, the CEO of Tatsoft, sent me a note about the worm today. Here are his comments:

That is a perfect example of the hidden costs and potential problems when you keep installing on mission-critical applications, like SCADA systems, a piece of software that has an architecture created more than 10 years ago.

What enabled that VIRUS to attack those systems is that the Siemens system, as well as most of the solutions still on the marketplace, were created before the Microsoft .NET Framework era, using technologies like VBA, VBSCRIPT, Active-X and other technologies that are intrinsically "UNSAFE".

I am not criticizing any supplier here; my own previous product, created in the late '90s, is still using VBSCRIPT and unprotected TEXT files that are also very vulnerable to attacks. Only in my latest product generation, created from the principles in managed .NET code, was I able to completely prevent that kind of vulnerability.

The fact is, whatever the supplier, if the technology used in the product internals is the same as 10 years ago, a lot of potential problems can happen. I will list some of those problems, which not only Siemens but many others still have:

1) Scripting language is VBA or VBSCRIPT, which creates two issues:

1.1- It is interpreted, not compiled, so an external program, like that virus, can add malicious code.

1.2- Lots of errors are only found at RUNTIME, as in engineering the error-checking capabilities are very limited.

2) The project is composed of hundreds of files, many of them pure text files. That creates the following problems:

2.1. There is no encryption on the project configuration, allowing both malicious actions and access to the control logic.

2.2. It is not hard for a file to get mixed up with an out-of-date version, or, when moving, an application can accidentally "ADD" pieces from other applications.

3) The interface is based on ACTIVE-X and custom TCP/IP protocols on non-standard ports.
March 3, 2010
Smart Grid? Where? What? Huh?
I agree, Daniel, that there are kinks to work out here and there. The smart grid (including smart meters) is certainly not a polished, finished product. And, you can have a very smart meter and bad equipment reading and digesting the data (which is what the problem sounds like in the case of your farmhouse meter). The meters are only as smart as the technology reading it, unfortunately.

And, Dennis, the job of meter reader, unfortunately, has been disappearing for quite a while. Smart meters can allow utilities to read data from the comfort of control centers, but RF tech has allowed a smaller number of readers to gather data from the comfort of their trucks for years. I do like the concept of retraining them to deal with disgruntled customers. It's really not a bad idea. This amount of change is going to take some serious getting used to.
February 18, 2010
FirstEnergy Bargain Shops, But is it a Sweetheart Deal?
That's true. And, this does seem to be a deal with a lot of illusions all layered atop one another.
February 18, 2010
Exelon to "Arrogant Americans": No Gig for You
Bill, I urge you to read the Fox News piece. It was one of the funniest things I've ever read. Not only did they take the whole thing super seriously, they called employment lawyers to find out all the laws Exelon may be breaking with this notice. I don't really know what was funnier, how that slipped through into the ad or how seriously Fox News took it. Apparently, Fox News saw it as an affront to patriotism or something.
February 5, 2010
The Rise of the Smart City
Indeed, it does seem that Europe, India and China are the frontrunners in this arena. Let's be honest, though, India and China have the advantage of being largely government owned and operated. So, making large and sweeping changes is pretty darn easy. And India is coming from well behind the pack in this race. So, rather than having to fit together years of legacy piecemeal technology, they can change the format of their T&D industry in one swoop. In the U.S., we need to take a good look at the advancements in Europe (investments, incentives, how the countries are working together). That's going to be a mirror to what we need, how we can effectively tie together states and various legacy systems. But, you're right, it's obvious China and India are going to leap far ahead of us with the smart grid.
February 5, 2010
Ted to the Rescue: Turner, Southern to Let the Sun Shine In
I still think y'all are giving Teddy an awful lot of altruistic credit. The man is a brilliant businessman, but he's a shark. And very risk averse. (There was a delightful "New Yorker" article about this trend, mentioning him a few weeks ago.) He's crafty, and very good at not contributing out of his own pocket for business deals. It's how he bought his first TV station. It's how he bought the Braves. I just really think he has an angle he's playing close to the vest that will pan out in a similar format. I don't trust that this is really all about saving the world, or, in more Ted-form, keeping us from devolving into cannibals.
February 5, 2010
Dude, What's Your Major? The Smart Grid
That truly is delightful, Adrian. I'm going to forward that on to the academic gurus at Cincinnati State for their enjoyment.

Kathleen Davis

About: Kathleen Davis is senior editor with POWERGRID International magazine and Electric Light & Power magazine (online at www.power-grid.com). Additionally, she serv...