# How 30 Lines of Code Blew Up a 27-Ton Generator



## joe-nwt (Mar 28, 2019)

Fascinating reading about the concept of a cyber attack, but my wife could have written a more factual article about how generators work...

It's also loaded with enough inaccuracies that it makes one wonder if they wrote it like that on purpose?


----------



## HertzHound (Jan 22, 2019)

Nice article, but the picture reminds me of why I don’t want to move to Idaho. 

Isn’t that how they blew up Iran’s Uranium enrichment facility? They got into their VFDs or something?


----------



## micromind (Aug 11, 2007)

HertzHound said:


> Nice article, but the picture reminds me of why I don’t want to move to Idaho.
> 
> Isn’t that how they blew up Iran’s Uranium enrichment facility? They got into their VFDs or something?


Stuxnet virus... incredibly clever. And it worked!


----------



## just the cowboy (Sep 4, 2013)

I'm taking cybersecurity classes now.


----------



## Wardenclyffe (Jan 11, 2019)

That is, until the researchers found a handful of malicious files on one of the systems and discovered the world's first digital weapon.

An Unprecedented Look at Stuxnet, the World's First Digital Weapon
In an excerpt from her new book, "Countdown to Zero Day," WIRED's Kim Zetter describes the dark path the world's first digital weapon took to reach its target in Iran.
www.wired.com


----------



## Wirenuting (Sep 12, 2010)

just the cowboy said:


> I'm taking cybersecurity classes now.


Rule number 1
If it's connected to the web or a phone line, there is no security. 

The best way to protect your system is to make every attempt to break it. Then you begin to see the flaws.


----------



## just the cowboy (Sep 4, 2013)

Wirenuting said:


> Rule number 1
> If it's connected to the web or a phone line, there is no security.
> 
> The best way to protect your system is to make every attempt to break it. Then you begin to see the flaws.


Yep, I've installed an air gap in our system. Operators are not happy about no longer being able to call in to do something. A data diode is the next step.


----------



## paulengr (Oct 8, 2017)

Wirenuting said:


> Rule number 1
> If it's connected to the web or a phone line, there is no security.
> 
> The best way to protect your system is to make every attempt to break it. Then you begin to see the flaws.


One of the best ways if you MUST do this is install two firewalls. The outer firewall goes between the office (IT department) and the DMZ. Only Microsoft/Apple/internet ports and protocols are allowed through. All “control system” protocols are blocked.

Next layer is the DMZ. Technician laptops, data collectors (databases), HMIs sit here. This is the “PC server” side of the control system.

Now another firewall. Only control system ports and protocols allowed. No Microsoft protocols of any kind. No login/authentication servers, no DNS, nothing. The devices in this layer should be minimal. Most of their purpose is interfacing such as collecting control system data to serve to a business database in the office layer or allowing techs and engineers to “remote in” to troubleshoot PLCs.

If you want to send email or SMS for instance from the control system it must signal this somehow to a DMZ server that in turn actually talks to the mail server or phone server in the office layer since the email or SMS is blocked at the control system firewall.

If you insist on DNS or Windows authentication in the control system (generally a bad idea as it is a single point of failure) it needs to be on the control system side. It will be isolated via the firewall from ALL outside communication. Recommend not allowing IT to maintain it. Windows better be the IoT version (no licensing traffic). You could put it in the DMZ; remember, whatever protocol or port is allowed on the control side must be blocked on the office side. No exceptions or you have no security.

Bottom layer is your control system. Physically isolated. If you have laptops for techs for this layer recommend NO OFFICE logins under any circumstance. No WiFi dongles. No phones. If you need something, transfer via thumb drive, but with Windows those things are toxic, too. Microsoft will just willy-nilly run anything unchecked on a USB port. That’s how Stuxnet spread. Recommend running Windows on a VM on those laptops with a different host OS and, although this may get ignored, copy files to a shared folder on the host OS from the USB then access it from Windows.

So you CAN call in from the internet and access the control system but you’d have to VPN to the office layer, remote in to a server in the DMZ, then you can see the control system from the server in the DMZ. The principle here is there are no direct paths anywhere through the system. So malicious software can easily penetrate one layer but would have to switch protocols to penetrate into the next layer. An infected USB would have to have Linux code on it to load it (if this is possible) then a Windows virus payload to infect the VM.

I have heard of blocking ports (USB and Ethernet) but in my mind this is first impossible to enforce and second just asking for trouble. Most of the time simply plugging in a cheap Ethernet switch on an allowed port or a hub in an allowed USB bypasses this. So it just becomes an administrative nightmare.

There are still no guarantees but this system works transparently, and does not get in anyone’s way.
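The layout paulengr describes boils down to three checkable rules: nothing connects office and control directly, a service allowed on one firewall is blocked on the other (so an intruder has to switch protocols at the DMZ), and IT/Microsoft protocols never cross the inner firewall. The following is an added example, not the poster's own tooling or any real firewall's config format; it models a rule set as (source zone, destination zone, service) triples with constructed service labels and audits it against those three rules.

```python
from collections import namedtuple

# Hypothetical policy model, not any real firewall's config format.
Rule = namedtuple("Rule", "src dst service")  # zones: office, dmz, control

# Services the post says must never cross the inner (control) firewall:
# Windows/IT protocols, DNS, authentication, mail. Labels only, no port numbers.
IT_ONLY = {"smb", "rdp", "dns", "kerberos", "ldap", "smtp", "https"}
ZONES = {"office", "dmz", "control"}

def check_policy(rules):
    """Return violations of the two-firewall layout described in the post:
    1. nothing connects office and control directly;
    2. no service is allowed on both firewalls (a path must switch protocols);
    3. IT/Microsoft-style services never cross the control firewall."""
    outer, inner, problems = set(), set(), []
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            problems.append(f"unknown zone in {r}")
            continue
        pair = {r.src, r.dst}
        if pair == {"office", "control"}:
            problems.append(f"direct office/control path: {r}")
        elif pair == {"office", "dmz"}:
            outer.add(r.service)
        elif pair == {"dmz", "control"}:
            inner.add(r.service)
            if r.service in IT_ONLY:
                problems.append(f"IT service crosses control firewall: {r}")
    for svc in sorted(outer & inner):
        problems.append(f"{svc} allowed on both firewalls: end-to-end path exists")
    return problems

# Constructed rule sets. GOOD follows the post: office reaches DMZ servers with
# IT protocols only; DMZ reaches PLCs with control protocols only; the DMZ
# mail relay reaches the office mail server, never the control layer.
GOOD = [
    Rule("office", "dmz", "https"), Rule("office", "dmz", "rdp"),
    Rule("dmz", "office", "smtp"),
    Rule("dmz", "control", "modbus"), Rule("dmz", "control", "ethernet-ip"),
]
# BAD adds SMB and RDP into the control layer and a direct office->control hole.
BAD = GOOD + [
    Rule("dmz", "control", "smb"), Rule("dmz", "control", "rdp"),
    Rule("office", "control", "modbus"),
]

if __name__ == "__main__":
    print("GOOD:", check_policy(GOOD) or "no violations")
    print("BAD:", *check_policy(BAD), sep="\n  ")
```

The RDP finding is the interesting one: each rule looks reasonable on its own, but together they give a single protocol an unbroken path from the office desk to the PLC.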


----------



## just the cowboy (Sep 4, 2013)

@paulengr spot on.


----------



## micromind (Aug 11, 2007)

Every generator that would parallel the grid that I've done the controls for always had a simple synch-check relay, also known as a #25.

This is a stand-alone device that has 3 settings, voltage, frequency and time. It is not connected to any outside source, all it does is close a relay contact if the voltage difference between the gen and grid is within tolerances as well as the phase angles and stays that way for a specific amount of time. 

It does not control the voltage or speed of the gen, it just sees whether or not it's ok to close the breaker. 

With this simple relay installed and set correctly, it's not possible to wreck the gen nor is it possible to change the settings from an outside source. 

This relay will work with the tiniest of gens to huge ones.
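To make the permissive logic micromind describes concrete, here is an added simulation (not the poster's code, and not any vendor's relay firmware) of a stand-alone sync-check relay: it compares generator and grid voltage, frequency and phase angle against settings, requires all three to stay inside the window for a dwell time, and only then allows a close. The 480 V scenario, the settings and the sample values are constructed for the example.

```python
from collections import namedtuple

# Relay settings: volt difference (V), frequency slip (Hz), phase angle (deg),
# and how long (s) all three must stay inside the window before a close is allowed.
SyncSettings = namedtuple("SyncSettings", "max_volt_diff max_freq_slip max_angle_diff dwell_time")
# One measurement: time (s), gen/grid voltage (V), gen/grid frequency (Hz), angle (deg).
Sample = namedtuple("Sample", "t v_gen v_grid f_gen f_grid angle_diff")

class SyncCheckRelay:
    """Stand-alone permissive, as the post describes the #25: it never drives
    voltage or speed, it only says whether closing the breaker is allowed."""
    def __init__(self, settings):
        self.s = settings
        self.in_window_since = None

    def in_window(self, x):
        s = self.s
        return (abs(x.v_gen - x.v_grid) <= s.max_volt_diff
                and abs(x.f_gen - x.f_grid) <= s.max_freq_slip
                and abs(x.angle_diff) <= s.max_angle_diff)

    def permissive(self, x):
        if not self.in_window(x):
            self.in_window_since = None   # any excursion restarts the dwell timer
            return False
        if self.in_window_since is None:
            self.in_window_since = x.t
        return x.t - self.in_window_since >= self.s.dwell_time

def run(settings, samples):
    relay = SyncCheckRelay(settings)
    return [relay.permissive(x) for x in samples]

# Constructed 480 V / 60 Hz scenario sampled every 0.5 s: a close ordered 40 degrees
# out of phase (t=0) is refused; the permissive appears only after 2 s in window
# (t=2.5); a 0.3 Hz slip at t=3.0 drops it and restarts the dwell timer.
SETTINGS = SyncSettings(max_volt_diff=10, max_freq_slip=0.1, max_angle_diff=10, dwell_time=2.0)
SAMPLES = [Sample(0.0, 478, 480, 60.0, 60.0, 40), Sample(0.5, 478, 480, 60.0, 60.0, 5),
           Sample(1.0, 479, 480, 60.0, 60.0, 4), Sample(1.5, 479, 480, 60.0, 60.0, 3),
           Sample(2.0, 480, 480, 60.0, 60.0, 2), Sample(2.5, 480, 480, 60.0, 60.0, 1),
           Sample(3.0, 480, 480, 60.3, 60.0, 1), Sample(3.5, 480, 480, 60.0, 60.0, 1)]

def demo():
    return run(SETTINGS, SAMPLES)  # [F, F, F, F, F, True, F, F]
```

Because the relay has no network input, a compromised controller ordering a close at t=0 gets nothing from it; the only way to change its behaviour is to change the settings at the device.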


----------



## joe-nwt (Mar 28, 2019)

For any of the gensets I've worked on the protective relay does not close the generator breaker. Besides the 25 relay micromind mentioned, one whack out of phase and a mechanical lock-out relay would have tripped requiring a manual reset. Most generators tripped at full load would hit overspeed, also tripping the lockout.

Far as I'm concerned, if things played out the way they said it did in the article, they have very poor design in their genset controls.


----------

