Regardless of the reason, deliberate targeting, accidental "drive by DDoS" or bad configuration, the question that remains is "Why is the heating dependent on being online?"
It is completely reasonable if the heat system every so often "phones home", to report on usage, but it shouldn't actually stop working if the network connection isn't available.
You can blame DDoS, hackers, network outages, the Russians, I don't care, it doesn't cover up the fact that your system has a stupid design.
> the question that remains is "Why is the heating dependent on being online?"
1) So they can bill you.
2) Bad design
Billing is almost always the reason if the design is sane. And it's always a PITA.
Bad design is self-explanatory. Most programmers think in terms of features rather than function.
I have this discussion every day with people creating battery operated IoT devices.
Me: "What is your most important function?"
Them: "Well, we need to do <feature X>"
Me: "<sighing> No. Your most important function is to protect your battery. If the device is dead, nothing else matters. Nobody should be able to make you drain your battery without your permission. After that consideration, you can do something useful."
Perhaps the difference is between "Russia the state" and "citizens of Russia"? Especially when they're almost neighbors, when you live near the border, I don't see why you'd fear any random Russian citizen just because they live in Russia.
I'd be quite interested in their perspective on world politics. My impression is that Russia has a lot of propaganda and filtering of the media, and I assume it has a different character from the propaganda and filtering of the media in western countries (... where it happens just as well, but in a more decentralized, money-oriented fashion).
Just as illustration: after November 8 a lot of Russians were celebrating - just because of hope that relations with US will be warmer. Really, people don't want cold war or any other war.
100%. Russia is multi-national country and we have some nations inside country that we don't like (sorry, but it's true), so I can say we like Finns even more than some Russians :) They have awesome vodka (much, much better than any Russian vodka), they are smart and friendly, not arrogant - awesome people. I highly doubt any Russian leader, even Putler, will try to offend them.
Bullshit. Do not read Soviet newspapers until dinner. It's not "just me". Looks like you get your information from news portals which nobody reads in Russia because they are owned by government.
They are violating somebody's airspace every week, nobody cares. It's just political games of the current moment, it's not whole nation's decisions. Or you think we call referendum before each airspace trespassing?
I guess when Russia tried to invade them back in 1939 there was no referendum and it wasn't a whole nation's decision either. Heck, you could even deem the Russian people friendly towards the Finns (they were trying to free their Finnish comrades from the capitalist yoke!). I don't think it made the Finns any happier though.
What I CAN see is the glee on the Russian discussion boards whenever an incident like that is mentioned in the news. It's either that or outright denial blaming the Finns (British, Estonians, etc.) for making these claims up out of "russophobia".
You will not believe, but yes! Putin is fan of Stalin and they both use internal and external propaganda. And it may sound wild or ridiculous for you, but there is official agency where people get salary for writing comments on forums, youtube, facebook and other well-known public services. There was even article about it in some western newspaper. And reaction of people: 2 guys threw molotov cocktails to the window of that agency - that's our real relation to Putin.
Night clubs of St. Petersburg are full of Finnish people, who drink even more than locals. Apparently, the mistrust is limited to subjects other than alcohol.
They frequently bring up how they beat the Germans and the Russians in WW2. And how Finnish vodka is the best. And how it sucks that the world's most popular sauna heater is made in Sweden, because Finnish sauna heaters are superior.
Well, it doesn't prove that Russians don't like Finns, maybe just Finns don't like Russians. Sad to hear, but, looks like our government's propaganda works. And Finnish vodka is really the best ;)
I have many Russian friends and they're intelligent and nice people in general. The info war and traumas from the winter war still exist though and we really don't like Russia as a country, except the neo-nazis who think Putin's actions against minorities should be supported and many of them think that Russia should conquer Finland so we wouldn't have such a liberal government.
Of course after Trump, the general feeling about US is pretty close what we think about Russia...
Russian hackers are a meme right now because of their meddling in the US Election. They hacked the Clinton campaign's email system. There's also the recent spate of DDOS attacks traced to Russia, iirc.
Agree. Some say Russia is the only neighbouring country Norway hasn't been at war with, although I cannot think of a time when we ever fought against the Finnish either.
That said, no reason not to be careful after what has happened in Ukraine etc we should of course be careful: Russia can wipe out half of Norway just by turning around while they sleep.
Frankly I think that oversimplifies what happened in Ukraine.
The civil war may or may not have been part of the plan, but the primary Russian goal was to secure their supply route to the Black Sea naval port.
A port that Ukraine had been happily leasing to the Russians since the dismantling of the USSR.
There is no such reason for Russia to enter Norway. They already have Murmansk as a naval port, and they export way more oil and natural gas than Norway.
> Everybody can be smart after the case :) I'm sure now they'll design something more safe.
Yes, but this is the kind of basic issue that everyone designing any sort of networked system should be aware of. The network is not reliable, and if you assume it is you're just setting yourself up for failure.
Not sure why this is controversial. Boilers have an on/off switch, and when your company manages a large number of buildings, you automate and centralize on/off for efficiency's sake, no?
That's fair enough, but in this case the heating system is directly attached to the internet. The correct way of designing something like this is having the heating system as one system and the management system as another.
The management system can then receive information and MAYBE control some aspects of the heating system. If you remove or crash the management system, the heating system just reverts back to being a "dumb" heating system.
My question is: Why in the name of all that is holy does the heating system stop working just because the remote management interface decides to reboot?
This has to be designed by the same idiots that believe that an in-car infotainment system should be hooked up to the drive computer in a Jeep.
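Added example, not part of the thread and not any vendor's code: a sketch of the split described in the comment above, where remote management is advisory and the heating loop reverts to a local thermostat when commands stop arriving. The class name, setpoints, timeout and accepted range are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# All constants are illustrative assumptions, not values from any real product.
LOCAL_SETPOINT_C = 20.0          # default stored on the device itself
REMOTE_MAX_AGE_S = 900.0         # remote commands expire after 15 minutes
SETPOINT_RANGE_C = (5.0, 25.0)   # remote may tune the heat, never disable it
HYSTERESIS_C = 0.5               # avoids rapid burner cycling


@dataclass
class RemoteCommand:
    setpoint_c: float
    received_at: float


class HeatingController:
    """Control loop that never blocks on, or depends on, the network."""

    def __init__(self) -> None:
        self.remote: Optional[RemoteCommand] = None
        self.burner_on = False

    def accept_remote(self, setpoint_c: float, now: float) -> bool:
        """Called by the (separate) management interface; validates input."""
        low, high = SETPOINT_RANGE_C
        if not (low <= setpoint_c <= high):
            return False  # out-of-range command is dropped, state unchanged
        self.remote = RemoteCommand(setpoint_c, now)
        return True

    def effective_setpoint(self, now: float) -> Tuple[float, str]:
        """Use the remote setpoint only while it is fresh, else go local."""
        if self.remote and now - self.remote.received_at <= REMOTE_MAX_AGE_S:
            return self.remote.setpoint_c, "remote"
        return LOCAL_SETPOINT_C, "local"

    def step(self, room_temp_c: float, now: float) -> bool:
        """One control tick: plain thermostat logic with hysteresis."""
        setpoint, _source = self.effective_setpoint(now)
        if room_temp_c < setpoint - HYSTERESIS_C:
            self.burner_on = True
        elif room_temp_c > setpoint + HYSTERESIS_C:
            self.burner_on = False
        return self.burner_on


if __name__ == "__main__":
    ctl = HeatingController()
    ctl.accept_remote(17.0, now=10.0)        # management lowers the setpoint
    print(ctl.step(18.0, now=100.0))         # remote still fresh
    print(ctl.step(18.0, now=2000.0))        # management silent: local mode
```

If the management side crashes, reboots or is flooded, `step` keeps running on the last valid or local setpoint, which is the "dumb heating system" fallback the comment asks for.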
There are other methods to prevent such occurrences: furnaces have "flame out of bounds" sensors and/or chimney flow sensors: this is very good at preventing the furnace from starting a fire of its own.
If there's already a fire present, whether furnace decides to stop operating or not is usually irrelevant (you can get a gas leak from a damaged furnace even if it's off). I do not see why _remote_ control should be able to prevent a fire from starting: whatever is remotely controlling this furnace doesn't have more data than the furnace itself.
So, circumvent your furnace control logic to burn at max rate when it receives no commands from its remote controller, then go somewhere for a week. Engineers are stupid people, you know.
My family has a furnace for heating water and the house. The furnace has a control unit that controls the burner and pumps. There is also a "manual operation" switch, to be used if the control unit fails, that simply switches everything on: pumps and the burner. The burner has a thermostatic control (that is set to a very high temperature and is essentially used to prevent it from boiling the water).
So, in this case, "burn at max rate" _is_ the safe setting to be used when the controller dies. The only unsafe situation that it will cause is that the hot utility water will be scaldingly hot, but there will be no increased danger of fire nor of CO poisoning.
That sounds like either clueless reporting or an attempt at blame shifting.
The heating system of a building is not a typical DDoS target, and it's improbable that somebody living outside of that building had a take against the inhabitants, knew of the right IP(s) for that building, and the effect a DDoS would have.
It's more plausible that the control system was designed so badly that exposing it to the Internet (and the accompanying background noise from port scanners, be it botnets, spammers or IoT malware) caused it to break down.
Then, the operators saw the effect of the misconfiguration and proclaimed it was a DDoS, because you don't get fired for breaking down under a DDoS, as opposed to having miserable IT security in place. This is similar to getting hacked by "the Russians" (or other state-level evildoers) where it is widely accepted that you just can't prevent such incidents.
It is bad reporting. The systems in question were used as a part of launching a DDoS attack, they were not the target of the attack. The high load then caused the systems to crash repeatedly.
Officials reported (sorry, no link) that they had "heavy reasons" to think that the attack was
1) done by actual criminals
2) pointed elsewhere, and the heating system was just one of the many systems used to initiate the attack.
They weren't more specific as to who attacked and who was the actual intended victim, but they were pretty sure the heating systems going down was just collateral.
The service provider says it was a DDOS but the device manufacturer says it was probably an aftershock of the Mirai botnet that uses IoT to launch attacks.
Sounds like exactly the sort of thing I'd have done in my youth (if I had had the skills) if I would've discovered lax security in my own building's systems and it pissed me off.
IOT companies don't tend to have bug bounties et al, and shutting off the heat to some buildings seems like a mostly harmless way to get some publicity for the issue.
Could very well be a prank by teenagers who spot a hole in a nearby building's systems. Not necessary to assume reporter has it wrong unless you have a contradictory source.
In my experience, embedded systems tend to behave poorly when faced with large amounts of traffic (normal traffic to these systems is tiny). I have once been locked out of work due to an errant workstation flooding the network with broadcast DHCP packets, which overloaded the embedded system which validates the key cards and unlocks the door (later permanently solved by moving the embedded system to its own firewalled VLAN).
As an aside: lovely Netscape favicon on that site.
One thing is sure: we won't ever make 100% secure networks. For now, ransomware are few and only on a big scale, but they could indeed become a big problem with IoT. I'm not exactly sure why we need to connect those devices to the internet: sounds like a local network should be enough. And if we want to send usage data to some kind of aggregation service, devices still can issue POST requests to our connected desktop, or be bluetooth connected to our mobiles.
[1] for those who didn't watch it, the battlestar galactica is one of the only human spaceships not destroyed by robots, thanks to the fact its captain always refused to connect the ship on the network
If we had large amount of devices like heaters and boilers attached to remote control system it would be probably possible to cause major problems to the electrical network by just turning the devices on and off in synchronised fashion.
And actually this is not so far fetched, since there are already discussions about making these devices smart and remotely controllable so that the utility company could balance the electricity need.
I wouldn't call it "this exact topic", since the primary attack vector in the story are smart meters, but still can second your recommendation. The book is highly based on a study funded by the German government[0], analyzing the outcome of a great scale blackout. The study is also worth reading, unfortunately only a German version is available.