Never mind that much to my horror, the number of major organisations running systems on Windows XP or whatever dinosaur kit they have, is absolutely beyond belief.
It may seem shocking, but it is not a problem per se to have old kit.
Old hardware - no.
Old software - no.
Good heuristics and in most organisations, the policy defines it and forbids. But many large estates have exceptions.
Old (or even new) software that’s out of support and not being patched any more - yes.
Anything of unknown origin can be a serious risk. Slightly lower risk if normal software not being patched. Whether acceptable depends on the context and in reality also on budget.
As it happens, the potential for malicious use of grid-connected generation/storage was an issue I was already well aware of. I had already been in communication with the Commons Select Committee on Energy regarding threats from commercial inverters in December '23 (18 months earlier).
Within those communications I provided an illustration of a cascade event taking down a section of the GB Grid.
That example does not require any form of cyber attack. Just because a cascade event takes out a whole section of the distribution grid (as occurred in Spain) doesn't mean it should be investigated as if the reason was 'cyber'.
Don't bother trying to find those Select Committee documents from 2023, because they're not in the Parliamentary Library, for obvious reasons!
Yes, was this related to disconnection of some windfarms that took down a narrow stretch all the way to around London some years back?
I am not sure about what would have happened if the Spanish grid had not been helped to recover by Morocco and France. Have all the black-starts worked as expected?
Erm... It isn't possible for Spain or Portugal to have recovered without assistance from neighbouring countries.
The whole point of re-starting a grid in Europe is that you have to synchronise with others! You can't have two different 50Hz frequencies operating on the same grid.
What I mean is that a decision was taken early on, considering the agreed black-out recovery plans were national, each country would try to recover their grid as soon as possible.
But yes, reading the logs and maps, the HV lines from France to North Portugal were energised relatively early. A few regions were started before the largest in SW Spain where power from Morocco was used and only at a later stage merged with the European signal.
Surely Windows XP hardware cannot be the backbone of internet facing solutions.
I wish your optimism matched reality. Sadly I have seen plenty of examples of exactly that; perhaps not “backbone”, but certainly “key component”.
I would not say it cannot be running... In some cases, its being in use is an accepted risk. The trouble is when it is an unknown vulnerability!
You've completely missed the point.
Old, unpatched software - particularly stuff that's unpatched because it's no longer supported - is, by definition, a known vulnerability. @lucia's highly valid original point is that some major organisations continue to use this kit knowing it's vulnerable. This is not running risk mitigation; it's gambling. The vast majority of hacks these days are exploiting security holes that have been well known for some time (sometimes years) and for which patches have been made readily available.
It doesn't matter if an organisation has a large estate or small. It has certain responsibilities, and it's no defence to suggest a breach was just "because we didn't realise xyz was still running". If an organisation hasn't the resources to manage its infrastructure properly, it shouldn't be operating in that shape; either it should stump up better resources or scale back its infrastructure. This is not a game.
Yes, was this related to disconnection of some windfarms that took down a narrow stretch all the way to around London some years back?
No. I wrote them a story! 😀
I wanted to illustrate a Cascade Event occurring in a very simple scenario.
So I literally created an imaginary hamlet a few miles from a town in the West Country, and put in loads of graphics.
Real-world grid faults are too complex.
I needed MPs to understand just the one concept, without bringing in secondary factors.
Absolutely not missed it.
We do not know the full details behind what @lucia mentioned. On a high level, we can all agree that technology x or y should not be used. But as when assessing whether a component of a power grid needs to be replaced or not for reliability, whoever is accountable for operating it will do a risk assessment. That is the best practice. And if it was cheap to replace it, you would not hear about it.
From all I see, there are much bigger considerations that anyone heavily involved in proposing major changes to regulation of the main actors in the Spanish grid would have than that!
No organisation has unlimited resources, and the type of statements made here, "it would be embarrassing if x or y happens", are made every minute by vendors. They rarely go beyond mid-level managers.
Gambling is what happens when there is no asset management nor risk management functions.
Knowing and assessing IT vulnerabilities is one of the key cybersecurity capabilities. There are best practices to decide which route to follow as they are identified. And context is always key.
Love the thought of it! Simplification and sometimes metaphors...
In some industries like biology, bending their language was a great way to get them interested in how information moves from system to system. Talking about flows and the like, when it is bits and bytes, wires and compute and storage devices!
That Octopus/Lloyds announcement screams ETHICS at me.
Octopus have been doing well due to the ethical standards which Greg Jackson has tried to set, with pretty good success. That's not to say I agree with all that Octopus does, but I can sense good intentions behind it.
The banking world, on the other hand, has a low level of trust from the general public.
Many have not forgiven them for the 2008 global banking crisis, and that us taxpayers had to bail them out.
The financial sector isn't well regarded for its eco-credentials either. Investments into green-tech tend to be based on the profits they expect to rake in.
Of course, they might yet get their fingers burned by installing free ASHPs into properties over which they hold a mortgage.
Unless the energy survey is properly undertaken, and the installation work is correct, Lloyds customers could find themselves with problems when they later try to sell on.
I wonder what Lloyds would do if the Energy Surveys were actually done properly, but showed marked deviations from the declared EPCs which were provided when the mortgage was originally offered?
Or what happens if the owners commission a new EPC to be done when they try to sell, and their house receives a poor rating due to heating inefficiencies?
Yup, should have been better to say, what is made to look like an off-the-shelf solution.
No recommendation made. Given credit is involved, this is surely FSA regulated. Folks should consider the interest rate, etc. they provide, which is of course the elephant in this room.
Which says there is a need for a change of operating procedure. Relatedly (but less up to date), NESO issued a report on the differences between the Red Electrica system and the UK system. They highlighted that the UK requires more control available from all renewable generators in one particular voltage control (voltage fluctuations and increases were part of the failure event build-up in Spain).
I hope this is a real better understanding by National Grid and not just another example of British over-confident exceptionalism.
This post was modified 2 weeks ago 3 times by Judith