SCADA systems security issues

SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems after Stuxnet. Widely viewed as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at the Iran’s Natanz nuclear plant. If nasty malware can do that, other similar malware can do something else nasty as well.

Attacks against SCADA systems can have potentially very serious consequences. I think that we have been quite lucky that we have not seen any big disasters yet. Even though the attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there are many news on Dugu worm.

News around one month ago told that SCADA hack shut down a US water plant at 8 November 2011. This hacking attack at a US water plant has been credited to an unknown attacker (handle “pr0f” took credit) who according to hacker sources managed to access a SCADA controller and take over systems. Once again caused security experts to question the security of SCADA systems. Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System. “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file sharing Web site pastebin.com. On the other hand Federal officials said there’s no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery. What is the truth in this case it is hard to say.

What is known that many industrial systems are vulnerable. Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers according to Siemens industrial control systems are vulnerable to attack that can cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens’ SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to so-called replay attacks that can interfere with the normal operations. An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC operation. ISO-TSAP protocol is functioning to specifications; however, authentication is not performed nor are payloads encrypted or obfuscated.

White Paper On Industrial Automation Security In Fieldbus And Field Device Level is an interesting white paper (from Vacon, Nixu and F-secure) that focuses on presenting a generic overview about security in industrial automation. Security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies are presented. Challenges regarding data security in the field of industrial automation are discussed. The properties of industrial automation devices are described with a focus on security, tampering possibilities, and risk mitigation methods.

Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long the the networks that run those protocols are kept physically separate from public network you are quite safe. For the most part SCADA systems are not necessarily designed to be connected to the internet, but engineers can put in workarounds for remote access. Anytime you do this you put in a pathway where someone can get in. And there are often case where remote devices are accessed using those non-secure protocols though unsafe networks (public telephone network, cellular network, radio waves, even Internet).

There has been long time the belief that SCADA systems have the benefit of security through the use of specialized protocols and proprietary interfaces (security through obscurity), networks are physically secured and disconnected from the Internet. Today those beliefs all do not hold anymore. There are nowadays you can find many tools on Internet to work with standard SCADA protocols (for example Wireshark can be used to decode several commonly used SCADA protocols).

The move from proprietary technologies to more standardized and open solutions together with the increased number of connections between SCADA systems and office networks and the Internet has made them more vulnerable to attacks. Modern SCADA systems should be designed so that they can be withstand the situation they are accidentally connected to Internet (it will happen sooner or later). In addition to making SCADA system itself secure, you should separate it from Internet (no connection at all or very strictly configured series of firewalls). FACT CHECK: SCADA Systems Are Online Now article tells at nearly everything is connected now. Nearly all SCADA systems are online. The addition of a simple NAT device is far from bulletproof security access control.

Most of SCADA systems in use are are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run very old operating system version. Windows is very commonly used operating systems on SCADA applications, because only few SCADA-packages support other than Windows operational systems. It seems that there are many people who are not happy with the security stance being taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminated some of the risk (and maybe created new risks caused by fact that anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some of the risk. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable.

I wish no one had to worry about hackers in any application, but we do. Unfortunately, data security is never a non-issue.

FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story on Boeing 747 (For those who do not know, modern 747′s are big flying Unix hosts with lots of Ethernet). They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 – VLANs. The security researchers managed to break the VLANs and access other systems (including Engine management systems). The issue here is that all that separated the engine control systems and the open network was VLAN and NAT based filters.

256 Comments

  1. Tomi Engdahl says:

    SCADA security problems were again in today’s news:

    SCADA vuln imperils critical infrastructure, feds warn
    Secret accounts open control systems to attack
    http://www.theregister.co.uk/2011/12/14/scada_bugs_threaten_criticial_infrastructure/

    An electronic device used to control machinery in water plants and other industrial facilities contains serious weaknesses that allow attackers to take it over remotely, the US agency that safeguards the nation’s critical infrastructure has warned.

    Some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access, the Industrial Control System Cyber Emergency Response Team said in an advisory (PDF) issued on Tuesday.

    ICS-ALERT-11-346-01—SCHNEIDER ELECTRIC QUANTUM ETHERNET MODULE MULTIPLE VULNERABILITES
    http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf

    The default passwords are hard-coded into Ethernet cards the systems use to funnel commands into the devices, and temperatures and other data out of them. The Ethernet modules also allow administrators to remotely log into the machinery using protocols such as telnet, FTP, and something called the Windriver Debug port.

    According to a blog post published on Monday by independent security researcher Rubén Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals.
    http://reversemode.com/index.php?option=com_content&task=view&id=80&Itemid=1

    Hard-coded passwords are a common weakness built into many industrial control systems, including some S7 series of PLCs from Siemens.
    http://www.theregister.co.uk/2011/06/13/siemens_plc_update/

    “Hard-coded backdoor credentials that give you administrator rights to a system are pretty severe,”

    A rudimentary search on the server search engine known as Shodan revealed what appear to be working links to several of the vulnerable Schneider models.
    http://www.shodanhq.com/search?q=schneider

    Reply
  2. Tomi Engdahl says:

    It seems that Boeing has their security issues sorted out…

    With FAA’s blessing, Boeing’s next-gen 747 nears delivery
    http://news.cnet.com/8301-13772_3-57343200-52/with-faas-blessing-boeings-next-gen-747-nears-delivery/?part=rss&subj=latest-news&tag=title

    The company said the certification from the U.S. Federal Aviation Administration “validates that the design of the 747-8 Intercontinental is compliant with all aviation regulatory requirements and the production system can produce a safe and reliable airplane, conforming to the airplane’s design.”

    Reply
  3. tomi says:

    Exclusive: Iran hijacked US drone, says Iranian engineer
    http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer

    Iran guided the CIA’s “lost” stealth drone to an intact landing inside hostile territory by exploiting a navigational weakness long-known to the US military, according to an Iranian engineer now working on the captured drone’s systems inside Iran.

    Iranian electronic warfare specialists were able to cut off communications links of the American bat-wing RQ-170 Sentinel, says the engineer,

    Using knowledge gleaned from previous downed American drones and a technique proudly claimed by Iranian commanders in September, the Iranian specialists then reconfigured the drone’s GPS coordinates to make it land in Iran at what the drone thought was its actual home base in Afghanistan.

    “The GPS navigation is the weakest point,”

    The “spoofing” technique that the Iranians used – which took into account precise landing altitudes, as well as latitudinal and longitudinal data – made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center, says the engineer.

    “GPS signals are weak and can be easily outpunched [overridden] by poorly controlled signals from television towers, devices such as laptops and MP3 players, or even mobile satellite services,”

    “A more pernicious attack involves feeding the GPS receiver fake GPS signals so that it believes it is located somewhere in space and time that it is not,”

    Reply
  4. Tomi Engdahl says:

    Chinese Military Suspected in Hacker Attacks on U.S. Satellites
    http://www.businessweek.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html

    Computer hackers, possibly from the Chinese military, interfered with two U.S. government satellites four times in 2007 and 2008 through a ground station in Norway, according to a congressional commission.

    A Landsat-7 earth observation satellite system experienced 12 or more minutes of interference in October 2007 and July 2008, according to the report.

    In the October 2008 incident with the Terra AM-1, which is managed by the National Aeronautics and Space Administration, “the responsible party achieved all steps required to command the satellite,” although the hackers never exercised that control, according to the draft.

    Reply
  5. Tomi Engdahl says:

    Prisons bureau alerted to hacking into lockups
    Expert: ‘Could open every cell door’
    http://www.washingtontimes.com/news/2011/nov/6/prisons-bureau-alerted-to-hacking-into-lockups/

    Federal authorities are concerned about new research showing U.S. prisons are vulnerable to computer hackers, who could remotely open cell doors to aid jailbreaks.

    “You could open every cell door, and the system would be telling the control room they are all closed,”

    The security systems in most American prisons are run by special computer equipment called industrial control systems, or ICS. They are also used to control power plants, water treatment facilities and other critical national infrastructure. ICS has increasingly been targeted by hackers because an attack on one such system successfully sabotaged Iran’s nuclear program in 2009.

    Reply
  6. Tomi Engdahl says:

    Researcher Claims Siemens Lied About Security Bugs
    http://it.slashdot.org/story/11/12/21/2134206/researcher-claims-siemens-lied-about-security-bugs

    “A month after an unknown gray hat hacker calling himself ‘pr0f’ used a three character password to hack his way onto Siemens software used to manage water treatment equipment in South Houston, Texas, a security researcher working for Google is accusing the company of trying to cover up the existence of other, more serious vulnerabilities in its products. Billy Rios has disclosed a range of vulnerabilities in Siemens SIMATIC software on his blog. The holes could allow a remote attacker to gain access to the Simatic user interface without a user name and password. Rios claims that he has disclosed the hole to Siemens and that the company has acknowledged the problem, only to deny its existence when a reporter asked for more information about the vulnerability.”

    Researcher Alleges Siemens Cover-up Over Security Holes In Simatic Product
    http://threatpost.com/en_us/blogs/researcher-alleges-siemens-cover-over-security-holes-simatic-product-122111

    Siemens Has Lied About Major Bugs – Security Expert
    http://uk.ibtimes.com/articles/270736/20111221/siemens-lied-major-bugs-security-expert.htm

    Siemens has lied to the press about security bugs that could affect critical infrastructure, according to a security expert who has made public the password for Siemens’ machinery.

    Billy Rios is a security engineer for a software company and has written on his personal blog that Siemens’ SIMATIC systems can be easily hacked into and controlled remotely by anyone with an internet connection.

    The Siemens SIMATIC Remote, Authentication Bypass (that doesn’t exist)
    http://xs-sniper.com/blog/2011/12/20/the-siemens-simatic-remote-authentication-bypass-that-doesnt-exist/

    I have been working with ICS-CERT and various vendors over the last year, finding bugs and “responsibly” reporting nearly 1000 bugs… all for free and in my spare time. Overall, its been a great experience.

    I reported an authentication bypass for Siemens SIMATIC systems. These systems are used to manage Industrial Control Systems and Critical Infrastructure. I’ve been patiently waiting for a fix for the issue which affects pretty much every Siemens SIMATIC customer.

    For all the other vendors out there, please use this as a lesson on how NOT to treat security researchers who have been freely providing you security advice and have been quietly sitting for half a year on remote authentication bypasses for your products.

    Since Siemens has “no open issues regarding authentication bypass bugs”, I guess it’s OK to talk about the issues we reported in May. Either that or Siemens just blatantly lied to the press about the existence of security issues that could be used to damage critical infrastructure…. but Siemens wouldn’t lie… so I guess there is no authentication bypass.

    First, the default password for Siemens SIMATIC is “100”. There are three different services that are exposed when Siemens SIMATIC is installed; Web, VNC, and Telnet. The default creds for the Web interface is “Administrator:100” and the VNC service only requires the user enter the password of “100” (there is no user name). This is likely the vector pr0f used to gain access to South Houston (but only he can say for sure).

    If a user changes their password to a new password that includes a special character, the password may automatically be reset to “100”. Yes, you read that correctly…

    Administrator logs into the Web HMI. Upon a successful login, the web application returns a session cookie
    Totally predictable.
    use this to gain remote access to a SIMATIC HMI which runs various control systems and critical infrastructure around the world…

    No need to worry though, as there are “no open issues regarding authentication bypass bugs at Siemens.”

    xssniper said:

    Agreed. I already waited over six months for the fix… I had no problems waiting longer. All that was needed was a “no comment”, no need to lie and try to discredit me.

    Reply
  7. Tomi Engdahl says:

    EU Shipping Sector Cyber Security Awareness “Non-Existent”
    http://it.slashdot.org/story/11/12/22/0242235/eu-shipping-sector-cyber-security-awareness-non-existent

    “The European maritime sector has next to no idea about cyber security, according to a report released by the European Network and Information Security Agency (ENISA). The shipping industry, which carried 52 per cent of goods traffic in Europe in 2010, has ‘currently low to non-existent’ awareness of cyber security needs and challenges, the report said. ENISA claimed the lack of understanding was evident at every layer of the industry, from government bodies to port authorities and maritime companies.”

    Shipping sector security awareness ‘low to non-existent’
    http://www.itpro.co.uk/638005/shipping-sector-security-awareness-low-to-non-existent

    The European maritime sector has next to no idea about cyber security, according to a report released by the European Network and Information Security Agency (ENISA).

    “This overall low awareness represents a concern as there is an increased dependency on ICT of all key players, processes and activities within the maritime sector,” the report continued.

    ENISA considered the maritime sector to be one of Europe’s critical infrastructure industries, saying the continent was ” critically dependent” on the movement of cargo and passengers over sea.

    Given critical infrastructure is a key target for cyber criminals, the body recommended European nations to boost awareness

    Reply
  8. Tomi Engdahl says:

    Gloomy prediction: cyber-threats become lethal
    http://www.digitoday.fi/yhteiskunta/2011/12/21/synkka-ennustus-kyberuhat-muuttuvat-tappaviksi/201119571/66?rss=6
    http://translate.google.fi/translate?sl=auto&tl=en&js=n&prev=_t&hl=fi&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.digitoday.fi%2Fyhteiskunta%2F2011%2F12%2F21%2Fsynkka-ennustus-kyberuhat-muuttuvat-tappaviksi%2F201119571%2F66%3Frss%3D6

    Finnish Stonesoft hopes that next year’s security prophecy is not fulfilled.

    Intrusion prevention and observation Stonesoft released its forecast next year’s data security trends . One of the rising severity of all the other over: Security problems threaten human lives.

    - In 2012, the first time, we may lose the security of lives because of crime. Remains to be seen, it is due to industrial SCADA systems against attacks, such as hospitals or automated drug delivery systems for vulnerabilities.

    Stonesoft a list of the 2012 Security Trends
    http://www.stonesoft.com/en/press_and_media/releases/fi/2011/21122011.html?uri=/en/press_and_media/releases/fi/index.html
    http://translate.google.fi/translate?sl=auto&tl=en&js=n&prev=_t&hl=fi&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.stonesoft.com%2Fen%2Fpress_and_media%2Freleases%2Ffi%2F2011%2F21122011.html%3Furi%3D%2Fen%2Fpress_and_media%2Freleases%2Ffi%2Findex.html

    Reply
  9. Tomi Engdahl says:

    Hackers could shut down train lines: expert
    http://www.reuters.com/article/2011/12/28/us-trains-security-idUSTRE7BR0C520111228

    (Reuters) – Hackers who have shut down websites by overwhelming them with Web traffic could use the same approach to shut down the computers that control train switching systems, a security expert said at a hacking conference in Berlin.

    Katzenbeisser said GSM-R, a mobile technology used for trains, is more secure than the usual GSM, used in phones, against which security experts showed a new attack at the convention.

    Prisons bureau alerted to hacking into lockups
    Expert: ‘Could open every cell door’http://www.washingtontimes.com/news/2011/nov/6/prisons-bureau-alerted-to-hacking-into-lockups/

    Federal authorities are concerned about new research showing U.S. prisons are vulnerable to computer hackers, who could remotely open cell doors to aid jailbreaks.

    The Federal Bureau of Prisons is “aware of this research and taking it very seriously,” spokesman Chris Burke told The Washington Times.

    The security systems in most American prisons are run by special computer equipment called industrial control systems, or ICS. They are also used to control power plants, water treatment facilities and other critical national infrastructure. ICS has increasingly been targeted by hackers because an attack on one such system successfully sabotaged Iran’s nuclear program in 2009.

    Stuxnet’s developer has coded five cyber weapons
    http://www.digitoday.fi/tietoturva/2011/12/29/stuxnet-kehittaja-koodannut-aikakin-viisi-kyberasetta/201119965/66?rss=6
    http://translate.google.fi/translate?sl=auto&tl=en&js=n&prev=_t&hl=fi&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.digitoday.fi%2Ftietoturva%2F2011%2F12%2F29%2Fstuxnet-kehittaja-koodannut-aikakin-viisi-kyberasetta%2F201119965%2F66%3Frss%3D6

    The plant virus Stuxnet was probably one of the five cyber weapons from the same developer, estimates the Russian security company Kaspersky Lab.

    Scientists have previously linked the Stuxnet compiling data Duqu-trojan. Kaspersyn Research and Analysis Director Costin Raiun that now has found evidence that Stuxnet and Duqun development platform is the code used to come from at least three other malicious software.

    Raiu says that the development platform consists of software modules compatible with the group

    - It’s like a Lego block. Components can be placed anywhere: a robot, building, or tank wagon, raiu says.

    Kaspersky has given platform named “Tilded”

    Reply
  10. Tomi Engdahl says:

    Kaspersky claims ‘smoking code’ linking Stuxnet and Duqu
    Warns of three other unknown variants
    http://www.theregister.co.uk/2011/12/30/kaspersky_stuxnet_duqu_link/

    Researchers at Kaspersky Lab are claiming to have found proof that the writers of the Stuxnet and Duqu malware are one and the same, and are warning of at least three new families of advanced malware potentially in circulation.

    Security experts have been debating if the two code groups are by the same authors, but the evidence has been inconclusive. An analysis by NSS last month suggested that the two were linked, but this might be down to reverse engineering, rather than the original coding.

    The researcher’s data suggests both were built on a common platform, dubbed Tilded

    Reply
  11. Tomi Engdahl says:

    Hackers could shut down train lines
    http://www.stuff.co.nz/technology/6200000/Hackers-could-shut-down-train-lines

    Hackers who have shut down websites by overwhelming them with Web traffic could use the same approach to shut down the computers that control train switching systems, a security expert said at a hacking conference in Berlin.

    Stefan Katzenbeisser, professor at Technische Universität Darmstadt in Germany, said switching systems were at risk of “denial of service” attacks, which could cause long disruptions to rail services.

    “Trains could not crash, but service could be disrupted for quite some time,” Katzenbeisser told Reuters on the sidelines of the convention.

    Train switching systems, which enable trains to be guided from one track to another at a railway junction, have historically been separate from the online world, but communication between trains and switches is handled increasingly using wireless technology.

    Katzenbeisser said GSM-R, a mobile technology used for trains, is more secure than the usual GSM, used in phones, against which security experts showed a new attack at the convention.

    The software encryption ‘keys’, which are needed for securing the communication between trains and switching systems, are downloaded to physical media like USB sticks and then sent around for installing — raising the risk of them ending up in the wrong hands.

    Reply
  12. Tomi Engdahl says:

    Network Impact crash in the city: Frightening, but unlikely
    http://www.digitoday.fi/yhteiskunta/2012/01/02/verkkoisku-kaataa-kaupungin-pelottavaa-joskin-epatodennakoista/201220178/66?rss=6

    The prestigious British security expert, Andrew Blyth, to keep societies crippling network attacks, the risk of lower than what is occurring in the news of the threats could be inferred.

    It is unlikely that the crackers will never enter into such attacks. If they break into industrial control systems, they want to brag about it. The last thing they want is that the nation-state, or a series of hunts them and take them for a long time in prison, calm your Blyth.

    Organized crime, in turn, is always looking for yield. Network attack threat to extort money, but the urban-scale attack would be virtually a declaration of war, and not very useful, Blyth said.

    Terrorism is a question of causing terror. It is much easier to get people’s attention by exploding a car bomb in the center of city than cutting off of water supply. Terrorists from ordinary people’s perspective is still missing the necessary awareness of cyber-threats, Blyth wonders.

    Reply
  13. Security trends for 2012 « Tomi Engdahl’s ePanorama blog says:

    [...] According to Stonesoft security problems threaten the lives and the year 2012 may be the first time when we lose lives because of security offenses. According to the company does this happen remains to be seen, but the risk is due to industrial SCADA systems attacks against targets such as hospitals or automated drug delivery systems. I already posted around month ago about SCADA systems security issues. [...]

    Reply
  14. Tomi says:

    Finnish automation systems addresses published on the web

    Anonymous source has released a micro-blogging service Twitter addresses of Finnish automation systems.

    Twitter is published in Finnish IP addresses, which is thought to contain sensitive information and vulnerable systems. Information systems have a variety of automation, or SCADA systems. Among them have been at least a property management systems. CERT-FI has been in contact with the owners of the systems.

    Source: http://www.cert.fi/tietoturvanyt/2012/01/ttn201201121500.html

    Reply
  15. Jorge Saucedo says:

    I got a Gens Ace LiPo battery, ran it 2 times and the stupid thing puffed! Look at this thing! http://www.flickr.com/photos/74798847@N06/6730741877/in/photostream

    Reply
  16. Tomi Engdahl says:

    Hackers manipulated railway computers, TSA memo says
    http://www.nextgov.com/nextgov/ng_20120123_3491.php?oref=topstory

    “On December 1, a Pacific Northwest transportation entity reported that a potential cyber incident could affect train service,”

    Hackers, possibly from abroad, executed an attack on a Northwest rail company’s computers that disrupted railway signals for two days in December, according to a government memo recapping outreach with the transportation sector during the emergency.

    On Dec. 1, train service on the unnamed railroad “was slowed for a short while” and rail schedules were delayed about 15 minutes after the interference

    “Cyberattacks were not a major concern to most rail operators” at the time, adding, “the conclusion that rail was affect [sic] by a cyberattack is very serious.”

    Reply
  17. Tomi Engdahl says:

    Hackers Manipulated Railway Computers, TSA Memo Says
    http://tech.slashdot.org/story/12/01/24/0054207/hackers-manipulated-railway-computers-tsa-memo-says

    Page comments give some details why things are as they are:

    by siddesu (698447) on Monday January 23, @10:21PM (#38800677)

    Because when the work is contracted, the work is done in a piecemeal manner in order to show a lower budget to the committee that will be approving funds. Since the budget as a rule is never enough to allow for a proper, safe design, deployment and operation, things are done haphazardly, staff is overworked and/or under-qualified and the requirements change daily and need to be completed yesterday. As a result, you get holes, and holes get exploited.

    Then some politician exploits the news to create yet another committee to investigate and countermeasure the “attacks”, leaving even less money for planning and deployment, and creating more opportunities for attacks and for position for his cronies, while maintaining an image of staunch defender of National Security.

    Business as usual.

    by Anonymous Coward on Tuesday January 24, @12:46AM (#38801515)

    Railway signalling usually consists of two pieces – vital logic and control logic. Vital logic is the sort of thing that prevents showing two trains signals that would make them crash, or would allow the points on a switch to throw under a train, or other safety-related functionality. It’s designed to be failsafe, and the design methodology is usually very rigorous because of the huge liabilities involved

    Control logic is the other half. It’s the part of the system that communicates from a dispatcher hundreds or thousands of miles to the local control points. It communicates instructions that can be roughly translated as “allow a westbound past this control point” or “throw the switch to the siding and permit an eastbound through”. This is then shot across somebody’s network to the control point, where it’s handed off to the vital logic.

    So, given the hype-riddled press release, I’m guessing one of two things happened.
    1) There’s a link between the dispatching computers and the field endpoints that travels over the public network, likely via VPN.
    2) Somebody found a way to compromise the dispatching computers themselves and mess with them.
    3) The scary but horribly unlikely one – somebody put a vital logic processor where it could be reached via the network

    1&2 are possibly crippling to a rail network, but not unsafe. Things stop and nothing moves, but nobody gets hurt. 3 is much more frightening, but I can’t see any sane engineer (particularly in the signal department at a railroad, as these guys tend to be risk averse to a fault for good reason) ever signing off on this design.

    by Kenja (541830) on Monday January 23, @10:27PM (#38800707)

    To me this sounds like some contractor introduced a bug to the system and is attributing the issues it caused to “hackers”. If the system is really open to attacks of this nature, then it is fundamentally flawed.

    Reply
  18. Tomi Engdahl says:

    Video: IT Security Students Examine Industrial Networks
    As industrial networks move into the conventional IT space, security engineers think we’re missing some obvious safeguards.
    http://www.controleng.com/media-library/videos/videos/video-it-security-students-examine-industrial-networks.html

    Reply
  19. Tomi Engdahl says:

    Cyber security vulnerability assessment
    The first step in creating an effective defense is figuring out where the vulnerabilities are. This is a difficult but necessary process, and it never ends.
    http://www.controleng.com/single-article/cyber-security-vulnerability-assessment/dbad02353e.html

    Companies that decide to undertake a cyber security program often falter right out of the starting blocks because they don’t begin by addressing some of the most basic concepts of security. Without that knowledge it is impossible to plan, and without a plan, the results will be haphazard at best and will likely make things worse. A sensible approach needs to begin with a basic understanding of what vulnerabilities may exist in your systems. Such an analysis is conceptually straightforward, but it can get complex in practice if not executed well. In most situations it is painful because companies often discover that the situation is worse than they thought.

    Security at the device level
    Individual field devices may be the target of cyber attacks. Getting that deep is a challenge, but attackers have done it.
    http://www.controleng.com/single-article/security-at-the-device-level/bb4c8b1ea5.html

    Field devices, meaning individual sensors, transmitters, actuators, motor controllers, and the like, are considered the bottom of industrial networks. However, they can still be the target of cyber attacks if you have a sophisticated attacker. Some recent incidents with water utilities attributed to failed sensors or a bad pump resulted in releases of large amounts of water or even destroyed a pump. Some see these as clear cyber attacks.

    If configuration information is accessible, a device can be changed or simply turned off. If enough strategic devices are manipulated in a production unit, all sorts of bad things could result.

    If the PLC or I/O section of the control system attached to the strategic devices is not sufficiently protected, it will be little trouble for the attacker to do whatever he wants with those sensors.

    Reply
  20. Tomi Engdahl says:

    Railroad Association Says TSA’s Hacking Memo Was Wrong
    http://yro.slashdot.org/story/12/01/26/227256/railroad-association-says-tsas-hacking-memo-was-wrong

    “Wired reports that the American Association of Railroads is refuting the U.S. Transportation Security Administration memorandum that said hackers had disrupted railroad signals. In fact, ‘There was no targeted computer-based attack on a railroad,’ said AAR spokesman Holly Arthur.

    Railroad Association Says Hack Memo Was Inaccurate
    http://www.wired.com/threatlevel/2012/01/railroad-memo/

    “There was no targeted computer-based attack on a railroad,” according to spokeswoman Holly Arthur. “The memo on which the story was based has numerous inaccuracies.”

    http://tech.slashdot.org/comments.pl?cid=38800761&sid=2635223&tid=1971
    by currently_awake (1248758) on Monday January 23, @10:34PM (#38800761)
    I don’t think it was. They clearly tried to blow this thing up as a major terrorist attack, but they never claimed risk to life. I’m guessing the “attacks” were a virus on the windows boxes used for selling tickets.

    Reply
  21. Tomi Engdahl says:

    http://www.controleng.com/media-library/integrated-safety-eguide-sponsored-by-abb.html

    Process industries are inherently hazardous, and maintaining safety in processes and operations has become increasingly complex and costly. But too often, companies have difficulty demonstrating a clear return on investment in their safety activities. With both safety and financial concerns being a high priority, those in the process industry sometimes struggle to reconcile them.

    Reply
  22. Tomi Engdahl says:

    Alert on Hacker Power Play
    U.S. Official Signals Growing Concern Over Anonymous Group’s Capabilities
    http://online.wsj.com/article_email/SB10001424052970204059804577229390105521090-lMyQjAxMTAyMDIwMDEyNDAyWj.html

    The director of the National Security Agency has warned that the hacking group Anonymous could have the ability within the next year or two to bring about a limited power outage through a cyberattack.

    The group has never listed a power blackout as a goal, but some federal officials believe Anonymous is headed in a more disruptive direction. An attack on a network would be consistent with recent public claims and threats by the group.

    “The industry is engaged and stepping up widely to respond to emerging cyber threats,” said one electric-industry official. “There is a recognition that there are groups out there like Anonymous, and we are concerned, as are other sectors.”

    U.S. intelligence officials already have found what they say is evidence of Chinese and Russian cyberspies snooping in computer systems that run the electric grid

    “It’s a real threat,” said James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies

    “Some hacker, next thing you know, could be into our electrical grid. We have to get after this.”

    Reply
  23. Matt Wyman says:

    Hum… With Stuxnet and Duqu being developed by… Well lets not name names instead I’d suggest you see The Good Shepard. But it is the elite who fear that the global carbon foot print will get out of control. That is why it is their societies that seek to use Duqu to level the industrial complex and no doubt reduce the population – as their Georgia Guide Stones recommend. How long are the Sheeple going to sleep through their own demise? When your company’s Siemens PCL unit goes down contact us and we will get you going again. http://www.itsolutionsraleigh.com

    Reply
  24. Tomi Engdahl says:

    Richard Clarke on Who Was Behind the Stuxnet Attack
    America’s longtime counterterrorism czar warns that the cyberwars have already begun—and that we might be losing
    http://www.smithsonianmag.com/history-archaeology/Richard-Clarke-on-Who-Was-Behind-the-Stuxnet-Attack.html?c=y&page=1

    The story Richard Clarke spins has all the suspense of a postmodern geopolitical thriller. The tale involves a ghostly cyberworm created to attack the nuclear centrifuges of a rogue nation—which then escapes from the target country, replicating itself in thousands of computers throughout the world. It may be lurking in yours right now. Harmlessly inactive…or awaiting further orders.

    A great story, right? In fact, the world-changing “weaponized malware” computer worm called Stuxnet is very real. It seems to have been launched in mid-2009, done terrific damage to Iran’s nuclear program in 2010 and then spread to computers all over the world.

    And at the heart of the story is a mystery: Who made and launched Stuxnet in the first place?

    Richard Clarke tells me he knows the answer.

    Clarke, who served three presidents as counterterrorism czar, now operates a cybersecurity consultancy called Good Harbor

    in his recent book, Cyber War. The book’s central argument is that, while the United States has developed the capability to conduct an offensive cyberwar, we have virtually no defense against the cyberattacks that he says are targeting us now, and will be in the future.

    Clarke now wants to warn us, urgently, that we are being failed again, being left defenseless against a cyberattack that could bring down our nation’s entire electronic infrastructure, including the power grid, banking and telecommunications, and even our military command system.

    “I think we’re living in the world of non-response. Where you know that there’s a problem, but you don’t do anything about it. If that’s denial, then that’s denial.”

    “The picture you paint in your book,” I said to Clarke, “is of a U.S. totally vulnerable to cyberattack. But there is no defense, really, is there?” There are billions of portals, trapdoors, “exploits,” as the cybersecurity guys call them, ready to be hacked.

    “There isn’t today,” he agrees. Worse, he continues, catastrophic consequences may result from using our cyber­offense without having a cyberdefense: blowback, revenge beyond our imaginings.

    When you’re dealing with virtual espionage, there is really no way to know for sure who did what.

    Unless you’re Richard Clarke.

    “I think it’s pretty clear that the United States government did the Stuxnet attack,” he said calmly.

    This is a fairly astonishing statement from someone in his position.

    “I think there was some minor Israeli role in it. Israel might have provided a test bed, for example. But I think that the U.S. government did the attack and I think that the attack proved what I was saying in the book [which came out before the attack was known], which is that you can cause real devices—real hardware in the world, in real space, not cyberspace—to blow up.”

    “If we went in with a drone and knocked out a thousand centrifuges, that’s an act of war,” I said. “But if we go in with Stuxnet and knock out a thousand centrifuges, what’s that?”

    “If the United States government did Stuxnet, it was under a covert action, I think, issued by the president under his powers under the Intelligence Act.”

    When I e-mailed the White House for comment, I received this reply: “You are probably aware that we don’t comment on classified intelligence matters.” Not a denial. But certainly not a confirmation.

    “But you now have it, and if you’re a computer whiz you can take it apart and you can say, ‘Oh, let’s change this over here, let’s change that over there.’ Now I’ve got a really sophisticated weapon. So thousands of people around the world have it and are playing with it. And if I’m right, the best cyberweapon the United States has ever developed, it then gave the world for free.”

    With the advent of “weaponized malware” like Stuxnet, all previous military and much diplomatic strategy has to be comprehensively reconceived—and time is running out.

    Reply
  25. Tomi Engdahl says:

    National security threat: hacking the smart grid
    http://www.edn.com/article/521399-National_security_threat_hacking_the_smart_grid.php?cid=EDNToday_20120405

    The nation’s smart grid is constantly under threat of real attack and potentially no amount of investment in securing it will help, according to a white hat security expert.

    Speaking at DESIGN WEST panel on hacking the smart grid, senior research engineer Joe Loomis blasted through the buzz on smart grid and smarter energy technology, exposing the risks of hacking and full scale cyber warfare and the crippling effects it could have on national infrastructure.

    “It’s critical infrastructure and society depends on it, making it a prime target for attack,” said Loomis.

    Indeed, as smart grid technology develops year by year, so too do the opportunities for hackers with malicious intentions on national infrastructure.

    Loomis pointed to the recent Stuxnet computer worm discovered in June 2010

    A similar worm, DuQu, was discovered more recently in September 2011 and is thought to have been developed the same team that created Stuxnet, though its purpose is apparently different, with DuQu having been designed to capture system information and keystrokes which could enable a future Stuxnet-like attack.

    “People are actively pursuing cyber warfare as an attack method,” said Loomis, pointing out that the smart grid was a prime target for such an attack.

    “No system is 100% secure,” he said. “Given enough time and access, you can reverse engineer the whole thing.”

    Loomis added that even if the country, or individual businesses spent a great deal of money to secure the power infrastructure, it would still be open to compromise, and that it was thus up to every individual to determine how much money they wanted to spend on trying to plug up the security holes.

    “I tell clients they should judge it on a case by case situation,”

    Reply
  26. Tomi Engdahl says:

    End of Windows XP Support Era Signals Beginning of Security Nightmare
    http://tech.slashdot.org/story/12/04/12/020224/end-of-windows-xp-support-era-signals-beginning-of-security-nightmare

    Microsoft’s recent announcement that it will end support for the Windows XP operating system in two years signals the end of an era for the company, and potentially the beginning of a nightmare for everyone else. When Microsoft cuts the chord on XP in two years it will effectively leave millions of existing Windows-based computers vulnerable to continued and undeterred cyberattacks

    Sarwate says many SCADA systems for industrial networks still run a modified version of XP, and are not in a position to upgrade. Because much of the software running on SCADA systems is not compatible with traditional Microsoft OS capabilities, an OS upgrade would entail much more work than it would for a home or corporate system

    End of Windows XP support era signals beginning of security nightmare
    http://www.networkworld.com/community/blog/end-windows-xp-support-era-signals-beginning-security-nightmare

    Consumer, corporate and even SCADA systems could be at risk when Microsoft stops supporting Windows XP.

    Although that number is on a steady decline, its high volume just two years before support is cutoff is cause for concern, Qualys CTO Wolfgang Kandek says

    “Where do you think all these botnets are set up? They’re not set up on the corporate computers,” Miller says. “They’re set up on my grandmother’s computer, my mother’s computer, and they don’t even know its running because they’re running vulnerable software out there.”

    Even scarier, Sarwate says many SCADA systems for industrial networks still run a modified version of XP, and are not in a position to upgrade. Because much of the software running on SCADA systems is not compatible with traditional Microsoft OS capabilities, an OS upgrade would entail much more work than it would for a home or corporate system.

    “A lot of these systems are connected to critical infrastructure and that particular SCADA software running on Windows XP has to be first upgraded to a new operating system,” Sarwate says. “So there is a SCADA vendor also in this picture and some SCADA software and hardware which is already configured in plants, factories or critical infrastructure. So in the typical SCADA environment I don’t think Microsoft could encourage people to upgrade because the problems there are completely different.”

    In a blog post, Sarwate also highlighted the dangers inherent in many SCADA systems stemming from an inadvertent connection to the public internet. Many companies are under the impression that their SCADA networks are disconnected from others, Sarwate wrote, when in fact they may be just as susceptible to malware as corporate or at-home desktops.

    “A search for ‘data presentation and control’ software on the internet yields SCADA systems with management services exposed to the internet,” Sarwate wrote. “If an organization’s SCADA network is not securely connected with the IT network, worms can jump from the HR desktops or reception kiosk into the SCADA network.”

    Six Ways to Improve SCADA Security
    https://community.qualys.com/blogs/securitylabs/2012/03/29/six-ways-to-improve-scada-security

    1. A SCADA network is inadvertently connected to a company’s IT network or even to the internet

    Recommendation: Based on available resources, use a mapping tool or professional service (who will use some tools on your behalf) to investigate your SCADA network connectivity and deviations from the securenetwork diagram on paper. Caution: Not all tools are created equal and a blind scan of your network could knock down SCADA components like PLCs, RTUs and IEDs. Thus, it is important to ask your tool vendors if the tool has ever beenused in SCADA environment and if a SCADA configuration is available.

    2. ‘Data presentation and control’ now runs off-the-shelf software

    Recommendation: Use your IT experience to deal with IT problems. Scan for vulnerabilities in your IT and SCADA networks and patch them as soon as possible. Our research has shown that patching is the most simple yet effective solution. In some cases patches cannot be applied

    Use a policy compliance system to make sure that off-the-shelf systems are configured securely. Anti-virus, IDS, firewalls and other well-known IT solutions will also be helpful.

    3. Control systems not patched

    In many SCADA systems, the underlying OS or applications have not patched for years. It’s not fair to blame SCADA system administrators in all instances because there is little guidance from SCADA vendors regarding whether or not an OS patch is safe for SCADA software.

    Recommendation: Demand your SCADA vendor to provide guidance on patching Microsoft, Adobe, Oracle, etc., for all software used in the setup. If acustomized version of the standard OS is used, then demand quick release of customized patches. If possible, invest in a lab where you can test for patch compatibility yourself. Use a vulnerability management system to identify missing patches.

    4. Authentication and authorization

    In many instances ‘data presentation and control’ software is not capable of basic authentication and authorization. Even if the software is capable weak configuration, shared or default passwords render these features useless.

    Recommendiation: Configure SCADA control software to use per user authentication, authorization and logging controls. In addition to strong passwords, use a smart token based authentication scheme.

    5. Insecure ‘datacommunication’ protocols

    Decades ago, SCADA protocols were not designed with security in mind as networks were air-gapped and this thing called as Internet did not exist. However, 20 to 30 year-old protocols like Modbus and DNP3 still exist and thrive in SCADA networks.Manipulating PLCs running on such protocols is trivial, and upgrading to newerprotocols (like secure DNP3) often requires you to replace components, which can be costly.

    Recommendation: If your system is already using newer protocols with key management and secure communication, make sure they are configured to use these newer features.

    6. Long life span of SCADA systems

    Finally, the achillesheel of SCADA systems is their long lifespan, which is often measured in decades. These systems are built to last, and unlike PCs, which are easy to replace, it’s difficult and costly to replace even part of a SCADA infrastructure.

    Recommendation: There is no easy fix for this. While designing new systems or expanding existing systems, consider the long life cycle and architect your infrastructure accordingly so that components are easily upgradable or replaceable.

    Reply
  27. Tomi Engdahl says:

    Stuxnet Loaded by Iran Double Agents
    http://www.isssource.com/stuxnet-loaded-by-iran-double-agents/

    The Stuxnet virus that damaged Iran’s nuclear program was implanted by an Israeli proxy — an Iranian, who used a corrupt “memory stick.32,” former and serving U.S. intelligence officials said

    In the continuing battle to hold off the Iranian nuclear program, Iranian proxies have also been active in assassinating Iran’s nuclear scientists, these sources said.

    These sources, who requested anonymity because of their close proximity to investigations, said a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. “Iranian double agents” would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi said an unspecified number of “nuclear spies” were arrested in connection with Stuxnet.33 virus.

    Meanwhile, going back to Stuxnet, once the memory stick was infected, the virus was able to infiltrate the network and take over the system. U.S. officials said they believe the infection commenced when the user simply clicked on the associated icon in Windows. Several reports pointed out this was a direct application of one of the zero-day vulnerabilities Stuxnet leveraged.

    Building and deploying Stuxnet required extremely detailed intelligence about the systems it was supposed to compromise, and has made reprogramming highly specific installations on legacy systems more complex, not less. According to reports, the Stuxnet mystery was unveiled in June 2010, when a small company called VirusBlokAda in Minsk, the capital of Belarus was emailed by a dealer in Tehran about an irritating problem some of his clients were having with their computers.

    The company analyst saw the computers were constantly turning off and restarting. At first the analyst thought it was just a problem with the hardware. But when they said several computers were affected, not just one, VirusBlokAda understood it was a problem with the software the computers were running.

    U.S. officials confirmed Stuxnet takes advantage of zero-day vulnerabilities. This type of virus had been previously undetected, and remained unidentified by anti-virus software. According to public reports, early versions of Stuxnet used certificates by Realtek Semiconductor systems – later versions used certificates from JMicron Technology Corp. The use of these certificates gives the worm the appearance of legitimate software to Microsoft Windows.

    It is interesting to note Stuxnet was not the first virus used by the U.S. military intelligence to try and disable opponents. In the 1980s, the United States had considerable success at planting viruses inside Soviet military-industrial structure that could be activated in time of war, a process still continuing with China. “We put in bugs inside the Soviet computers to feed back satellite information that had been ‘leeched’ off hard drives, in the Soviet Defense Ministry and others,” said a former U.S. intelligence official.

    In December 1991, just before Desert Storm, the CIA and the British Government Communication Headquarters (GCHQ) had experimented with all sorts of viruses to inject into Iraq’s computers. In December, CIA operatives, working in Jordan, infiltrated bugs into hardware smuggled across the border and into Baghdad.

    Reply
  28. Tomi Engdahl says:

    Iran’s Oil Industry Hit By Cyber Attacks
    http://news.slashdot.org/story/12/04/24/0229203/irans-oil-industry-hit-by-cyber-attacks

    Iran disconnected computer systems at a number of its oil facilities in response to a cyber attack that hit multiple industry targets during the weekend. A source at the National Iranian Oil Company (NIOC) reportedly told Reuters that a virus was detected inside the control systems of Kharg Island oil terminal, which handles the majority of Iran’s crude oil exports.

    Iran Took Systems Offline After Cyber Attack Hit Oil Industry
    http://www.securityweek.com/iran-took-systems-offline-after-cyber-attack-hit-oil-industry

    Reply
  29. Tomi Engdahl says:

    Are Industrial Control Systems Secure?
    http://www.securityweek.com/are-industrial-control-systems-secure

    By allowing the collection and analysis of data and control of such equipment as pumps and valves from remote locations, SCADA networks offer the benefits of performance, reliability and flexibility for mission critical processes. However, Stuxnet demonstrated the extent to which common industrial machines are vulnerable to the threat of electronic attacks. Consider a SCADA breach of a power supply and distribution plant—all business would be impacted and economies could suffer incalculable losses. Failure to adapt SCADA systems to the changing threats and vulnerabilities of the cyber world exposes companies and governments to the very real possibility of a catastrophic event.

    Historically, SCADA systems were kept separate from other corporate systems. Even though these networks may not have been effectively secured, they were traditionally difficult to break into because they were isolated for health and safety reasons.

    More recently, however, major companies are driving their process control through ERP systems, which not only control their financial data, but link their suppliers and customers. Third parties are now being given direct access to SCADA networks via the Internet to manage them and/or to do diagnosis. These connections to the outside world create a massive challenge from a security perspective.

    ther security challenges inherent to today’s SCADA networks include the following:

    • Ownership. Many wrongly believe that the IT department automatically looks after SCADA as well as enterprise security. This, in fact, is rarely the case.

    • Exposure. SCADA architectures increasingly involve Commercial Off the Shelf (COTS) software, such as Win servers, TCP/IP protocols, and management tools, many with inherent vulnerabilities. Without clear ownership and responsibility, these products are frequently left unpatched and expose

    • Origin of Attacks. Many managers mistakenly assume that all cyber security problems arise from outside the company premises, generally from hackers. The assumption is that hackers attempt to attack SCADA systems through obvious pathways that can be managed by a single Bastion firewall between the business and SCADA networks.

    • Common Design Flaws. For many years, simply keeping the systems communicating posed a major challenge for SCADA engineers. The emergence of Ethernet, TCP/IP and Web technologies radically altered the equation. The result? The creation of “control networks” that act as common pathways for all industrial control communications.

    The first step for organizations should be to assign responsibility for managing security around the SCADA process control environment.

    The time to take action is now. The effort needed to secure SCADA networks can’t wait any longer.

    Reply
  30. Tomi Engdahl says:

    Interview with SANS’ Ed Skoudis: America losing the cybersecurity war to hackers
    http://blogs.computerworld.com/20072/interview_with_sans_ed_skoudis_america_losing_the_cybersecurity_war_to_hackers

    Ed Skoudis: The SCADA infrastructure associated with the power grid is a big concern. These systems were built without the intention of ever connecting them to a public network such as the Internet. Unfortunately, though, these systems are now controlled from networks that are indeed interconnected with the Internet. A computer attacker could exploit a power company computer network through the Internet, and then pivot through other networks to ultimately hit SCADA systems. Worse yet, even when SCADA systems are air-gapped from public networks, attackers have been remarkably effective in hoping that air gap with their infections using USB thumb drives or compromised laptops that are connected to the target network.

    By attacking power grid systems, attacker could cause significant physical damage to the network, resulting in large scale blackouts that could require a lot of time to fix, possibly days or weeks.

    Reply
  31. Tomi Engdahl says:

    New report on control system cyber security incidents released
    http://www.controleng.com/single-article/new-report-on-control-system-cyber-security-incidents-released/07954f07c0.html

    RISI, the industrial network security monitoring organization, publishes its survey for 2011.

    According to data in the Repository for Industrial Security Incidents (RISI) database, approximately 35% of industrial control system (ICS) security incidents were initiated through remote access. Supporting this finding is RISI survey results that indicate nearly 65% of facilities allow remote access to their control systems. These findings and many more are published in the 2011 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.

    The 80-page 2011 Annual Report includes detailed analysis of the 220 incidents recorded in the RISI database from 2001 through the end of 2011.

    The survey data provide very interesting insight into the current state of control system security especially when compared with data regarding actual incidents. For example, RISI data indicate that the percentage of control system security incidents caused by malware, while still very high (28%), has been steadily declining over the last five years. This trend is supported by survey data that indicate that more than 60% of facilities have implemented patch and anti-malware management programs.

    Reply
  32. Tomi Engdahl says:

    Backdoor in mission-critical hardware threatens power, traffic-control systems
    http://arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars

    In the world of computer systems used to flip switches, open valves, and control other equipment inside giant electrical substations and railroad communications systems, you’d think the networking gear would be locked down tightly to prevent tampering by vandals. But for customers of Ontario, Canada-based RuggedCom, there’s a good chance those Internet-connected devices have backdoors that make unauthorized access a point-and-click exercise.

    That’s because equipment running RuggedCom’s Rugged Operating System has an undocumented account that can’t be modified and a password that’s trivial to crack. What’s more, researchers say, for years the company hasn’t bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.

    The backdoor uses the login ID of “factory” and a password that’s recovered by plugging the MAC, or media access control, address of the targeted device into a simple Perl script, according to this post published on Monday to the Full Disclosure security list.

    Equipment running the Rugged Operating System act as the switches and hubs that connect programmable logic controllers to the computer networks used to send them commands. They may sit between the computer of a electric utility employee and the compact disk-sized controller that breaks a circuit when the employee clicks a button on her screen. To give the equipment added power, Rugged Operating System is fluent in the Modbus and DNP3 communications protocols used to natively administer industrial control and SCADA, or supervisory control and data acquisition, systems. The US Navy, the Wisconsin Department of Transportation, and Chevron are just three of the customers who rely on the gear, according to this page on RuggedCom’s website.

    “The equipment is so widely installed that it would be logical to assume that something I’m doing—whether it’s riding a train, using power, or walking across a cross walk—depends on this.”

    Forever day bugs bite again

    In acknowledging but not fixing a security vulnerability in software that’s widely used to control critical infrastructure, RuggedCom joins a growing roster of companies marketing wares bitten by so-called forever-day bugs. The term, which is a play on the phrase zero-day vulnerability, refer to documented flaws in industrial systems that will never be fixed. Other members of this group include ABB, Schneider Electric, and Siemens. Indeed, RuggedCom was acquired by a Canada-based subsidiary of Siemens in March.

    Reply
  33. Tomi Engdahl says:

    Everyone Has Been Hacked. Now What?
    http://www.wired.com/threatlevel/2012/05/everyone-hacked/all/1

    Then, last year, the myth of computer security was struck a fatal blow when intruders breached RSA Security, one of the world’s leading security companies that also hosts the annual RSA security conference, an august and massive confab for security vendors. The hackers stole data related to the company’s SecurID two-factor authentication systems, RSA’s flagship product that is used by millions of corporate and government workers to securely log into their computers.

    Independent security researcher Dan Kaminsky says he’s glad the security bubble has finally burst and that people are realizing that no network is immune from attack. That, he says, means the security industry and its customers can finally face the uncomfortable fact that what they’ve been doing for years isn’t working.

    “There’s been a deep conservatism around, ‘Do what everyone else is doing, whether or not it works.’ It’s not about surviving, it’s about claiming you did due diligence,” Kaminsky says. “That’s good if you’re trying to keep a job. It’s bad if you’re trying to solve a technical problem.”

    In reality, Kaminsky says, “No one knows how to make a secure network right now. There’s no obvious answer that we’re just not doing because we’re lazy.”

    Simply installing firewalls and intrusion detection systems and keeping anti-virus signatures up to date won’t cut it anymore — especially since most companies never know they’ve been hit until someone outside the firm tells them.

    “If someone walks up to you on the street and hits you with a lead pipe, you know you were hit in the head with a lead pipe,” Kaminsky says. “Computer security has none of that knowing you were hit in the head with a lead pipe.”

    So if hackers are everywhere and everyone has been hacked, what’s a company to do?

    Kaminsky says the advantage of the new state of affairs is that it opens the window for innovation. “The status quo is unacceptable. What do we do now? How do we change things? There really is room for innovation in defensive security. It’s not just the hackers that get to have all the fun.”

    “I don’t think we can win the battle,” Henry told Wired.com. “I think it’s going to be a constant battle, and it’s something we’re going to be in for a long time…. We have to manage the way we assess the risk and we have to change the way we do business on the network. That’s going to be a fundamental change that we’ve got to make in order for people to be better secure.”

    In most cases, the hacker will be a pedestrian intruder who is simply looking to harvest usernames and passwords, steal banking credentials or hijack computers for a botnet to send spam.

    “It comes down to balancing the risks, and companies need to assess how important is it for me to secure the data versus how important is it to continue doing my business or to be effective in my business,” he says. “We have to assume that the adversary is on the network and if we assume that they’re on the network, then that should change the way we decide what we put on the network and how we transmit it. Do we transmit it in the clear, do we transmit it encrypted, do we keep it resident on the network, do we move it off the network?”

    Bejtlich says that in addition to moving data off the network, the companies that have been most successful at dealing with intruders have redefined what’s trustworthy on their network and become vigilant about monitoring. He says there are some organizations who have been plagued by intruders for eight or nine years who have learned to live with them by investing in good detection systems.

    Other companies burn down their entire infrastructure and start from scratch, going dark for a week or so while they re-build their network, using virtualization tools that allow workers to conduct business while protecting the network core from attackers.

    Kaminsky advocates shrinking perimeters to limit damage.

    “Rather than one large server farm, you want to create small islands, as small as is operationally feasible,” he says. “When you shrink your perimeter you need to interact with people outside your perimeter and figure out how to do that securely” using encryption and authentication between systems that once communicated freely.

    “It changes the rules of the game,” he says. “You can’t trust that your developers’ machines aren’t compromised. You can’t trust that your support machines aren’t compromised.”

    He acknowledges, however, that this is an expensive solution and one that not everyone will be able to adopt.

    While all of these solutions are more work than simply making certain that every Windows system on a network has the latest patch, there’s at least some comfort in knowing that having a hacker in your network doesn’t have to mean it’s game over.

    “There have been organizations that this has been like an eight- or nine-year problem,” Bejtlich says. “They’re still in business. You don’t see their names in the newspaper all the time [for being hacked], and they’ve learned to live with it and to have incident detection and response as a continuous business process.”

    Reply
  34. Tomi Engdahl says:

    DHS Asked Gas Pipeline Firms To Let Attackers Lurk Inside Networks
    http://news.slashdot.org/story/12/05/07/2058243/dhs-asked-gas-pipeline-firms-to-let-attackers-lurk-inside-networks

    According to reports, which were confirmed Friday by ICS-CERT (PDF), there has been an active cyber attack campaign targeting the natural gas industry. However, it’s the advice from the DHS that should raise some red flags

    Another is the unusual if not unprecedented request to leave the cyber spies alone for a little while.’ According to the source, the companies were ‘specifically requested in a March 29 alert not to take action to remove the cyber spies if discovered on their networks, but to instead allow them to persist as long as company operations did not appear to be endangered.’

    While the main motive behind the request is likely to gain information on the attackers, letting them stay close to critical systems is dangerous.

    Alert: Major cyber attack aimed at natural gas pipeline companies
    http://www.csmonitor.com/USA/2012/0505/Alert-Major-cyber-attack-aimed-at-natural-gas-pipeline-companies

    A major cyber attack is currently under way aimed squarely at computer networks belonging to US natural gas pipeline companies, according to alerts issued by the US Department of Homeland Security.

    The ICS-CERT is charged with helping secure the nation’s industrial control systems – computerized systems that open and close valves, switches, and factory processes vital to the chemical, industrial, and power sectors. Their “fly away” teams visit factories, power plants, and pipeline companies to investigate cyber intrusions.

    “ICS-CERT has recently identified an active series of cyber intrusions targeting natural gas pipeline sector companies,” the confidential April 13 alert warns. “Multiple natural gas pipeline organizations have reported either attempts or intrusions related to this campaign. The campaign appears to have started in late December 2011 and is active today.”

    Safeguarding industrial control systems from cyber attack is a major point of debate right now in Congress, which has been wrangling over whether to grant the federal government authority to require that vital sectors like the electric utility, oil and gas, and chemical industries meet certain levels of cyber security.

    In Friday’s public warning, ICS-CERT reaffirms that its “analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign from a single source.”

    Spear-phishing has become one of the attack vectors of choice for cyber spies intent on infiltrating corporate networks

    But the seemingly benign e-mail typically contains a malicious software attachment or link. Once clicked on or opened, the malware or link creates a back-door for a hacker to then gain entry and begin prowling for valuable data.

    Each of the three alerts, for instance, includes detailed descriptions of the cyber threat – much more detailed than previous ICS-CERT warnings over the years, say cyber security experts who have seen the alerts

    Those private warnings included computer file names, computer IP addresses, and other key information that a company’s cyber security experts could use to check to see if their networks have been infiltrated.

    “This was far more detail than we’ve ever received in the past – and the number of alerts in succession was unusual,” says one security expert who requested anonymity because he was sharing sensitive material. “It indicated to me this was pretty serious.”

    Amazingly, he says, companies were also specifically requested in a March 29 alert not to take action to remove the cyber spies if discovered on their networks, but to instead allow them to persist as long as company operations did not appear to be endangered.

    “In essence they were saying: ‘Do not put in any mitigation or blocks against these active intruders,’ ” says the individual who has seen all three confidential alerts. “But if you’re telling an investor-owned utility not to do anything, that’s pretty unheard of. Step 1 is always block these guys and get them off the system. It’s pretty unusual in the commercial world to just let them collect data. Heaven forbid that the intruders gain control. It kind of looks like our intel guys were trying to get more information.”

    But other cyber security experts familiar with the alerts warn that access to a company’s corporate system can eventually allow a hacker to wind through a corporate network and into the vital industrial control processes. Those systems, if infiltrated, could allow hackers to manipulate pressure and other control system settings, potentially reaping explosions or other dangerous conditions.

    “There’s not enough information available yet to tell exactly what is the target or goal here,”

    “ICS-CERT has received additional reports involving targeted and compromised organizations within the gas pipeline sector,” according to the April 13 alert. “Analysis from those reports, including the analysis of hard drives and logs, has yielded new indicators of compromise…. Organizations are strongly encouraged to review this report and contact ICS-CERT to report their findings.”

    Reply
  35. Tomi Engdahl says:

    Weekly Metasploit Update: SCADA, Lab Gem, and Squid Pivoting
    https://community.rapid7.com/community/metasploit/blog/2012/04/05/metasploit-update

    SCADA Attacks, DigtialBond, and Metasploit

    This week sees the addition of six new SCADA modules, targeting a variety of PLC devices, including two new modules aimed at the Schneider Quantum programmable logic controller (PLC). In order to give penetration testers the ability to accurately assess SCADA infrastructure, Tod Beardsley (from Rapid7) and K. Reid Wightman (from DigitalBond) have been collaborating over IRC to bring DigitalBond’s SCADA vulnerability assessment research to the general Metasploit audience.

    SCADA Defense Measures

    While most PLCs are not connected to the Internet directly, some are. If one of them is yours, you might want to examine the wisdom of that ingress policy (or, more likely, correct this misconfiguration). You really don’t want just anyone stumbling across your PLC and rewriting your ladder logic for you.

    Reply
  36. Tomi Engdahl says:

    Project Basecamp: News from Camp 4
    http://www.digitalbond.com/2012/04/05/news-from-camp-4/

    Today Digital Bond released two new Metasploit modules affecting Schneider Modicon Quantum PLCs. I believe that these only affect PLCs with a “Unity” ethernet card, although I would guess that the exploit could be adapted to other controller types with minimal changes.

    he first exploit initializes communication with the PLC and then sends a single packet to either start or stop the PLCs CPU. This stops all logic operation in the CPU until an engineer issues a new START command to the PLC.

    The second exploit is a ‘Stuxnet payload downloader.’ It allows a remote user to download and upload ladder logic to a PLC. This module provides the basic information needed to pull off a Stuxnet attack.

    Unauthenticated ladder logic upload is in my opinion the biggest issue in PLC security. Many PLCs end up using a proprietary protocol, or a protocol based upon a traditional SCADA protocol but using custom function codes, to perform ladder logic and configuration updates. The end result is that PLCs are ‘vulnerable’ by design. The era when vendors could say, “nobody understands this protocol, so it’s secure,” is over. The basic technique for overwriting ladder logic in a PLC is just too easy — a few hours of access to a controller and its software is all that is needed to break the system.

    We also released another Metasploit module for the GE D20: d20_tftp_overflow – General Electric D20ME TFTP Server Buffer Overflow DoS.

    A new controller was also added to Basecamp, the WAGO 870 controller. This is an embedded Linux PLC running ladder logic by 3S-Software. The ladder logic may also be uploaded and downloaded without authentication

    There are a lot of interesting things about the WAGO: it has hard-coded system accounts, which allow root access to what is essentially a server. Using this, I can install whatever additional software I please (well, as much as will fit in the limited 32MB of flash memory).

    The 3S-Software CoDeSys system on this PLC is interesting for another reason. The process that executes the ladder logic is running with superuser privileges. The ladder logic file that is uploaded to the controller is actually compiled x86 code. So CoDeSys effectively provides a buffer overflow remote code execution, but without the ‘overflow’ part — you just upload binary with the protocol, and it will run with root privileges. I plan to have a PoC and metasploit module out for this in a few weeks. This metasploit module will be my first that can actually use metasploit payloads, since the controller is just x86 Linux.

    Reply
  37. Tomi Engdahl says:

    US probing cyber attacks on gas pipelines (Update)
    http://phys.org/news/2012-05-probing-cyber-gas-pipelines.html

    A series of cyber attacks has been targeting US natural gas pipeline operators, officials acknowledged Tuesday, raising concerns among security experts about vulnerabilities in key infrastructure.

    The Department of Homeland Security “has been working since March 2012 with critical infrastructure owners and operators in the oil and natural gas sector to address a series of cyber intrusions targeting natural gas pipeline companies,” DHS spokesman Peter Boogaard said in an email to AFP.

    He said the attack “involves sophisticated spear-phishing activities targeting personnel within the private companies” and added that the FBI and other federal agencies are assisting in the probe.

    The alert from Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of DHS, said the e-mails “have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization.”

    “We know the nature of the threat but we don’t know the intent of the threat… we have been getting the word out to everyone in the industry, we want to make sure everyone knows this threat is out there.”

    Joe Weiss, managing partner for the security firm Applied Control Solutions, said the latest attacks highlight the vulnerability of so-called critical infrastructure systems.

    He said control systems vulnerabilities can be found in the electrical grid, water utilities and others as well as pipeline operators.

    “Once you get to those systems, really bad things happen,” he said. “That’s where people die.”

    But tracking the attacks can be difficult because of a lack of forensics, Weiss said.

    Reply
  38. Tomi Engdahl says:

    More Americans Worried About Cybarmegeddon Than Terrorism, Study Finds
    http://www.wired.com/threatlevel/2012/05/cyberarmegeddon-terrorism/

    More Americans want the presidential candidates to focus on protecting the government and the electrical grid against hackers than fighting terrorism groups.

    That’s according to a new security study by Unisys (.pdf), which found that the three highest priorities for Americans when it comes to security issues in the presidential campaign are:

    Protecting government computer systems against hackers and criminals (74 percent)
    Protecting our electric power grid, water utilities and transportation systems against computer or terrorist attacks (73 percent)
    Homeland security issues such as terrorism (68 percent)

    Should we cry over proof of the success of the security-industrial complex’s PR campaign to convince Americans that cybarmegeddon is near?

    Reply
  39. Tomi Engdahl says:

    Industrial control systems—Thwarting attacks
    http://www.eetimes.com/electronics-blogs/other/4373112/Industrial-control-systems-Thwarting-attacks

    The Department of Homeland Security put feelers out to other governments in the hope of bolstering the safety of industrial control systems (ICS) and created a venue to brainstorm solutions. Critical infrastructure safety was the subject of the ICSJWG 2012 Spring Conference and ICSJWG 2012 International Partners Day that took place in Savannah last week. Attendees quietly shared information and potential solutions to thwart and respond to attacks against ICS and Supervisory Control and Data Acquisition (SCADA) networks used to control pipelines, water supplies, electricity production and manufacturing processes.

    The conference seems to have been very timely; taking place on the heels of a series of cyber intrusions targeting natural gas pipelines companies in the U.S. The attacks, under investigation by several agencies including the FBI, involve sophisticated spear-phishing activities. Unlike the level of phishing schemes typically used with the general public, the phishing emails are convincing recipients that they are sent by a trusted and involved individual.

    Reply
  40. Ranee Wyly says:

    Nice post. I was checking constantly this blog and I am impressed! Extremely helpful info specially the last part :) I care for such information much. I was looking for this certain information for a long time. Thank you and good luck.

    Reply
  41. Presse Algérie says:

    Presse Algérie…

    [...]SCADA systems security issues « Tomi Engdahl’s ePanorama blog[...]…

    Reply
  42. Tomi Engdahl says:

    Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
    By Mikko Hypponen
    http://www.wired.com/threatlevel/2012/06/internet-security-fail/

    When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed.

    “What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.”

    It wasn’t the first time this has happened, either. Stuxnet went undetected for more than a year after it was unleashed in the wild, and was only discovered after an antivirus firm in Belarus was called in to look at machines in Iran that were having problems.

    A related malware called DuQu also went undetected by antivirus firms for over a year.

    Stuxnet, Duqu and Flame are not normal, everyday malware, of course. All three of them were most likely developed by a Western intelligence agency as part of covert operations that weren’t meant to be discovered. The fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and DuQu, they used digitally signed components to make their malware appear to be trustworthy applications.

    In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware.

    The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets.

    As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected.

    This story does not end with Flame. It’s highly likely there are other similar attacks already underway that we haven’t detected yet. Put simply, attacks like these work.

    Reply
  43. Tomi Engdahl says:

    Obama Order Sped Up Wave of Cyberattacks Against Iran
    http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=3&pagewanted=1&hp

    From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

    Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

    “Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.

    The United States government only recently acknowledged developing cyberweapons, and it has never admitted using them. There have been reports of one-time attacks against personal computers used by members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems, including during the NATO-led air attack on Libya last year. But Olympic Games was of an entirely different type and sophistication.

    It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives.

    Flame that was recently discovered to have attacked the computers of Iranian officials, sweeping up information from those machines. But the computer code appears to be at least five years old, and American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack.

    The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran.

    The first stage in the effort was to develop a bit of computer code called a beacon that could be inserted into the computers, which were made by the German company Siemens and an Iranian manufacturer, to map their operations. The idea was to draw the equivalent of an electrical blueprint of the Natanz plant, to understand how the computers control the giant silvery centrifuges that spin at tremendous speeds.

    Eventually the beacon would have to “phone home”

    Soon the two countries had developed a complex worm that the Americans called “the bug.”

    “Previous cyberattacks had effects limited to other computers,” Michael V. Hayden, the former chief of the C.I.A., said, declining to describe what he knew of these attacks when he was in office. “This is the first attack of a major nature in which a cyberattack was used to effect physical destruction,” rather than just slow another computer, or hack into it to steal data.

    Moreover, the code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally. “This may have been the most brilliant part of the code,” one American official said.

    “The intent was that the failures should make them feel they were stupid, which is what happened,”

    But the good luck did not last. In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage.

    An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges.

    American cyberattacks are not limited to Iran, but the focus of attention, as one administration official put it, “has been overwhelmingly on one country.” There is no reason to believe that will remain the case for long.

    Mr. Obama has repeatedly told his aides that there are risks to using — and particularly to overusing — the weapon. In fact, no country’s infrastructure is more dependent on computer systems, and thus more vulnerable to attack, than that of the United States. It is only a matter of time, most experts believe, before it becomes the target of the same kind of weapon that the Americans have used, secretly, against Iran.

    Reply
  44. Tomi Engdahl says:

    A Pandora’s Box We Will Regret Opening
    http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12/a-pandoras-box-we-will-regret-opening

    If somebody would have told me five years ago that by 2012 it would be commonplace for countries to launch cyberattacks against each other, I would not have believed it. If somebody would have told me that a Western government would be using cybersabotage to attack the nuclear program of another government, I would have thought that’s a Hollywood movie plot. Yet, that’s exactly what’s happening, for real.

    Cyberattacks have several advantages over traditional espionage or sabotage. Cyber attacks are effective, cheap and deniable. This is why governments like them.

    In that sense, it’s a bit surprising that the U.S. government seems to have taken the credit ­ and the blame ­ for Stuxnet. Why did they do it? The most obvious answer seems to be that it’s an election year

    The downside for owning up to cyberattacks is that other governments can now feel free to do the same. And the United States has the most to lose from attacks like these. No other country has so much of its economy linked to the online world.

    Reply
  45. Tomi Engdahl says:

    Feds investigate who leaked classified Stuxnet cyberattack details to NYT
    http://www.networkworld.com/community/blog/cyber-sabatoge-feds-investigate-who-leaked-stuxnet-cyberattack-iran

    The FBI is investigating who spilled national security secrets, this time about Stuxnet and the classified cyberattack program the U.S. launched against Iran nuclear facilities. Senator Feinstein has called for Capitol Hill hearings into the leak since ‘disclosures of this type endanger American lives and undermine America’s national security.’

    Reply
  46. Tomi Engdahl says:

    New Grad Looking For a Job? Pentagon Contractors Post Openings For Black-Hat Hackers
    http://www.forbes.com/sites/andygreenberg/2012/06/15/new-grad-looking-for-a-job-pentagon-contractors-post-openings-for-black-hat-hackers-2/

    Hypponen says the job searches he began out of curiosity show a marked uptick in these self-described offensive hacker jobs for U.S. government contractors. “I think this is new,” he says. “The arms race has started, and this proves it. It’s a clear sign of the demand to stockpile cyber weapons and expand the operations underway.”

    But rocketing demand and a lagging supply of skilled hackers is boosting salaries and driving the defense industry’s war for talent into the open,

    “We don’t have the people, and we don’t have a way to make them yet,” says Paller. “We’ve got a really good core of people, but it’s tiny. We’re not even in the game. We can’t field a team.”

    Cybersecurity job openings as a whole are taking off: According to business research group the Conference Board, 15,901 jobs in cybersecurity were posted online in May of this year. That’s up 18% from the 13,477 in the previous May, and nearly double the 8,731 cybersecurity jobs posted in May five years ago.

    Just how many of the cybersecurity positions will focus on offensive, or “black-hat” hacking, rather than defensive, or “white-hat” hacking, is tough to measure. But Paller says the military’s demand for hackers who can break into systems or write malware is already enormous and growing. “Every single control system an adversary has, if there’s a way to take it over, you want to be able to take it over,” he says. “Power system, communications system, radar system, control systems for satellites, field communications unit. If you were going to war with someone, every one would be a potential target for a Stuxnet-like attack, against each of the nations you’re going up against. So you get a sense of the number of people needed.”

    “It’s an impressive number of positions,” he says, and one that points to a future where the vast majority of professional hackers work for the military or its contractors, rather than the companies that play defense–software firms or antivirus companies like Hypponen’s. “There’s no computer security company in the world that’s recruiting like this.”

    Reply
  47. Tomi Engdahl says:

    According to a hacker’s Pastebin service spills a lot of SCADA systems are open to all online, and so any hacker or malicious user’s mercy.

    The hacker posted details of many Echelon i.Lon systems that use i.Lon 600 LonWorks / IP server.

    A hacker has released more than 2300 system information including the service IP address, TCP port where the server is listening, country and city where the system is located in plain language, and the service network address.

    The information leaked by hacker’s services use the default password – the administrators are not, therefore, taken the trouble to change the password at all.

    SCADA systems do not usually able to access the public Internet, but only to the industrial site inside the network. And if the public access to the network side is activated, the password is by no means should be the one chosen by the manufacturer because hackers can can easily guess the default password.

    Now the hacker says that the two security measures have been neglected (system connected to public network and uses default password). Anyone can log on to these systems, and change the settings or functions.

    The hacker has also published pictures of various systems on which the data can not control. There is a school located in Huntington, for example, an air conditioning system can be accessed via the Internet.

    Source: http://www.mikropc.net/kaikki_uutiset/tietovuoto+suomalaisia+teollisuusjarjestelmia+avoinna+netissa+oletussalasanalla++uhkan+vakavuudesta+ei+varmuutta/a818238?s=r&wtm=mikropc/-21062012&

    Reply
  48. Tomi Engdahl says:

    My Opinion On Hacking on the Factory Floor
    http://www.designnews.com/author.asp?section_id=1386&doc_id=248251&cid=Newsletters+-+DN+Daily

    At first glance, I asked myself, “Why would someone want to hack into somebody’s network on a factory floor?” The simple answer is: because they can. The less simple and more disturbing answer is: because they want to disrupt someone’s business. You’d hate to think that a competitor would initiate something like that, but you never know.

    One of the more eye-opening presentations on this topic was delivered by Chuck Tommey, of A&E Engineering. Tommey is a senior controls systems engineer with 18 years of experience in the field. His presentation was titled, “How Hackers View Your Control System & What You Can Do About It.” The quote that got my attention was, “I’m scared silly. Very few plants are even close to thinking seriously about cybersecurity.”

    It’s certainly no surprise that the “networked plant” has arrived and is here to stay. You could easily argue that the “networked world” is here to stay. What I learned at these presentations is that cybersecurity is not keeping pace, not by a long shot.

    It’s to the point that our government is taking notice and is quite concerned about the issue. In fact, one prominent government blogger recently wrote about how Senators Joe Lieberman and Susan Collins, along with the Department of Homeland Security, hosted a cybersecurity demonstration. The purpose was to highlight some of the hackers’ methods and show how to protect against them.

    As evidenced regularly by our own Black Hat developers, no network is 100 percent bulletproof. But the harder you can make it, the more likely that the perpetrators will simply go looking elsewhere for a network to break into. Make sure you’re not that “other network” that gets hacked.

    Reply
  49. Tomi Engdahl says:

    3 pillars of industrial cyber security
    http://www.controleng.com/single-article/3-pillars-of-industrial-cyber-security/ae9f214bcd0f00fba81c041826a94d34.html

    Engineering and IT Insight: A stable physical structure requires at least three main supports. Three “pillars” form the basis for an effective industrial cyber security system: technology, policy and procedures, and people.

    A stable physical structure requires at least three main supports. Industrial cyber-security is no different; it requires supporting structures for a stable system. Three “pillars” form the basis for an effective cyber security system: technology, policy and procedures, and people.

    For example, all three security pillars could be used to protect a simple control system. The technology pillar includes the firewall protecting the system and the login accounts to the control system. In a secure environment the login accounts for the control system would be separate from the general corporate accounts. Policies and procedures provide a second pillar by specifying who can be granted login accounts and what training is required before access is granted. The third pillar is the actual training required by employees before they are granted system access. The training would include the reasons for the secure environment, any known risks, and the consequences for failing to protect that environment.

    Industrial cyber security systems must be built on a stable platform of technology, policy and procedures, and people. If any element is missing, then the system may appear secure but will be vulnerable to attack and compromise with serious consequences to safety, company, jobs, and communities.

    Reply

Leave a Reply to Ranee Wyly Cancel reply

Your email address will not be published. Required fields are marked *

*

*