SCADA systems security issues

SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems after Stuxnet. Widely viewed as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at Iran’s Natanz nuclear plant. If nasty malware can do that, other similar malware can do something else nasty as well.

Attacks against SCADA systems can have potentially very serious consequences. I think that we have been quite lucky that we have not seen any big disasters yet. Even though the attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there is a lot of news about the Duqu worm.

News around one month ago reported that a SCADA hack shut down a US water plant on 8 November 2011. The attack on the US water plant has been credited to an unknown attacker (someone using the handle “pr0f” took credit) who, according to hacker sources, managed to access a SCADA controller and take over systems. This once again caused security experts to question the security of SCADA systems. Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System. “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file sharing web site pastebin.com. On the other hand, federal officials said there’s no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery. It is hard to say what the truth is in this case.

What is known is that many industrial systems are vulnerable. Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers, according to which Siemens industrial control systems are vulnerable to attacks that can cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens’ SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to so-called replay attacks that can interfere with normal operations. An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC operation. The ISO-TSAP protocol is functioning to specification; however, authentication is not performed, nor are payloads encrypted or obfuscated.
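As an added example (not code from the original post, Siemens or ICS-CERT), here is a small Python detector built around the point of the advisory: since ISO-TSAP authenticates nothing and encrypts nothing, the wire offers a defender only two signals, which host is talking to the PLC and whether an identical write command reappears from a different host. All addresses and S7 frames below are constructed, and the engineering-station allow-list is an assumption.

```python
"""Wire-level checks for unauthenticated ISO-TSAP (RFC 1006) / S7comm traffic.

Constructed example for this page; not code from the original post, Siemens
or ICS-CERT. Because the PLC protocol itself performs no authentication and
sends payloads in the clear, a defender watching TCP/102 can only reason about
*which host* opens connections and issues writes, and whether an identical
write PDU reappears from a different host (the replay the advisory warns of).
"""
import struct

TPKT_VERSION = 3
COTP_CR = 0xE0          # COTP connection request
COTP_DT = 0xF0          # COTP data transfer
S7_PROTO_ID = 0x32
S7_ROSCTR_JOB = 0x01
S7_FUNC_READ_VAR = 0x04
S7_FUNC_WRITE_VAR = 0x05


def parse_frame(raw: bytes) -> dict:
    """Split one TPKT/COTP frame; return COTP type and the S7 job fields if any."""
    if len(raw) < 6 or raw[0] != TPKT_VERSION:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", raw[2:4])[0] != len(raw):
        raise ValueError("TPKT length does not match frame length")
    li = raw[4]                          # COTP length indicator (excludes itself)
    cotp_type = raw[5] & 0xF0
    info = {"cotp": cotp_type, "s7": None}
    s7 = raw[5 + li:]                    # bytes after the COTP header
    if cotp_type == COTP_DT and len(s7) >= 10 and s7[0] == S7_PROTO_ID:
        rosctr = s7[1]
        param_len = struct.unpack(">H", s7[6:8])[0]
        hdr_len = 12 if rosctr == 0x03 else 10   # ack-data carries 2 error bytes
        params = s7[hdr_len:hdr_len + param_len]
        info["s7"] = {
            "rosctr": rosctr,
            "function": params[0] if params else None,
            "pdu": s7,                   # full S7 PDU, used as the replay fingerprint
        }
    return info


def detect(events, engineering_hosts):
    """events: iterable of (src_ip, dst_ip, raw_frame). Returns a list of alerts.

    engineering_hosts is the (assumed) allow-list of stations permitted to
    program the PLC. Reads are left alone (HMIs poll constantly); connection
    setups and writes from anyone else, and writes that repeat byte-for-byte
    from a new source, are reported.
    """
    alerts = []
    first_writer = {}                    # S7 write PDU -> host that first sent it
    for src, dst, raw in events:
        frame = parse_frame(raw)
        if frame["cotp"] == COTP_CR and src not in engineering_hosts:
            alerts.append(f"ISO-TSAP connection to {dst} from unexpected host {src}")
        s7 = frame["s7"]
        if not s7 or s7["rosctr"] != S7_ROSCTR_JOB:
            continue
        if s7["function"] == S7_FUNC_WRITE_VAR:
            if src not in engineering_hosts:
                alerts.append(f"S7 write to {dst} from non-engineering host {src}")
            origin = first_writer.setdefault(s7["pdu"], src)
            if origin != src:
                alerts.append(f"possible replay to {dst}: write first sent by {origin} repeated by {src}")
    return alerts


# --- constructed sample traffic (not a real capture) -------------------------
def tpkt(body: bytes) -> bytes:
    """Wrap a COTP body in a TPKT header (version 3, reserved 0, total length)."""
    return bytes([TPKT_VERSION, 0]) + struct.pack(">H", 4 + len(body)) + body


COTP_CR_HDR = bytes.fromhex("11e0 00000001 00 c0010a c1020100 c2020102")  # CR, TSAP 01.00 -> 01.02
COTP_DT_HDR = bytes.fromhex("02f080")                                     # DT, last TPDU
# S7 job: write one byte (value 0x01) to DB1.DBB0
S7_WRITE = bytes.fromhex("32010000 0001000e0005" "0501120a10020001000184000000" "0004000801")
# S7 job: read one byte from DB1.DBB0
S7_READ = bytes.fromhex("32010000 0002000e0000" "0401120a10020001000184000000")

PLC, ENGINEERING_PC, HMI, STRANGER = "10.0.10.50", "10.0.10.5", "10.0.10.20", "10.0.10.77"

SAMPLE_EVENTS = [
    (ENGINEERING_PC, PLC, tpkt(COTP_CR_HDR)),
    (ENGINEERING_PC, PLC, tpkt(COTP_DT_HDR + S7_WRITE)),   # legitimate download
    (HMI, PLC, tpkt(COTP_DT_HDR + S7_READ)),               # routine polling, no alert
    (STRANGER, PLC, tpkt(COTP_CR_HDR)),                    # unknown host connects
    (STRANGER, PLC, tpkt(COTP_DT_HDR + S7_WRITE)),         # same write bytes replayed
]


def run_sample():
    """Run the detector over the constructed events; returns three alerts."""
    return detect(SAMPLE_EVENTS, engineering_hosts={ENGINEERING_PC})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The replay fingerprint is the whole S7 PDU including its reference number, so a second operator legitimately issuing the same write from another allowed station is also reported; that is deliberate, since nothing in the protocol lets the detector tell the two apart.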

White Paper On Industrial Automation Security In Fieldbus And Field Device Level is an interesting white paper (from Vacon, Nixu and F-Secure) that gives a generic overview of security in industrial automation. Security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies are presented. Challenges regarding data security in the field of industrial automation are discussed. The properties of industrial automation devices are described with a focus on security, tampering possibilities, and risk mitigation methods.

Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long as the networks that run those protocols are kept physically separate from public networks you are quite safe. For the most part SCADA systems are not designed to be connected to the Internet, but engineers can put in workarounds for remote access. Any time you do this you create a pathway where someone can get in. And there are often cases where remote devices are accessed using those non-secure protocols over unsafe networks (public telephone network, cellular network, radio links, even the Internet).

For a long time there has been a belief that SCADA systems benefit from security through the use of specialized protocols and proprietary interfaces (security through obscurity), and that their networks are physically secured and disconnected from the Internet. Today those beliefs no longer hold. Nowadays you can find many tools on the Internet for working with standard SCADA protocols (for example, Wireshark can decode several commonly used SCADA protocols).

The move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between SCADA systems and office networks and the Internet, has made them more vulnerable to attacks. Modern SCADA systems should be designed so that they can withstand being accidentally connected to the Internet (it will happen sooner or later). In addition to making the SCADA system itself secure, you should separate it from the Internet (no connection at all, or a very strictly configured series of firewalls). The FACT CHECK: SCADA Systems Are Online Now article says that nearly everything is connected now. Nearly all SCADA systems are online. The addition of a simple NAT device is far from bulletproof access control.

Most SCADA systems in use are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run very old operating system versions. Windows is a very commonly used operating system for SCADA applications, because only a few SCADA packages support operating systems other than Windows. It seems that there are many people who are not happy with the security stance being taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminate some of the risk (and maybe created new risks, since anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some more of the risk. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable.

I wish no one had to worry about hackers in any application, but we do. Unfortunately, data security is never a non-issue.

The FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story about the Boeing 747 (for those who do not know, modern 747s are big flying Unix hosts with lots of Ethernet). They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 – VLANs. The security researchers managed to break out of the VLANs and access other systems (including engine management systems). The issue here is that all that separated the engine control systems from the open network was VLAN and NAT based filters.

256 Comments

  1. Tomi Engdahl says:

    The Dark Side of Mobility
    http://www.controleng.com/home/single-article/the-dark-side-of-mobility/4e35e850e685db095fbde54edf9a331a.html

    Search, select, purchase, and install. It’s that easy. Now you can join the ranks of the elite that can remotely manage their control systems from a smartphone, but should you take this step?

    Sure, the idea of “iPhone as HMI” is convenient, but it opens a whole new range of cyber vulnerabilities. Is the functionality worth the risk? Many users are already deploying the technology without sufficient safeguards.

    HMIs, maintenance interfaces, and remote administration functions that were once proprietary can now be installed and programmed in Apple’s iOS and Google’s Android operating systems. Human beings are excellent at making work simpler; however, how does one address the additional cyber risk that our traditional five senses do not manage?

    Many simply decide to ignore the problem and tell themselves that they will never be a target. They ask, “Why would someone come after my facility or supply chain?” The reality is that someone may not be targeting you specifically, but you may be a victim of a generic attack that exploits a vulnerability of your system that you don’t even know is there.

    Google Android and Apple iOS devices serve the purposes of all three of the control system vulnerability gateways: They are wireless, support remote access, and are portable user-following devices. Over the past year, Android and iOS control system applications have become available for purchase or even free download.

    However, any application using these devices requires IEEE 802.11 wireless access to be existent or added to the control system environment. Why? Most Apple iOS and Google Android devices simply do not have the option to use physical network cabling. This fact led to the Cybati IEEE 802.11 wireless node study.

    During February through April 2012, Cybati personnel covered nearly 4,000 miles of roads hunting for IEEE 802.11 a/b/g/n wireless transmissions. The specific target was the organizational unique identifiers (OUIs) of the popular control system hardware providers.

    We had no trouble finding a few control system components on protected wireless networks and on unprotected ones as well.

    Here are some questions you should ask yourself and the business before allowing remote access, wireless, and user-controlled portable devices on the control network.

    • Operations: Who will use it? Where will it be used? When will it be used? How will it increase productivity?
    • Personnel: How should current safety and security operations be altered to accommodate this mobile application?
    • Security: Recognizing that security is a state of mind, what additional controls will be put in place now that a highly portable device can gain access to the control network using a local wireless network and/or an international telecommunication provider?

    Ultimately you have to ask yourself whether the new mobile application is still valuable after considering these points.

  2. Tomi Engdahl says:

    ICS-CERT Warns of Serious Flaws In Tridium SCADA Software
    http://it.slashdot.org/story/12/08/16/2028259/ics-cert-warns-of-serious-flaws-in-tridium-scada-software

    “The DHS and ICS-CERT are warning users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by researchers Billy Rios and Terry McCorkle, are just the latest in a series of vulnerabilities found in the esoteric ICS software packages that control utilities and other critical systems.”

  3. Tomi Engdahl says:

    World’s biggest oil company hit by cyber attack
    Hackers isolated Saudi Aramco’s production systems from infected PC workstations
    http://www.theinquirer.net/inquirer/news/2199578/worlds-biggest-oil-company-hit-by-cyber-attack

    “The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network,” Aramco said.

    Security vendor McAfee said it is still analysing the threat and believes that it is a largely isolated and targeted attack.

  4. Tomi Engdahl says:

    F-Secure reports that the cyber arms race has begun. State-funded information technology has become an alternative to warfare and diplomacy, such as the boycott of traditional enforcement service.

    According to F-Secure’s Chief Research Officer Mikko Hypponen, Stuxnet and its successors Flame and Gauss have simply changed the name of the game.

    “States are attacking each other with malicious code”

    F-Secure Threat Report H1 2012
    http://www.f-secure.com/static/doc/labs_global/Research/Threat_Report_H1_2012.pdf

  5. Tomi Engdahl says:

    Private Key Found Embedded In Major SCADA Equipment
    http://it.slashdot.org/story/12/08/22/1853246/private-key-found-embedded-in-major-scada-equipment

    “RuggedOS (A Siemens Subsidiary of Flame and Stuxnet fame), an operating system used in mission-critical hardware such as routers and SCADA gear, has been found to contain an embedded private encryption key (PDF). Now that all affected RuggedCom devices are sharing the same key, a compromise on one device gets you the rest for free.”

    “This is the second security nightmare for RuggedCom this year, the first being the discovery of a backdoor containing a non-modifiable account.”

    Never, ever, name any software “Rugged”.

    RuggedOS was a recent acquisition by Siemens from a Canadian firm, who had various security worries before its sale, but took care to suppress such news to preserve its valuation.

    The story is the fact that they all have the same one. That part is insanity. Without key lifecycle management, including creation, distribution, and revocation, you might as well not use asymmetric encryption at all.

    The embedded controller market is a market full of devices programmed by hardware engineers, not by security professionals. They don’t open up their systems for peer review and thus security flaws make it into the final product. There is definitely a sense of security through obscurity with those products, and it almost works except that the internet makes it too easy to broadcast information to the world.

    At least now they know that their system is insecure, instead of having it come as a complete surprise when some attacker exploits the weakness to cause some sort of disaster.

    U.S. looks into claims of security flaw in Siemens gear
    http://www.reuters.com/article/2012/08/22/us-cybersecurity-siemens-idUSBRE87L02F20120822

    (Reuters) – The U.S. government is looking into claims by a cyber security researcher that flaws in software for specialized networking equipment from Siemens could enable hackers to attack power plants and other critical systems.

    Justin W. Clarke, an expert in securing industrial control systems, disclosed at a conference in Los Angeles on Friday that he had figured out a way to spy on traffic moving through networking equipment manufactured by Siemens’ RuggedCom division.

    “If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you,” Clarke said.

    “It’s a big deal,” said Carey, who previously helped defend military networks as a member of the U.S. Navy Cryptologic Security Group. “Since communications between these devices is critical, you can totally incapacitate an organization that requires the network.”

    ICS-CERT ALERT
    ICS-ALERT-12-234-01—KEY MANAGEMENT ERRORS IN RUGGEDCOM’S RUGGED OPERATING SYSTEM
    August 21, 2012
    http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-234-01.pdf

  6. Tomi Engdahl says:

    Mystery malware wreaks havoc on energy sector computers
    Like malware that attacked Iran, Shamoon permanently destroys hard disk data.
    http://arstechnica.com/security/2012/08/shamoon-malware-attack/

    Malware researchers have uncovered an attack targeting an organization in the energy industry that attempts to wreak havoc by permanently wiping data from an infected computer’s hard drive and rendering the machine unusable.

    The computer worm, alternately dubbed Shamoon or Disttrack by researchers at rival antivirus providers Symantec and McAfee, contains the string “wiper” in the Windows file directory its developers used while compiling it. Combined with word that it targeted the energy industry, that revelation immediately evoked memories of malware also known as Wiper that reportedly attacked Iran’s oil ministry in April and ultimately led to the discovery of the state-sponsored Flame malware.

    Shamoon is unusual because it goes to great lengths to ensure destroyed data can never be recovered, something that is rarely seen in targeted attacks. It has self-propagation capabilities that allow it to spread from computer to computer using shared network disks. It overwrites disks with a small portion of a JPEG image found on the Internet.

    World’s largest oil producer falls victim to 30K workstation attack
    Saudi Aramco comes clean with some details, resumes network operations today.
    http://arstechnica.com/security/2012/08/worlds-largest-oil-producer-falls-victim-to-30k-workstation-attack/

    It’s nearly a plot line from the movies: World’s largest oil producer gets hit by a cyber-attack that threatens to wipe away all data from its internal computers. But largely, this is the situation Saudi Aramco described today.

    The Saudi Arabia-based industry leader released a statement confirming that roughly 30,000 workstations were affected via cyber attack in mid-August. Details beyond that were scarce.

    The company said it cleansed its workstations and resumed operations for its internal network today.

    The mid-August attack on Saudi Aramco came during the same week when security researchers identified the Shamoon attacks mentioned above.

  7. Tomi Engdahl says:

    Hack on Saudi Aramco hit 30,000 workstations, oil firm admits
    First hacktivist-style assault to use malware?
    http://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/

    Saudi Aramco said that it had put its network back online on Saturday, 10 days after a malware attack floored 30,000 workstations at the oil giant.

    In a statement, Saudi Arabia’s national oil firm said that it had “restored all its main internal network services” hit by a malware outbreak that struck on 15 August. The firm said its core business of oil production and exploration was not affected by the attack.

    Oil and production systems were run off “isolated network systems unaffected by the attack”, which the firm has pledged to investigate.

    Neither victim nor perpetrator named the malware that featured in the attack, but security researchers implicated the Shamoon malware in the security breach.

    Core router names and admin passwords along with email address and supposed password of Saudi Aramco chief exec, Khalid A Al-Falih, were uploaded to Pastebin on Monday.

    “Hacktivists rarely use malware, if other hacktivists jump on this trend it could become very dangerous,”

  8. Tomi says:

    ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes
    http://it.slashdot.org/story/12/09/05/1639254/ics-cert-warns-that-infrastructure-switches-have-hard-coded-account-holes

    “The Department of Homeland Security is warning users of some of GarrettCom’s switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them. A researcher at Cylance discovered the hidden account and warned the ICS-CERT…The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability.”

    My guess from the description is that they blocked non-console logins as the ‘factory’ user, but forgot about the equivalent of ‘su’, so you can login as another user and then escalate.

  9. Tomi Engdahl says:

    Insecure SCADA kit has hidden factory account, password
    Dept. of Homeland Security urges instant upgrade
    http://www.theregister.co.uk/2012/09/05/more_insecure_scada/

    Cylink’s Justin Clarke has tagged another SCADA maker for default insecurity, discovering a hidden factory account – complete with hard-coded password – in switch management software made by Belden-owned GarrettCom.

    Since GarrettCom claims “75 percent of the top 100 power utilities in North America” among its customers, the patch might be regarded as important.

    Clarke seems to have struck a rich seam looking for undocumented insecurities in SCADA kit. In April, he sniffed out a similar default account vulnerability in RuggedCom kit, following it up in August with the discovery that the same vendor had a hard-coded RSA key in its switches.

  10. Tomi Engdahl says:

    Prof casts doubt on Stuxnet’s accidental ‘great escape’ theory
    How DID the super-weapon flee Iran’s nuke plant?
    http://www.theregister.co.uk/2012/09/13/stuxnet/

    An expert has challenged a top theory on how the infamous Stuxnet worm, best known for knackering Iranian lab equipment, somehow escaped into the wild.

    New York Times journalist David Sanger wrote what’s become the definitive account of how Stuxnet was jointly developed by a US-Israeli team.

    Now Prof Larry Constantine, a software engineer with years of experience in industrial control systems, claims some parts of Sanger’s account are just not possible.

    Prof Constantine asserted that the specialised payload hidden away in the control systems was incapable of infecting a Windows PC.

    The academic also said the malware was designed to restrict itself to local-area networks.

    First of all, the Stuxnet worm did not escape into the wild.

    Secondly, it couldn’t have escaped over the internet, as Sanger’s account maintains, because it never had that capability built into it: it can only propagate over [a] local-area network, over removable media such as CDs, DVDs, or USB thumb drives.

    Another thing that Sanger got wrong… was the notion that the worm escaped when an engineer connected his computer to the programmable logic controllers (PLCs).

    The explanation offered in his book and in his article is that Stuxnet escaped because of an error in the code, with the Americans claiming it was the Israelis’ fault.

    These technical details matter “because it raises broad questions about the nature of the so-called leaks from administration personnel to Sanger”.

    “Stuxnet did not ‘escape’ into the wild by accident”.
    The US administration let it be known that its super-weapon had accidentally broken free of its constraints.

    Sourcefire’s technical director for EMEA, told El Reg that the local-area network protocols exploited by Stuxnet to spread across a nuclear plant’s internal systems would be blocked at the firewall in any corporate – or even any sensible home user. Even a badly managed enterprise set-up would block incoming file and print sharing connections. If it didn’t, Stuxnet would be the least of the organisation’s problems.

  11. Tomi says:

    Flame espionage weapon linked to MORE mystery malware
    Command systems weren’t just directing data-raiding worm
    http://www.theregister.co.uk/2012/09/17/flame_analysis/

    Forensic analysis of two command-and-control servers behind the Flame espionage worm has revealed that the infamous malware has been around for longer than suspected.

    Flame was built by a group of at least four developers as early as December 2006, according to freshly published joint research by Symantec, Kaspersky Lab and the United Nations’ International Telecommunication Union.

    Over the last six years, the team behind Flame used the command servers to communicate with the malware on the compromised machines and order them to launch attacks.

    C&C servers were disguised to look like a common content management system.

    “They [the command servers] are all dead,”

    There’s no evidence to suggest that Flame’s command servers were used to control other known cyber-weapons – such as Stuxnet or Gauss – but they were used to operate a mystery malware strain, codenamed “SPE” by its authors.

    Unnamed US officials told the Washington Post that Flame was created as part of the same covert programme that spawned the cyber-weapon Stuxnet, codenamed Olympic Games. Flame was described as a reconnaissance tool that was used to map networks associated with Iran’s controversial nuclear enrichment programme. This information was used by Stuxnet to target its nuke centrifuge cyber-sabotage mission.

  12. Tomi says:

    Smart Grid & Cybersecurity
    http://www.nema.org/Policy/Energy/Smartgrid/Pages/default.aspx

    The basic concept of Smart Grid is to add monitoring, analysis, control and communication capabilities to the national electricity delivery system in order to maximize the output of the system while reducing energy consumption. Smart Grid will also allow homeowners and businesses to utilize electricity as efficiently and economically as possible.

    Protection from and the ability to respond to cybersecurity events are critical to the Smart Grid. Manufacturers seek a common, risk-based approach to cybersecurity. Rapidly-evolving threats require cybersecurity strategies that give manufacturers, utilities, and grid operators the flexibility to respond quickly and decisively.

  13. Tomi Engdahl says:

    Network will be a war zone

    Jarno Limnell from Stonesoft estimates that over the next few years war will move more and more into the cyber world.

    “I absolutely believe it,” he says seriously in Stonesoft’s Helsinki office.

    In Finland, people have not yet woken up to the issue enough, but the risks are there. Information technology is increasingly driven by the activities of the physical world. For example, trains, access control, and power stations are completely dependent on IT.

    Limnell believes that Finland should have the ability to launch cyber-attacks. Mere defense is not enough. According to him, having the ability is not the same as using it. “But, of course, in some cases, attack is the best defense,” says Limnell.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/verkosta+tulee+sotatanner/a841198?s=r&wtm=tietoviikko/-24092012&

  14. Tomi Engdahl says:

    With the increasing presence of modern Programmable Automation Controllers (PACs), all embracing the same open Ethernet Communication standards and Object-Oriented Programming, come the benefits of commoditization including lower prices, common device compatibility, and “components off the shelf” (COTS) availability. Also, the programming and maintenance skills required of one PAC platform is easily transferrable to another, which lowers integration and training costs and increases labor flexibility and efficiency.

    The question is will the wider use of COTS cause more security problems (more attacks known for widely used systems) or will it help in security (many systems built by one company have had serious security holes)?

  16. Tomi Engdahl says:

    U.S. Senators call for executive order to boost cybersecurity of nation’s critical infrastructure
    Posted on 9/19/2012
    http://www.cablinginstall.com/index/blogs/blog-display/blogs/cim-blogs/cabling-blog/post987_8061742683253310503.html

    United States Senators Richard Blumenthal (of Connecticut) and Chris Coons (of Delaware) have written a letter to President Barack Obama requesting that he issue an executive order dealing with cybersecurity. In a press release, Senator Blumenthal’s office explained that he and Senator Coons “were part of a bipartisan effort to build consensus on critical infrastructure provisions of the Cybersecurity Act of 2012,” and said that an executive order could “begin addressing the urgent need to improve the cybersecurity capabilities of the nation’s critical infrastructure.”

    The letter to President Obama states, “the failure of Congress to act should not prevent the executive branch from taking available steps to counter the enormous and growing cyber threat,”

  17. Tomi Engdahl says:

    CloudConnect Conference Talks Infrastructure in the Cloud
    http://www.designnews.com/author.asp?section_id=1365&doc_id=251365&cid=NL_Newsletters+-+DN+Daily

    Bernie Anger, a general manager at GE Intelligent Platforms, spoke at one of the keynote sessions. His company makes automation control systems. As Anger points out, this industry has been very conservative, as it should be. These systems control large machines and generally are deployed for a long time.

    On the other hand, the imperatives of the Information Age are driving these systems toward a connected environment. As Anger said, if it can be measured, it will be connected. That connection will be through and to the cloud. GE’s concept relies on high-performance computing in the edge devices. This requirement is driven by the need to collect data for use later.

    Users engage in a community that allows sharing of information and expertise. Solutions can be tested through simulation before buying. The existence of large data stores — big-data — allows this simulation and opens up new ways to optimize systems.

  18. Tomi Engdahl says:

    Smart-Grid Control Software Maker Hacked
    http://it.slashdot.org/story/12/09/27/2144220/smart-grid-control-software-maker-hacked

    “Telvent, a multinational company whose software and services are used to remotely administer and monitor large sections of the energy and gas industries began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Brian Krebs reports that the attacker(s) installed malicious software and stole project files related to one of Telvent’s core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced ‘smart grid’ technologies.”

  19. Tomi Engdahl says:

    Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent
    http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/

    In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.

    The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks.

    “In order to be able to continue to provide remote support services to our customers in a secure manner, we have established new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated,” the company said in a letter mailed to customers this week, a copy of which was obtained by KrebsOnSecurity.com. “Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent.”

  20. Tomi Engdahl says:

    Maker of Smart-Grid Control Software Hacked
    http://www.wired.com/threatlevel/2012/09/scada-vendor-telvent-hacked/

    The maker of an industrial control system designed to be used with so-called smart grid networks disclosed to customers last week that hackers had breached its network and accessed project files related to a control system used in portions of the electrical grid.

    Telvent, which is owned by Schneider Electric, told customers in a letter that on Sept. 10 it learned of the breach into its network. The attackers installed malicious software on the network and also accessed project files for its OASyS SCADA system, according to KrebsOnSecurity, which first reported the breach.

    According to Telvent, its OASyS DNA system is designed to integrate a utility’s corporate network with the network of control systems that manage the distribution of electricity and to allow legacy systems and applications to communicate with new smart grid technologies.

    Telvent calls OASyS “the hub of a real-time telemetry and control network for the utility grid,” and says on its website that the system “plays a central role in Smart Grid self-healing network architecture and improves overall grid safety and security.”

    The breach raises concerns that hackers could embed malware in project files to infect the machines of program developers or other key people involved in a project. One of the ways that Stuxnet spread — the worm that was designed to target Iran’s uranium enrichment program — was to infect project files in an industrial control system made by Siemens, with the aim of passing the malware to the computers of developers.

    “We are aware of a security breach of our corporate network that has affected some customer files,”

    Project files contain a wealth of customized information about a specific customer’s network and operations, says Patrick Miller, president and CEO of EnergySec, a nonprofit consortium that works with energy companies to improve security.

    “Almost all of them will give you some details about the architecture and, depending on the nature of the project, it may go deeper,” he says. Project files can also identify key players in a project, in order to allow hackers to conduct additional targeted attacks, he said.

    Reply
  21. Tomi Engdahl says:

    10K Reasons to Worry About Critical Infrastructure
    http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/

    A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public internet, including water and sewage plants, and found that many could be open to easy hack attacks, due to lax security practices.

    Infrastructure software vendors and critical infrastructure owners have long maintained that industrial control systems (ICSes) — even if rife with security vulnerabilities — are not at risk of penetration by outsiders because they’re “air-gapped” from the internet — that is, they’re not online.

    “Vendors say they don’t need to do security testing because the systems are never connected to the internet; it’s a very dangerous claim,” Leverett said last week at the S4 conference, which focuses on the security of Supervisory Control and Data Acquisition systems (SCADA) that are used for everything from controlling critical functions at power plants and water treatment facilities to operating the assembly lines at food processing and automobile assembly plants.

    “Vendors expect systems to be on segregated networks — they comfort themselves with this. They say in their documentation to not put it on an open network. On the other side, asset owners swear that they are not connected,” Leverett said. But how do they know?

    To debunk the myth that industrial control systems are never connected to the internet, Leverett used the SHODAN search engine developed by John Matherly, which allows users to find internet-connected devices using simple search terms.

    Leverett found 10,358 devices connected through a search of two years worth of data in the SHODAN database. He was unable to determine, through his limited research, how many of the devices uncovered were actually working systems.

    Reply
  22. Tomi says:

    This was written a few years ago but the content is still valid:

    Metasploit and SCADA exploits: dawn of a new era?
    http://www.zdnet.com/blog/security/metasploit-and-scada-exploits-dawn-of-a-new-era/7672

    First, the SCADA community can expect to see an explosion of vulnerabilities and accompanying exploits against SCADA devices in the near future.

    Second, the diverse information sources in which SCADA vulnerabilities may appear must be vigilantly monitored by numerous organizations and security researchers.

    Third, people should recognize that the recent Stuxnet threat has cast a light on SCADA security issues. Put bluntly, there is blood in the water.

    Quite a few people, companies and other organizations are currently investigating SCADA product security, buying equipment and conducting security testing for a number of differing interests and objectives.

    Fourth, understand that because of the current broken business model, security researchers are often frustrated by software vendors’ action, or inaction, when it comes to reporting vulnerabilities.

    Often, there is no security point-of-contact at the vendor. Even worse, the technical support who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.

    All of these factors lead to frustrated security researchers, some of whom will simply expose the vulnerability and exploit to the world, rather than take a disclosure path through a CERT.

    Reply
  23. Tomi Engdahl says:

    Top 20 critical security controls for cyber defence
    http://www.cpni.gov.uk/advice/cyber/Critical-controls/

    The top 20 critical security controls for cyber defence are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. CPNI is participating in an international government-industry effort to promote the top 20 critical controls for computer and network security. The development of these controls is being coordinated by the SANS Institute.

    Reply
  24. Tomi Engdahl says:

    Metasploit Modules for SCADA-related Vulnerabilities
    http://scadahacker.com/resources/msf-scada.html

    It is important to understand the likelihood that a vulnerability can be exploited on a particular ICS or SCADA system. One factor to use in this evaluation is whether an automated exploit module has been created for the Metasploit Framework. With the recent attention given by security researchers to ICS / SCADA systems, there has been an increased focus on the rapid deployment of these exploit modules that leverage publicly disclosed proof-of-concept (PoC) code.

    Reply
  25. Tomi Engdahl says:

    Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet
    http://www.wired.com/threatlevel/2012/06/internet-security-fail/

    Reply
  26. Tomi Engdahl says:

    Forget Revolution
    What would really happen if the lights went out.
    http://www.foreignpolicy.com/articles/2012/10/01/forget_revolution

    Government officials sometimes describe a kind of Hieronymus Bosch landscape when warning of the possibility of a cyber attack on the electric grid. Imagine, if you will, that the United States is blindsided by an epic hack that interrupts power for much of the Midwest and mid-Atlantic for more than a week, switching off the lights, traffic signals, computers, water pumps, and air conditioners in millions of homes, businesses, and government offices. Americans swelter in the dark. Chaos reigns!

    Here’s another nightmare scenario: An electric grid that serves two-thirds of a billion people suddenly fails in a developing, nuclear-armed country with a rich history of ethnic and religious conflict. Rail transportation is shut down, cutting off travel to large swathes of the country, while many miners are trapped underground.

    But are cyber attacks really a clear and present danger to society’s critical life support systems, capable of inflicting thousands of casualties? Or has fear of full-blown cybergeddon at the hands of America’s enemies become just another feverish national obsession — another of the long, dark shadows of the 9/11 attacks?

    Worries about a large-scale, devastating cyber attack on the United States date back several decades, but escalated following attacks on Estonian government and media websites during a diplomatic conflict with Russia in 2007.

    Much of the concern has focused on potential attacks on the U.S. electrical grid. “If I were an attacker and I wanted to do strategic damage to the United States…I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect,” retired Admiral Mike McConnell said in a 2010 interview with CBS’s 60 Minutes.

    But the scenarios sketched out above are not solely the realm of fantasy. This summer, the United States and India were hit by two massive electrical outages — caused not by ninja cyber assault teams but by force majeure. And, for most people anyway, the results were less terrifying than imagined.

    According to an August report by the U.S. Department of Energy, 4.2 million homes and businesses lost power as a result of the storm.

    The second incident occurred in late July, when 670 million people in northern India, or about 10 percent of the world’s population, lost power in the largest blackout in history.

    “Reasonable people would have expected a lot of bad things to happen”

    even a large-scale blackout would not necessarily have catastrophic consequences.

    “That’s a good example of what some kind of attacks would be like,” he said. “You don’t want to overestimate the risks. You don’t want somebody to be able to do this whenever they felt like it, which is the situation now. But this is not the end of the world.”

    The question of how seriously to take the threat of a cyber attack on critical infrastructure surfaced recently
    Critics worried about regulatory overreach. But the potential cost to industry also seems to be a major factor in the bill’s rejection. A January study by Bloomberg reported that banks, utilities, and phone carriers would have to increase their spending on cyber security by a factor of nine, to $45.3 billion a year, in order to protect themselves against 95 percent of cyber intrusions.

    Joe Weiss, a cyber security professional and an authority on industrial control systems like those used in the electric grid, argued that a well-prepared, sophisticated cyber attack could have far more serious consequences than this summer’s blackouts. “The reason we are so concerned is that cyber could take out the grid for nine to 18 months,” he said. “This isn’t a one to five day outage. We’re prepared for that. We can handle that.”

    But pulling off a cyber assault on that scale is no easy feat. Weiss agreed that hackers intent on inflicting this kind of long-term interruption of power would need to use a tool capable of inflicting physical damage. And so far, the world has seen only one such weapon: Stuxnet, which is believed to have been a joint military project of Israel and the United States.

    “Every SCADA control center is configured differently, with different devices, running different software/protocols,” wrote Rose Tsang, the report’s author.

    Professional hackers are in it for the money — and it’s a lot more cost-efficient to search out vulnerabilities in widely-used computer programs like the Windows operating system, used by banks and other affluent targets, than in one-of-a-kind SCADA systems linked to generators and switches.

    According to Pollard, only the world’s industrial nations have the means to use the Internet to attack utilities and major industries. But given the integrated global economy, there is little incentive, short of armed conflict, for them to do so.

    There is also the threat of retaliation.
    An unnamed Pentagon official, speaking to the Wall Street Journal, summed up the policy in less diplomatic terms: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”

    None of these considerations is an argument for dismissing the risk of cyber attacks. However, they do suggest the need to keep the degree of risk in perspective.
    void “billion dollar solutions to million dollar problems.”

    Strengthening U.S. cyber security is common sense, like locking your door at night.

    Reply
  27. batut yann joomla says:

    Sweet blog! I found it while searching on Yahoo News.
    Do you have any tips on how to
    get listed in Yahoo News? I’ve been trying for a while but I never seem to get there! Many thanks

    Reply
  28. Tomi Engdahl says:

    Iran says its infosec defences foiled oil hack
    Alleges Israel tried to take down oil platforms, with Chinese involvement
    http://www.theregister.co.uk/2012/10/10/iran_oil_cyber_attack_foiled/

    Iran is claiming to have successfully deflected yet another large scale cyber attack on critical infrastructure in the country, this time targeted at its offshore oil installations.

    The NIOOC’s IT boss Mohammad Reza Golshani explained that the attack was foiled thanks to its practice of separating internet and intranet-based machines.

    No infrastructure damage or data loss resulted from the attack, although incoming phone calls to the oil platforms were barred at one stage, Golshani claimed.

    The incident is yet another example of the increasing pressure on Iranian critical infrastructure organisations. Iran insists that pressure is a result of state-sponsored attackers.

    Reply
  29. Tomi Engdahl says:

    Pre-emptive cyberattack defense possible, Panetta warns
    http://news.cnet.com/8301-1009_3-57531071-83/pre-emptive-cyberattack-defense-possible-panetta-warns/?part=rss&subj=news&tag=title

    Defense Secretary Leon Panetta uses stark language to describe a “cyber-Pearl Harbor” that could cripple the nation’s power grid, transportation system, financial networks, and government.

    The U.S. military has the ability to act pre-emptively when it detects an imminent cyberattack threat, Defense Secretary Leon Panetta said today.

    During his first major policy speech on cybersecurity, Panetta echoed previous statements that the United States was facing the possibility of a “cyber-Pearl Harbor” perpetrated by foreign hackers, painting a grim portrait of the destructive power wielded by unnamed agents.

    “A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” he said in prepared remarks during a speech at the Intrepid Sea, Air and Space Museum in New York. “Such a destructive cyber terrorist attack could paralyze the nation.”

    To illustrate the threat, Panetta cited the Shamoon virus, which was blamed for a cyberattack on Saudi Arabian oil company Saudi Aramco and Qatar’s natural gas firm Rasgas in mid-August.

    “All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,” Panetta said. “More than 30,000 computers that it infected (at ARAMCO) were rendered useless, and had to be replaced.”

    However, Panetta said the government’s significant investments in cyber forensics alone are not enough to prevent all cyberattacks.

    “If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President,” Panetta said. “For these kinds of scenarios, the Department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.”

    Reply
  30. Tomi Engdahl says:

    Stuxnet and other things that go bump in the night
    http://www.edn.com/design/systems-design/4398386/Stuxnet-and-other-things-that-go-bump-in-the-night

    Stuxnet, a sophisticated virus that damaged Iran’s nuclear capability, is getting a lot of attention these days. And it should—it’s a fascinating story that combines international political intrigue and nuclear science. But many of the questions being raised are wrong and misleading; they don’t address the root problem. This article discusses why we shouldn’t fixate on Stuxnet, what questions we should be asking, and where we should go from here.

    Reply
  31. Tomi Engdahl says:

    US Suspects Iran Was Behind a Wave of Cyberattacks
    http://it.slashdot.org/story/12/10/15/0022250/us-suspects-iran-was-behind-a-wave-of-cyberattacks

    “American intelligence officials are increasingly convinced that Iran was the origin of a serious wave of network attacks that crippled computers across the Saudi oil industry and breached financial institutions in the United States, episodes that contributed to a warning last week from Defense Secretary Leon E. Panetta”

    Iran’s Hand Is Suspected in Computer Attacks
    http://mobile.nytimes.com/2012/10/14/world/middleeast/us-suspects-iranians-were-behind-a-wave-of-cyberattacks.xml

    WASHINGTON – American intelligence officials are increasingly convinced that Iran was the origin of a serious wave of network attacks that crippled computers across the Saudi oil industry and breached financial institutions in the United States, episodes that contributed to a warning last week from Defense Secretary Leon E. Panetta that the United States was at risk of a “cyber-Pearl Harbor.”

    The attacks emanating from Iran have inflicted only modest damage. Iran’s cyberwarfare capabilities are considerably weaker than those in China and Russia, which intelligence officials believe are the sources of a significant number of probes, thefts of intellectual property and attacks on American companies and government agencies.

    The attack under closest scrutiny hit Saudi Aramco, the world’s largest oil company, in August.

    Until the attack on Aramco, most of the cybersabotage coming out of Iran appeared to be what the industry calls “denial of service” attacks

    Mr. Panetta spoke only in broad terms, stating that Iran had “undertaken a concerted effort to use cyberspace to its advantage.” Almost immediately, experts in cybersecurity rushed to fill in the blanks.

    One senior intelligence official described a debate inside the Obama administration over the pros and cons of openly admitting that the United States has deployed a new cyber weapon, and could use it in response to an attack, or pre-emptively.

    Reply
  32. Tomi says:

    Security House Kaspersky Lab developing their own secure operating system for industrial use.

    The operating system is designed to protect complex industrial systems, which have in recent years fallen victim to cyber weapons. States have also raised concerns about the vulnerability of critical infrastructure.

    According to Kaspersky, industrial systems have traditionally sought to minimize the number of interruptions, which has meant that they have been updated either rarely or not at all. According to him, specialized software manufacturers have been reluctant to do continuous source code analysis and vulnerability patching, so fixes have been made only after information about the problems has leaked out to the public.

    The company says in its analysis that automation has not traditionally been designed with an emphasis on data security. For this reason, for example, the protocols of a number of SCADA systems and programmable logic controllers (PLCs) do not require separate user identification or authentication.

    Today, most SCADA servers are run on either Linux or Windows database servers. Kaspersky is going to start writing the operating system completely from scratch.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/tietoturvatalo+kehittaa+oman+kayttojarjestelman/a848133?s=r&wtm=tietoviikko/-17102012&

    Reply
  33. Tomi says:

    Kaspersky Lab Developing Its Own Operating System? We Confirm the Rumors, and End the Speculation!
    http://eugene.kaspersky.com/2012/10/16/kl-developing-its-own-operating-system-we-confirm-the-rumors-and-end-the-speculation/

    Today I’d like to talk about the future. About a not-so-glamorous future of mass cyber-attacks on things like nuclear power stations, energy supply and transportation control facilities, financial and telecommunications systems, and all the other installations deemed “critically important”. Or you could think back to Die Hard 4 – where an attack on infrastructure plunged pretty much the whole country into chaos.

    Though industrial IT systems and, say, typical office computer networks might seem similar in many ways, they are actually completely different beasts – mostly in terms of their priorities between security and usability.

    In industrial systems that can’t be done, since here the highest priority for them is maintaining constant operation come hell or high water. Uninterrupted continuity of production is of paramount importance at any industrial object in the world; security is relegated to second place.

    Another challenge to securing an “always on” environment arises due to software at an industrial/infrastructural installation only being updated after a thorough check for fault-tolerance – so as to make sure not to interrupt the working processes.

    Still, even if the possibility to update software and patch up “holes” does exist, this doesn’t always help much. Manufacturers of specialized software aren’t interested in constant source code analysis and patching holes.

    At the same time as arming themselves, both infrastructure companies and various government authorities aren’t forgetting about protection. Indeed, they started protecting themselves long ago. But how do they actually go about it?

    There are really just two methods. The first – isolating critically important objects: disconnecting them from the Internet, or physical isolation from the outside world in some other way.

    Second – keeping secrets. Collective and large-scale attempts to keep secret everything and anything. Developers of ICS keep the source code secret, owners of factories and infrastructure place a “SECRET” stamp on the schematics of information and control systems, the types of used software are kept secret, and so on. However, at the same time, information about vulnerabilities in, for example, the majority of popular SCADA systems, is freely available on the Internet.

    Protection as It Should Be

    Ideally, all ICS software would need to be rewritten, incorporating all the security technologies available and taking into account the new realities of cyber-attacks.

    But there is fully realizable alternative: a secure operating system, one onto which ICS can be installed, and which could be built into the existing infrastructure – controlling “healthy” existing systems and guaranteeing the receipt of reliable data reports on the systems’ operation.

    First I’ll answer the most obvious question: how will it be possible for KL to create a secure OS if no one at Microsoft, Apple, or the open source community has been able to fully secure their respective operating systems? It’s all quite simple really.

    First: our system is highly tailored, developed for solving a specific narrow task, and not intended for playing Half-Life on, editing your vacation videos, or blathering on social media. Second: we’re working on methods of writing software which by design won’t be able to carry out any behind-the-scenes, undeclared activity. This is the important bit: the impossibility of executing third-party code, or of breaking into the system or running unauthorized applications on our OS; and this is both provable and testable.

    Reply
  34. Tomi Engdahl says:

    Stuxnet and other things that go bump in the night
    http://www.edn.com/design/systems-design/4398386/Stuxnet-and-other-things-that-go-bump-in-the-night?cid=Newsletter+-+EDN+on+Systems+Design

    Stuxnet, a sophisticated virus that damaged Iran’s nuclear capability, is getting a lot of attention these days. And it should

    Normal computer viruses are indiscriminate: they attack every PC they touch. Stuxnet is different—while it spread in a similar manner as other viruses, in most systems it had no effect. Stuxnet was designed to:

    1. Infiltrate a PC through the typical virus pathways. USB sticks were highly effective.

    2. Confirm whether the host PC’s location was Iran.

    3. Establish whether there was a certain type of programmable logic controller (PLC) connected to the PC.

    4. Check if there were a specific number of those PLCs attached.

    5. Confirm whether those PLCs were connected in a very specific arrangement and controlling a particular piece of equipment.

    6. Reprogram the PLCs to alter their behavior, but report diagnostics that everything was fine.

    Note that Stuxnet did not actually damage most systems it infected—it was a highly targeted attack. This allowed it to spread to its target before it was detected and antivirus companies were alerted to its presence.

    Reply
  35. Tomi Engdahl says:

    Threats and technology from Iran
    http://blogs.computerworld.com/cyberwarfare/21178/threats-and-technology-iran

    Iran’s police chief, Brig. Gen. Esmail Ahmadi-Moqadam:
    “Now it’s all about cyber-attacks, which only shows their desperation but Iran is doing just fine with cyber defense. It’s true that the U.S. made Stuxnet virus did some damage to our facilities but we were able to get them all up and running in no time. However, those who attack should expect retaliation and we haven’t gone there just yet.”

    Iran has been getting blame recently for some attacks on financial services firms.

    Reply
  36. Tomi says:

    Panetta Spells Out DOD Roles in Cyberdefense
    http://www.defense.gov/news/newsarticle.aspx?id=118187

    WASHINGTON, Oct. 11, 2012 – Defense Secretary Leon E. Panetta spelled out in detail the Defense Department’s responsibility in cybersecurity during a speech to the Business Executives for National Security meeting in New York, today.

    “A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” he said in prepared remarks. “Such a destructive cyber terrorist attack could paralyze the nation.”

    The secretary pointed to denial of service attacks that many large U.S. corporations have suffered in recent weeks, but also cited a more serious attack in Saudi Arabia. In that attack a sophisticated virus called “Shamoon” infected computers at the Saudi Arabian state oil company, ARAMCO.

    “Shamoon included a routine called a ‘wiper,’ coded to self-execute,” he said. “This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional ‘garbage’ data that overwrote all the real data on the machine. The more than 30,000 computers it infected were rendered useless, and had to be replaced.”

    There was a similar attack later in Qatar. “All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,” Panetta said.

    Enemies target computer control systems that operate chemical, electricity and water plants, and guide transportation networks.

    “We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life,” he said.

    DOD has improved its capability of tracking attacks to point of origin. “Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests,” he said.

    All U.S. leaders have discussed cyber security with foreign leaders.

    But businesses have the greatest interest in cybersecurity. Businesses depend on a safe, secure, and resilient global digital infrastructure, and businesses own and run many of the critical networks the nation depends on. “To defend those networks more effectively, we must share information between the government and the private sector about threats in cyberspace,” the secretary said.

    Reply
  37. Tomi Engdahl says:

    A look inside the cabling for federal government data centers
    http://www.cablinginstall.com/articles/print/volume-20/issue-10/features/a-look-inside-the-cabling-for-federal-government-data-centers.html

    While both businesses and government share many of the same data center concerns, federal government standards are many times more rigorous to achieve. Especially as the federal government is undergoing data center consolidation, planning to close 1,200 data centers by 2015, it is necessary that new facilities meet the highest standards for cost effectiveness, security, scalability, availability of information and environmental responsibility.

    Reply
  38. Tomi Engdahl says:

    The rocky relationship between safety and security: Best practices for avoiding common cause failure and preventing cyber security attacks in safety systems

    An industry practice reflected in the international safety standards (i.e. IEC 61508) is the need for independence among the multiple protection layers on an industrial site: “…the EUC control system shall be independent from the E/E/PE safety-related systems and other risk reduction measures…”. However, even the 1st generation of digital Safety Systems (Electronic/Programmable Electronic Systems) had communication ports with support for open protocols (i.e. Modbus RTU) in order to provide diagnostics and other information relevant for the operation of the process (EUC).

    Users have connected (interfaced) safety systems to BPCS since the mid-1980s and have aimed to develop tighter connectivity at least since 1995, but these efforts were based on proprietary protocols until the adoption of open network protocols and Windows on industrial control systems increased the connectivity to business systems and at the same time (at least in theory) exposed them to the same issues (viruses, cyber attacks, etc.).

    Source: http://www.mediasolvewebcast.com/AccountManager/RegEv.aspx?PIID=EB52DB83864B&utm_source=emailcampaign471&utm_medium=phpList&utm_content=HTMLemail

    Reply
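    The Kaspersky analysis quoted in comment 32 (PLC protocols that require no user identification or authentication) and the safety-system note above (open protocols such as Modbus on safety-system ports) describe the same gap: the protocol cannot tell an engineering workstation from an intruder, so one remaining defensive layer is watching who sends state-changing requests. The Python below is an added example, not code from the original page or from any of the quoted articles; it assumes Modbus/TCP framing (the PDU is the same as on Modbus RTU), and the IP addresses, allowlist and frames are constructed sample data.

```python
"""Passive Modbus/TCP monitor: parse MBAP header + PDU and flag write
(state-changing) requests from hosts outside an allowlist.
Constructed example; host addresses and frames are made up."""
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change PLC state (Modbus Application Protocol V1.1b).
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU payload after the function code

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTION_CODES

    @property
    def write_address(self) -> Optional[int]:
        """Starting coil/register address a write request targets."""
        if not self.is_write:
            return None
        # FC 0x17 carries read start, read qty, then write start at offset 4.
        offset = 4 if self.function_code == 0x17 else 0
        return struct.unpack(">H", self.data[offset:offset + 2])[0]


def parse_modbus_tcp(raw: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP ADU; raise ValueError on malformed input."""
    if len(raw) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The MBAP length field counts the unit id plus the whole PDU.
    if length != len(raw) - 6:
        raise ValueError(f"length field {length} != {len(raw) - 6} bytes present")
    return ModbusFrame(tid, uid, raw[7], raw[8:])


def inspect_request(src: str, raw: bytes, approved_writers: set) -> Optional[dict]:
    """Alert on malformed frames and on writes; reads return None."""
    try:
        frame = parse_modbus_tcp(raw)
    except ValueError as err:
        return {"src": src, "severity": "medium", "reason": f"malformed frame: {err}"}
    if not frame.is_write:
        return None
    alert = {
        "src": src,
        "unit_id": frame.unit_id,
        "function": WRITE_FUNCTION_CODES[frame.function_code],
        "address": frame.write_address,
    }
    if src in approved_writers:
        alert.update(severity="info", reason="write from approved engineering workstation")
    else:
        alert.update(severity="high", reason="write from host not approved to change PLC state")
    return alert


def run_monitor(traffic, approved_writers) -> list:
    """Run inspect_request over (src, frame) pairs and collect the alerts."""
    alerts = []
    for src, raw in traffic:
        alert = inspect_request(src, raw, approved_writers)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample data: one approved engineering workstation.
APPROVED_WRITERS = {"10.0.0.7"}
SAMPLE_TRAFFIC = [
    # HMI polling: Read Holding Registers (FC 0x03), 4 registers from 0x0000
    ("10.0.0.5", bytes.fromhex("000100000006010300000004")),
    # approved workstation: Write Single Register (FC 0x06) at 0x0010 = 0x00FF
    ("10.0.0.7", bytes.fromhex("0002000000060106001000ff")),
    # unknown host: Write Multiple Registers (FC 0x10), 2 registers from 0x0010
    ("192.168.1.99", bytes.fromhex("00030000000b0110001000020400010002")),
    # unknown host: protocol id 1 instead of 0 -> rejected as malformed
    ("192.168.1.99", bytes.fromhex("00040001000601050000ff00")),
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_TRAFFIC, APPROVED_WRITERS):
        print(alert)
```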
  39. Tomi Engdahl says:

    A serious security risk for industry and utilities: the CoDeSys programming environment leaks

    More than 200 manufacturers use the CoDeSys programming environment to build programmable automation equipment. The platform can be found in a number of power plants, factories and military equipment.

    Through the security hole that has now been detected, it is possible to break into computer systems and run malicious code on a CoDeSys-enabled device. The security hole allows access to the command interface without permission. In practice, the intruder can even launch programs, copy information and reset the memory.

    The CoDeSys hole cannot be exploited without access to the company’s internal network.

    The CoDeSys manufacturer is working on a fix for the problem.

    Source: http://m.tietoviikko.fi/Uutiset/Vakava+turvariski+teollisuudessa+ja+voimalaitoksissa%3A+ohjelmointiymp%C3%A4rist%C3%B6+vuotaa

    Reply
  40. Tomi Engdahl says:

    Now it is leaking: more than 50 holes in the IT systems of nuclear power plants and factories

    Siemens industrial software (previously plagued by Stuxnet) is still full of security holes, a Russian security expert says.

    Security holes were found in the Siemens WinCC software, which is used in factories and energy plants. The software is used in many countries for functions critical to society. For example, the Iranian enrichment facility infected by Stuxnet used the WinCC information system.

    Sergey Gordeychik, chief technology officer of the Moscow-based security company Positive Technologies, was scheduled to present the Siemens software vulnerabilities at the Defcon security conference in the summer, but Siemens demanded that Gordeychik cancel the presentation so that the company would have time to patch the leaks. Gordeychik presented WinCC’s problems on Thursday at the security conference in Seoul.

    The information security team has found more than 50 security vulnerabilities in the latest WinCC version. Most of the vulnerabilities give an attacker access to WinCC’s remote management (for example through the software’s browser-based management page).

    Source: http://www.tietoviikko.fi/kaikki_uutiset/no+nyt+vuotaa+yli+50+reikaa+ydinvoimaloiden+ja+tehdaiden+itjarjestelmassa/a854517?s=r&wtm=tietoviikko/-08112012&

  41. Tomi Engdahl says:

    Industrial control systems need security ICs
    http://www.eetimes.com/design/industrial-control/4400780/Industrial-control-system-needs-security-ICs?Ecosystem=communications-design

    Until now, most industrial control systems (ICSs) were designed mainly for high reliability, safety, and the maximum uptime. While the industry has been focusing for decades on fulfilling these requirements, digital security was historically almost not considered at all.

    In the 1990s some governmental agencies started examining cyber security for critical infrastructures such as electrical power distribution. These efforts were still confidential. Now with the emergence of Stuxnet and the numerous publications it has triggered, cyber attacks against industrial control and automation systems are a key concern to all stakeholders.

    We admit from the outset that a discussion of all ICS structures susceptible to a security attack would deserve an entire article. It is difficult indeed to limit our discussion to a few important ICSs, but that is what we must do.

    Implementations of these systems can, and will, differ greatly depending on the ultimate industrial application. Some systems will be physically concentrated, limited to a well-defined manufacturing facility, or spread over a very wide geographical area

    IT Technologies in an Industrial Environment—Not Always a Perfect Fit

    A SCADA system is monitoring the pressure of cooling water in an industrial installation and is expected to raise an alarm when a loss of pressure is detected. In this potential emergency situation, we want the operator to take immediate action.

    Consider now an operator’s response in a classic IT infrastructure. After some minutes of inactivity the IT workstation has probably locked itself; the operator must type his password to login and, usually after three unsuccessful attempts, the workstation would lock again. Now the IT operator needs to contact an administrator to get the password reset. Time is passing. A similar, reiterative procedure would be devastating in an industrial setting. With an ICS in this emergency, we want an operator to act immediately; any hesitation is a critical loss of time. So this is an example of a very standard IT procedure that is not applicable, even detrimental to an ICS.

    These traditional defensive tactics do not, in any way, provide the ultimate level of protection needed for an ICS. Procedures, even if audited on a regular basis, are never 100% followed; physical protection like locking doors can be bypassed and cannot be applied everywhere. Most important, defensive manual procedures do not cover attacks performed by highly skilled people with the time and budget to elaborate the most sophisticated scenarios. Even worse, there are examples where bribery led ICS operators to bypass procedures.

    The security answer is embedded. It is in the ICS hardware. The upper-level hierarchy of security countermeasures involves generic IT security countermeasures such as cryptography and hardware security

    Protect the ICS with Embedded Cryptography
    Generic IT policies cannot be systematically applied to the broad range of ICSs at work in industry. However, there is one technology used universally in the IT world that can be implemented: cryptography.

    Cryptography answers most of the threats listed above. Still, it is not a magic wand and the approach cannot be as simple as, “I’ll add crypto to my ICS and all of sudden it becomes secure.” Crypto algorithms and protocols are building blocks that should be implemented on a case-by-case basis after a thorough analysis of the threats to each subsystem.

    Why Security ICs to Support Cryptography?
    So far we discussed some applications of cryptography for ICS security. Cryptography is often implemented in software, so why would one use security ICs in an ICS? There are several reasons to do so, especially because security ICs actually offer several specific benefits: secure storage of keys; protection against key disclosure through side-channel attacks; simple implementation of bug-free cryptography; accelerated computation; the quality of random numbers; and trusted software through a secure boot.

    In the tiniest, most constrained systems like sensor modules, the computing capability (typically an 8-bit microcontroller) to run a sophisticated math operation might not exist. In these situations, adding a secure IC is often the only option to bring computing power for cryptography without redesigning the system.
    Secure microcontrollers can even add a full security solution such as handling complete security protocols such as TLS/SSL.

    Trusted Software Through Secure Boot
    Unfortunately Stuxnet is a brilliant demonstration of the importance of this topic. Systems operators and designers must ensure that all equipment upon which a SCADA or DCS system is built runs a well-identified, genuine piece of software. Secure boot and secure updates management are the way to protect a device from malware or untrusted software injection. Secure boot and secure update management are implemented in the newest state-of-the-art secure microcontrollers.

    Conclusion
    We have said a lot and perhaps you now question, “So are we protected against cyber attacks because we are using security ICs?” The answer is not a simple, “yes.” Full system security requires a thorough identification of assets to be protected and an in-depth analysis of threats prior to any solution deployment. Then effective security depends to a great extent on implementation of a number of cryptographic measures, which bridge software and hardware. Nonetheless, after a rigorous analysis security ICs definitely elevate the protection for ICSs to the highest level.

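    The secure-boot point in the article quoted above (every device in a SCADA or DCS system should run only a well-identified, genuine piece of software) can be made concrete with a small image-verification routine. The Go program below is an added example, not code from the EETimes article or from any secure-microcontroller vendor: the image layout (4-byte version, payload, Ed25519 signature over both), the function names and the firmware strings are assumptions constructed for illustration. It goes slightly beyond the text by also enforcing a minimum-version counter, which is how secure update management keeps an attacker from reinstalling an older, correctly signed but vulnerable image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not a real vendor format):
//   [4-byte big-endian version][payload][64-byte Ed25519 signature over version||payload]
const (
	versionLen = 4
	sigLen     = ed25519.SignatureSize
)

var (
	ErrMalformed    = errors.New("secure boot: image too short to contain header and signature")
	ErrBadSignature = errors.New("secure boot: signature does not verify against the device public key")
	ErrRollback     = errors.New("secure boot: image version is below the device's minimum version")
)

// BuildImage runs at the vendor: it signs version||payload with the vendor's private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, versionLen, versionLen+len(payload)+sigLen)
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	sig := ed25519.Sign(priv, body)
	return append(body, sig...)
}

// VerifyImage is what a boot ROM would run. It trusts exactly two things: the vendor public key
// provisioned at manufacture and a monotonic minimum-version counter kept in protected storage
// (anti-rollback). It hands back the payload only if the image may execute.
func VerifyImage(pub ed25519.PublicKey, minVersion uint32, image []byte) (payload []byte, version uint32, err error) {
	if len(image) < versionLen+sigLen {
		return nil, 0, ErrMalformed
	}
	body := image[:len(image)-sigLen]
	sig := image[len(image)-sigLen:]
	// Verify the signature before interpreting any header field, so unsigned bytes never drive logic.
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, ErrBadSignature
	}
	version = binary.BigEndian.Uint32(body[:versionLen])
	if version < minVersion {
		return nil, 0, ErrRollback
	}
	return body[versionLen:], version, nil
}

// SelfCheck exercises the outcomes a boot ROM must distinguish and returns nil if all behave as expected.
func SelfCheck() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	firmware := []byte("constructed firmware payload v2") // sample payload, constructed for this example
	good := BuildImage(priv, 2, firmware)

	// 1. A genuine image at or above the minimum version boots.
	got, ver, err := VerifyImage(pub, 2, good)
	if err != nil || ver != 2 || !bytes.Equal(got, firmware) {
		return fmt.Errorf("genuine image rejected: %v", err)
	}
	// 2. A single flipped byte in the payload (injected code) is refused.
	tampered := append([]byte(nil), good...)
	tampered[versionLen] ^= 0x01
	if _, _, err := VerifyImage(pub, 2, tampered); !errors.Is(err, ErrBadSignature) {
		return fmt.Errorf("tampered image not rejected: %v", err)
	}
	// 3. An image signed with a key the device does not trust is refused.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	foreign := BuildImage(otherPriv, 2, firmware)
	if _, _, err := VerifyImage(pub, 2, foreign); !errors.Is(err, ErrBadSignature) {
		return fmt.Errorf("foreign-signed image not rejected: %v", err)
	}
	// 4. A genuinely signed but older image is refused once the counter has advanced.
	old := BuildImage(priv, 1, []byte("old vulnerable firmware"))
	if _, _, err := VerifyImage(pub, 2, old); !errors.Is(err, ErrRollback) {
		return fmt.Errorf("rollback not rejected: %v", err)
	}
	return nil
}

func main() {
	if err := SelfCheck(); err != nil {
		fmt.Println("secure boot self-check FAILED:", err)
		return
	}
	fmt.Println("secure boot self-check passed: genuine image boots; tampered, foreign-signed and rolled-back images are refused")
}
```

    On a real secure microcontroller the public key and the minimum-version counter would live in one-time-programmable or otherwise write-protected memory, and the same verification would be applied to every update before the counter is advanced; the routine above shows only the decision logic, not that storage.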
  42. Tomi Engdahl says:

    Stuxnet Infected Chevron’s IT Network
    http://blogs.wsj.com/cio/2012/11/08/stuxnet-infected-chevrons-it-network/

    Stuxnet, a sophisticated computer virus created by the United States and Israel to spy on and attack Iran’s nuclear enrichment facilities in Natanz, also infected Chevron’s network in 2010, shortly after it escaped from its intended target.

    Chevron found Stuxnet in its systems after the malware was first reported in July 2010, said Mark Koelmel, general manager of the earth sciences department at Chevron. “I don’t think the U.S. government even realized how far it had spread,” he told CIO Journal. “I think the downside of what they did is going to be far worse than what they actually accomplished,” he said.

    Chevron was not adversely affected by Stuxnet

    Chevron’s experience with Stuxnet appears to be the result of the unintentional (and perhaps, inevitable) release of malware upon a larger network, much like an experimental virus escaping from a medical lab. But many companies are also being specifically targeted, sometimes by less sophisticated actors attempting to retaliate against perceived U.S. cyber-aggression.

    Chevron is the first U.S. company to acknowledge that its systems were infected by Stuxnet, although most security experts believe the vast majority of hacking incidents go unreported for reasons of security or to avoid embarrassment. The devices used in industrial equipment and targeted by Stuxnet are made by huge companies, including Siemens (whose devices were in use at Iran’s facility). Millions of these devices have been sold around the world, so potentially every industrial company that uses these devices, called programmable logic controllers, or PLCs, is at risk of being infected.

    U.S. officials blame Iranian hackers with government ties for the so-called Shamoon virus that destroyed data on 30,000 computers belonging to Saudi Arabian Oil Co. in August. A Qatari natural gas company called Rasgas was also attacked in August.
    Aramco said it quickly recovered from the August attack, but expects more attacks in the future. Rasgas says the August attack had no impact on its operations.

    “All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,”

    The virus is an example of an escalation that has happened in the scale and speed of cyber attacks during the last few months.

    Unleashing potent cyber weapons points to the larger problem of blowback, where “somebody could recover malware assets, tweak them and use them,” said SANS’ Skoudis. He said portions of the Stuxnet code have already been reused in financial cybercrime to steal credit cards and bank account information.

    In the end, companies are left to clean up the mess associated with viruses such as Stuxnet. “We’re finding it in our systems and so are other companies,” said Chevron’s Koelmel. “So now we have to deal with this.”

  43. Tomi says:

    The New Face of Energy Insecurity
    http://nationalinterest.org/commentary/the-new-face-energy-insecurity-7715#.UJ6wNNja3-c.twitter

    The future of energy insecurity has arrived. In August, a devastating cyber attack rocked one of the world’s most powerful oil companies, Saudi Aramco, Riyadh’s state-owned giant, rendering thirty thousand of its computers useless. This was no garden-variety breach. In the eyes of U.S. defense secretary Leon Panetta, it was “probably the most destructive attack that the private sector has seen to date.”

    What makes this kind of attack so worrying is the risk it poses to energy prices and hence the U.S. economy. Stopping oil production in Saudi Arabia could turn into a catastrophic loss of oil supplies.

    The August attack on Saudi Aramco was only the most recent volley in what Washington has described as “low-grade cyberwar” in the Middle East, in this case likely involving Iran.

    Saudi Aramco was not the only casualty. RasGas, a Qatari natural gas company and the second-biggest producer of liquefied natural gas in the world, fell victim to an identical virus a short time after the Saudis. Like Aramco, RasGas announced that despite the attack, which left some of its computers “completely dead,” its energy production was not affected. Experts surmise that the Iranian attacks were likely payback for the apparently Western-backed Stuxnet virus, which struck the country’s Natanz nuclear plant.

    Oil, gas and petrochemical companies are popular targets for hackers, who have ramped up their assault on these firms over the last two years. McAfee, an Internet-security firm, described in a recent study a barrage of “coordinated covert and targeted cyberattacks,” coming mostly from China, targeting energy companies around the world. The aim of these operations was to get ahold of proprietary data such as oil reserves, bidding strategies and critical infrastructure.

    But this summer’s attack on Saudi Aramco differs from these more traditional cyber espionage cases in a critical way: It wasn’t about the data. It was about disabling the company’s operations. Both are serious, but the former poses a systemic risk that, if successful, could make waves far beyond the health (or even survival) of a single company.

    Virtual warfare against energy companies will not end anytime soon. Hackers are well aware that crippling oil operations offers significant leverage, strategically speaking, as acts of terror: a single successful act has the potential to hurt oil-consuming nations far beyond the Middle East.

    Defending the world’s major energy suppliers against debilitating cyber threats will not be easy, but it is essential. The risk cannot be eliminated

  44. Tomi Engdahl says:

    Is Your Network Safe?
    http://www.designnews.com/author.asp?section_id=1386&doc_id=254104&cid=NL_Newsletters+-+DN+Daily

    How safe is your network?

    Just a few years ago, plants didn’t have to worry about the safety of their networks. From an IT point of view, plants were silos — succinct and secure. That changed over the past decade. To improve efficiency, plants connected out to the company’s back office and beyond to suppliers and customers.

    The increased connectivity gives the business office insight into what the plant is producing, what orders are complete, and what new supplies need to be ordered.

    This extended network prompted a battle between the organization’s IT team and the control folks on the factory floor. IT is accustomed to adding patches late at night, when the office employees are gone. A quick reboot, and everything is fine when the office employees show up the next morning. With plant networks, that’s not so easy. If a plant is running 24/7, you can’t add patches and reboot without shutting down the plant.

    In addition, the plant is now vulnerable to hacking. When automation and control managers discuss this challenge, the vulnerability that most worries plant employees is not terrorists, hackers, or competitors — it’s disgruntled employees. Who else would know how to crack the system, push the right buttons, and pull the right levers to disrupt the network?

  45. Tomi Engdahl says:

    Security firm showcases vulnerabilities in SCADA software, won’t report them to vendors
    http://www.networkworld.com/news/2012/112112-security-firm-showcases-vulnerabilities-in-264456.html

    The vulnerability information will be sold to private buyers as part of a commercial service, the company says

    Malta-based security start-up firm ReVuln claims to be sitting on a stockpile of vulnerabilities in industrial control software, but prefers to sell the information to governments and other paying customers instead of disclosing it to the affected software vendors.

    In a video released Monday, ReVuln showcased nine “zero-day” (previously unknown) vulnerabilities which, according to the company, affect SCADA (supervisory control and data acquisition) software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. ReVuln declined to disclose the name of the affected software products.

    “ICS-CERT has just contacted us some minutes ago requesting more details but we don’t release information,” Auriemma said. The vulnerabilities “are part of our portfolio for our customers so no public details will be released; they will remain private,”

    Along with French vulnerability research firm VUPEN, ReVuln is among a few companies that openly sell vulnerability information to government agencies and other private customers and refuse to report the vulnerabilities their researchers find to the affected vendors so they can be fixed.

    However, if security researchers who find vulnerabilities in industrial control systems don’t self-regulate or get support for their work through a government program, they run the risk of meeting legal and other forms of pressure because issues that can affect national security attract particular attention, Harley said.

    “I can’t say I feel comfortable with this, but it may be that legitimized and monetized research will work out better for the online world than multitudes of individuals and unofficial groups working semi-covertly,” the ESET researcher said. “If so, let’s hope too much damage isn’t done while that market stabilizes.”

  46. Tomi Engdahl says:

    Who would investigate IT accidents?

    An airplane falling from the sky is extremely unlikely. On average, seven simultaneous faults are needed for that to happen. Still, once in a while it does happen.

    Few of us are afraid to board. We rely on these services in the clouds so strongly that we board them on a regular basis, even though a crash would be fatal.

    In the computer world’s cloud services, we still live in a kind of fear-of-flying era. Perhaps rightly so.

    The reliability of cloud services is not yet at the level of flying, which has more than a hundred years of history. During that period, we have seen a series of devastating accidents.

    Aircraft accidents are investigated by an external group of experts. The causes of, and lessons from, an accident that happened to one airline are also communicated to the other companies.

    Traditionally, IT firms have not been keen to report in detail on what happened in-house.

    However, the functioning of IT services is becoming so critical for society that the handling of accidents would benefit from greater transparency. In the end, even if it has to be imposed as an obligation by the authorities.

    Source: http://www.tietoviikko.fi/blogit/uutiskommentti/kuka+tutkisi+itonnettomuuksia/a859311?s=r&wtm=tietoviikko/-27112012&

  47. Tomi Engdahl says:

    Scada vulnerabilities are being traded – a new study found more than 20 holes

    A security researcher reveals that a total of 23 security holes have been discovered in industrial Scada systems.

    Something similar has happened in the past, but the sale of vulnerabilities is now being marketed more prominently than before.

    Some security companies do not publish information on vulnerabilities. Instead, they make their money by selling their data, including security problems in the software programs used to monitor factory automation systems.

    ReVuln announced last week that it had discovered, and is selling, Scada vulnerabilities found in General Electric, Schneider Electric, Kaskad, Rockwell Automation, Siemens and Eaton systems. The company does not intend to report its findings to public authorities or to give the information for free to the companies that produce the Scada systems.

    Now 23 vulnerabilities have been found in the software of the same companies, and they may possibly be the same holes.

    They were disclosed by Aaron Portnoy of Exodus Intelligence. He will report them to the competent authorities. At the same time, the information is also sold to corporate customers to help them prepare for the time until patches for the holes are developed.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/scadan+haavoittuvuuksilla+kaydaan+kauppaa++uusi+tutkimus+loysi+yli+20+reikaa/a859477?s=r&wtm=tietoviikko/-27112012&

  48. Tomi Engdahl says:

    What does a flightless bird and SCADA software have in common?
    http://blog.exodusintel.com/2012/11/25/what-does-a-flightless-bird-and-scada-software-have-in-common/

    If you’ve been paying attention to the security industry for any length of time then you’re probably familiar with the non-disclosure vs responsible disclosure vs full disclosure stances researchers take with regard to vulnerabilities they discover. As the value of vulnerabilities has been steadily going up over the years, more and more individuals and organizations are aligning themselves with the non-disclosure crowd and not for the traditional reasons. These days there seem to be an increasing number of cases of individuals hiding behind non-disclosure for reasons that generally tend to end up revolving around them making more money than reputable outlets provide.

    When I read that a new company out of Malta called ReVuln has discovered vulnerabilities in SCADA software and decided not to inform the affected vendors, but rather sell the information privately to their customers, I was intrigued.

  49. Tomi Engdahl says:

    GE study pimps ‘industrial Internet’
    How’s that SCADA security going, gentlemen?
    http://www.theregister.co.uk/2012/11/26/ge_pimps_industrial_internet/

    General Electric thinks that as much as $US15 billion could be added to global industrial output, merely by connecting global industrial operations to the Internet.

    The report (PDF), Unleashing the Industrial Internet: “Pushing the Boundaries of Minds and Machines”, paints the kind of futuristic picture that Vulture South seems to recall from the 1990s.

    “We estimate that the technical innovations of the Industrial Internet could find direct application in sectors accounting for more than $32.3 trillion in economic activity. As the global economy grows, the potential application of the Industrial Internet will expand as well. By 2025 it could be applicable to $82 trillion of output or approximately one half of the global economy”, the report continues.

    While there’s no doubt that industrial automation is at best a work in progress, with a lot of efficiency still to be achieved, The Register can’t help but wonder whether the public Internet can ever be a good place for industrial control systems.
