Category Archives: Control Systems

Industrial and other control systems

CISA-ICS CERT Releases 4 ICS Advisories

Earlier this month Homeland Security released 4 different advisories for industrial control system vulnerabilities. This comes in the wake of a successful breach of a water treatment plant in Florida. While that hack took advantage of poor cyber hygiene practices (obsolete unpatched software, shared passwords, etc.), it did call attention to the fact that our critical infrastructure is under attack.

#1 – JOHNSON CONTROLS EXACQ TECHNOLOGIES EXACQVISION

DHS says this vulnerability is remotely exploitable and requires only a low skill level to exploit. It affects all supported versions of the software and can expose sensitive information to hackers. For more details see this ICS CERT ADVISORY.

#2 – Hitachi ABB Power Grids eSOMS

Again, DHS says that this vulnerability requires only a low skill level to exploit. This vulnerability allows a hacker to gain access to report data. For more details see this ICS CERT ADVISORY.

#3 – Hitachi ABB Power Grids eSOMS Telerik

This is a different Hitachi ABB problem and it is related to path traversal (reaching directories the attacker should not have access to), deserialization of untrusted data, improper input validation, inadequate encryption and insufficiently protected credentials. This scores a 9.8 (out of 10) on the CVSS vulnerability Richter scale. A hacker could upload malicious files, steal sensitive data and execute arbitrary code. For more details see this ICS CERT ADVISORY.

#4 – Rockwell Automation Logix Controllers

This is an update to the alert issued last month and this one rates a 10 out of 10 on the vulnerability rating scale. This one is also exploitable remotely and requires low skill to exploit. The vulnerability would allow a hacker to bypass the login requirement, alter the system’s configuration or change the code in the controller. For more information on this alert, see this ICS CERT ADVISORY.

If we look at this as a whole, what do we see:

  • Most can be executed remotely
  • Not limited to a single vendor
  • Most require low skill to achieve
  • Hackers can steal data and/or corrupt the system

If these attacks were applied to systems like the Florida water system that was compromised, you could, potentially, cause physical damage (like an explosion), turn off services (like turn off power or gas) or poison people (as could have happened in the Florida water treatment plant attack).

The other problem is that industrial control system owners are notorious for not applying patches. They are concerned, probably rightfully, that a patch could cause an outage (Microsoft or Apple never, ever, broke anything when applying patches, right?) or stop the system from working.

Unfortunately, given the typically poor cyber hygiene practices and the increased connectivity to the Internet of these systems, along with the information about the vulnerabilities that are now publicly available, don’t be surprised if hackers take advantage of this.

As a consumer, unfortunately, there is not much that you can do. That means it falls to regulators, who are often in bed with the regulatees. (The Chairman of the Texas PUC was just caught on tape reassuring investors that the millions of dollars they stole from Texans during the deep freeze this month were safe and would not have to be given back. Only AFTER the recording was made public did the Governor ask him to resign.) Given the often too cozy relationship between the PUCs and utilities, I am not counting on much pressure, but we can hope.

Guess Who Developed Malware That Tried to Blow Up a Saudi Refinery?

The Internet of Things (IoT) is new to consumers.  We think of Nest thermostats and Internet connected baby monitors.  That is true and they cause enough grief out there like last year when they took down parts of Amazon and Twitter (and hundreds of other sites)  when malware attacked these poorly protected devices and used them as a zombie army.

And while not being able to watch your favorite show on Netflix is a big problem, in the grand scheme of things, it is basically irrelevant.  Sorry about that.

The real Internet of Things is Industrial Control Systems or ICS.  A piece of this is SCADA systems.  ICS controls things like nuclear power plants and gas pipelines.  The developers of these systems have tried to make them safe and, to a lesser extent, they have tried to make them secure.  But they were never designed to be used in the way we are using many of them today.  There was no Internet, for the most part, 20 years ago.

Unfortunately, the life expectancy of some of these control systems is 30 to 50 years, so we will be paying for the lack of security in a gas pipeline built 20 years ago, probably for another 20 years.

So it is no surprise that someone was able to hack a Saudi refinery and attempt to reprogram SCADA controllers that, supposedly, cannot be programmed remotely.  Except that they can.

In this case, it is a Schneider Electric control system, one of the biggest players in the market.  The hackers figured out how to reprogram some of the devices remotely.

Now here is the good news.

Since the hackers could not buy a working refinery on eBay, they were practicing on a real one.

And, as is often the case with practice, it didn’t work out as planned.

As a result, instead of blowing up the refinery as planned, the safety systems shut down the plant.

This time the good guys won.

That will not always be the case.

For many people, there is not much that they can do other than cross your fingers, but for some people, there are things to do.

This does apply to both your baby monitor and the nuclear power plant up the road.  One has less disastrous results than the other if it gets hacked.

Install patches.  When WAS the last time you patched your refrigerator, anyway?  I am not kidding and power plants and generators and Nukes are some of the worst at patching because you don’t want to break anything.  But patching is critical.

If you can keep an IoT device off the Internet, do so.  And again, I don’t care if you are talking about a baby monitor or a nuke plant.  If it is not accessible, it is hard to hack.

If it does need to be on the Internet, implement strong authentication.  Not password0123.  Make it totally random.  And long.  Reallllllllllly long.  If you can use keys or certificates, do that.  If you make it hard for the bad guys, they may try knocking on another door.  Or, like in the case of the Saudi refinery, they may just screw it up.

Implement really good detection.  Why do we see, time and again, that the bad guys got in and roamed around for days, weeks, months and sometimes years without being detected?  If you can’t keep them out, you have to be able to find them right away.

And that leads to incident response.  How long will it take for you to figure out what the bad guys did?  Or didn’t.  What they changed.  Or deleted.  What they stole.

All of this has to be done quickly.  Sometimes.  With good hackers.  They may only be logged on for a minute or two.  You have to be able to detect that and respond.  And remember, your response could also blow up the pipeline, so you can’t act like a bull in a china shop.
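What "find them right away" looks like in practice is a small set of rules that fire on the controller operations that matter. The script below is an added example, not from the post or from any vendor; it assumes a hypothetical key=value log format from an ICS network monitor (real products use their own formats), an assumed allowlist of engineering workstations and an assumed change window, and runs three policy rules over a constructed sample log: logic changes from any host that is not an engineering workstation, engineering hosts working outside the change window, and logic changes with no attributable user. The last function answers the first incident-response question from the paragraph above: which controllers' logic can no longer be trusted and must be re-verified.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time

# Assumed log format from a hypothetical ICS network monitor; real products differ:
#   <ISO-8601 timestamp> plc=<controller> src=<ip> op=<operation> user=<name or ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) plc=(?P<plc>\S+) src=(?P<src>\S+) op=(?P<op>\S+) user=(?P<user>\S+)$"
)

# Operations that change what a controller does. Reads and tag polls are ignored here.
CONTROL_PLANE_OPS = {"program_download", "firmware_write", "mode_change", "force_io"}

# Assumed site policy: logic changes come only from these engineering workstations,
# only inside the approved change window, and always with a named user.
ENGINEERING_HOSTS = {"10.20.1.10", "10.20.1.11"}
CHANGE_WINDOW = (time(8, 0), time(17, 0))   # UTC in this example


@dataclass
class Alert:
    severity: str
    ts: str
    plc: str
    src: str
    op: str
    reason: str


def parse_event(line):
    """Return the event as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def in_change_window(ts):
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def detect(lines):
    """Apply the three policy rules to every control-plane operation, most severe first."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] not in CONTROL_PLANE_OPS:
            continue
        ts, src = ev["ts"], ev["src"]
        if src not in ENGINEERING_HOSTS:
            sev, why = "critical", "control-plane operation from a non-engineering host"
        elif not in_change_window(ts):
            sev, why = "high", "engineering host acting outside the change window"
        elif ev["user"] == "-":
            sev, why = "medium", "logic change with no attributable user"
        else:
            continue   # expected engineering activity
        alerts.append(Alert(sev, ts.isoformat(), ev["plc"], src, ev["op"], why))
    return alerts


def possibly_modified_controllers(alerts):
    """First incident-response question: whose logic can no longer be trusted?"""
    return sorted({a.plc for a in alerts if a.severity in ("critical", "high")})


# Constructed sample log, not captured from any real plant.
SAMPLE_LOG = """\
2018-01-14T09:15:02Z plc=PLC-07 src=10.20.1.10 op=read_tags user=jsmith
2018-01-14T10:02:41Z plc=PLC-07 src=10.20.1.10 op=program_download user=jsmith
2018-01-14T02:13:07Z plc=SIS-01 src=10.20.5.17 op=program_download user=-
2018-01-14T02:13:09Z plc=SIS-01 src=10.20.5.17 op=mode_change user=-
2018-01-14T23:40:00Z plc=PLC-03 src=10.20.1.11 op=firmware_write user=bob
2018-01-14T11:00:00Z plc=PLC-03 src=10.20.1.11 op=force_io user=-
this line is not in the expected format and is skipped
""".splitlines()

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity:8}] {a.ts} {a.plc} {a.op} from {a.src}: {a.reason}")
    print("re-verify logic on:", possibly_modified_controllers(found))
```

In the sample, the two critical alerts are two seconds apart, which is the point: the rule fires on the first program download, not after a correlation delay. Reads and tag polls are deliberately ignored so the rules stay quiet during normal operations, and the response action is a list of controllers to re-verify, not an automatic block, because, as the text says, an over-eager response can do as much damage as the attack.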

Unfortunately, it is a mess and it will continue to be a mess for quite a while.  Then, maybe, it will get better.

But people have to start improving the situation right now.

Oh, yeah, by the way.  If you haven’t figured it out yet, it WAS the Ruskies.

Information for this post came from The Hacker News.

The Global Shipping Industry is a Shipwreck

Maybe we should call it a dumpster fire, but whether we call it a shipwreck or a dumpster fire, it is a mess.

According to pen testers, shipping industry security is where mainstream IT was years ago.

The pen testers say that the attacks are TRIVIAL to execute and easy to mitigate against.

These ships are connected via satellite and are always on the Internet, like most businesses.  Just with crappy, insecure software.

The pen testers created proof of concept attacks where they took ships off course.  A bad guy could cause ships to crash into each other at night or in fog.

The flaws that they revealed are just the tip of the iceberg, the pen testers say.

They say that this is definitely a matter of when a big attack happens and not if.

One attack targeted the electronic chart display and information system (ECDIS).    Hack the charts and young sailors who believe computers instead of “looking out the window” will be easily fooled.  They tested 20 different ECDIS systems and they were all easy to hack.  If the ship is in autopilot mode tied to ECDIS and ECDIS is hacked, then the hackers can make the ship go anywhere they want it to go.  That is just one attack.
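The defence against a tampered chart display is the one the paragraph hints at: do not trust a single source. A bridge has sensors that do not come through the ECDIS or the satellite position feed, namely the ship's log (speed through the water) and the gyrocompass, and a fix that contradicts them should raise an alarm before any autopilot acts on it. The check below is an added example, not from the pen testers' report or any real ECDIS; it dead-reckons the expected position from the previous fix using the log and gyro, compares it with the position the ECDIS shows, and also rejects any fix whose implied speed exceeds what the hull can do. The track is constructed: a ship steaming east at 15 knots with a fix every minute, where the fourth fix has been shifted about 1.9 nautical miles east.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065   # mean Earth radius in nautical miles


@dataclass
class Fix:
    t: float              # seconds since the start of the watch
    lat: float            # position as delivered to the ECDIS, degrees
    lon: float
    log_speed_kn: float   # speed through the water from the ship's log (independent sensor)
    gyro_heading: float   # heading from the gyrocompass, degrees true (independent sensor)


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def dead_reckon(lat, lon, heading_deg, speed_kn, dt_s):
    """Project a position along a heading for dt_s seconds at speed_kn (spherical Earth)."""
    ang = speed_kn * dt_s / 3600 / EARTH_RADIUS_NM
    p1, l1, brg = math.radians(lat), math.radians(lon), math.radians(heading_deg)
    sin_p2 = math.sin(p1) * math.cos(ang) + math.cos(p1) * math.sin(ang) * math.cos(brg)
    p2 = math.asin(max(-1.0, min(1.0, sin_p2)))
    l2 = l1 + math.atan2(math.sin(brg) * math.sin(ang) * math.cos(p1),
                         math.cos(ang) - math.sin(p1) * math.sin(p2))
    return math.degrees(p2), math.degrees(l2)


def check_track(fixes, max_speed_kn=25.0, tolerance_nm=0.5):
    """Return (time, reason) for every fix the independent sensors contradict: either
    the hull would have needed an impossible speed to get there, or the fix is more
    than tolerance_nm from where the log and gyro say the ship should be."""
    alerts = []
    for prev, cur in zip(fixes, fixes[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            alerts.append((cur.t, "timestamp not increasing"))
            continue
        implied_kn = haversine_nm(prev.lat, prev.lon, cur.lat, cur.lon) / (dt / 3600)
        if implied_kn > max_speed_kn:
            alerts.append((cur.t, f"implied speed {implied_kn:.0f} kn exceeds {max_speed_kn:.0f} kn"))
        dr_lat, dr_lon = dead_reckon(prev.lat, prev.lon, prev.gyro_heading, prev.log_speed_kn, dt)
        drift = haversine_nm(dr_lat, dr_lon, cur.lat, cur.lon)
        if drift > tolerance_nm:
            alerts.append((cur.t, f"fix is {drift:.2f} nm from the dead-reckoned position"))
    return alerts


def constructed_track(spoof=True):
    """Constructed sample: a ship steaming 090 at 15 kn with a fix every minute.
    With spoof=True the fourth fix is shifted 0.05 degrees of longitude (about 1.9 nm)
    east, the kind of offset that steers an autopilot slaved to the ECDIS off its track."""
    fixes = [Fix(0.0, 51.0, 1.0, 15.0, 90.0)]
    for i in range(1, 5):
        prev = fixes[-1]
        lat, lon = dead_reckon(prev.lat, prev.lon, prev.gyro_heading, prev.log_speed_kn, 60.0)
        fixes.append(Fix(60.0 * i, lat, lon, prev.log_speed_kn, prev.gyro_heading))
    if spoof:
        f = fixes[3]
        fixes[3] = Fix(f.t, f.lat, f.lon + 0.05, f.log_speed_kn, f.gyro_heading)
    return fixes


if __name__ == "__main__":
    for t, reason in check_track(constructed_track()):
        print(f"t={t:>5.0f}s  {reason}")
```

The thresholds are assumptions: tolerance_nm would be set from the observed set and drift for the waters being navigated, and max_speed_kn from the vessel. A slow, gradual offset stays under the tolerance, which is why this is a sanity check against gross tampering, not a substitute for a bearing taken out the window.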

OK, so what does this mean to you and me?

Since most of us are not a captain of a tanker or container ship, it is not about that.  But,  if you are, take note!

These shipboard systems are just sophisticated IoT systems and like most IoT systems, the security is horrible.

While you may not captain a ship, your car likely has hundreds of computers in it and we have seen them hacked in the news from time to time.  When you buy a car, do you ask about the security of it?  If you do, the salesperson is probably clueless and has no idea about the answer.  Most people just believe whatever babble the salesperson provides.

Whether it is a car, TV, refrigerator or factory floor machine, ask questions, educate yourself and don’t believe the first answer you get.

Once you buy it, you likely own the problem.  The problem has to get massively large before anyone is really going to help you.

You are, pretty much, on your own.  Understand that and make sure that you are OK with that.

Information for this post came from Threatpost.

Is Kinetic War Obsolete?

Kinetic warfare, a term that seems to have roots with former Defense Secretary Donald Rumsfeld (see article), is the kind of war we are most familiar with – bombs, guns, bullets, poison gas.  I don’t think it is going anywhere any time soon, but what is clear is that cyber warfare is likely to play a much more important role over the short and long term.

There are a number of reasons for this, in my opinion.

Let’s look at traditional kinetic warfare first:

  • Massing an army takes time, is expensive and has bad PR value when citizens’ children die or come home with physical and psychological problems.  It is also expensive long term as the country has to care for those veterans.  If the country doesn’t do a good job of that, there is more bad PR (look at the mess our veterans health care system is in).
  • Building traditional weapons systems is very expensive.  Look at our F-35 fighter as an example;  we have spent tens of billions of dollars on it so far.
  • If you mass an army and build weapons, it costs a huge amount to keep that capability working – just look at our defense budget.
  • It is hard to do this secretly.

These comments are not meant to detract from what we are doing;  it just points out that maintaining a kinetic warfare capability is neither cheap nor easy.

Now let’s look at cyber warfare, the alternative to kinetic warfare.

  • Training cyber warriors is also hard, but hackers rarely die or come home from cyberwar with missing body parts.  The long term care costs are much lower because of these reasons.
  • The hacking tools are mostly free; the rest are really cheap compared to a fighter aircraft or even a bomb.
  • The operational cost is also low.  Hackers can go home at night and sleep in their own beds.
  • It is much easier to hide.  Hackers look like any other white collar worker in an office.

That said, the threat of your enemy’s airplanes dropping bombs on your country – either conventional or nuclear – is a pretty strong deterrent, which is why it isn’t going anywhere anytime soon.

But let’s look at cyber warfare.

We saw the Russians knock out the power in Ukraine twice during 2015 and 2016.  These attacks were mostly designed to get people’s attention as opposed to doing horrible damage, but turning off the power in the middle of the winter when the temperature is below zero will get your attention.

The U.S. Department of Energy’s Idaho National Laboratory demonstrated its ability to remotely cause a generator to blow itself up.  The video is available on Youtube.  To be fully honest, they did add some theatrics to get Congress’s attention (which failed), but the failure of the generator is very real.

And cyber warfare isn’t new.  Under then-President Ronald Reagan, the CIA got the Russians to use some American SCADA software (which runs the valves and controls for a gas pipeline in this case) which caused an explosion in Siberia that was so big that it could be seen from space (see article).

Fast forward to today.

Britain’s Defense Secretary Gavin Williamson, in an interview with the Telegraph, said that the Russians were researching the UK’s critical national infrastructure and how it connects to the continental power supplies with a view to creating panic and chaos.

To be fair, I am sure that this is EXACTLY what every other country’s intelligence agencies are doing.  If they are not, they are missing something.

There is a step between understanding how to execute a cyber attack and actually executing one, but if you are the head of a country’s military and you have to make a choice as to whether to deploy troops, drop bombs or blow up a pipeline or electric grid, you want to have all available options.

Of course Russia is denying this, but I wouldn’t expect anything else and the denial is meaningless.

Congress has been effectively sticking its collective head in the sand when it comes to cyber warfare – meaning not spending anywhere near enough money to prevent it.  In part this is due to the fact that almost all gas and electric utilities in the U.S. are privately owned.  Most water and sewer utilities are municipally owned, but by one of thousands of local utility districts.  All but a few telephone and Internet utilities are privately owned.  Just to be clear, when I say private, I mean non-government.  Many of these are publicly traded companies, owned by investors.

Almost all of these utilities have to go to regulators to raise their prices and raising prices is considered consumer unfriendly.  Spending money on non-revenue generating activities isn’t popular with investors either.  UNTIL, of course, some utility gets taken out by hackers.  Then all hell will break loose.

These utilities are doing small things to help protect themselves.  After 9/11, we saw many utilities erect fences around their facilities.  That is probably useful but unlikely to stop a determined attacker and a fence won’t stop a cyber attack.

The government is trying to play this threat down because they don’t want people to panic.  Panic is not good for politicians’ careers.

Hopefully, however, people are beginning to realize that it may well be easier to turn off the lights, heat and water to a country and politically more palatable at home than a conventional war.

One thing that our Homeland Security folks are working on is trying to figure out how to respond.  For example, in the U.S. there are tens of millions of transformers that help distribute power.  Most of the largest ones are unique and not built in the U.S.  It could take a year to get a replacement shipped from overseas.  What Homeland Security is trying to figure out is, if an attacker figures out how to damage or destroy a bunch of these, how can we keep the power working while new transformers are built?  Similarly, if a gas pipeline is destroyed and the distribution network for gas is interrupted – as we have seen with failures that had nothing to do with attacks – gas prices skyrocket, shortages appear, rationing is needed, etc.  How can we deal with that?

There is no short term answer to these problems and it will take a lot of work, but we better get to work on it because the Russians are and likely so are the Chinese and others.

Just saying!

Information for this post came from the Telegraph.

Nest Security Cameras Can Be Easily Blacked Out

Security researchers have figured out three different ways to disable Nest Security Cameras (Nest is part of Google).  As of a few days ago, Google said they were working on patches and would push them out shortly.  But it speaks to the more general problem of wireless security.

In the Nest situation, there are three vulnerabilities.  The researcher, Jason Doyle, notified Google in October but there are still no fixes – 5 months later.  If the bug had been found by Google’s own bug hunters in Project Zero, they would have started having a wall-eyed cat fit in January.

But it points to the lack of security in IoT in general, the challenge of getting companies to patch IoT bugs (there is no revenue after the initial sale) and later getting users to actually install the patches (I hope Nest automatically looks for and installs patches with no user involvement,  but I don’t know).

The first bug is pretty simple. Get into Bluetooth range and ping the camera with an overly long Wi-Fi SSID parameter.  This causes the camera to crash and reboot.  While it is rebooting, you are clear to break in.  Keep doing it and you could be clear for days.

The second bug is related.  Send a long Wi-Fi password and the camera crashes and reboots also – same deal as above.

The third bug can be exploited by telling the camera to connect to a new network.  This causes it to disconnect from the current network (and stop recording).  Since the new network is bogus, it will eventually reconnect to the old network, but in the meantime, it won’t record.

I have a variant to the last one.  If the burglar brings a local Wi-Fi hotspot with him or her, the Nest, I would guess, would connect to it, but since that hotspot doesn’t have an Internet connection, it can’t transmit.  In that case, it might not reconnect to the old network – I don’t know.

Since these cameras ASSUME that they always have an Internet connection, they don’t deal well with not having one.
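The three Nest bugs share a cause: the provisioning handler trusts the lengths in the request and trusts that the network it is told to join will work. The model below is an added example, not Nest's firmware (whose message format and code are not public here); it assumes a hypothetical length-prefixed "set Wi-Fi" message layout and an injected connect() callback so it runs without a radio. It shows the checks the three bugs call for: every declared length is validated against the 802.11 SSID and WPA2 passphrase limits and against the bytes actually present before anything is copied or any state changes; a network change that fails falls back to the known-good credentials instead of leaving the camera offline; footage is buffered locally while the uplink is down; and the provisioning channel can be closed once setup is done.

```python
MAX_SSID_LEN = 32                   # IEEE 802.11 caps an SSID at 32 octets
MIN_PSK_LEN, MAX_PSK_LEN = 8, 63    # WPA2 passphrase limits (64 chars would be a raw hex PSK)


class ProvisioningError(ValueError):
    """Raised for any request that is rejected before it can change device state."""


def build_request(ssid, psk):
    """Encode the hypothetical message layout used here: [len][ssid][len][psk]."""
    return bytes([len(ssid)]) + ssid + bytes([len(psk)]) + psk


def parse_wifi_request(payload):
    """Parse and validate a 'set Wi-Fi' request. Every declared length is checked
    against both the protocol limits and the bytes actually present, so an oversized
    SSID or passphrase is refused instead of reaching any fixed-size buffer."""
    if len(payload) < 2:
        raise ProvisioningError("request truncated")
    ssid_len = payload[0]
    if not 1 <= ssid_len <= MAX_SSID_LEN:
        raise ProvisioningError(f"SSID length {ssid_len} outside 1..{MAX_SSID_LEN}")
    if len(payload) < ssid_len + 2:
        raise ProvisioningError("SSID length exceeds request size")
    ssid = payload[1:1 + ssid_len]
    psk_len = payload[1 + ssid_len]
    if psk_len and not MIN_PSK_LEN <= psk_len <= MAX_PSK_LEN:   # 0 means an open network
        raise ProvisioningError(f"passphrase length {psk_len} outside {MIN_PSK_LEN}..{MAX_PSK_LEN}")
    start = 2 + ssid_len
    if len(payload) != start + psk_len:
        raise ProvisioningError("passphrase length does not match request size")
    try:
        return ssid.decode("utf-8"), payload[start:].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ProvisioningError("credentials are not text") from exc


def is_rejected(payload):
    """True if the parser refuses the request; convenient for checks and tests."""
    try:
        parse_wifi_request(payload)
        return False
    except ProvisioningError:
        return True


class Camera:
    """Minimal model of the camera's network state. connect(ssid, psk) -> bool is
    injected (assumption) so the example runs without a radio."""

    def __init__(self, ssid, psk, connect):
        self._connect = connect
        self._creds = (ssid, psk)
        self.online = connect(ssid, psk)
        self.provisioning_open = True   # BLE setup channel; should not stay open for life
        self.pending_frames = []        # footage held locally while the uplink is down

    def finish_setup(self):
        """Close the provisioning channel once the owner has configured the camera."""
        self.provisioning_open = False

    @property
    def ssid(self):
        return self._creds[0]

    def handle_set_wifi(self, payload):
        if not self.provisioning_open:
            raise ProvisioningError("provisioning channel is closed")
        ssid, psk = parse_wifi_request(payload)   # rejects bad input before any state changes
        if self._connect(ssid, psk):
            self._creds, self.online = (ssid, psk), True
            return True
        # The new network did not work: return to the known-good credentials
        # rather than sitting disconnected and not recording.
        self.online = self._connect(*self._creds)
        return False

    def capture(self, frame):
        """Buffer every frame; return the frames uploaded now (all pending, if online)."""
        self.pending_frames.append(frame)
        if not self.online:
            return []
        uploaded, self.pending_frames = self.pending_frames, []
        return uploaded
```

With these checks the overlong-SSID and overlong-password requests are refused without rebooting anything, the bogus-network request leaves the camera recording on its original network, and once finish_setup() has run no provisioning request is honoured at all.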

While these attacks require the hacker to be in Bluetooth range, since they are trying to break into the house, that is likely not a problem.

Why Google doesn’t turn off Bluetooth after the camera is initially configured is not clear either.

This is just an example of the challenges of Wireless camera systems.  Another example would be overpower the Wi-Fi connection to force the camera to connect to a rogue hotspot or no hotspot.  There are lots of other attacks.  Hard wired cameras are better – if the burglars can’t easily get to the wires to cut them.

Many alarm and camera systems use cellular connections to transmit alarms.  While cellular is good, it is not foolproof.  Bring a cellular jammer with you (yes, they are illegal, but so is breaking into someone’s house or office) and the alarm won’t be able to transmit images or alarms.

On the other hand, wireless is much easier to install (you don’t have to run wires), so less expensive.  This goes for cameras and alarm systems also.

But the vendors don’t talk about the fact that they are also less reliable.

In part, it depends on your level of paranoia, and also on the quality of the manufacturer.  If you are expecting junkies to break into your house or office, they probably won’t worry about disabling cameras or alarms.  Pros, on the other hand – they might worry and likely have the smarts to disable your entire system.

For many systems, there can be multiple manufacturers.  One camera might come from vendor ‘A’, but a different camera might come from vendor ‘B’.  Same thing with alarms.  A door sensor could come from one vendor while a motion sensor might come from another.  It used to be that these sensors were dumb – you make or break the connection and the panel generates an alarm.  Now, at a minimum, each needs enough software to connect to the right network and then transmit the alarm.  Many cameras and sensors are much smarter than that.  Smarter also means buggier.

While Google will, eventually, issue a patch, what about the hundreds of other wireless camera vendors and thousands of other alarm piece-part vendors who aren’t quite so reputable?

In addition, if the burglars can kill your Internet connection (like cutting your cable or phone line), since these cameras have no local storage, you have no pictures of the bad guys.  If a camera somehow uses wireless Internet (like cellular), then the bad guys would have to disable both, but I am not aware of any consumer grade cameras that work that way.

It is important to understand the risks you have.  In this case, the Nest was supposed to protect you, but maybe didn’t.  For other wireless camera systems – well, who knows.

Information for this post came from The Register.

There but for the grace of God go – We

Wired released a story today on the hack of the Ukraine power grid last December 23.  This is the first time I have seen the “H” word (hack) used in anything that could be considered close to official.

The Wired article is based on a SANS Institute paper by investigators who were on the ground in Ukraine, scheduled to be released today.

One expert called the attack brilliant.

The hackers installed malware on the business network of Ukrainian power companies, but that didn’t get into the control rooms.  But it did get them into the domain controllers that held VPN passwords that the operators used to get into the control rooms remotely.

When they launched the attack, they took over control room computers and started opening up circuit breakers at substations across the distribution network, plunging hundreds of thousands of residents into the dark.

They overwrote firmware and shut down backup power systems so that workers had to go out to the substations to turn the power back on.  They even wiped the hard drives of the control room computers.

The good news is that there is less automation in Ukraine than in the U.S., so there are manual backups that allowed them to start getting lights back on in a few hours.

In the U.S., in some power generation systems, it is all automated.  If the automation goes down, they are down until they get the automation fixed.  Apparently in Ukraine, some of that automation is still not fixed 4 months later.  Think about being in the dark for 4 months.

The article goes on to provide more details and the SANS report will provide even more details, but here is the point.

Parts of Syria went dark this week.  Was it a hack?  I wouldn’t place bets on it not being one.

Could the same thing happen in the U.S.?  According to experts quoted in the article, some of the security at the Ukrainian utilities is actually better than at some U.S. power plants.

So, the short answer is YES, it could happen here.

The other part of the story – the hackers were trying to fire a shot across the bow.  It could have been much worse.

U.S. critical infrastructure definitely has some interesting challenges.  Me – I am going to get my off-grid home ready.

Information for this article came from Wired.