The most recent distributed denial of service attack (DDoS) meant that most people could not get to Twitter. While that was awful and may have forced a few people to actually work instead of tweeting, for the most part, that was not a big deal. In fairness to the DYN attack, there were actually hundreds of web sites that were effectively offline, but still, in the grand scheme of things, a small problem.
The Metropolitan, an English language newspaper in Finland is reporting a much more serious issue and that is combining DDoS attacks with the Internet of Things (IoT).
In this case, two apartment buildings in the city of Lappeenranta lost heat and hot water due to a DDoS attack on the computer that controls the heating system. The CEO of the company that manages these buildings said the heat and warm water were “temporarily disabled”.
By temporary, he means from late October to November 3rd, a period of over a week. Remember, Finland is pretty chilly this time of year, so to have no heat or hot water for a week or two is, kind of, “a problem”.
The attack deluged the computers that control the system with traffic. The system’s solution to this is to reboot, but that doesn’t make the traffic go away, so it is sort of “rinse and repeat”. Since the systems were continuously rebooting, they could not turn on the heat or hot water.
Since the building maintenance engineers are not cyber security experts, they had no clue what was happening. If they had replaced the “faulty” computers, they would have done the same thing because the computers were not faulty – just doing what they were programmed to do.
This is reminiscent of the attack on the Ukrainian power grid last year, with different results. In Ukraine, the power grid is old and creaky. What computers there are there are bolted on to the existing infrastructure. If the computers fail, you have to drive to the substation and throw the switch by hand. Which is why that attack, while it literally destroyed a lot of the power distribution infrastructure, only turned off the lights for less than a day.
Finland, however, is not a third world country. They have a lot of modern technology. I suspect, in this case, that there was no switch to throw in the apartment building to turn on the heat.
Like we see a lot in modern IoT devices, security is an afterthought. Probably no one considered that someone might want to attack their controller so they didn’t harden it nor did they set up protocols to deal with an attack.
SCADA, the industrial version of IoT (I know that is an over simplification, but it will work for this piece), was also never designed with security in mind. I used to work for one of the largest SCADA manufacturers in the world. There was no security in those devices. Not even a userid and password, never mind something more sophisticated. SCADA devices were never designed to even be on the Internet, but people figured out that they could save money by doing that.
Unfortunately, water plants, sewage plants, power plants, chemical plants and a lot of other infrastructure is not a good place to experiment, but the money to be saved is too large to ignore. So we are being guinea pigs.
The attack on DYN, I think, was an experiment. How did people deal with it? How did the experts respond? Did the police do anything?
Now they have some data points and they will continue to experiment.
At some point they will decide it is time to take down the power grid. While throwing the entire United States in the dark is probably more effort than even a nation state would want to take (although far from impossible), throwing Washington, DC or New York City into the dark might produce some interesting results. If you could damage the infrastructure at the same time to make it harder, take longer and cost more to repair, that would be a “side benefit”.
You can believe me or not, but this will happen. It is just a matter of when because the steps that need to be taken now are not being taken. It is too expensive and too inconvenient. Remember my mantra. Security. Convenience. Pick one. You could probably modify that to Security, convenience, cost, pick at most two.
Tell the utilities that all of their little controllers that connect by way of Wi-Fi have to be secured or all of their controllers in the field that live in a secure metal box by the side of the road have to be replaced by something that actually is secure. They will tell you that it is too expensive to do. Right now, secure means that there is a padlock on the box. An attacker could cut the padlock and if that was too hard, they could smash the box to bits with a sledgehammer.
After 9-11, the Feds paid local utilities to put fences around water treatment plants and such. Some even have fence shakers – cool little gizmos that detect if someone is shaking the fence by trying to climb over it. And, maybe, that will improve the security of central infrastructure, but there is so much distributed infrastructure that is not effectively protected.
For example, is there a power substation near your house? How about a gas main line? How strongly are they protected? Maybe – and only maybe – there is a fence around it. For me, there is a fence around the substation but not around the gas main. Of course, even with the fence, there is no one there to physically disable the attacker and by the time the police or utility got there, the damage would be done.
Maybe the attack in Finland is a warning. But are enough people and the right people listening? I don’t know.
Information for this post came from the Metropolitan.