Guess Who Developed Malware That Tried to Blow Up a Saudi Refinery?

The Internet of Things (IoT) is new to consumers.  We think of Nest thermostats and Internet connected baby monitors.  That is true and they cause enough grief out there like last year when they took down parts of Amazon and Twitter (and hundreds of other sites)  when malware attacked these poorly protected devices and used them as a zombie army.

And while not being able to watch your favorite show on Netflix is a big problem, in the grand scheme of things, it is basically irrelevant.  Sorry about that.

The real Internet of Things is Industrial Control Systems or ICS.  A piece of this is SCADA systems.  ICS systems control things like nuclear power plants and gas pipelines.  The developers of these systems have tried to make them safe and to a lesser extent, they have tried to make them secure.  But they were never designed to be used in the way we are using many of them today.  There was no Internet, for the most part, 20 years ago.

Unfortunately, the life expectancy of some of these control systems is 30 to 50 years, so we will be paying for the lack of security in a gas pipeline built 20 years ago, probably for another 20 years.

So it is no surprise that someone was able to hack a Saudi refinery and attempt to reprogram SCADA controllers that, supposedly, can not be programmed remotely.  Except that they can.

In this case, it is a Schneider Electric control system, one of the biggest players in the market.  The hackers figured out how to reprogram some of the devices remotely.

Now here is the good news.

Since the hackers could not buy a working refinery on eBay, they were practicing on a real one.

And, as is often the case with practice, it didn’t work out as planned.

As a result, instead of blowing up the refinery as planned, the safety systems shut down the plant.

This time the good guys won.

That will not always be the case.

For many people, there is not much that they can do other than cross your fingers, but for some people, there are things to do.

This does apply to both your baby monitor and the nuclear power plant up the road.  One has less disastrous results than the other if it gets hacked.

Install patches.  When WAS the last time you patched your refrigerator, anyway?  I am not kidding and power plants and generators and Nukes are some of the worst at patching because you don’t want to break anything.  But patching is critical.

If you can keep an IoT device off the Internet, do so.  And again, I don’t care if you are talking about a baby monitor or a nuke plant.  If it is not accessible, it is hard to hack.

If it does need to be on the Internet, implement strong authentication.  Not password0123.  Make it totally random.  And long.  Reallllllllllly long.  If you can use keys or certificates, do that.  If you make it hard for the bad guys, they may try knocking on another door.  Or, like in the case of the Saudi refinery, they may just screw it up.

Implement really good detection.  Why do we see, time and again, that the bad guys got in and roamed around for days, weeks, months and sometimes years without being detected.  If you can’t keep them out, you have to be able to find them right away.

And that leads to incident response.  How long will it take for you to figure out what the bad guys did.  Or didn’t.  What they changed.  Or deleted.  What they stole.  

All of this has to be done quickly.  Sometimes.  With good hackers.  They may only be logged on for a minute or two.  You have to be able to detect that and respond.  And remember, your response could also blow up the pipeline, so you can’t act like a bull in a china shop.

Unfortunately, it is a mess and it will continue to be a mess for quite a while.  Then, maybe, it will get better.

But people have to start improving the situation right now.

Oh, yeah, by the way.  If you haven’t figured it out yet, it WAS the Ruskies.

Information for this post came from The Hacker News.

Facebooktwitterredditlinkedinmailby feather

Leave a Reply

Your email address will not be published. Required fields are marked *

*

code