Tag Archives: ICS

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and which have a defective receiver module component. That is mighty kind of them since every single one of them is still under warranty and if you can’t hear sound on your phone, it is of lesser usefulness. Still, we are talking about Apple. Owners can take them to an Apple store or authorized repair center. Apple says you might want to back up your data first in case something bad happens. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion, Teslas on autopilot have crashed into police cars. At night. On autopilot. When they have their lights flashing. Those high intensity lights have occasionally blinded me at night, so it doesn’t seem like much of a stretch that they could bother Tesla’s cameras too. Right now about a dozen of these crashes are under investigation. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, the OMB has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today.

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attacks and if one doesn’t work then the attackers might try a different one – as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections so they are changing tactics. When Amazon comes to a local government to ask for a tax break to add, according to the union, dangerous, depressed wage jobs, they launch a campaign asking the voters to explain why the city should give a tax break to one of the wealthiest companies in the country just so that they can create more dangerous, low paying jobs that will be automated out of existence as soon as Amazon can do it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021 there were 637 bugs in products of 76 vendors affecting Industrial Control Systems. More than 70% of them are rated critical. Three quarters of the bugs do not require any privileges and two thirds can be exploited without any user involvement. Given all the attacks we have seen and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

Hackers break in to German steel mill and cause “serious damage”

BBC and others are reporting that a German steel mill was hacked.  The report came not from the news media or the mill, but rather the German Federal Office for Information Security (BSI).

As a result, not a lot of details are known, but the postings are new, so perhaps more information will come out in time.

Apparently, the hackers started out the usual way – spear phishing attacks on the business network.  Once in, they used that access to get access to the factory floor network.

Using that access, they were apparently able to take over a blast furnace used for melting steel and stop the plant from shutting the furnace down in a normal fashion, causing “massive” damage.  Exactly what that means is unclear, but it was apparently significant enough for the BSI to report on it.

What are the takeaways from this little bit of information that we have?

1. There apparently was not enough separation between the factory floor network and the business network.

2. There apparently were not enough safeguards in the factory control system to retake control of the physical factory after hackers got into the network.

3. Possibly, there was not an adequate incident response plan to deal with a situation like this.

4. Cyber attacks can cause “massive” physical damage.

2015 looks to be an interesting year.



How to shut down an entire factory with one text message

Seems far fetched, but it is not.

Of course, it is expensive.  It took Stephen Hilt almost two weeks and $400.  Of course that is the “quantity one” price.  With a little work and volume, the price would go down.

Dark Reading is reporting that Stephen, who works for the industrial control security firm Digital Bond, took a normal factory automation controller case, added a few off-the-shelf components like a Raspberry Pi CPU and a DroneCell cellular modem, added a dash of metasploit-like software and VOILA!, the factory is toast.

The DroneCell card allowed Stephen to bypass the airgap;  the software allowed him to issue a stop command to every controller on the network and the factory or power plant comes to a complete halt.  Now all he has to do is send a text message to his cell card to start things off.

All in the case of an Allen-Bradley PLC controller.

Next he would need to pay off some disgruntled maintenance person at the plant to install it.  That might cost him another hundred bucks.  Or, if that person is really disgruntled, he might do it for free.  He could get a job with a contractor that maintains the plant and get PAID to install his attack tool.

Given the state of (lack of) controls at most factories or utilities, if the very normal looking box was stuck in an out of the way place, it might take a while to find it.  IF they even think to look for a rogue controller.  Shut down the plant every week or two at random times and watch them scratch their heads.

Stephen does give credit where credit is due. The idea came from a similar but different effort by DARPA and the Department of Energy’s Idaho National Laboratory who built a hacking tool inside a power strip.


Turkey Pipeline Blast – Was It A Cyber Attack?

Bloomberg has been busy lately with cyber reporting.  On December 10th, 2014, they reported that the attack on the Turkish BTC pipeline in 2008 was likely a cyber attack.

The Department of Energy’s Idaho National Laboratory caused a 1 megawatt generator to blow up to prove a point a couple of years before this, so from a possibility standpoint, this is not news.  What is news is that terrorists are moving from possibility to actuality.

The pipeline had sensors and cameras to monitor all 1,100 miles of pipe but curiously, neither the cameras nor the sensors detected the blast.  The pipeline operator found out about the blast and fire when a civilian called the control center on their phone.

The Turkish government blamed a malfunction (kind of like Sony saying they were investigating an IT incident a couple of weeks ago).  A group of Kurdish separatists claimed credit.  BP said there was a fire (true, but kind of missing an important point).

According to 4 different sources, the hackers shut down alarms, cut off communications and over pressurized the pipeline until it exploded and caught fire.  Apparently, the chief suspect is Russia.

The NSA had been warning for years that bad guys could blow up infrastructure from afar.  Admiral Rogers, the current NSA boss, in fact, stated in testimony before Congress last month that it was no longer a question of if, but rather when.  I guess the when was 6 years ago.  The NSA did investigate at the time, so like with the Sands attack I reported about yesterday, the NSA is being a tad bit coy with what they do know.

The good news is that the pipeline was repaired in only a couple of weeks.

The article has more details on the attack.

The point of entry was the wireless security cameras themselves.  The software had a vulnerability and the cameras were not isolated from the rest of the control or alarm system.  Bad boys and girls.

The blast spilled 30,000 barrels of oil and cost BP $5 million a day in transit tariffs.  The Republic of Azerbaijan lost $1 billion in export revenue while the pipeline was down.  Assuming the pipeline was running at capacity, that revenue was lost for good.

For any organization that has industrial control systems (this is not just the local water company – this includes security cameras, alarm systems, HVAC controllers, elevator controllers and other physical plant equipment – just to name a few possibilities) now would be a good time to be worried and make some changes.