Tag Archives: Industrial Control Systems

Guess Who Developed Malware That Tried to Blow Up a Saudi Refinery?

The Internet of Things (IoT) is new to consumers.  We think of Nest thermostats and Internet connected baby monitors.  That is true, and they cause enough grief out there, like last year when malware attacked these poorly protected devices and used them as a zombie army that took down parts of Amazon and Twitter (and hundreds of other sites).

And while not being able to watch your favorite show on Netflix is a big problem, in the grand scheme of things, it is basically irrelevant.  Sorry about that.

The real Internet of Things is Industrial Control Systems or ICS.  A piece of this is SCADA systems.  ICS systems control things like nuclear power plants and gas pipelines.  The developers of these systems have tried to make them safe and to a lesser extent, they have tried to make them secure.  But they were never designed to be used in the way we are using many of them today.  There was no Internet, for the most part, 20 years ago.

Unfortunately, the life expectancy of some of these control systems is 30 to 50 years, so we will be paying for the lack of security in a gas pipeline built 20 years ago, probably for another 20 years.

So it is no surprise that someone was able to hack a Saudi refinery and attempt to reprogram SCADA controllers that, supposedly, cannot be programmed remotely.  Except that they can.

In this case, it is a Schneider Electric control system, one of the biggest players in the market.  The hackers figured out how to reprogram some of the devices remotely.

Now here is the good news.

Since the hackers could not buy a working refinery on eBay, they were practicing on a real one.

And, as is often the case with practice, it didn’t work out as planned.

As a result, instead of blowing up the refinery as planned, the safety systems shut down the plant.

This time the good guys won.

That will not always be the case.

For many people, there is not much that they can do other than cross their fingers, but for some people, there are things to do.

This does apply to both your baby monitor and the nuclear power plant up the road.  One has less disastrous results than the other if it gets hacked.

Install patches.  When WAS the last time you patched your refrigerator, anyway?  I am not kidding, and power plants, generators and nukes are some of the worst at patching because you don’t want to break anything.  But patching is critical.

If you can keep an IoT device off the Internet, do so.  And again, I don’t care if you are talking about a baby monitor or a nuke plant.  If it is not accessible, it is hard to hack.

If it does need to be on the Internet, implement strong authentication.  Not password0123.  Make it totally random.  And long.  Reallllllllllly long.  If you can use keys or certificates, do that.  If you make it hard for the bad guys, they may try knocking on another door.  Or, like in the case of the Saudi refinery, they may just screw it up.

Implement really good detection.  Why do we see, time and again, that the bad guys got in and roamed around for days, weeks, months and sometimes years without being detected?  If you can’t keep them out, you have to be able to find them right away.

And that leads to incident response.  How long will it take for you to figure out what the bad guys did?  Or didn’t.  What they changed.  Or deleted.  What they stole.

All of this has to be done quickly.  Sometimes, with good hackers, they may only be logged on for a minute or two.  You have to be able to detect that and respond.  And remember, your response could also blow up the pipeline, so you can’t act like a bull in a china shop.

Unfortunately, it is a mess and it will continue to be a mess for quite a while.  Then, maybe, it will get better.

But people have to start improving the situation right now.

Oh, yeah, by the way.  If you haven’t figured it out yet, it WAS the Ruskies.

Information for this post came from The Hacker News.

‘Crash Override’ Might Take Down US Power Grid

What if the attack on the Kiev power station last Christmas, which killed power to a goodly chunk of the city, was just a dry run?  For what?

Security researchers at ESET and Dragos analyzed the malware used in the attack and say it represents a dangerous advancement in attacks on critical infrastructure.

Like Stuxnet before it, it was purpose built to damage industrial control systems.

The system, called Crash Override or Industroyer, is modular, with the ability to swap modules in and out depending on the particulars of the system the attackers are targeting.

This version of the software knows how to directly talk to the hardware that controls the power grid, rather than attacking the workstations that manage the grid.  Given that it is modular, the attackers could configure it with particular attacks based on the control systems a particular plant uses.

By damaging the hardware, the attack would be much more difficult to recover from.  If the controls don’t respond, then engineers would need to go directly to the substations to try and recover.  Assuming there is a way to do that.  At some stations, there are no manual overrides, just automation.  Damage could mean that you have to reboot the hardware.  Or, it might mean that you have to replace the hardware.  That is what we saw in Ukraine.  Depending on how much damage it does, it could take time to recover.

The North American Electric Reliability Corporation or NERC has been working very actively with the utility industry to make it more resilient to attacks, but as the industry gets better, so do the attackers, so it is not a simple problem to solve.

This malware is also more automated than the software used in the 2015 Ukraine attack.  That attack took 20 people to attack 3 companies.  Experts say that with this new software that same team could attack ten or fifteen targets – or more.

Unlike Stuxnet, which is believed to be the work of Israel and the United States, this malware is thought to have come from Russian hackers.

The researchers note that this does not spell the end of humanity – although grid operators should be concerned.  They say that the malware is very “noisy”, meaning that it is not subtle as it tries to map out the network it is attacking.  If operators are watching their network, they will see the attack early, hopefully before it can do much damage.  Stay tuned.  Could Russia attempt to launch an attack in the U.S.?  Sure, it’s possible.  Could they try to attack more than one part of the grid at once?  Also possible.  Would they succeed?  That is the real question.  One that we don’t know the answer to.
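As an added illustration of the detection point above (this is example code written for this page, not code from the article or from the ESET/Dragos research): a small detector over a constructed connection log that flags any host reaching many distinct ICS endpoints within a short window, which is what “noisy” network mapping looks like to an operator who is watching.  The port watch list (Modbus/TCP 502, IEC 60870-5-104 2404, DNP3 20000), the window and the threshold are assumptions, not values from the article.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed watch list of well-known ICS protocol TCP ports (IANA registrations,
# not values from the article): Modbus/TCP, IEC 60870-5-104, DNP3.
ICS_PORTS = {502, 2404, 20000}

# Constructed sample connection log, one flow per line: "timestamp src dst dport".
# 10.10.1.5 sweeps six controllers in four seconds; 10.10.1.9 is a normal HMI poll.
SAMPLE_LOG = """\
2017-01-01T22:00:01 10.10.1.5 10.20.0.11 2404
2017-01-01T22:00:02 10.10.1.5 10.20.0.12 2404
2017-01-01T22:00:02 10.10.1.5 10.20.0.13 502
2017-01-01T22:00:03 10.10.1.5 10.20.0.14 502
2017-01-01T22:00:03 10.10.1.5 10.20.0.15 2404
2017-01-01T22:00:04 10.10.1.5 10.20.0.16 20000
2017-01-01T22:00:10 10.10.1.5 10.20.0.99 443
2017-01-01T22:00:30 10.10.1.9 10.20.0.11 2404
2017-01-01T22:05:00 10.10.1.9 10.20.0.12 2404
"""

def parse_flows(text):
    """Parse the log into (timestamp, src, dst, dport) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_noisy_sources(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak fan-out} for every source that reaches at least
    `threshold` distinct (dst, dport) ICS endpoints inside one sliding window."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in ICS_PORTS:  # ignore ordinary IT traffic such as HTTPS
            per_src[src].append((ts, dst, dport))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        recent = deque()  # events inside the current window, oldest first
        for ts, dst, dport in events:
            recent.append((ts, dst, dport))
            while ts - recent[0][0] > window:
                recent.popleft()
            fanout = {(d, p) for _, d, p in recent}
            if len(fanout) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(fanout))
    return alerts
```

In a real plant the baseline fan-out of legitimate HMIs and historians must be measured first so the threshold sits above it.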

Information for this post came from Wired.

When Medical Devices Get Hit With Ransomware

Is it possible that North Korea used stolen NSA hacking tools to infect medical devices at U.S. hospitals?  Forbes says, yes it is.

When the WannaCry ransomware spread out of control last week, infecting 48 hospital trusts in the UK and unnamed medical facilities in the U.S., U.S. businesses were for the most part not affected.  Except for some.

For those people who work in offices, the effects of ransomware are annoying and if there are not sufficient backups, it can lead to losing data and losing customers.  And lawsuits.

But when it comes to hospitals, in addition to all of the above, it can lead to people dying.

Forbes was given an image of a Bayer Medrad power injector (shown below) that manages the injection of MRI contrast dye into patients.

Many of these medical devices in hospitals are connected to Windows PCs and those PCs are often connected to email and the Internet.  When they are – and even if they are not – they can get infected with malware.  Think Iran and Stuxnet.  Those centrifuge controllers were not connected to anything and we still infected them.

Bayer acknowledged that at least two devices were infected here in the U.S., but they were able to restore them in 24 hours.

Microsoft released a patch in March for the bug that allows the ransomware to work.  Bayer said that it plans to release that same patch to its customers “soon”.  That means that hackers – say, perhaps, the North Koreans – have at least three months, maybe more after the patch is released, to reverse engineer the patch and use that knowledge to infect medical devices.  From what I have heard, three months from vendor patch release to medical device patch release is super speedy.  And don’t forget that you have to add the time it takes the hospital to approve deploying that patch.

While this particular attack would, if effective, take the machine offline and not directly kill anyone, that is only THIS particular malware.

We have already seen demonstrations of hacking changing the settings inside drug infusion pumps.  If that bit of maliciousness propagated in the wild, it could change the dosage of drugs being dispensed to patients without any obvious indication externally (set it to 10 and it dispenses 50 for example) and then people would die.

In the case of that brand of infusion pumps, after beating up the vendor and the FDA for a year, the FDA finally issued a warning.  Hackers don’t use that kind of time scale.  You have to be able to warn hospitals in hours, and the FDA and medical device industry are nowhere near the capability to do that.

Let’s say that instead of locking up Windows PCs, the WannaCry worm instead infected infusion pumps.  Granted, the same bug would not work in infusion pumps, but let’s say there was a different one.  Think about how fast that worm spread around England, Scotland and a hundred plus other countries.  Could the national medical device regulators in all of those countries respond to that kind of event before people died?  Sadly, I don’t think so.

According to the article, the medical device manufacturers rushed out an alert telling hospitals that they were working on a patch and would release it sometime in the future.

HITRUST, a private company that helps the medical industry deal with cyber security issues said that it had reports of both Bayer and Siemens being affected.  Siemens said it could not confirm or deny reports of their machines being infected.

The Department of Homeland Security’s Computer Emergency Response Team (CERT) said that many industrial control systems vendors are issuing alerts also.  They said that ICS devices were infected and did have impact.

While this particular attack didn’t have deadly consequences, unless the medical device and industrial control industries up their cyber security game, it is just a matter of time before something bad happens.

Information for this post came from Forbes.

The Rickety World of Industrial Control Systems

Industrial Control Systems (ICS) run everything from waste water to nuclear power.  Unfortunately, they are on pretty shaky ground.

During the cold war, Ronald Reagan’s CIA convinced the Russians to use American control software to manage a gas pipeline in Siberia.  Unfortunately for the Russians, the CIA placed a few time bombs in the software, and after it was in use for a while, the software caused the pipeline to overpressure itself and blow up.  The explosion was so big that you could see it from space (see article).

The objective was to mess with the Russian economy and it worked.

Any wonder why the Chinese do not want to use Western technology, especially in their critical systems?

Well, things have not changed much in the last 30 years.  OLE for Process Control or OPC controls a lot of power, water and other plants.  Guess what – it only runs on Windows XP, the operating system that Microsoft stopped supporting last year.  That does not mean that all the bugs are out of it – just that the new ones don’t get patched.

Part of the problem with the ICS world is that when it first started, everything was connected to the controller with purpose-laid direct wires.  Then the Internet and wireless were invented, and people figured out that they could save money by not running all those wires.  Of course the controllers didn’t change – they didn’t add encryption, authentication or logging.  There are some band-aids, but they are just that.

We were able to blow up Iran’s centrifuges.  Maybe we are the good guys, but don’t fool yourself into thinking that the bad guys are not trying to attack our infrastructure.  They are.  And don’t fool yourself into thinking that we are so much smarter than them that they can’t do to us what we did to them.  The Department of Energy’s Idaho National Lab demonstrated years ago that they were able to cause a one megawatt generator to execute that famous computer instruction – halt and catch fire.  Literally.  You can watch it on YouTube.

So why don’t we fix it?  Do you have a few billion dollars to spare?  It would require redesigning most of our existing infrastructure to do that.  Actually, maybe a few tens of billions.

And, we would need to take that infrastructure offline while we do that because, let’s say, there is a valve that controls the flow of gas or water or sewage.  Either that valve is on the new system or the old system, typically not both.  You probably could leave both valves in there, but that makes it even more complicated.  Times millions of valves, gauges and other sensors.  As they say, it’s complicated.

And, we haven’t had a power plant blow up lately.  At least not that we know of.

So since the world does not APPEAR to be broken, we tend to leave well enough alone.  Until it is a crisis.  Here is another article on the subject.

We are likely going to live with this very fragile ecosystem until all the existing infrastructure gets replaced.  Like in a hundred years.

That is not a comforting thought.

Wait, maybe this is more comforting.  It could get fixed sooner if we have an incident like the Russian gas pipeline explosion described at the beginning of the article.  No.  That’s not more comforting. Forget I suggested that.