Tag Archives: Power Grid

Security News for the Week Ending June 18, 2021

Security Company Founder Charged with Hacking Georgia Hospital

An indictment unsealed this week in a Northern District of Georgia court charges Vikas Singla, 45, with 18 separate counts of aiding and abetting a 2018 cyber attack against the Gwinnett Medical Center in Georgia. According to his LinkedIn profile, he is (or maybe now was) the COO of Atlanta-based Securolytics. It is not clear what he did, but the feds say that he aided and abetted the attack. Credit: SC Magazine

Energy Secretary Says Adversaries Have Ability to Shut down US Power Grid with Cyberattacks

Maybe this story is no big deal in light of the Colonial Pipeline attack, but Energy Secretary Jennifer Granholm said that US adversaries are already capable of using cyber intrusions to shut down the US power grid. This is something that security professionals have been saying for a long time, and in light of the almost half dozen attacks on water, oil and support infrastructure in the last couple of months, this is not a big surprise. Credit: Fox8

China Crackdown Continues

The FCC approved a plan this week to ban approvals for Chinese telecom equipment from companies deemed a threat to US national security. This includes, potentially, revoking the approval of equipment and apps already in use. This continues the pressure on China started in the last administration. Credit: Verdict

Apple Not Happy With Proposed Requirement for Competition

Europe is trying to force some competition in the Apple app store and, given the amount of money that represents to Apple, they are not happy. They say that it would harm consumers’ privacy. Informed consumers could make a choice under those circumstances. Would a consumer be willing to trade some personal data in exchange for getting an app for free or at a reduced cost? Apple thinks it is their job to answer that question for their customers; the EU disagrees. Actually, Apple thinks it is their job to be a monopoly. Stay tuned. Credit: The Register

Security News for the Week Ending May 22, 2020

AG Says They Unlocked Shooter’s iPhone Without Needing Apple to Hack Their Security

For a couple of decades the FBI and Justice Department have been saying that software vendors need to insert backdoors into their security software to make it easier for the government to hack it if they want to.

One high profile case was the Pensacola Naval Air Station shooter, who was killed by police in the attack (making it difficult to prosecute him). Therefore, the FBI didn’t need anything off his phone to prosecute him, BUT they did want info in order to get useful intelligence about who he was working for/with and what other attacks might be planned.

In spite of the AG’s relentless claims that they need companies like Apple to insert backdoors into their systems – which will inevitably get into the hands of hackers and ruthless governments – Barr announced this week that they broke into the phones without Apple’s help. Barr said that hacking the phones was due to the great work of the FBI. Much more likely, they just placed the phone in a Cellebrite box (or a competitor’s) and waited.

What probably galls Barr is that if he doesn’t have an unlimited license (which I am sure he does), he would have had to pay Cellebrite $1,500 for each phone he wanted to unlock.

This announcement definitely weakens the argument that software vendors need to weaken security for everyone so that the police can hack phones when it is important. Credit: The Register

Rogue ADT Tech Spies on Customer CCTV of Teen Girl

ADT has revealed that one of their techs used his permissions to access the accounts of hundreds of ADT customers and watch them via their security cameras. Last month an ADT customer in Dallas spotted an unexpected email address listed as an admin user on their account. The employee had used that email to access the home’s cameras over 100 times.

Apparently, not only could he spy on naked customers, but he could also unlock their homes if they had smart locks. One of the naked customers in question sued ADT last week.

People need to think about where they place security cameras and whether smart locks are really smart to use. Credit: The Register

Details Leaking on WHY for Prez’s EO on Securing the Grid

Earlier this month, the president issued an EO that sorta, kinda stopped the power grid from buying things that could allow adversaries to compromise the grid. I said sorta, kinda because the EO (read the text) doesn’t actually identify anything that people can’t buy. It does, however, form a committee to figure out what that might be.

Here’s what’s new. A U.S. power utility discovered a “hardware backdoor” on a Chinese transformer that was delivered to them and that they found things “that should not be there”. They think there are many of these already installed in America.

If true (and I have no reason to doubt it, but also almost no details to confirm it), that could be a really serious problem. A bigger problem is that the U.S. doesn’t manufacture any big transformers like the kind the utilities use.

So, if the feds ban Chinese transformers, I can describe a scenario where folks working in cooperation with the Chinese destroy a sufficient number of existing transformers while utilities are not allowed to buy replacements, potentially leaving millions in brown-out or black-out conditions for months. Homeland Security is believed to have been secretly trying to figure out a solution for several years. Credit: CSO Online

Hackers Jailbreak New Apple iOS One Day After Release

Apple announced a new version of the iPhone software, 13.5, this week and the next day hackers claimed they had a hack to jailbreak the new version – every device, even the iPad Pro. That can’t possibly make Apple happy, but there are some in the hacking community that are very happy. Credit: Mac Rumors

Chinese Hardware Powers US Voting Machines

Third party risk company Interos took apart one very popular, widely used, touch screen voting machine and found that 20% of the machine’s components came from a company headquartered in Russia or China. 59% of the parts came from companies with locations in Russia and China.

Interos Visualization of Voting Machine Suppliers by Country. Image courtesy of Interos.

The red dots represent components from companies based in China. Given that the U.S. manufactures very little any more, this is not much of a surprise.

Paper based vote by mail sounds better by the day. Credit: Security Ledger

Security News Bites for the Week Ending July 28, 2017

Zip Slip Vulnerability Affects Thousands of Projects

Researchers discovered a flaw in almost all zip-style file decompressors – RAR, TAR, 7ZIP-APK and others.

The problem is caused by a very old attack vector called directory traversal: an archive entry whose name contains path components like “../” that these libraries do not handle correctly, so the extracted file can land outside the directory it was supposed to go into.

The decompressor libraries were likely downloaded from places like Github and Stack Overflow and developers used them in thousands of projects used by millions of users without a clue that the vulnerability has existed for years, maybe decades.

And, likely, most of those developers are completely blind to the fact that their software is vulnerable due to a software supply chain issue – assuming they are even still involved with those software projects.

Software supply chain is the Achilles heel of the entire industry and the industry is not doing much to fix it.  (Source: Bleeping Computer)
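The post describes the Zip Slip problem but not what the fix looks like in code. The following is an added example, not code from the post or from any of the affected libraries: it builds a small constructed zip in memory containing one harmless entry and one “../” traversal entry, then runs it through a naive extractor (the vulnerable pattern) and a hardened one that resolves each target path and refuses anything that would land outside the destination directory. Everything happens inside a throwaway temp directory; the names `naive_extract`, `safe_extract` and `demo` are this example’s own.

```python
"""Zip Slip (directory traversal on archive extraction): vulnerable vs. safe.

Added example for illustration; not from the original post or any library
mentioned in it. The zip archive is constructed inline so the script runs
offline, and all files are written under a temporary directory.
"""
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one normal entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless content\n")
        # Entry name with a parent-directory component. A writer that joins
        # this onto the destination without checking will escape one level up.
        zf.writestr("../escaped.txt", "this should never land outside\n")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """The vulnerable pattern: join the entry name onto dest_dir and write.

    Kept only so the demo can show where the traversal entry ends up.
    (Python's own extractall() sanitises names; this loop deliberately does not.)
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with zf.open(info) as src, open(path, "wb") as dst:
                dst.write(src.read())
            written.append(path)
    return written


def is_within_directory(base_dir: str, target_path: str) -> bool:
    """True if target_path, after resolving '..' and symlinks, stays under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(target_path)
    return os.path.commonpath([base, target]) == base


def safe_extract(zip_bytes: bytes, dest_dir: str) -> dict:
    """Hardened extractor: rejects absolute names and anything escaping dest_dir.

    Returns {"extracted": [entry names], "rejected": [entry names]} so the
    caller can log what was refused instead of silently dropping it.
    """
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            candidate = os.path.join(dest_dir, name)
            # Absolute paths are a second traversal trick; check them explicitly
            # because os.path.join discards dest_dir when name is absolute.
            if os.path.isabs(name) or not is_within_directory(dest_dir, candidate):
                result["rejected"].append(name)
                continue
            if name.endswith("/"):  # directory entry
                os.makedirs(candidate, exist_ok=True)
                result["extracted"].append(name)
                continue
            os.makedirs(os.path.dirname(candidate), exist_ok=True)
            with zf.open(info) as src, open(candidate, "wb") as dst:
                dst.write(src.read())
            result["extracted"].append(name)
    return result


def demo() -> dict:
    """Run both extractors on the constructed archive and report where files landed."""
    zip_bytes = build_malicious_zip()
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        naive_dest = os.path.join(tmp, "naive", "out")
        safe_dest = os.path.join(tmp, "safe", "out")
        os.makedirs(naive_dest)
        os.makedirs(safe_dest)
        naive_extract(zip_bytes, naive_dest)
        # With the naive loop, escaped.txt appears one level above "out".
        out["naive_escaped"] = os.path.exists(os.path.join(tmp, "naive", "escaped.txt"))
        out["safe"] = safe_extract(zip_bytes, safe_dest)
        out["safe_escaped"] = os.path.exists(os.path.join(tmp, "safe", "escaped.txt"))
        out["readme_extracted"] = os.path.exists(os.path.join(safe_dest, "readme.txt"))
    return out


if __name__ == "__main__":
    print(demo())
```

The check that matters is `is_within_directory`: both paths go through `os.path.realpath` before comparison, so “../” components, redundant separators and symlinks inside the destination are all collapsed before the containment test, and a mismatch is reported rather than silently skipped.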

NSA Forms Group to Counter Russian Threat in Cyberspace

In what would appear to be a difference of opinion with his boss, the head of the NSA has created a special task force to address Russian threats in cyberspace.  The Washington Post reported that the NSA and its sister Cybercom will collaborate against Russian threats to the security of the U.S. midterm elections – a threat which his boss, the President, has said does not exist any more, if it ever did.  The President has called the threat fake news many times.  It would appear that General Nakasone has a difference of opinion with his boss.  Source: Bloomberg

Level One Robotics Leaves Tens of Thousands of Sensitive Docs Unprotected

Canadian robotics vendor Level One is the most recent vendor to leave tens of thousands of sensitive documents – apparently including non-disclosure agreements – belonging to multiple automakers including Tesla, Toyota and Volkswagen – unprotected online.  The material includes documents from over 100 companies and includes blueprints, factory schematics and other materials.

The data was found by Chris Vickery of UpGuard.  Chris has found dozens of unprotected data sets just in recent months, usually on Amazon.  Chris DOES NO HACKING.  All he does is walk around the digital neighborhood jiggling doorknobs, looking for ones that are unlocked.  In this case, the material was an unprotected backup – 157 gigabytes of data made up of over 47,000 files.  If hackers found it before Chris did, and they may have, they are likely celebrating.  That quantity of data on the design of cars and car assembly could give them a significant advantage in hacking into automobiles from a wide range of companies.  Source: NY Times

Federal Officials Tell WSJ That Ruskies Have Already Hacked the US Power Grid

The Department of Homeland Security reported Monday that hackers, working for Russia, hacked into the US power grid as early as 2013 and are likely still inside the grid with the ability to turn off the lights.  DHS says there were likely hundreds of victims and one of the attack vectors is by compromising trusted vendors of the power companies (third party vendor cyber risk management).  Homeland Security said that some of the power companies don’t know that they have been hacked (why not – don’t their telephones work?).  Maybe that will be a topic of discussion when Putin visits President Trump in the White House this fall.  For all businesses, if you do not have an aggressive vendor cyber risk management program already, now is the time.  Source: CNET

Russian Hackers Attack Senator Claire McCaskill

Reports have surfaced today that Russian intelligence agency GRU attacked the re-election campaign of Senator Claire McCaskill of Missouri.  The Senator says that the attack was not successful.  McCaskill is a vocal opponent of Russia.  This is happening as the President continues to say that Russia is not hacking us and before the campaign season really warms up.  Source: The Daily Beast

Who Turned Off The Lights?

The security firm Symantec is reporting that hackers have compromised energy companies in the U.S.  and Europe.

Well that sounds bad enough, but we have to ask the question “what do you mean when you say compromised?”

The answer is a little bit complicated.  Most energy companies, in a bid to make it tougher for hackers, isolate their operations network – the one that controls power generation and distribution – from the administrative network – the one where users get email and browse the web and such.

Except that life is never that clean.  The power companies, as part of their business, need to get data out of their operational network to manage the business, upgrade software and many other things, so the two networks are not really completely separate – but they do try hard.

Well, according to Symantec, in this case, when they say compromised, they mean that the hackers were into the network far enough that they could turn off your lights.

Symantec says that the group that they are calling Dragonfly is attacking energy grid operators, major electricity generation firms, petroleum pipeline operators and energy industry equipment providers.  Companies who were compromised were located in the United States, France, Spain, Italy, Germany, Turkey and Poland.

Assuming these hackers could really “flip the switches”, it would seem like they could do a LOT of damage.  And, depending on what they actually did, it could take a little time or a long time to fix.

Symantec says that this group is likely state sponsored.  Which state they aren’t saying, but I’m betting on Russia.

Symantec provides a lot of details on how the attack works, so if you are interested go to the Symantec link below for more information.

You may remember that hackers – likely Russians – actually did turn off the lights in Ukraine in the dead of winter in 2015 and 2016.  It is not that far a stretch to think that hackers could do that to the U.S. energy industry.

Homeland Security has been working with the energy industry for the last several years to try and mitigate this threat and they probably have made some headway, but making headway and saying hackers can’t turn off the lights are two very different things.

Of course Homeland Security does not want the American public to panic, so they are going to try very hard to spin things into “this is not a problem;  we have it covered”.  If you believe that line, I have some land I want to sell you in the Florida Keys.

Unfortunately, there really isn’t a lot for the average bear to do.  You can’t fuss at the power company.  Well, you can, but they will likely call you a nut case.

Being knowledgeable on the situation and providing input when possible is a reasonable course of action.  Panicking is not.

I wish I had a better answer, but I don’t.

Information for this post came from Symantec and Wired.

‘Crash Override’ Might Take Down US Power Grid

What if the attack on the Kiev power station last Christmas, which killed power to a goodly chunk of the city, was just a dry run?  For what?

Security researchers at ESET and Dragos analyzed the malware used in the attack and say it represents a dangerous advancement in attacks on critical infrastructure.

Like Stuxnet before it, it was purpose built to damage industrial control systems.

The malware, called Crash Override or Industroyer, is modular, with the ability to swap modules in and out depending on the particulars of the system the attackers are targeting.

This version of the software knows how to directly talk to the hardware that controls the power grid, rather than attacking the workstations that manage the grid.  Given that it is modular, the attackers could configure it with particular attacks based on the control systems a particular plant uses.

By damaging the hardware, the attack would be much more difficult to recover from.  If the controls don’t respond, then engineers would need to go directly to the substations to try and recover.  Assuming there is a way to do that.  At some stations, there are no manual overrides, just automation.  Damage could mean that you have to reboot the hardware.  OR, it might mean that you have to replace the hardware.  That is what we saw in Ukraine.  Depending on how much damage it does it could take time to recover.

The North American Electric Reliability Corporation or NERC has been working very actively with the utility industry to make it more resilient to attacks, but as the industry gets better, so do the attackers, so it is not a simple problem to solve.

This malware is also more automated than the software used in the 2015 Ukraine attack.  That attack took 20 people to attack 3 companies.  Experts say that with this new software that same team could attack ten or fifteen targets – or more.

Unlike Stuxnet, which is believed to be the work of Israel and the United States, this malware is thought to have come from Russian hackers.

The researchers note that this does not spell the end of humanity – although grid operators should be concerned.  They say that the malware is very “noisy”, meaning that it is not subtle as it tries to map out the network it is attacking.  If operators are watching their network, they will see the attack early, hopefully before it can do much damage.  Stay tuned.  Could Russia attempt to launch an attack in the U.S.?  Sure, it’s possible.  Could they try to attack more than one part of the grid at once?  Also possible.  Would they succeed?  That is the real question.  One that we don’t know the answer to.

Information for this post came from Wired.