Tag Archives: SCADA

Friday News for May 4, 2018

U.K.’s High Court Gives the U.K. Gov 6 Months to Fix Law

Privacy in the U.K. is a bit of wishful thinking. Besides having the most public surveillance cameras in the world (Wikipedia says there is one camera for every 14 people in the country), the government has attempted to kill privacy in other ways. The courts have struck down the now expired Data Retention and Investigatory Powers Act (DRIPA), but, until now, had not ruled on its replacement, affectionately known as the Snooper’s Charter. Now the U.K. High Court has said that law is incompatible with the EU Charter of Fundamental Rights. The government asked for a year to come up with a way around this ruling, possibly by creating a new law, but possibly not. The government is suggesting that it is only keeping data for serious crimes, by redefining a serious crime as any crime where it is POSSIBLE that the person, if convicted, COULD be sentenced to 6 months in jail. That might include repeated jay-walking. The court said you have 6 months to fix the law or the court will consider your inaction a serious crime. Meanwhile, more challenges to the Snooper’s Charter are being filed (Source: The Register).

Why Did Atlanta Spend $5M Instead of Paying $50k in Ransom?

Atlanta was hit by a ransomware attack last month that knocked the city pretty much back into the 1940s, technology-wise. The attacker asked for $50,000 in ransom to unlock the files, but the city chose not to pay and has reportedly spent $5M recovering from the attack – so far. In fairness, the city likely did things after the attack that it should have done 5 years ago, but it is money it would not have spent if it were not for the attack.

Fast forward to last week. The school district of Leominster, MA, northwest of Boston, was hit by a ransomware attack. While the details are sketchy, the district says it had no choice other than to pay the ransom. I guess this means that they didn’t have backups of systems, didn’t have a disaster recovery plan, didn’t have an incident response plan and didn’t have a business continuity plan. I wish this was unusual, but it is not. The population of Leominster is 41,000. Attackers are targeting municipalities and even states (the Colorado Department of Transportation was down for the count for at least a week or two after an attack) because they know that, compared to private industry, the public sector’s cyber security posture is even worse. Paula Deacon, the Leominster Schools Superintendent, said “we paid the ransom through a bitcoin system and are now awaiting to be fully restored”. They, apparently, paid the ransom last week and are still waiting. I have a bad feeling about this. Usually, if the files are going to be unlocked, it happens right away (Source: CBS Boston).

Google to Shut Down Google Link Shortener Goo.Gl

Unlike some of the Google services that have been abandoned in the past, this one is going to be gracefully shut down, but as of this month the wind-down is starting. Google says that the service is used too much by scammers trying to hide malicious links behind the shortener. Google also says that you can use its competitor Bit.ly if you still need a link shortener. But for users, this is just a reminder that clicking on any shortened link is a bit like playing Russian Roulette – you have no idea whether the link you are clicking on is malicious or not (Source: Google Blog).

“Massive” Flaw in Schneider Electric SCADA Control Software Gives Hackers Full Control Over Critical Infrastructure

“Full control” is the hacker’s nirvana and the IT team’s worst nightmare.  In this case, the software controls oil and gas production, water plants, manufacturing and similar facilities and, with full control, the hackers could do anything from shutting it down to, possibly, with enough motivation, blowing it up.  There are caveats, but still, it is scary.  Given the FBI warning last month about state sponsored hacking of critical infrastructure, this is concerning.  And, I bet, there are hundreds or thousands of Schneider installations that have not been and will not be patched (Source: Tech Republic).

Maybe Waiting to Deploy Patches Isn’t a Good Idea

Companies often wait a couple of weeks up to a month before deploying new patches, because patches sometimes break things and waiting is a good way to make sure that they break someone else’s system first, but that strategy does have some flaws.

According to the SANS Institute, its honeypot server was hacked within hours of being made live. SANS says that hackers started going after the Oracle WebLogic bugs immediately after they were announced on April 18th.

SANS says patch fast or plan to recover.

You wait at your own peril (Source: The Register).

DDoS Attack Turns Off The Heat. In Finland. In the Winter.

The most recent distributed denial of service attack (DDoS) meant that most people could not get to Twitter.  While that was awful and may have forced a few people to actually work instead of tweeting, for the most part, that was not a big deal.  In fairness to the DYN attack, there were actually hundreds of web sites that were effectively offline, but still, in the grand scheme of things, a small problem.

The Metropolitan, an English-language newspaper in Finland, is reporting a much more serious issue, and that is the combination of DDoS attacks with the Internet of Things (IoT).

In this case, two apartment buildings in the city of Lappeenranta lost heat and hot water due to a DDoS attack on the computer that controls the heating system.  The CEO of the company that manages these buildings said the heat and warm water were “temporarily disabled”.

By temporary, he means from late October to November 3rd, a period of over a week.  Remember, Finland is pretty chilly this time of year, so to have no heat or hot water for a week or two is, kind of, “a problem”.

The attack deluged the computers that control the system with traffic.  The system’s solution to this is to reboot, but that doesn’t make the traffic go away, so it is sort of “rinse and repeat”.  Since the systems were continuously rebooting, they could not turn on the heat or hot water.

Since the building maintenance engineers are not cyber security experts, they had no clue what was happening.  If they had replaced the “faulty” computers, they would have done the same thing because the computers were not faulty – just doing what they were programmed to do.
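The reboot loop described above can be modelled in a few dozen lines. The following is an added example, not code from the original post or from the Finnish building operator: a toy heating controller whose watchdog reboots it whenever its input queue backs up, fed with constructed traffic (one legitimate setpoint command per tick from an assumed building-management host, plus junk from five assumed flood sources). The two defensive knobs, a per-source ingress rate limit and a fail-safe that restores the last-known-good setpoint across reboots, are assumptions about how such a controller could be hardened, not a description of any real product.

```python
"""Toy model of a network-facing heating controller under a traffic flood.

Constructed example. The unhardened controller reboots forever and never
turns the heat on; the fail-safe variant still reboots but keeps the heat
on at the last-known-good setpoint; the rate-limited variant never trips
its watchdog at all.
"""
from collections import Counter, deque

WATCHDOG_LIMIT = 50     # queued packets that trip the watchdog (assumed)
BOOT_TICKS = 5          # ticks spent rebooting before the control loop runs (assumed)
DRAIN_PER_TICK = 40     # packets the control loop can process per tick (assumed)
PER_SOURCE_LIMIT = 2    # packets accepted per source per tick when rate limiting (assumed)


class HeatingController:
    def __init__(self, rate_limit=False, fail_safe=False):
        self.rate_limit = rate_limit
        self.fail_safe = fail_safe
        self.queue = deque()
        self.booting = 0
        self.reboots = 0
        self.setpoint = None            # volatile working copy, lost on reboot
        self.persisted_setpoint = None  # survives a reboot only when fail_safe is set
        self.heat_on = False

    def ingest(self, packets):
        """Accept one tick of (src, payload) packets into the input queue."""
        per_source = Counter()
        for src, payload in packets:
            per_source[src] += 1
            if self.rate_limit and per_source[src] > PER_SOURCE_LIMIT:
                continue  # drop: this source is over its per-tick budget
            self.queue.append((src, payload))

    def reboot(self):
        self.reboots += 1
        self.queue.clear()
        self.booting = BOOT_TICKS
        self.setpoint = None
        if self.fail_safe and self.persisted_setpoint is not None:
            # fail-safe: come back up driving the last-known-good setpoint
            self.setpoint = self.persisted_setpoint
            self.heat_on = True
        else:
            self.heat_on = False  # outputs drop while the box is rebooting

    def tick(self, packets):
        self.ingest(packets)
        if self.booting > 0:
            self.booting -= 1     # still booting: nothing is processed
            return
        for _ in range(min(DRAIN_PER_TICK, len(self.queue))):
            _src, payload = self.queue.popleft()
            if payload.startswith("SET "):
                self.setpoint = int(payload[4:])
                self.persisted_setpoint = self.setpoint
        if len(self.queue) > WATCHDOG_LIMIT:
            self.reboot()         # the "solution" the post describes
            return
        self.heat_on = self.setpoint is not None


def traffic(flood):
    """Constructed traffic for one tick: one legitimate SET command from the
    building-management host, plus 20 junk packets from each of five flood sources."""
    packets = [("10.0.0.2", "SET 21")]
    if flood:
        for i in range(5):
            packets += [(f"198.51.100.{i}", "junk")] * 20
    return packets


def simulate(rate_limit=False, fail_safe=False, ticks=60, flood_from=10):
    """Warm up, then flood from tick `flood_from` on.
    Returns (reboots, number of flood ticks during which the heat was on)."""
    ctl = HeatingController(rate_limit=rate_limit, fail_safe=fail_safe)
    heat_ticks = 0
    for t in range(ticks):
        flooding = t >= flood_from
        ctl.tick(traffic(flooding))
        if flooding and ctl.heat_on:
            heat_ticks += 1
    return ctl.reboots, heat_ticks


if __name__ == "__main__":
    for label, kw in [("unhardened", {}), ("fail-safe", {"fail_safe": True}),
                      ("rate-limited", {"rate_limit": True})]:
        print(label, simulate(**kw))
```

With these constructed parameters the unhardened controller reboots nine times in the flood window and the heat is never on; the fail-safe variant reboots just as often but keeps the heat on every tick, which is the property a maintenance engineer would actually care about; the rate-limited variant never trips the watchdog. Replacing the hardware, as the post notes, would change none of these numbers.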

This is reminiscent of the attack on the Ukrainian power grid last year, with different results. In Ukraine, the power grid is old and creaky. What computers there are, are bolted on to the existing infrastructure. If the computers fail, you have to drive to the substation and throw the switch by hand. Which is why that attack, while it literally destroyed a lot of the power distribution infrastructure, only turned off the lights for less than a day.

Finland, however, is not a third world country.  They have a lot of modern technology.  I suspect, in this case, that there was no switch to throw in the apartment building to turn on the heat.

Like we see a lot in modern IoT devices, security is an afterthought.  Probably no one considered that someone might want to attack their controller so they didn’t harden it nor did they set up protocols to deal with an attack.

SCADA, the industrial version of IoT (I know that is an oversimplification, but it will work for this piece), was also never designed with security in mind. I used to work for one of the largest SCADA manufacturers in the world. There was no security in those devices. Not even a userid and password, never mind something more sophisticated. SCADA devices were never designed to even be on the Internet, but people figured out that they could save money by doing that.

Unfortunately, water plants, sewage plants, power plants, chemical plants and a lot of other infrastructure is not a good place to experiment, but the money to be saved is too large to ignore.  So we are being guinea pigs.

The attack on DYN, I think, was an experiment.  How did people deal with it?  How did the experts respond?  Did the police do anything?

Now they have some data points and they will continue to experiment.

At some point they will decide it is time to take down the power grid.  While throwing the entire United States in the dark is probably more effort than even a nation state would want to take (although far from impossible), throwing Washington, DC or New York City into the dark might produce some interesting results.  If you could damage the infrastructure at the same time to make it harder, take longer and cost more to repair, that would be a “side benefit”.

You can believe me or not, but this will happen.  It is just a matter of when because the steps that need to be taken now are not being taken.  It is too expensive and too inconvenient.  Remember my mantra.  Security.  Convenience.  Pick one.  You could probably modify that to Security, convenience, cost, pick at most two.

Tell the utilities that all of their little controllers that connect by way of Wi-Fi have to be secured or all of their controllers in the field that live in a secure metal box by the side of the road have to be replaced by something that actually is secure.  They will tell you that it is too expensive to do.  Right now, secure means that there is a padlock on the box.  An attacker could cut the padlock and if that was too hard, they could smash the box to bits with a sledgehammer.

After 9-11, the Feds paid local utilities to put fences around water treatment plants and such.  Some even have fence shakers – cool little gizmos that detect if someone is shaking the fence by trying to climb over it.  And, maybe, that will improve the security of central infrastructure, but there is so much distributed infrastructure that is not effectively protected.

For example, is there a power substation near your house?  How about a gas main line?  How strongly are they protected?  Maybe – and only maybe – there is a fence around it.  For me, there is a fence around the substation but not around the gas main.  Of course, even with the fence, there is no one there to physically disable the attacker and by the time the police or utility got there, the damage would be done.

Maybe the attack in Finland is a warning. But are enough people and the right people listening?  I don’t know.


Information for this post came from the Metropolitan.

Hackers break into German steel mill and cause “serious damage”

BBC and others are reporting that a German steel mill was hacked.  The report came not from the news media or the mill, but rather the German Federal Office for Information Security (BSI).

As a result, not a lot of details are known, but the postings are new, so perhaps more information will come out in time.

Apparently, the hackers started out the usual way – spear phishing attacks on the business network.  Once in, they used that access to get access to the factory floor network.

Using that access, they were apparently able to take over a blast furnace used for melting steel and stop the plant from shutting the furnace down in a normal fashion, causing “massive” damage. Exactly what that means is unclear, but it was apparently significant enough for the BSI to report on it.

What are the takeaways from the little bit of information that we have?

1. There apparently was not enough separation between the factory floor network and the business network.

2. There apparently were not enough safeguards in the factory control system to retake control of the physical factory after hackers got into the network.

3. Possibly, there was not an adequate incident response plan to deal with a situation like this.

4. Cyber attacks can cause “massive” physical damage.
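Takeaway 1 is something a defender can check for rather than just assert. The following is an added example, not code from the original post, the BSI report or any plant: an audit of constructed firewall log lines against a simple segmentation policy in which the factory-floor network may only be reached from inside itself or from a single engineering jump host on a short list of ports. The address ranges, the jump host, the allowed ports and the log format are all assumptions made for the example; port 502 is the well-known Modbus/TCP port.

```python
"""Segmentation audit: flag business-network hosts that the firewall let
straight into the factory-floor (OT) network.  Constructed example."""
import ipaddress
import re
from dataclasses import dataclass

BUSINESS_NET = ipaddress.ip_network("10.10.0.0/16")       # assumed office network
OT_NET = ipaddress.ip_network("10.200.0.0/16")            # assumed factory-floor network
JUMP_HOST = ipaddress.ip_address("10.50.0.5")             # assumed engineering jump host
ALLOWED_FROM_JUMP = {22, 3389}                            # assumed admin ports via the jump host

# Constructed log lines in an assumed "ACTION src= dst= dport= proto=" format.
SAMPLE_LOG = """\
2015-01-05T09:12:01Z ALLOW src=10.10.4.21 dst=10.200.1.10 dport=502 proto=tcp
2015-01-05T09:12:05Z ALLOW src=10.50.0.5 dst=10.200.1.10 dport=22 proto=tcp
2015-01-05T09:13:40Z ALLOW src=10.10.8.3 dst=10.200.1.12 dport=445 proto=tcp
2015-01-05T09:14:02Z ALLOW src=10.200.1.10 dst=10.200.1.11 dport=502 proto=tcp
2015-01-05T09:15:30Z DENY src=10.10.4.21 dst=10.200.1.10 dport=502 proto=tcp
2015-01-05T09:16:11Z ALLOW src=10.50.0.5 dst=10.200.1.10 dport=502 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_line(line):
    """Parse one log line into a Flow, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["action"], ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]), m["proto"])


def policy_verdict(flow):
    """Return None if the flow is consistent with the segmentation policy,
    otherwise a short reason string.  Only ALLOWed flows into OT are judged;
    a DENY means the firewall did its job."""
    if flow.action != "ALLOW" or flow.dst not in OT_NET:
        return None
    if flow.src in OT_NET:
        return None                                   # intra-OT traffic is in scope of OT policy
    if flow.src == JUMP_HOST:
        if flow.dport in ALLOWED_FROM_JUMP:
            return None
        return f"jump host used non-admin port {flow.dport}"
    if flow.src in BUSINESS_NET:
        return f"business host {flow.src} reached OT {flow.dst}:{flow.dport} directly"
    return f"unexpected source {flow.src} reached OT"


def audit(log_text):
    """Return a list of (Flow, reason) for every line that violates the policy."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        reason = policy_verdict(flow)
        if reason:
            findings.append((flow, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(flow.ts, reason)
```

On the constructed log the audit flags the two office hosts that were allowed straight onto the factory network and the jump host using a non-admin port; the intra-OT flow and the DENY line pass. Running a check like this against real firewall logs is one concrete way to find out whether "not enough separation" applies before an attacker does.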

2015 looks to be an interesting year.