Crackers have blackmailed foreign governments after disrupting the operation of utilities, according to a CIA analyst. Skeptics said the unspecified claims amount to nothing more than urban myths, although other sections of the security community are treating the possibility of attacks against Supervisory Control And Data …
They just so want Die Hard 4 to be true.... but SCADA systems don't run on networks connected to the Internet, or other public network and if they ever were to be connected to a public network, you'd sack the Network Architect rather than give the CIA a budget to go chase these elusive 'cyberterrorists'.
Even bridging to a critical control network is a firing offense in major suppliers.
That attempt to link terrorism and the internet was simply to give ammo to Bush & Blair to silence dissenting voices on an uncontrolled medium. Those damn bloggers keep going off message! How dare they! Let's call them cyberterrorists and silence them!
Now I see the CIA wants to reduce the number of connections to the internet for the USA.gov to 50 points, so that only 50 political appointees could control the outflow of information.
And that it wants access to all messages and all communications all the time. Except the destroyed CIA water boarding videos, and related emails, oh and except Bush's secret GOP email account used to bypass the requirement to keep records.
Yeh gee sure, I really believe this story.....
Must be fact
"Rob Rosenberger, Vmyths co-founder and scourge of cybersecurity fear-mongering, said the CIA had confirmed nothing. In an entertaining rant against SANS for treating unspecified reports of disruption seriously, he described the topic as the genesis of an urban myth."
But doesn't publication mean it is now quotable fact - according to Wikipedia standards?
I was thinking that was a decent article, till the very last sentence: "The threat level, for now at least, remains at around the same level of the possibility of mobile malware taking down a phone network".
There's approximately zero chance of mobile malware taking down a phone network, for lots of reasons that ought to be reasonably obvious.
There are lots of ways a malicious or even accidental event could result in the bringing down of a SCADA network, such as the ones which run utilities (and factories) around the world.
The classic attack vector these days is the consultant/contractor who brings in a laptop which is connected to the SCADA network with or without the consent of those in charge. If the network is PC-based, well all bets are off aren't they.
It's the CIA and who believes them anyway
It's the CIA for heavens sake and when have they ever told the whole truth and nothing but the truth which is never ever since the date they replaced the wowsers in OSS way back when and only fiction became their permanent utterance at every breathing moment since !
...not putting your #^!$(ing critical infrastructure control systems on the internet, where every snot-monkey with a keyboard will have access to your kit?
This goes thoroughly into the categories of "just desserts" and "deserves a right thrashing with a hosepipe"
Well Trinity can do it and all she needed was nmap and an "sshnuke" hack and down went the grid (again) .... oh but she did need to fight her way through the physical security first 8-)
Self-serving FUD from SANS
Err, several cities had the power drop out and there is no mention of which cities and no mention in the mainstream news? I don't believe this sort of story until details are used to confirm event. It's just self-serving FUD until then.
RE: Crackers take out power grid
Why would white people want to take out the power grid?
It's all true I tell you
The terrorists are so sneaky they plan these attacks to take place during electric storms so nobody will know what's happening till they get the blackmail note.
SelfServing FUD from SANS?
Look guys, how about engaging brain before spewing over keyboard.
As has been suggested already, it is good practice to not connect your SCADA network to the wider Internet. However, just because it's good practice doesn't mean the rules are enforced (ask anyone round here about UK data protection best practice and how effectively the policies and legislation are enforced, and iirc JC Penney and TKMaxx and others are no better at this kind of thing...).
Maybe it is just a SANS advert/scare-story, but it has more than a grain of truth in it.
For example, if you can get access to an IP network with legacy SCADA devices connected to it (the near-ubiquitous Modbus, anyone?), you're in charge. The devices typically have no access control other than physical security. Maybe I shouldn't be telling you this, but hey, I don't work for Modicon any more and the truth is out there for anyone with eyes and a semi-operational brain.
Anyway... a few years back, there was a multi-state US power outage shortly after either MS Blaster or SQL Slammer went public. Anyone remember the details, or seen any writeups?
So, crackers did it, eh?
...I never did trust the white man.
Yeah, yeah. I had my coat on before I even typed that one.
If you want to attack critical facilities...
Why not attack the weakest point of the chain?
And, logically, an unguarded one? One that takes long to repair?
Then, there are far easier possibilities.
Take a long distance high-tension electricity line, for example. Some run across hundreds of kilometers, with unguarded weak points every 100 meters or less.
It would be easy as hell and cost nothing in money or knowledge to bring such a line down. With the load on the electrical web already close to maximal capacity, taking such a line down will have real annoying consequences, for a minimum of 3-5 days.
A terrorist ready to study a week could find public plans to find weak points of fiber lines around Wall Street or the City, then go cut one with an axe.
Easy, cheap, safe for your health ways to bring hell are all around.
Fortunately, terrorists are busy studying how to hijack planes with explosives hidden in shoes or in coke bottles, or so we are to believe!
I believe the CIA
They were hinting fairly strongly it wasn't SCADA primarily to blame, that inside help was also used, which makes it less a network problem and more an HR/physical security problem, which as we know is perfectly possible given the number of disgruntled systems administrators and other sore heads (CIA employees) out there, but I submit this is not a new problem, and if things of this nature do start to be a problem, I will be looking to the CIA for the culprit since they seem to want to use this as an excuse to ask for more money/power. We also had not long ago an idiot who worked for a power plant carrying a bomb, apparently he was going to work; if that's the sort of outage we're talking about it ranks with trees and track hoes and requires guards not spooks. SANS shows poor judgment sometimes but they do have an ear to the ground and are useful once in a while; you need to have your own filters to get the truth.
@Joe and David
(you lost trying to make 'cracker' the word for 'bad hacker'. Just use 'hacker' and get over it. Use 'geek' if you want to mean 'good hacker'. Or 'talented software architect' to mean 'professional geek').
*Might* have a service modem or VPN access.
Would definitely have keys and door combinations to walk into any unattended switchyard and pull a few breakers. Which is just as bad as anything you could do with SCADA (especially if you toured around pulling breakers in several switchyards).
SCADA is vulnerable.
I have worked in the SCADA/NMS field for over 8 years now and you had better believe they are vulnerable.
Most Electrical Utilities all around the world have links between their Corporate and SCADA Networks. And of course there are always links from corporate networks to the Internet.
But that is just one way to attack the SCADA Networks. Connectivity between the SCADA Networks and the field devices (Electrical Substations for example) can range from straight out analogue Radio communications to Wireless Broadband and Wifi, leaving even more places to break in to the SCADA Network.
Another thing to take into consideration is the lax security in a lot of the Applications used to run the SCADA systems. Lots of default passwords never changed, bad programming practices also leave holes wide open.
One major problem that is still not an easy one to fix is the patch cycle required for SCADA Systems. Most SCADA Systems are five 9s operations and as such require thorough testing of any change to the underlying software. So patches for security holes and poorly written software are not applied the instant they are released as each needs to be evaluated extensively prior to application to prevent system outages.
So all in all I do believe the CIA's assertions. SCADA Systems at this present time are security nightmares.
Oh just a thought, they are actually referring to that evil summer the year when a terrorist group from Texas calling itself ENRON being led by a wanker called Ken Lay who literally screwed California with rolling blackouts and brownouts in order to extort more money than they were ever entitled to so they could bankroll a crazy loon sitting in something called the White House and repay a lot of very questionable law firms in the same town as well!
SCADA is SCADAS
So to sum up. There's such thing as a SCADA network, there are multiple connections, almost all of which run inside the factory walls. If you're in the factory you wouldn't tap a wire and reverse engineer a protocol and send commands down to the safety valve, it's not plausible. Easiest way would be to take an axe to the pipe, not attack a protocol to open a valve.
Randall makes the point that some of the connections run from corp HQ to site. Yeh, down leased lines, the attacker has to get access to the physical line, get the protocol, know which device, and what to do to break it. I don't think that's a plausible attack scenario, and since cables get broken and shorted, you can bet that company has a local control centre too already to cope with that.
As for this claim of cyberterrorists taking out the power grid, even the CIA man won't back up his words. He's just floating the idea for PR purposes.
You do get the feeling that the CIA just watched Die Hard 4.0, and thought is that even possible? and like any good government agency set up a task force to find out, of course they find it's very nearly impossible to do but report back that it could be done so the taskforce can continue to be funded; we call that "government",
I agree with Randall.
It is in theory a massive hole as a lot of big companies are, as secure as anything is there is always a hole, it's just a case of finding that hole. Think of the Trojan Horse (yes the real one not /troj), defense is only as strong as its weakest point.
Whether those holes were exploited we will probably never know, the internet is very murky!
Re: Die Hard
They nicked the "binary liquid explosives" bollocks from number three as well.
So the CIA say it's happened but won't say where or when. In the strange world of the spook reality and someones fantasy are often indistinguishable. Truth isn't the currency of spookdom.....information be it true, untrue or a mashup of both is always released for a reason.
In this case the reason is probably a shot across the bows of utilities who are not putting SCADA security high on their list of priorities.
Probably the spooks are getting concerned that such a thing is possible and the situation will get worse.
It's basically spook code for "we're worried about this one. We'll be running some penetration tests before paying your security guys a visit with the results, so get your houses in order."
Far too much PC-mentality and complacency and confusion here
Some clueless folk seem to be confusing various things here. For example, physical security with logical security. Here's a real life example why you have to consider them separately.
While working for a comms company, I worked on a team commissioning (as in "setting up") the comms and IT side of an upgraded multi-site SCADA network for a water authority. One day, our regular contact on the day's scheduled site was off sick and it being a small site no one else was available to escort us so we were not physically allowed on site. "Security" rules, you see.
Did we take the day off? No. We went to another site where we were known, followed "security" procedures to be allowed on site, and continued to commission, as planned and agreed, the relevant bits of the SCADA network. We did it remotely, by using the water authority's corporate inter-site network.
Got a laptop? Got network access? Then you're in.
The automation end of lots of these networks is run by things called PLCs. They can typically be stopped and started remotely over their comms connection, using simple and widely documented commands, if the keyswitch is left in the "insecure" position. They have no built in security beyond the keyswitch. Legacy PLCs with serial comms typically connect through some kind of terminal server or device adapter which often lets anybody connect. Negligible risk? Maybe, maybe not.
There may be easier ways of taking down a 400kV electricity grid, eg with an angle grinder, but that doesn't mean there aren't real risks in the SCADA security area.
[No I'm not in the business of selling SCADA security services, nor do I know anyone who is. But I've been working around automation systems for decades and I know what goes on...]
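As an added illustration (not code from anyone in this thread), here is the kind of passive check a defender could run on a tap or span port of a control network, given the two points made above: Modbus devices typically have no access control, and PLCs accept simple, documented stop/start and write commands over their comms link. The script parses Modbus/TCP request frames and flags write function codes coming from any host other than an assumed allowlisted SCADA master (the addresses, the allowlist and the sample frames are all constructed for this example).

```python
"""Passive Modbus/TCP write-request monitor.

Added example, not code from the thread or any vendor. Assumes captured
Modbus/TCP payloads are handed to check_flows() as (src_ip, dst_ip, bytes);
the packets below are constructed inline so it runs offline.
"""
import struct
from dataclasses import dataclass

# Function codes that change PLC state. Reads (1-4) are not flagged.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Assumed: only the SCADA master/HMI at this address may write.
WRITE_ALLOWLIST = {"10.1.1.10"}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU; raise ValueError on a malformed frame."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id plus every PDU byte after it.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def check_flows(flows):
    """flows: iterable of (src_ip, dst_ip, payload). Returns a list of alerts."""
    alerts = []
    for src, dst, payload in flows:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"MALFORMED {src}->{dst}: {err}")
            continue
        name = WRITE_FUNCTION_CODES.get(req.function_code)
        if name and src not in WRITE_ALLOWLIST:
            alerts.append(
                f"UNAUTHORIZED WRITE {src}->{dst} unit {req.unit_id}: "
                f"{name} (fc {req.function_code})"
            )
    return alerts


# Constructed sample traffic: two frames from the master, two from a host that
# should never be talking Modbus on this segment (e.g. a visiting laptop).
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.1.2.20", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.1.1.10", "10.1.2.20", build_frame(2, 1, 6, struct.pack(">HH", 100, 1))),
    ("10.1.9.77", "10.1.2.20", build_frame(3, 1, 5, struct.pack(">HH", 7, 0xFF00))),
    ("10.1.9.77", "10.1.2.20", b"\x00\x04\x00\x01\x00\x02\x01\x03"),  # bad proto id
]

if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print(alert)
```

The read from the master and the write from the master pass silently; the write from the unexpected host and the malformed frame each produce an alert. In a real deployment the allowlist would come from the asset inventory and alerts would go to the control room rather than stdout, and the same parser can feed a baseline of which units each master normally writes to.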
"Whether those holes were exploited we will probably never know, the internet is very murky!"
Has the internet anything to do with it even? Since these are not devices on the internet.
The station shutting down due to a slammer worm infection in a safety monitoring PC should result in a Network administrator getting the sack, since that PC should never have been bridged to an Internet facing PC.
The 2003 outage was another cascade failure like the 1965 one.
They had the same problem in 1965 before computers and cyber whatnots, one line got overloaded, it tripped, that caused the other lines to carry the extra load, they tripped and so on. Soon the whole of the Northwest of America was in blackout.
The 2003 one was the same thing, an overloaded line sagged in the heat, touched trees and tripped. Which caused others to overload and trip. It shows they still don't have enough spare capacity on that generating network.
The solution is more connections and more spare capacity. Oh, but also sack any network admins that bridge critical control systems to internet facing networks. The best firewall in the world is to have no physical connection between the networks.
i blame jacobs and ritz
their crackers can cause all sorts of dry mouthedness!
Terrorist attack scenario
The obvious terrorist attack scenario, after reading the report of the 2003 outage. Wait until a heavy load day, shoot a metal cable over a power line, and watch the cascade failure. The obvious fix is more spare capacity on that electricity grid.
"Got a laptop? Got network access? Then you're in."
Yeh but that's network access to the network on which the device is sitting which is a different network to the internet. A lot of these scare mongering stories require the reader to confuse network and internet and the teller deliberately fuzzies over the 'network' part to encourage that confusion.
That in turn leads to drivel like Die Hard 4.
I maintain that the sacking policy is the best solution. Sack network admins that bridge any of these critical networks with Internet facing networks. Then your terrorist has to get past the guard to get access to it. He's no longer a 'cyber' terrorist, he's a person getting onto a real facility and physically tapping a wire to get access.
You can add all sorts of security to these devices, but you only add a bunch of new failure modes. Physical security works for the valve itself remember, so why not the wires it's connected with? Remember an attacker can always cut the *power* wire to that device! You ultimately can't get better protection than protection of the wires.
Was I the only one expecting an article on how the CIA are trying to ban Christmas then?
Guess I must be crackers. In which case I.....NO, NOT ME, OW, STOP, I.......
One for the Darwin awards
"There may be easier ways of taking down a 400kV electricity grid, eg with an angle grinder, "
After trying that you probably are a Darwin Awards candidate... I suspect that to mount a physical attack against high-voltage lines and survive, you need plenty of explosives, and some means of remote or timed detonation, which I guess is one of the reasons such attacks are not so common in reality.
""Got a laptop? Got network access? Then you're in."
Yeh but that's network access to the network on which the device is sitting which is a different network to the internet."
Sure, but if it was malicious, you could get a 3G/HSDPA USB modem and plug the laptop into that, using it as a bridge between the internet and the internal network.
Not sure that would work in the US, with their freaky 3G, but in the UK... sure, why not?
Captain Chaos and SNMP
A few years ago, the Chicago Police and FBI grabbed a freak named Captain Chaos. He had been hiding in steam tunnels under the University of Illinois Chicago campus, and had stored 10 kg of cyanide in a utility closet in one of the subway stations. According to press (mainstream and tech) reports, he had previously used SNMP to shut down an automated power substation in Wisconsin. At the time, most SNMP implementations were copies of HP and Berkeley code that was very insecure. The SNMP code has been replaced, and the Captain is now a guest of the government.
Crackers take out power grids?
Guess that's why the RAF banned them from their planes!
I thought they just went "bang" and gave you a paper hat, a toy, and of course a lousy joke...
"Sure, but if it was malicious, you could get a 3G/HSDPA USB modem and plug the laptop into that, using it as a bridge between the internet and the internal network."
I once read about a cracker called 'Lieutenant Linksys' that routed a network packet sniffer virus through the NSA's domestic spying computer in San Francisco, intercepting the hyper password that only the President knows. See, they inadvertently bridged several multiplexed private and Internet connections when they blanket tapped the fibres, allowing a clever freak like 'LL' to infect the spying computer and gain access to the private network data. He threatened to launch the Nukes on the Soviet Union & France (where the president keeps them aimed all the time) resulting in cheesy reprisals unless they transfer all the world's numbers over to him in Gejigistan!
If you're reading this Daily Mail reporters, the above is totally true and no need to fact check it or anything. I've even checked the spelling of 'Gejigistan' for you, it's the country right next to 'Boogeristan', but then of course you know that.
Actually, that's exactly what the militants in south Tyrol (that's in Italy these days) did in the 1970s -- blew up power masts with dynamite.
Isn't it? That the two people who've posted and have worked on these infrastructures have confirmed that they ARE capable of insecure configuration....
A lot of the flak that the CIA have received on here has come from (I assume) technically savvy people who couldn't possibly dream for a minute that people could be SO stupid as not to set up effective network zoning....
For crying out loud
Why would anyone use the public Internet for telemetry?
It does make sense to have your sensors and actuators on some sort of network, and TCP/IP is as good a choice as any, but ..... well, you'd think it would be kept isolated from the public Internet. Either by being physically separate with no electrical connection (OK, maybe an OpenBSD-powered firewall; to all intents and purposes, that's the same thing), or -- in a multi-site setup where the public Internet is ill-advisedly being used as a cheap and flaky alternative to a private leased line -- by using OpenSSH tunnelling. Initial key distribution can of course be done out-of-band (since all the sites presumably belong to the same people).
If you are using any kind of security software, be sure to read and understand the Source Code (or get someone you trust to do that) and if the vendor won't allow that, tell them to get lost. Genuine security software doesn't rely on the vendors keeping secrets from users, but on users keeping secrets from anyone else; that way, you know that if someone manages to work out what it's doing, it won't help them.
All the Authorities need do, if they need do anything at all, is to make sure that telemetry networks are off-limits to outsiders. Then, someone actually has to get on site to do any damage -- and whatever measures are already employed against unauthorised people being on site will come into effect.
...that people have known that Windows has been and still is full of holes and that constant vigilance and a raft of security procedures are required to "Harden" Windows sufficiently to prevent Trojans, Viruses, Malware etc. But there are still people out there who don't protect their data or computers...
Why? Lots of reasons: ignorance, apathy, arrogance or lack of skills.
How could you possibly think that the same does not apply to business?
For a long time SCADA networks have been safe because they were isolated. But with the implementation of new business practices, new markets and changes to "Core focuses" a lot are now being connected up to Corporate Networks.
New technologies such as Wireless Broadband, wifi and VPN are being introduced to enable the "Valuable" Data that SCADA Systems hold to be mined and utilized. Or to even centralize control to allow downsizing, you name it, they have all been used as excuses.
Unfortunately, like in any business, security always comes last or never at all. Or more likely when the business is hurt by a breach in it.
What can I say? Don't think for one minute that the idea of using the SCADA as a resource for business automatically means they will use the right level of security when connecting it to their corporate networks. If you do you are living in a dream world.
@ MacroRodent and Anonymous Coward
The Sons of Freedom (a Doukhobor terror group in the BC interior) were also fond of blowing up transmission towers back in the 50's and 60's. Much harder to fix than tripping breakers via a hacked SCADA system.
This article from SANS on the 18th is exactly what the feds want printed in advance of the congressional debate over conducting "security monitoring" at "all levels of government" and in the private sector.
Later, they'll hold up this story along with the "Chinese have infiltrated our databases" and the seemingly one-per-day clones (all of which mention the developing cybersecurity program) as "proof" that this is all real scary and we need to put the NSA gizmo on the network.
Wake up. SANS = Judith Miller.