Members of the Anonymous hacking collective are increasingly interested in attacking industrial control systems used to automate machinery used by factories, power stations, water treatment plants, and other facilities critical to national security, the Department of Homeland Security warned last month. In a memorandum (PDF) …
What evidence is there that this document is real?
Remember the fake "personality profiles of lulzsec members" document that was circulating a little while back? The provenance is not clear from the article, you only link to it on a leaks site; has the NCCIC confirmed that it's real yet?
Not just Anonymous surely?
I mean, they're a bunch of misanthropes, sure, but a bit agenda-less. I would be more worried about domestic or foreign terrorists, or other states.
Personally I think the whole thing is ludicrous. How hard can it be to keep your industrial control gear off the internet? Is it that hard to have physical separation of networks and strict rules on what data gets transferred (manually I might add) between your control network and your internet-attached office network?
Maybe I ought to go into security consultancy. It seems that you could go far with two bucks' worth of common sense and a willingness to slap a few folks upside the head.
Maybe I ought to go into security consultancy.
Yeah, I mean what could possibly go wrong, you clearly have a very good understanding of real world security issues.
Have to agree with the haughty one.
Separation of networks is all well and good, but it's not enough.
I believe that the system targeted by Stuxnet was isolated, but it didn't help them much; and I bet that the sanction was a bit worse than a slap.
The Age Of The Effective Armchair General
It's more FUD really, feeding the American paranoia machine. The majority of SCADA systems are on isolated domains because the engineers know they could be vulnerable. Having just worked on one such system, the control software is so buggy and cantankerous it can't be trusted anyway, so needs engineers to do manual tweaks on plant directly. It's also a case of shooting yourself in the foot: the US or whoever created Stuxnet, so the script kiddies wanna play with it. The heart of the problem is the consumer electronics industry making computers mass market to sell more product. Unless the underlying software is completely locked down it's going to be vulnerable. And they won't lock it down cos they can't update it with new shiny things to keep the people amused.
Yet more excuses to 'legally' grab personal data.
What's next a U.S. law that says any and all on-line accounts are to be open to the feds no matter what the circumstances?
Oh shit, I guess that makes me a terrorist for merely suggesting such a thing.
I agree, it is fear mongering. Do you mean to tell me that all these factories and industrial control plants have to have a direct connection to the Internet? What the hell for!? Do their workers have nothing better to do than update their social status on Facebook and Twitter? Tweet: Extracting Carbon Rods now, reactor climbing to 35% full capacity!
Do these plants and factories have such very poor security in place that their networks are largely unprotected from attack? Have they never heard of an Intrusion Based Detection Firewall and are all the machines connected running Windows 3.1 and upwards of proprietary software that went out in the Dark Ages.. People are still happily using Windows XP and Windows NT 4.0 oblivious of the reasons they should buy an upgrade.
Here's an option: stop putting these systems on the internet... and have the systems controlling the systems on a private network with no connection to the network which has access to the net... DONE! Oh, and vlans don't count!
The issue with stopping putting these systems on the internet is that they have been installed for a number of years prior to the internet having so many nasty people attached to it...
Removing them now and placing them onto private networks would have devastating effects involving downtime and possibilities of the actual system to be screwed up..
Yes nowadays the newer SCADA systems are being placed behind air-gapped networks and the like but you still have the problem of moving data backwards and forwards for review so you do have to allow trusts or the use of USB keys to be moved backwards and forwards. Having been involved in the design and security RMADS of these networks it is a ball ache.
SCADA systems are not just limited to the 27/7 manned industrial companies and energy suppliers for instance; they are used by unmanned IT support offshore oil rigs which require support from the mainland. This is typically supplied by satellite. It has also been known to be done via GPRS using a mobile phone attached to a PC. It is also worth pointing out that the likes of Rolls-Royce monitor plane engines during flight (Emirates) and can make changes to the engine in terms of performance for instance (a bit like an F1 car), all done on the fly (hehehehe).
A lot of companies do not see two PCs on a desk attached to different networks as acceptable anymore. A lot of people like using one PC, one screen.
>"27/7 manned industrial companies"
I sure hope they're paying their poor workers a fair overtime rate for those extremely long days!
Is Internet porn getting boring?
Looking for new thrills?
Anon of course.
We've spent HOW much of the taxpayers money, exactly, on DHS?
And the fuckwits in charge still haven't figured out the obvious fact that SCADA should never be connected to publicly available networks? Makes me wonder how bad things are in other so-called "security" matters ...
I mourn for my country ... not even Rome imploded as fast as we are.
DHS doesn't RUN the infrastructure. While I have my issues with them in this instance they are the ones yelling at the people who have them on the internet. Not that it is easy to clean up the mess that has come from them being put on the public nets in the first place.
Kettle calling the pan black.
Please stop connecting critical systems to the internet.
Yet Another Singularly Useless Threat Warning
I'm sure they're proud of themselves, but this really is playing the blame game under the guise of threat assessment on a TSA level. I'd call it "cheap" but the DHS goonery is anything but.
Sure SCADA systems are vulnerable. So are plenty, if not most, of other systems. They're built for function, not security. This has been known for a long time, has been demonstrated again and again, and has even been exploited to spectacular effect by... the USoA government.
But most operators prefer ignorance over securing their systems, so vendors have no incentive to do better. That means it requires no great skill to "pwn" much of anything, since it won't really be secured and it will turn out connected to the public internet in some way or another. So, the DHS goes out of their way to blame a group of people as harbingers of badness. The vendors and operators that are demonstrably negligent? Noooo.
Anonymous is fickle, flippant, faddish, and full of the flashmob nature. That's very annoying to the DHS. So they resort to a little pro-active character assassination. Well, isn't that an advanced threat mitigation strategy. Because already, all your base are belong to the Chinese. So you're going to complain about a hotshot couple youngsters in Anonymous. Thanks so much, security-industrial complex fanbois. This is really useful. Give the DHS a cookie, they've certainly earned it.
Wizard of Oz?
Pay no attention to that man behind the curtain.
Department of Homeland panic
What a surprise to see that lawfully established, human rights enshrined body spouting this nonsense. Couldn't possibly be that now Bin Laden is gone they are looking for the next boogeyman to justify their budget and sweeping authority to do wtf they like?
Here be dragons -> English Tea -> Anti slave traders -> Ruskies -> Libya -> Aliens -> Men in Black -> Iraq -> Iran -> Libya -> (and my all time favourite) "terror"
Show me just one scrap of evidence Anonymous has any interest in power stations and water treatment plants?
Last I heard they're a hacking group which specialises in preventing people from burying information that reveals criminal activity. (even if they potentially screw the prosecution of those cases)
Doesn't fit, not even slightly, you're making it up as you go along.
To all the armchair industrial control experts out there
Given the two options:
1. Connect your instrumentation to the corporate network. Be able to check status and diagnose from your office desktop (The same office PC I use for err.. essential research). Find it trivially easy to fix issues before they lead to production stops.
2. Make a 400 mile round trip every time you or a production manager suspects that there is an issue with your kit. Face hostile questions about your expenses and the need to travel at all.
What would you rather do ?
It is very easy to say "keep your industrial control gear off the internet", rather harder in practice.
Sadly this is what it comes down to, cost & convenience versus security. And guess what is the usual winner? Maybe if your boss's pension were put on the line if it gets hacked it might look different...
I suspect it is not beyond belief that dedicated encryption hardware could be deployed so you have a secure VPN that only terminates in another dedicated local machine without general internet connectivity at either end?
Maybe less secure than an air gap, but better than having a general computer (and probably a Windows PC) with internet access.
There you have it, they've chosen ease of use over security, well tough sh*t then when some script kiddie and his mates get bored looking up porn and decide to have some fun.
If IT decisions were made by people with solid IT experience instead of feckless, idiot managers they'd know that for everything you take, you have to give something back. In IT you can't have your cake and eat it.
False pair of choices.
As none other than Google have demonstrated, option 3 is the correct way to go:
3. Pay for a private net that lets you connect all your gear to a production system. When you suspect there is an issue and aren't in the office, drive 30-80 miles to the office, log on to the private network and remotely check the station 2000 miles away.
Yes it is a bit more expensive than option 1, but doesn't leave you bare ass hanging out the car window for anyone to slap.
This armchair networking expert says:
Use a bastion host. Or as many as you need. Something low-power like a Soekris box will do. Connect to the industrial network on the one side, connect to the corporate network on the other. Use ssh, for command line access* or connection forwarding. Or use some other trick, like vpns, vlans, or some mix of all that. Build your own ipsec tunnels to a small network in a locked room with operator terminals for all I care. Just don't connect those scada boxes to the public internet.
The technology exists and could be deployed even if the scada system vendors deliver frankly crappy interfaces on top of frankly crappy OSes that are not safe on public internetworks. If the operators fail to use well-known, tried, tested technologies to provide basic security, then they're just as negligent as the vendors that fail to harden their industrial control systems. What is the cost of a couple soekris boxes (plus setup, maintenance, etc.) on top of those scada system (plus setup, maintenance, etc.)? I doubt it's more than a rounding error.
* Which ought to be available even on industrial control things, or they're not very scriptable.
Well, for them or anybody wanting to infect industry machines, and turn valves, somehow the Propaganda machine is working at full production, and the valve is wide open for communist government officials pouring out new lies to be told.
This is nothing more than the FBI and Homeland Security, and the Obama administration attempting to demonize those that started occupy wall street. Calling them terrorist, as a way of fooling the sheeple.
Operation greenout is still active.
Free Security Advice
As others have pointed out, remote access is not dangerous per se; it only has to be properly secured: SSH, SSL or HTTPS connections, strong passwords, limited IP access lists, and a dedicated client PC used ONLY for accessing the Scada systems in question.
Regular Security Audits could enforce this as much as correct bookkeeping is enforced by financial laws. The Local Linux Hacker will implement the described security setup for less than 30k dollars/euros...
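An added example, not code from any poster here: a small POSIX shell audit of the sshd_config on the kind of bastion host the "armchair networking expert" post and the "Free Security Advice" post describe (key-only logins, no root, a named operator group, forwarding allowed only to listed SCADA endpoints). The directive names are real OpenSSH options; the two sample configs, the group name and the 10.20.0.x/192.168.x addresses are constructed placeholders.

```shell
# Added example (not from the thread): audit an sshd_config for the bastion-host
# pattern the posts describe. Exit status of audit_bastion_sshd = number of findings.

# Effective value of a directive: first uncommented occurrence wins, as in sshd.
sshd_value() {   # $1 = config file, $2 = directive name (case-insensitive)
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

audit_bastion_sshd() {
    cfg=$1; findings=0
    check() {   # $1 = directive, $2 = required value, $3 = why it matters on a jump host
        got=$(sshd_value "$cfg" "$1" | tr 'A-Z' 'a-z')
        if [ "$got" != "$2" ]; then
            echo "FAIL $1 is '${got:-unset}', want '$2': $3"; findings=$((findings + 1))
        fi
    }
    check PermitRootLogin        no "operators must log in as themselves (audit trail)"
    check PasswordAuthentication no "keys only; passwords can be guessed from the corporate LAN"
    check AllowAgentForwarding   no "agent sockets must not be reachable from the industrial side"
    check GatewayPorts           no "forwarded ports bind to the operator's loopback only"
    # Forwarding is the point of the box, but only to listed host:port targets, never 'any'.
    po=$(sshd_value "$cfg" PermitOpen)
    case "$po" in
        ""|*any*) echo "FAIL PermitOpen is '${po:-unset}': list specific SCADA host:port targets"
                  findings=$((findings + 1)) ;;
    esac
    if [ -z "$(sshd_value "$cfg" AllowGroups)" ]; then
        echo "FAIL AllowGroups unset: restrict logins to a named operator group"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples (placeholder addresses): a jump host set up "just to make it
# work", and the same host hardened as the thread describes.
weak_sample() {
    printf 'PermitRootLogin yes\nPasswordAuthentication yes\nAllowTcpForwarding yes\nPermitOpen any\n' > "$1"
}
hardened_sample() {
    { printf 'PermitRootLogin no\nPasswordAuthentication no\nAllowGroups scada-ops\n'
      printf 'AllowTcpForwarding yes\nPermitOpen 10.20.0.5:502 10.20.0.6:5900\n'
      printf 'GatewayPorts no\nAllowAgentForwarding no\n'; } > "$1"
}
# Stand-alone run: `sh audit.sh demo` audits both samples.
if [ "${1:-}" = "demo" ]; then
    w=$(mktemp); h=$(mktemp); weak_sample "$w"; hardened_sample "$h"
    audit_bastion_sshd "$w" || echo "weak: $? finding(s)"
    audit_bastion_sshd "$h" && echo "hardened: clean"
    rm -f "$w" "$h"
fi
```

The audit deliberately treats an unset directive as a finding, so a jump host's config states its forwarding policy explicitly rather than relying on OpenSSH defaults.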
Re: Free Security Advice
An outstanding view with which I totally agree. As a linux user who is familiar with all aspects of security related topics, you can imagine what it's like trying to find a job in a market that is largely dominated by two major software providers. Then you have certification in the field of computer related security, where certification as a CEH or CREST accredited security professional sets back the applicant in excess of $10'000 with no guarantee of a job at the end of the certification rainbow. You're either under-qualified and classed as an under achiever or over-qualified and ignored; if you tell someone you can set up security enhanced linux for as little as 20'000 per annum, then you've set your rates far too low.
..it should not take a year to set up the described solution. But of course that depends on the system to be secured. If it takes the Linux person a year, I guess 100k dollars would be appropriate. And that is probably much less than buying one of these wonder security appliances and misconfiguring the box.
Assumptions, or what they want to make us believe...
1. Hackers have no scruples, moral values, are not human enough to have a sense of right or wrong.
2. Hackers have no agenda, no purpose in life and do all that hacking to give their sorry excuse for a life some kind of meaning.
3. Hackers are detached from reality, thinking in some secret programming language and unable to have real social contacts.
4. Hackers take pure pleasure in destroying stuff for no obvious reason.
Wake up, everyone!! Every social group has a statistical amount of idiots, and those are usually exploited to discredit the whole group. If "the authorities" would get their minds around the idea that the above assumptions are plain wrong, give the more serious parts of hacker groups some credit for their expertise (and good intentions), and gained the trust of at least a few members, the benefits would be mutual. But I am afraid there is too much pride to swallow on both sides, right?
It's easier to manipulate opinion in a direction where "hacker" equals "terrorist" similar as is done with the term "activist". "If you can't control it, destroy it..."; "If they talk back, destroy them..."
And in the other corner to brandish everything close to any government as evil and corrupted, and worth fighting no matter what.
When do you mature mentally enough to get over the state of a stubborn, over-opinionated, rebellious teenager thrashed around by early puberty? Damn it! Both of you!