Some things are just a bad idea and just because you can do them doesn't mean you should.
Images posted online suggest that hackers may have gained unauthorized access to computers controlling a second water treatment facility, a claim that raises additional concerns about of the security of the US's critical infrastructure. Five computer screenshots posted early Friday purport to show the user interface used to …
Not a surprise
The 'security' on a lot of these systems is lax - because people don't take it seriously at the outset and save money then won't admit it later.
For the record, blowers compress air to pressures intermediate between fans and compressors. They're used at wastewater treatment works to aerate activated sludge plants and aerobic digesters (the former are not shown on the hmi - presumably on another page to the 'left'?). The aerobic bacteria that eat the waste would otherwise use up the available dissolved oxygen very quickly and die. The process would then 'go septic' and be populated by anaerobic bacteria producing methane and hydrogen sulfide and various other gases that are foul-smelling, corrosive and/or explosive.
ie it's unlikely the blowers are there to 'disperse accumulated gas'.
I suspect the plant in question would be this one - http://g.co/maps/ybhvb
I'm actually pretty terrified about attacks on water infrastructure SCADA. Petrochem and Chemical plants are much more susceptible to going bang but equally have vastly more money thrown at them. For the most part water infrastructure is, once built, minimally funded until something finally breaks.
There are imediate effects...
...and there are other, less noticeable but equally dangerous. Adjust the chemicals that are dosed in the water and a large area gets poisoned. Do it to a whole state and its bottled water on the streets for a very big area.
These are front end graphics, taken from either the system running the frontend (or the bits of the system that Derp, the night watchman, can see), or, they are images taken from the company that installed the front end.
Looks very like a ten year old 'Trend' system, the buttons at least. Suppose nothing much has changed.
I'd start at the company that installed the system and work back from there.. the poster has obviously cropped the image to hide something.
I'd be more impressed if they posted a video with alternating numerical values.. I used to draw this sort of HVAC crap for the likes of Seagate, local hospitals etc tec.. updating the graphics every 3-4 seconds with the current fan speeds/temps/pressure/water cooling temps/water heating temps.. it would take all of 10 seconds, for a control room employee to post this sort of crap and say 'look! I have control of your systems!'.
If you have access to the graphic front end, then you have physical access to the front end, or the company that created the front end, and maybe has a service contract., unless front end security control has taken a complete nosedive in the last ten years.
I'd say this is a kid with new, physical, access to systems, that they think is cool to scare people with, by posting random screen shots of..
While I'm not disagreeing with you...
...regardless of connection, be it remote or physical, the screenshots would show the same thing. The plant I work at has some computers with displays just like that - they run the test lab. Nothing mission critical, but they're just old VB6 programs; were they on the main network, I could remote-connect to them from my desk and take as many screenshots as I wanted. Luckily, that network is physically disconnected from the rest of the world... but if this one isn't, I could see how a simple Remote Desktop session could get those images.
So as I understand it, utilities adopted these remote data / control systems in order to make a financial saving because they could dispense with (x) amount of human engineers, the vehicles they required to visit sites / control stations and the fuel the vehicles needed to get from A to B and C etc.
Well I'm 100% certain that none of those savings was ever passed onto the customer.
Furthermore, why FFS was nobody interested in penetration testing before setting these things live ?!?
Should we not demand to see thorough independent testing by some accredited peeps with the real know-how, with publicly available results and then rigorous examination and re-testing of any systems that fail the tests, with the utilities concerned bearing all costs involved.
And while your at it, please independently stress test the smart meter tech that is being adopted at the time of writing.
I mean, we pay through the nose for energy as it is, with costs and 'energy security' about to get more expensive - it would seem a critical area for examination.
"Well I'm 100% certain that none of those savings was ever passed onto the customer."
What does that mean and what has that to do with anything?
Maybe the savings were used to buy a few new pumps.
Maybe the savings were used to hire guards and build a fence for security.
Maybe the savings were hoovered up through higher wages paid to attract quality employees.
Maybe the savings were hoovered up through union-imposed higher wages so that union bosses can stay in their warm bureaus for another term.
Maybe the savings were hoovered up through government-caused inflation, taxation, VAT and social security schemes.
Maybe the savings were hoovered up through government imposed arbitrary "regulation" made by bureaucrats who barely made their sociology degree at uni.
Maybe the savings were used to build the CEOs McMansion and pool, i.e. "consumption".
Maybe the savings were used to get a new contract through dining, wining and brownveloping of political decision makers, i.e. corruption.
Maybe. Who knows.
Clearly you want "more regulation" and "lower prices" and probably also "a pay rise" as well as "quality products" and possibly "jobs".
You can't have it.
No image match on tineye
Just searched for it, no results from 2 billion images, not conclusive of course but it really wouldn't surprise me to discover these systems are wide open.
This is no worse than some years ago when a contractor dumped a load of chemicals in the wrong tank because he was late arriving and there was nobody there! Somewhere in Wales I think - put a lot of people in immediate danger anyway.
Cornwall mate and it harmed a lot of people.
It was Cornwall
Search for Camelford pollution.
The DHS made a further announcement on the lack of credibility to rumors on attacks of SCADA systems controlling major infrastructure plant, but the words were drowned out by the sound of chickens coming home to roost.
Stuxnet... if you build it they will come.
Oh and PS
All the ppl whining about security and corner cutting.
A> these systems fall under the cat of 'early adopters' and the expected lifetime for this kind of control kit is measured in decades - and who really gave a shit about network security in the 80's? - and the same philosophy is in place now - Stuxnet has been around a few years. The people using & developing this kit are too busy keeping the world turning to worry about Hax0rs! (until something _big_ goes bang)
B> hell yes it was done on the cheap! - that's what the market dictates. you don't like it? - vote differently. Make critical infrastructure subject to higher standards than 'what the market will support'
"Having controls available over the internet means many cash-strapped agencies don't have to have dedicated SCADA engineers on premises around the clock"
But someone will be there around the clock, and that someone could be responsible for initiating an external connection to the internet for a dedicated SCADA engineer. No internal initiation, no connection to outside world, simples.
Its the usual thing
An Engineer said hey look we can connect these sites together to provide better customer service, Engineers can fix faults quickly, when we are short of engineers 1 guy can manage the network temporarily and I don't have to drive to the back of beyond that would save labour and fuel costs.
Look here is a working test. But we must spend some money to make sure it works properly and its secure just think what could happen?
PHB boss hears CONNECT SITES TOGETHER, FIX FAULTS, 1 GUY CAN MANAGE THE NETWORK(I can sack the rest including the one who thought of it - he knows the truth), SAVE LABOUR AND FUEL COSTS, WORKING,JUST THINK WHAT COULD HAPPEN TO my bonus.
and so a new system is born.
Until governments see infrastructure as key to the health of the realm and spend money regulating them (including threatening to send negligent bosses to jail like SOX) this will happen again and again.
Build " Crappy " systems and get rich - CRUD OS wins
Step 1 - The lowest bidder builds a crappy system for Crappy Utility Developer operator / supplier (CRUD-OS)
Step 2 - Install antiquated SCADA oversight devices ( Stuxnet used the same gateway )
Step 3 - Hackers go through the open SCADA doors and have fun
Step 4 - ( CRUD-OS) climb on the security paranoia bandwagon
Step 5 -(CRUD- OS ) suck more public money to fix their FUBAR
Step 6 - Repeat step one and up --- ad infinitum ---
Why blame the supplier?
Its often the plant owners who decide how a system is connected to the internet and what sort of firewalls are in place. I've seen some companies with very tight connections over 10 years ago and some where its tied to the customers internal network with no protection by the customer themselves.
I even help support a site that uses a hardware firewall between it and the customer's network and the system and, should a virus alert break out, will pull the connection between the two for extra safety. They need production data sent to the main office so have to connect it up somehow.
All suppliers can do is offer solutions and advise customers. We can't force or even push too hard for them to get a system secured.
So what you're saying then is that with these h4x012z having access to the "blowers" in a "waste water" plant, maybe, just maybe, the actual shit might actually hit the actual fan?
Fecal matter hitting rotary impeller
The Space Shuttle toilet was no maybe about it, that is how it worked. It had a fan to suck material down into a container, because in zero g, things don't just fall to the bottom. If memory serves, it often didn't work right, and they had to use the backup system which involved plastic bags and sticky tape. That was the original method used ever since space missions got long enough to need waste collection.
“I dislike, immensely, how the DHS tend to downplay how absolutely FUCKED the state of national infrastructure is,” the post stated. “I've also seen various people doubt the possibility an attack like this could be done.”
Or we can say they can hack into anything and break anything and start a mass panic.
Dammed if they do, dammed if they don't.
I think the argument is that they actually STOP people hacking into them by securing them, not encourage a 90s style hacker-based moral-panic.
Internet connected systems...
The problem would seem to start there, surely a critical system such as this should be heavily firewalled off not only public networks but also from the company's LAN/WAN. A VPN system would provide for much more secure remote working, you could even throw in two factor authentication for an extra security layer.
Brings back memories
That brings back memories from when I used to spend a lot of time on IRC networks. These types of systems where always being "hacked" and people used to play around.
They have never been properly secured then and now.
No financial constraints here...
"Officials are frequently aware of the risks, but financial constraints and personnel matters often trump those concerns."
Bull. If they even restricted access to a limited IP address range, this would restrict off-site access to those off-site locations instead of from anywhere on the planet. Even if they go the expensive route (like a Cisco) that'd still be under $1,000, it needs nothing special on the remote end, and it's simple to setup and maintain. A encrypted and authenticated VPN is pretty inexpensive too, using the modern equivalent of a Cisco PIX for instance. They'd want to add rules so it's not just keeping all ports and IPs accessibile via the VPN,, just what is needed. The reality is that (some of) these utilities believe in "security through obscurity" and just can't be arsed to protect their systems.
Lies, damned lies, and statistics (and DHS)
"Or we can say they can hack into anything and break anything and start a mass panic.
Dammed if they do, dammed if they don't."
Sorry but IMHO they are damned when they tell blatant, BLATANT lies to the public to try to pacify it, as DHS has done again and again. If they told the truth about the insecurity of SCADA systems, they could sugar coat it ("there may be instances where the security of these systems could be improved..."), they could point out the lack of serious incidents to date, and they could make whatever statement they want about the future (if it's way off mark, it's not a lie it's just an inaccurate prediction.)
Why are things like this CONNECTED TO THE FREAKIN INTERNET?
let me guess
we will now get the same ignorant comments that yesterdays article attracted.
We use wintel crud for scada; plc/pac programing and dcs because for years the corporate IT community nagged and nagged because process/automation people used bespoke van Neumann machines - some variant of UNIX or their own OS.
I got fed up of hearing some IT dweeb telling his management the process people use computers; they should be wintel; they should be microsoft - that would make them cheap and reliable and safer blah blah blah...
Hell first off; of course; is that wintel is horribly expensive - a £40K operator station that lasts 20 years with only vacuum cleaning being needed is one hell of a lot cheaper than any wintel solution - yes they used the same OS; unpatched with no security holes for the entire 20 years.
The IT world got its wish - COTS kit that costs a fortune to maintain. It cost so much the companies can't afford engineers or techs on-site. But they do have a bloated IT department.
So now Process Control Engineers like me maintain and run systems across the internet using vpn/extranet links. We do not recommend 'always on' links and we will NOT touch control equipment unless the engineer who made the last leg of the link is present on site.
Then we have ESD (emergency shut down) kit. This is always isolated from the rest of the control kit and is NEVER on line. So previous references to ESD for refineries/pharma/nuke/power station being connected; elsewhere in el Reg is just plain stupid; connecting an esd to the web is probably illegal in every western country in the world - it is in the UK; Holland; and afaik the US.
We told you IT types NOT to make us use wintel. We spent years trying to stop you lot putting our control kit near office networks/internet connections. We spent years insisting clients set up Process networks which ONLY push data out. to the office network through a nice fat firewall.
IT folk come along and INSIST that is not the way to do it; they are after all the IT 'professionals'
So; as you pontificate on blaming management and CEO/Finance directors and sundry cheap targets; remember they all took YOUR (the IT worlds) PROFESSIONAL advice. And ignored ours.
What idiot would build any control system on wintel ? Well any one who has to sell it to a company with an embedded IT department thats who.
So what can we do now ?
Well the first thing is to engage my colleagues in the IT world in discussions about how to make this situation safer. We now have an infrastructure where there are not enough engineers and techs/mechs to man the plants to the levels you lot would like so we HAVE to use remote connections.
So stop bitching and showing your ignorance; come up with some better ideas on defense; better ideas on active protection.
You think that we - or the maintenance managers - are happy to discover that the £1000000 motor is suddenly vulnerable to some hack ?
I am fairly confident that the ESD kit WILL work (we go to a lot of trouble to make it work; and ESD normally works by ALLOWING operation; its default action is to SHUT DOWN).
I am not at all confident my friends in IT have the vaguest understanding of the problem; hell we still have the idiots pushing damn mikysoft patches onto servers that are meant to be isolated and LOCKED DOWN; resulting in plant crashes and plant shut downs. And they ALWAYS deny it was them; until we produce the event logs and explain to management just why WE weren't to blame; for yet another IT cock up.
BTW I am not bitter; just exceedingly cynical. and fed up with meeting IT types who really can not get their head around the fact that if there was no machinery in the factory there would be no IT job in the factory; so unlike some office or corporate head office; the PROCESS network is the most important thing they have to look after AND leave alone unless some obviously stupid and inferior Process or Automation engineer ALLOWS the IT wonks to play.
IT has totally failed the Process and Automation industry. It is time they started trying to understand something a tad more complicated than delivering Outlook mail or Lotus Notes domino directories to office workers. We should have a marriage made in heaven; I should look at you lot as my best friends on site - not my worst enemies.
Rant over -- go on don't think just down vote away
Shame no one ever listens to the guys that know...
Air gap is the ONLY way to be sure.
Now just try to relax...