

  (Source: Orion Pictures)
Intruders appeared to simply watch and observe, made no attempt at sabotage

The U.S. Department of Homeland Security (DHS) this weekend disclosed in a newsletter aimed at security professionals that a "sophisticated threat actor" had penetrated a public utility's (water, sewer, power, gas, etc.) control network in recent months.
 
I. Two Major Breaches Detailed
 
The agency's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) writes in its tri-annual (Jan.-April) newsletter [PDF]:

A public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network. After notification of the incident, ICS-CERT validated that the software used to administer the control system assets was accessible via Internet facing hosts. The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques.

[Image: power grid. Source: energia-online.eu]

A second incident is also described, involving an internet-connected "device" -- likely a control mechanism at a utility. ICS-CERT reports:

The second example involved an unprotected, Internet-connected, control system operating a mechanical device. Upon investigation, ICS-CERT determined that a sophisticated threat actor had accessed the control system server (connected via a cellular modem) through a supervisory control and data acquisition (SCADA) protocol. The device was directly Internet accessible and was not protected by a firewall or authentication access controls.

At the time of compromise, the control system was mechanically disconnected from the device for scheduled maintenance. ICS-CERT provided analytic assistance and determined that the actor had access to the system over an extended period of time and had connected via both HTTP and the SCADA protocol. However, further analysis determined that no attempts were made by the threat actor to manipulate the system or inject unauthorized control actions.

After the incident was resolved, ICS-CERT conducted an onsite cybersecurity assessment of its larger control environment to evaluate its security posture and make recommendations for further securing its remote access to its control network. This incident highlights the need for perimeter security and monitoring capabilities to prevent adversaries from discovering vulnerable ICSs and using them as targets of opportunity.

In both intrusions, the infiltrating party did no damage and merely seemed to snoop on the systems, perhaps as a test for more damaging future attacks. China's People's Liberation Army (PLA) is, of course, a top suspect, despite its repeated denials of hacking U.S. networks.
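The two incidents share a detection lesson: the first was a simple password guessed by brute force over a remote-access service, the second an Internet-reachable control host taking DNP3/HTTP connections with no firewall in front of it. As an added example (not ICS-CERT's or the utility's code), the following Python monitor applies both checks to constructed log lines; the log format, host names, addresses and trusted network are assumptions.

```python
"""Added example: spot the two ICS-CERT incident patterns in access logs.
Assumed log format: "<ISO timestamp> <host> <service> <result> src=<ip> user=<name>".
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hosts, addresses and times are made up for this example).
SAMPLE_LOG = """\
2014-04-10T02:00:01 hmi01 remote-access FAIL src=203.0.113.7 user=admin
2014-04-10T02:00:04 hmi01 remote-access FAIL src=203.0.113.7 user=admin
2014-04-10T02:00:07 hmi01 remote-access FAIL src=203.0.113.7 user=admin
2014-04-10T02:00:10 hmi01 remote-access FAIL src=203.0.113.7 user=admin
2014-04-10T02:00:13 hmi01 remote-access FAIL src=203.0.113.7 user=admin
2014-04-10T02:00:16 hmi01 remote-access OK src=203.0.113.7 user=admin
2014-04-10T08:00:00 hmi01 remote-access FAIL src=10.20.0.5 user=operator
2014-04-10T08:00:09 hmi01 remote-access OK src=10.20.0.5 user=operator
2014-04-10T09:12:11 rtu07 dnp3 CONNECT src=198.51.100.9 user=-
2014-04-10T09:12:15 rtu07 http CONNECT src=198.51.100.9 user=-
2014-04-10T09:30:00 rtu07 dnp3 CONNECT src=10.20.0.5 user=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<service>\S+) (?P<result>\S+) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)

def parse_line(line):
    """Return one event as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a (src, user) pair with >= threshold failed remote-access logins
    inside `window`, and record whether a later OK from the same pair followed
    the burst (i.e. the guessed password worked)."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["service"] == "remote-access":
            by_key[(ev["src"], ev["user"])].append(ev)
    alerts = []
    for (src, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()   # FAIL timestamps inside the sliding window
        burst_at = None    # when the threshold was first crossed
        for ev in evs:
            if ev["result"] == "FAIL":
                recent.append(ev["ts"])
                while ev["ts"] - recent[0] > window:
                    recent.popleft()
                if burst_at is None and len(recent) >= threshold:
                    burst_at = ev["ts"]
            elif ev["result"] == "OK":
                if burst_at is not None:
                    alerts.append({"src": src, "user": user, "burst_at": burst_at,
                                   "login_succeeded": True})
                    burst_at = None
                recent.clear()  # a lone failure before a success is just a typo
        if burst_at is not None:
            alerts.append({"src": src, "user": user, "burst_at": burst_at,
                           "login_succeeded": False})
    return alerts

def find_exposed_ics_access(events, trusted_nets, ics_services=("dnp3", "http")):
    """Flag connections to control-system services from outside the trusted
    networks: a device reachable this way has no perimeter in front of it."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for ev in events:
        if ev["service"] not in ics_services or ev["result"] != "CONNECT":
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in n for n in nets):
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "service": ev["service"], "src": ev["src"]})
    return alerts

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in find_brute_force(evs) + find_exposed_ics_access(evs, ["10.20.0.0/16"]):
        print(a)
```

On the sample log this reports one successful brute-force burst against hmi01 and two untrusted connections to rtu07; the operator's single mistyped password produces no alert.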

Such intrusions are believed to be increasingly common, but are often not discussed in such explicit detail.
 
ICS-CERT typically only posts a boilerplate notice of an intrusion, which lists the sector but not the specific company involved or details about the level of intrusion. Last year, 256 such incidents were reported. ICS-CERT's report states that it dealt with security intrusion issues at 20 power plants and public utilities. Among these was a pair of breaches at nuclear facilities.
 
It is rather rare for the federal government to offer such a detailed account of a breach in the wild, as it hurts consumer confidence in utilities, and in turn discourages utilities from sharing information about these kinds of intrusions with the government.
 
As Reuters reports:

Such cyber attacks are rarely disclosed by ICS-CERT, which typically keeps details about its investigations secret to encourage businesses to share information with the government. Companies are often reluctant to go public about attacks to avoid potentially negative publicity.

But the ICS-CERT appears to feel it is necessary to discuss this pair of breaches in more detail to highlight the growing threat to American infrastructure.
 
II. SCADA: Ticking Timebomb?
 
SCADA is a serial communications protocol commonly used in the power industry to remotely control and monitor mechanisms, such as pipeline valves.  It is also sometimes used to monitor and control heating, ventilation, and air-conditioning (HVAC) systems at large facilities such as airports.  The described incident hints that the breach occurred at yet another common use of SCADA connected devices -- manufacturing and fabrication.
 
Typically such applications are governed by the North American Electric Reliability Corp. (NERC), a nonprofit trade group responsible for setting standards for internet connected devices.  But in early February at the DISTRIBUTECH conference in San Antonio, Texas, security researchers Adam Crain and Chris Sistrunk reminded the audience that the NERC had not set strict security standards for SCADA.
 
The pair showed that the DNP3 master protocol stack had several vulnerabilities that would allow a remote attacker to seize control of a connected device.  Such a breach could allow an attacker to not only cut the device off from communication with the rest of the network, but also to gain full command and control capabilities.

[Image: a diagram of a SCADA-controlled water treatment network. Source: Remote Pump Solutions]
 
Part of the presentation's tongue-in-cheek title -- "Serial Killer" -- alludes to the fact that such an intrusion could be used to turn plant robots against workers in a deadly sabotage plot. Alternatively, it could be used to black out a nation's power grid and fuel pipelines in a time of war.



Mr. Crain stated to the blog ThreatPost:

What’s different about our research is that most have focused on actual field devices—devices in substations or devices on poles—and 50 percent of our testing was on the master systems, things that communicate to all of the field devices and bring that data back to the operations center.  The difference is, if you had access, here you could knock out visibility to a whole system, hundreds of substations, by affecting one or two servers that are monitoring all of that.

[That said] we have not found anything that would suggest there is anything [inherently] wrong with the specification.  These are all bugs in implementations from various vendors. There were two vendors we tested out of the 30 products where we didn’t find any detectable vulnerabilities. So at this point, it’s possible to implement the standard without a security or robustness defect.

It's highly likely that the attackers in the breach used one of these vulnerabilities, especially since security researchers have published open source tools to "study" them through penetration testing.
 
III. FERC Wants More Power; Pentagon's Fuel Chain is Vulnerable
 
NERC is under pressure to implement new security guidelines for SCADA. It will be up to NERC's supervising agency -- the Federal Energy Regulatory Commission (FERC) -- to push action on the issue.
 
But currently FERC's attention is divided between regulatory actions and bureaucratic negotiations.  In mid-February FERC's acting chairman, Cheryl LaFleur, called on Congress to grant it "clear and direct authority" to take action to protect the nation's infrastructure against cyberattacks.  Currently that responsibility is divided between FERC, DHS, and a variety of other government agencies.
 
She stated:
 
This authority should include the ability to require action before a physical or cyber national security incident has occurred.
 
She also commented that granting the authority would not impact the current work to draft grid reliability standards, a process that takes "several months" to complete. It is probable that those standards will include work to address vulnerabilities in the SCADA protocol.
 
Lastly, the ICS-CERT report cites a study from the U.S. Army War College's Strategic Studies Institute, which characterizes the Pentagon's supply networks as weak and vulnerable. The report -- "Hacks on Gas: Energy, Cybersecurity and U.S. Defense" -- was written by Christopher Bronk, a fellow in IT policy at Rice University's Baker Institute, and details the 2012 attacks on Saudi Arabian Oil Co. (Aramco), the world's largest oil producer and privately held company.
 
That attack successfully compromised 30,000 systems using what experts believe was possibly a modified version of the "Flame" malware.  Iran has accused the U.S. of using Flame in an attempt to infect and digitally "cripple" its oil industry.  Mr. Bronk's report suggests the Pentagon needs to beef up security for its fuel supply chain, or it could find itself crippled by the enemy during a war.

Sources: ICS-CERT newsletter [PDF], Digital Bond, Reuters, Threat Post




New deal
By Motoman on 5/21/2014 11:45:32 AM , Rating: 5
The next major war will be fought on 2 fronts...physical military assets like planes, tanks, and troops, and in cyberspace.

If someone attacks the USA, the first thing they'll do is crash our powergrid and communication networks. So much sh1t will hit so many fans we won't even have time to respond to the physical attacks. Nor would we be able to coordinate them anyway.

Just imagine if someone managed to get into the powergrid and set up a massive cascading overload that blows up all our major distribution points. Not much of a stretch of the imagination. There'd be months of work to put it all back together, and with that being the first strike in the war, we'd be all but helpless. Take out landline and cellular phone services, and maybe fire a rocket or two at the satellites that manage our military's satellite communications. Remember, China's already proven they can do that.

In the first 60 seconds of the next war, we could be dark nationwide, with no communications capabilities of any kind.

And then the planes come, the missiles are launched, the boats land, and the tanks roll. And we can't see them coming or coordinate the military to meet them when they get here.

I can only hope we're prepared with the same cyberattack capabilities.




RE: New deal
By Reclaimer77 on 5/21/14, Rating: 0
RE: New deal
By ianweck on 5/21/2014 12:36:02 PM , Rating: 2
I'm just curious to know what you're basing this on. Motoman laid out a fairly plausible scenario, with the most damaging part being the lack of communication capabilities. I'm as gung-ho as the next guy but still if we can't coordinate we're screwed. So what are you basing your response on? We're not playing Halo here.


RE: New deal
By blueaurora on 5/21/2014 12:57:20 PM , Rating: 4
Civilian forces would be limited but military forces have alternative communication access that doesn't rely on less secured public infrastructure. Our biggest problem would be organizing the populace who can't communicate. DHS has some techniques to deal with this. The worst would be rioting and looting from the disadvantaged populations.

It would be scary.


RE: New deal
By Motoman on 5/21/2014 1:34:21 PM , Rating: 2
The military's alternative communication systems are satellite based.

China has already destroyed a satellite in orbit with a missile.

This is not conjecture.


RE: New deal
By Bad-Karma on 5/21/2014 2:25:53 PM , Rating: 1
They can hit a LEO, but comm satellites are much further out in space, usually geosynchronous. Which is orders of magnitude harder to reach.


RE: New deal
By Reclaimer77 on 5/21/2014 3:09:41 PM , Rating: 2
So China can take out satellites, interesting.

Hey, fun fact? We can take out CHINA.

The second part of your scenario is literally impossible from a logistics standpoint. China landing troops, tanks, and air-power on American soil?

Exactly how, pray tell, are they going to pull that off? Even if they take out every satellite on the planet, we're not deaf dumb or blind to let something on a massive scale happen right under our noses.


RE: New deal
By Reclaimer77 on 5/21/2014 3:20:42 PM , Rating: 3
quote:
Motoman laid out a fairly plausible scenario


Uhh no, he didn't. His scenario is basically this:

1. Disrupt communications
2. Land massive ground forces with air cover on American soil
3. WINNING!

That's some dumbass armchair strategist if there ever was any.

I invite you to look at a map of the world. Then examine China's Navy, oh right, WHAT navy?

It would take a massive blue water navy to pull off such a feat. Also there's no way China could execute a buildup of forces that significant without us finding out.

quote:
I'm as gung-ho as the next guy but still if we can't coordinate we're screwed.


There's no way China could successfully destroy all means of communication or even disrupt them for a significant period of time. Hell I suppose in his "scenario" China will simultaneously hack and also send sappers to destroy every POTS system in the country as well as blowing up all our satellites?

Is that before or after Jeff Goldblum uploads the mega-virus to our mothership with a MacBook?


RE: New deal
By ianweck on 5/21/2014 4:09:19 PM , Rating: 3
quote:
Is that before or after Jeff Goldblum uploads the mega-virus to our mothership with a MacBook?


I agree, that was the lamest part of the movie.

Other than that, if it were me I would do just as he suggested: take out the civilian power grid and communications, sit back and let the populace eat itself for awhile and then attack. Even if the military was left intact I think there would be so much chaos that eventually, without an imminent risk of invasion (we're sitting back for the moment, remember) the military would be stretched thin enough to be less effective at repelling an invasion. Hell, two months into a total loss of power and I bet a good part of the military would scatter and go home to protect their families.

But what do I know, maybe you're right. I like your outcome better than mine anyway.


RE: New deal
By Spuke on 5/21/2014 5:03:43 PM , Rating: 3
quote:
Other than that, if it were me I would do just as he suggested: take out the civilian power grid and communications, sit back and let the populace eat itself for awhile and then attack.
You guys have ZERO idea how the US military works. But that is actually a good thing because that means no one else does either. Communications are layered from high tech to two cans and some string. This entire conversation is sooo 20th century but I'll play. The US military does not depend on the civilian infrastructure to operate. It does not matter in the least how the civilian populace fares at all, it has no effect on operations. It doesn't even matter if the government is functioning, it has no effect on operations. These scenarios were thought about and practiced, ad nauseam, before some of us were born.


RE: New deal
By drycrust3 on 5/21/2014 4:16:19 PM , Rating: 2
It depends on how you define "attacked successfully". If you define it as simply achieving the primary aim of the actual attack, then there have been lots of successful attacks against America. For example, the primary aim of the attack on Pearl Harbour was to sink the American Naval Fleet, and since most of the American Naval Fleet was damaged or sunk then that attack was successful. The important point here is the primary objective was achieved.
Using cyberspace as an example, the primary aim of clandestinely accessing a computer or network is to secretly access a computer or network so as to copy, corrupt, or delete information. The fact that later on this was discovered overlooks the fact the primary aim was achieved: the information on that network or computer was accessed and then copied, corrupted, or deleted. The discovery of the attack later on doesn't stop the attack from having been a success. e.g. the copying of credit card information and then use of it, which would lead to the copying being discovered still means the clandestine copying was a success.
On the other hand, if there were security features that prevented the accessing, copying, corruption, or deletion of information, e.g. not getting through a firewall, then the attack wasn't a success.


RE: New deal
By Reclaimer77 on 5/21/2014 4:23:46 PM , Rating: 2
quote:
And then the planes come, the missiles are launched, the boats land, and the tanks roll. And we can't see them coming or coordinate the military to meet them when they get here.


This is what Moto said. He's talking about an OCCUPATION of the American mainland. Not some random "attack".

And I'm sorry, but this is a virtually impossible scenario. China would need a supply line stretching across an entire ocean, with virtually NO blue water Navy to speak of to defend it from the pure rape it would suffer at the hands of the US, British etc etc's navy.


RE: New deal
By FITCamaro on 5/22/2014 7:57:57 AM , Rating: 2
You know I largely agree with you. The issue I see is that China is trying to expand their Navy while ours is shrinking. And our Navy is vulnerable to fighters. Sure we have our own but the majority of that force is 30 years old at best. We have less than 200 F22s. China isn't going to stop at that many for their own stealth fighter once it's finished and in full production.

We have the advantage today. But in the future if we continue to go down our present road, that will be gone.


RE: New deal
By Reclaimer77 on 5/22/2014 8:39:44 AM , Rating: 2
China's stealth fighter isn't made for carrier ops though. So unless they plan on flying them across the ocean somehow, I don't see how they can get them over here so they can make a difference.

And China's naval expansion seems to be all about buying 20+ year old Russian rust buckets.

I'm just saying, North America is in a geographically ideal location to defend against attacks. Traversing an ocean and establishing a supply line under wartime conditions is no small feat.

Also the sheer size of America is a problem in and of itself. It would require a MASSIVE occupying force to neutralize our many military bases and national guard units. It doesn't even seem feasible honestly.

They would have to establish a forward base or staging area, and I can't very well imagine us sitting by and letting them use Cuba or a South American nation for that purpose.


RE: New deal
By bah12 on 5/22/2014 12:19:54 PM , Rating: 2
And don't forget an armed populace.

WOLVERINES!!!!!


RE: New deal
By Reclaimer77 on 5/22/2014 1:07:25 PM , Rating: 1
No kidding, and what an armed populace we have! Nearly a gun for every person living here.

Also you have our "civilian" police to contend with. Which are practically paramilitary organizations in their own right.

You would have to be straight up crazy to invade America, just...it's impossible. Sorry everyone, the fantasy is over. Not gonna happen, never can happen.


RE: New deal
By drycrust3 on 5/22/2014 5:15:18 PM , Rating: 2
quote:
China would need a supply line stretching across an entire ocean, with virtually NO blue water Navy to speak of to defend it from the pure rape it would suffer at the hands of the US, British etc etc's navy.

One of the important lessons from WW2 was that an enemy will attack you in a way you don't expect. France built a hugely expensive defensive system called the Maginot line which could easily have inflicted huge casualties to a head on attack by the German Army, so the Germans got out their chainsaws and cut a road through the Ardennes Forest. Voila! No huge casualties.
See the problem the French government had? They thought that if the Germans did attack it would be along the main road, they didn't think the Germans would make their own road, so they had built their defensive systems as static defences, not mobile. Consequently, when a highly mobile army turned up, all the guns on the Maginot Line were pointing in exactly the wrong direction.
The same applies to America: an enemy isn't going to attack you in the area where you are strongest (e.g. via a Naval assault), they are going to attack you in the area where you are weakest.


RE: New deal
By chromal on 5/21/2014 9:20:30 PM , Rating: 2
We've never been as vulnerable as we are today.


RE: New deal
By kattanna on 5/21/2014 1:13:49 PM , Rating: 2
quote:
In the first 60 seconds of the next war, we could be dark nationwide, with no communications capabilities of any kind. And then the planes come, the missiles are launched, the boats land, and the tanks roll. And we can't see them coming or coordinate the military to meet them when they get here.


first up.. what are you smoking.. and WHY are you not sharing??

are you really that willfully ignorant of how things works?


RE: New deal
By Motoman on 5/21/2014 1:33:23 PM , Rating: 1
What are you smoking? The scenario is eminently plausible.

1. Hacking into power control systems - already been done. And the article above only mentions the last 2...that we know about.

2. Phone systems are all entirely computerized, and vulnerable to hacking. Either into the phone systems themselves, and/or to the phone companies' systems. Can disable and/or disrupt them either way.

3. China has already successfully launched a missile and destroyed a satellite in orbit. On their first try. If you think they don't know which satellites our military uses for communications, you're nuts.

No sir, it is you who are wildly and willfully ignorant. There is nothing there that's a stretch at all.


RE: New deal
By kattanna on 5/21/2014 2:23:34 PM , Rating: 2
what you are talking about is civilian in nature, and yes it would create havoc

but the military? no.

nothing short of a MASSIVE nuclear attack would blind the country big enough to prevent any sort of follow-up invasion afterwards

as it would take many weeks to then gather such an invasion force to be able to penetrate our shores. and that's not even counting the carrier groups that would be in the area

any pre-buildups would be noticed LONG before they would be of any effective size.

also.. any country of any real size also knows that to take out the US financial system would only be to do so at their own expense as well.

but also.. there is no combined military right now that even has an ocean capable fleet that they could gather to harm us


RE: New deal
By valkator on 5/21/2014 2:34:59 PM , Rating: 2
Stop watching so many movies motoman. I hate it when people try to sound knowledgeable about things they know nothing about based on what they see in movies.

Although there is a vague truth to what you are saying, it isn't by a snap of a finger.

I am sure soon he will be telling us that Godzilla is going to invade the US.


RE: New deal
By Hakuryu on 5/21/2014 4:02:01 PM , Rating: 2
You act like the US is a small city with your assumptions.

The military has their own networks, both power and communications, and portable generators that could power military actions for a long time. I was a 31C in the Army, radio telecommunications, with a little 'house' on the back of a Humvee and a set of generators; easily two weeks up time with less gas than we could carry.

Too much TV and movies for you I'm guessing.


RE: New deal
By Reclaimer77 on 5/21/2014 4:49:46 PM , Rating: 3
I think he watched "Olympus Has Fallen" one too many times. Where North Korea takes the whole country hostage using one C-130, some miniguns, and a few plainclothes soldiers with RPG's.

I can see Moto sitting there cramming popcorn into his pie-hole saying "TOTALLY PLAUSIBLE!!!"


RE: New deal
By bigboxes on 5/21/2014 11:55:42 PM , Rating: 2
I'm not sure why you've gone off on this tangent, but why you'd think China would ever do such a thing is beyond me. Mess with their biggest customer? Let's say that our relationship has deteriorated enough where China would contemplate such actions. Now, think about what we would be planning on doing to them. Cyber wars aside, our military would eviscerate their global capabilities in short time. There's only one superpower that controls the seas and the air.


RE: New deal
By Iantech on 5/22/2014 12:31:50 AM , Rating: 2
quote:
There's only one superpower that controls the seas and the air.


That's just what the Romans thought.


RE: New deal
By Divide Overflow on 5/24/2014 2:59:02 PM , Rating: 2
I'm certainly not smoking whatever it is that you are!
You might be helpless if your cellphone and internet connection were taken away but don't think that everyone else would. The US military might be marginally disrupted but by no means combat ineffective. The fact that you are clueless to the reason why is somewhat reassuring!


RE: New deal
By Argon18 on 5/21/2014 3:15:42 PM , Rating: 2
"So much sh1t will hit so many fans we won't even have time to respond to the physical attacks. Nor would we be able to coordinate them anyway."

That's nonsense. The military has satellite as well as terrestrial communications systems that are proven to be secure, and have zero dependency on civilian infrastructure.

Also google RACES. Ham Radio is still alive and well with many licensed radio operators (yours truly included). RACES was designed specifically for the scenario you describe.

Heck even plain old CB radios will work in a vacuum, no dependency on any external infrastructure.


RE: New deal
By ritualm on 5/21/2014 11:01:03 PM , Rating: 2
quote:
That's nonsense. The military has satellite as well as terrestrial communications systems that are proven to be secure, and have zero dependency on civilian infrastructure.

Also google RACES. Ham Radio is still alive and well with many licensed radio operators (yours truly included). RACES was designed specifically for the scenario you describe.

Heck even plain old CB radios will work in a vacuum, no dependency on any external infrastructure.

If they're not EMP shielded, all that stuff's as good as dead.


RE: New deal
By msheredy on 5/21/2014 7:23:01 PM , Rating: 2
This!!!

Thank God the second amendment isn't constantly being challenged, then we'd really be screwed... wait...


RE: New deal
By TSS on 5/21/2014 7:48:00 PM , Rating: 2
I think you'll find the next major war will be fought on the economic front first. It'll be a lot easier to attack the US when the military budget isn't the next 10 nations combined.

That's not too far fetched. Since the whole Crimea business and sanctions, Russia has sold about 20% of its US Treasury holdings. China's not been buying and Japan's not exactly been piling it on either.

You know who has? Belgium. They went from $201 billion at the end of November 2013 to $381 billion at the end of March 2014. Their GDP was $483 billion in 2012 (it'd be the equivalent of the US buying $6 trillion worth of treasuries in 4 months). Belgium's a proxy used by a company called Euroclear (based in Belgium), which is in turn a middleman for many central bank transactions. It's impossible to tell who the treasuries are then really going to.

No matter how you look at it, *that* is a real national security threat that's not going to end well. You can use the military against viruses and missiles, but how are you going to use them against countries not buying US debt?


RE: New deal
By degobah77 on 5/22/2014 8:50:54 AM , Rating: 2
This article is nothing but scare tactics released by the department to justify to the populace why we need to keep handing over more freedoms and keep giving the gov't more and more power.


You don't know what SCADA is
By stephenBA on 5/22/2014 12:23:10 AM , Rating: 2
SCADA is NOT a protocol. It stands for Supervisory Control And Data Acquisition, which refers to the entire system and that system is implemented with many protocols like DNP3.

Many many parts of your article say things like "the SCADA protocol" or "SCADA-controlled" which make NO sense! Do a quick Wikipedia search before you write about something!!! Even the quote you pulled in doesn't make this mistake but you didn't seem to notice that!




By flyingpants1 on 5/22/2014 6:04:55 AM , Rating: 2
Right. The quote refers to "the SCADA protocol", as in, the specific communication protocol used by the SCADA system in this case.

Jason made the mistake of assuming this meant "the SCADA protocol", as in "The protocol called SCADA".

It would be more accurate to say "The SCADA system", as Wikipedia does.


WTF is "sophisticated threat actor"?
By Zak on 5/22/2014 12:13:41 PM , Rating: 2
A clever hacker maybe?




Serial killer?
By villageidiotintern on 5/22/2014 1:10:54 PM , Rating: 2
What does this have to do with Cap'n Crunch?




Quid Est Veritas
By Iantech on 5/22/2014 11:58:39 PM , Rating: 2
I highly suggest watching Charlie Rose's recent interview with secretary of defense Chuck Hagel (in its entirety) for words straight from the top on the reality of the vulnerability.




Sorry
By MadAd on 5/23/2014 1:44:40 PM , Rating: 2
"Sorry

Because of its privacy settings, this video cannot be played here."

I guess I won't watch it then.




Copyright 2014 DailyTech LLC.