Friday, November 18, 2011

Hackers damage Water system

Of course, SCADA* control systems were connected to the Internet.  My old friend and colleague Dave LeBlanc (one of the smartest security guys I know) likes to say "boot it, and they will come."  Well, they came:

Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery, a computer security expert said.

Joe Weiss, a managing partner for Applied Control Solutions, said the breach was most likely performed after the attackers hacked into the maker of the supervisory control and data acquisition software used by the utility and stole user names and passwords belonging to the manufacturer's customers. The unknown attackers used IP addresses that originated in Russia.
This is me, looking shocked.

“Over a period of two to three months, minor glitches had been observed in remote access to the water district's SCADA system,” Weiss said during an interview, in which he read a verbatim portion of the document to The Register. He said that the attackers were able to burn out one of the utility's pumps by causing either the pump or the SCADA system that controlled it to turn on and off “repeatedly.”
These control systems absolutely, positively should not be connected to the Internet.  Yes, that makes them hard to access remotely.  That's the point.

Yes, it's a drag having to get up at Oh Dark Thirty and drive 50 miles to the pump house.  But hooking the control system to Al Gore's Intarwebz means you're placing a bet that the Bad Guys will find someone else.  Your entire security strategy is "I feel lucky."
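The pump-cycling pattern in the quoted report is the kind of thing a utility could have caught from its own access and command logs, months before the pump died. What follows is an added example, not code from this post or from the utility: a short Python detection pass that reads a constructed SCADA event log, flags any login that did not come from the control-network address range, and flags a pump that is commanded more than a threshold number of times inside a ten-minute window, whichever host issued the commands. The log format, the 10.20.0.0/16 control range, the pump names, the IP addresses and the thresholds are all assumptions made for illustration.

```python
"""Detection pass over a SCADA event log for remote logins and pump cycling.

Added example for this page; not the post author's or the utility's code.
The log format, control-network range, pump names, IP addresses and
thresholds below are assumptions made for illustration.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the control LAN is 10.20.0.0/16; a login from anywhere else is
# "remote" and worth an alert on its own.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")

# Assumption (tuning): more than MAX_TOGGLES state commands to one pump inside
# WINDOW is treated as cycling, no matter which host issued them, because the
# damage is the same whether the attacker drives the pump or the SCADA host.
MAX_TOGGLES = 4
WINDOW = timedelta(minutes=10)

# Assumed log shape: "<timestamp> <login|cmd> key=value key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>login|cmd) (?P<kv>.+)$"
)

# Constructed sample log (not real data): a vendor account logs in from an
# outside address and toggles pump P3 six times in forty seconds, while an
# operator on the control LAN runs P1 for a normal twelve-hour stretch.
SAMPLE_LOG = """\
2011-11-08 01:58:30 login user=operator src=10.20.4.17 result=ok
2011-11-08 02:14:07 login user=vendor_svc src=203.0.113.45 result=ok
2011-11-08 02:15:01 cmd pump=P3 state=ON src=203.0.113.45
2011-11-08 02:15:09 cmd pump=P3 state=OFF src=203.0.113.45
2011-11-08 02:15:16 cmd pump=P3 state=ON src=203.0.113.45
2011-11-08 02:15:24 cmd pump=P3 state=OFF src=203.0.113.45
2011-11-08 02:15:31 cmd pump=P3 state=ON src=203.0.113.45
2011-11-08 02:15:40 cmd pump=P3 state=OFF src=203.0.113.45
2011-11-08 06:00:00 cmd pump=P1 state=ON src=10.20.4.17
2011-11-08 18:00:00 cmd pump=P1 state=OFF src=10.20.4.17
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    fields["event"] = m.group("event")
    return fields


def analyze(lines):
    """Return a list of (kind, timestamp, subject, src_ip) findings."""
    findings = []
    recent = defaultdict(deque)  # pump name -> timestamps of recent commands
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or "src" not in ev:
            continue
        try:
            src = ipaddress.ip_address(ev["src"])
        except ValueError:
            continue  # malformed address: skip rather than crash the pass
        if ev["event"] == "login":
            if src not in CONTROL_NET:
                findings.append(("remote_login", ev["ts"], ev.get("user", "?"), str(src)))
        elif ev["event"] == "cmd" and "pump" in ev:
            q = recent[ev["pump"]]
            q.append(ev["ts"])
            # drop commands that have aged out of the sliding window
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) > MAX_TOGGLES:
                findings.append(("pump_cycling", ev["ts"], ev["pump"], str(src)))
                q.clear()  # one alert per burst, then start counting again


    return findings


if __name__ == "__main__":
    for kind, ts, subject, src in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind:13} {subject} from {src}")
```

Run against the constructed log, the pass raises two alerts: the vendor login from 203.0.113.45, and P3 crossing the toggle threshold at 02:15:31. The cycling rule is deliberately indifferent to who sent the command, since the report says the attackers may have cycled the SCADA host rather than the pump directly; the two normal P1 commands, twelve hours apart, never accumulate inside the window and stay silent.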

Damn punks, always messing with the SCADA.

* Supervisory Control And Data Acquisition computers, which run factories, refineries, the power grid, and (in this case) the water system.  Security isn't an afterthought; it's not thought of at all.


SiGraybeard said...

I think I once said the SCADA systems were too stupid to hack.

That statement was too stupid.

chiefjaybob said...

As you implied in an earlier post, all that is needed to fix this is a pair of diagonal cutters.

TJIC said...

> These control systems absolutely, positively should not be connected to the Internet. Yes, that makes them hard to access remotely. That's the point.

My security background is less than yours (and dealing more with crypto), but I venture to disagree here.

Systems that can launch nukes should be off the internet, but for everything else, there's a cost / benefit analysis...and I suspect that having things online, but behind strong firewalls, is the winning strategy.

We don't keep banks off of roads (even though that would make robberies and getaways much much harder). We just put the money in a vault and build decent security into the processes and procedures.

Borepatch said...

TJIC, you have a good point. I perhaps skipped several steps that should have been spelled out more explicitly.

You could probably set up a pretty secure remote access for SCADA. But you'd need to do a risk assessment, a threat assessment, develop a monitoring/auditing strategy, and make sure that proper supervision and compliance controls are in place.

But what happens is that Cletus from the graveyard shift plugs a Cat-5 cable into the broadband.

And so, I think we're back to the "these systems should never be on the Internet". Q.E.D.


Eagle said...

BP, the problem isn't that "Cletus from the graveyard shift plugs a Cat-5 cable into the broadband".

The problem is that Cletus is most probably a union member and can't be fired for "unintentionally violating security". And that's what he'll be charged with 'cuz he's a dumb, lazy, give-a-sh*t civil servant **with union protection**.

And then, when the situation goes public and Cletus is revealed to be the asshat that he is, the ACLU (et al) will come to his defense because he "isn't well educated", is "doing the best he can", and because it is "unfair to blame him - blame corporate management instead".

Meanwhile, nobody will be paying attention to the man behind the curtain (iron or whatever) who is laughing at American strategic asset security. Well, actually, the LACK thereof.

This country is sooooooooo screwed... :-(

Anonymous said...

Yeah, Hurray for my home town.

City Water Light and Power (CWLP) is the city owned power and water company that sits on a man made lake in my home town of Springfield, IL.

This isn't the first time something big has broken at the plant due to negligence, and I doubt it will be the last.

We did put in a new (old) mayor. One of his campaign promises was to clean up the power company - and to his credit, there has been some trimming of the fat. For the last decade or so in memory (sorry, I'm young) the head positions have mostly been political appointments with little regard to actual knowledge or experience. (That's what consultants are for, right?)

DaddyBear said...

You don't have to have a Cletus to get your air-gapped systems messed with. The SCADA systems in the Iranian nuclear project were probably borked because someone brought in a targeted piece of malware on a USB stick or infected laptop. Same goes for the UAV controllers the Air Force uses.

The answer isn't to make the castle walls thicker and higher, it's to make each and every node on the network a castle unto itself and regularly check to make sure there aren't new chinks in the armor. Of course, that's easier said than done, especially with something as thoroughly hosed up as SCADA.

Dave H said...

The latest: it wasn't a breakin after all.