Saturday, November 19, 2011

False Alarm? Russia Cyber Attack on Water System SCADA Reported
- Cybersecurity back in the limelight, with more intrusion(s) asserted

11/23/2011 Update - A False Alarm?
*** ANSWER: Yes ***
For the initial Nov 14th report, per DHS; meanwhile more "pr0f" (proof) hackery is being demonstrated and investigated!

As the week of Nov 14th closed, a reportedly "confirmed" water system intrusion, discovered after equipment damage, prompted a sensitive fusion center advisory, quickly followed by more public coverage:

- Issue discovered Nov 8th after pump burned up due to power cycling.
- Credentials used were believed to stem from a supplier/vendor breach (e.g., perhaps via phishing)
- May have been compromised for months with ongoing "instability glitches" dismissed
- Involved access from Russian Internet addresses.

A Nov 10th Illinois fusion center report, serving as initial notice regarding this matter, was obtained by Joe Weiss, crusader for critical infrastructure security, who then broke the story, providing some particulars to major media. A statement released by DHS spokesman Peter Boogaard downplayed the matter: “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

11/23/2011 Update
The Illinois intelligence fusion center reported Tuesday 11/22 that earlier reports of a water utility being hacked cannot be substantiated, according to a DHS announcement. Joe Weiss's quote to - “This smells to high holy heaven, because when you look at the Illinois report, nowhere was the word preliminary ever used,” Weiss said, noting that the fusion center, which is composed of Illinois state police as well as representatives from the FBI and DHS, distributed the report to other critical infrastructure facilities in that state. “It was just laying out facts. How do the facts all of a sudden all fall apart?”

Following the initial DHS statement, a PGP-signed posting by "pr0f" asserted evidence of gaining unauthorized access to a second water treatment facility's SCADA system, with five screen shots and a statement, excerpt: "I dislike, immensely, how the DHS tend to downplay how absolutely F*****D the state of national infrastructure is....I've also seen various people doubt the possibility an attack like this could be done. So, y'know. The city of South Houston has a really insecure system. Wanna see? I know ya do... "

11/23/2011 Update
Sophos's Chester Wisniewski was contacted by the hacker "pr0f" regarding the South Houston, Texas intrusion. The hacker gained access through several methods (a VNC variant, a web portal) and claims he still has access. He also commented, "Don't worry, I use my powers for good and such." And he pointed out, ".. I am under no illusions about my level of skill. These are the least secure systems. .. I was furious at the lack of proper government response. The response they gave was nothing more than 'Nothing happened. Probably.' When clearly something did happen."

What should utilities do?

Mr. Weiss provided some constructive broader recommendations in his post "Water System Hack - The System is Broken". Here are some specific suggestions for near term critical infrastructure cyber risk mitigation, especially for industrial control system (ICS) settings where cyber security may be lapsing or not addressed in a robust manner:
  1. Identify all ICS systems and their organizational management owners.

  2. Audit key baseline IT security controls and identify any serious remote and local access issues
    - e.g. protected perimeter, every account has a defined need, management approval/review, access activity logging for review, antivirus where feasible, patching.

  3. Consider how to assert stronger positive owner access control, especially for remote access
    - e.g. remote access normally disabled when not needed, logging of all access events, multifactor token required and kept in house for vendor call-in, use of a protected jump box instead of opening full-throat network paths, segmentation when multiple vendor solutions are involved.
    Note: A good place to start is closely studying NERC's July 2011 "Guidance for Secure Interactive Remote Access".

  4. Implement initial improvement options based on risk-informed priority.
    - proceed based on management-engaged approval/direction; document and implement; monitor and report progress.

  5. Pursue ongoing, broader ICS security improvements
    - after getting basic IT-centric hardening measures in place, tools such as DHS's CSET (Cyber Security Evaluation Tool), free for critical infrastructure organizations, are available to build a better understanding of ICS security susceptibilities and consequences, measure risk, and identify and prioritize further security improvements.
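Steps 2 and 3 above both come down to the same operational question: does every remote access event to the ICS jump box fall inside an approved vendor source network and an approved, management-scheduled maintenance window, with the rest of the time treated as "remote access disabled"? The following is an added example of that review check, not code from the original post or from any of the vendors or agencies it mentions. The policy tables, the account name `pumpco`, the source addresses (RFC 5737 documentation ranges) and the log lines are all constructed for illustration; the log format is a hypothetical five-field one, so a real deployment would swap in its own parser for the jump host's actual audit log.

```python
"""Review jump-host remote access events against an ICS remote access policy.

Added example (constructed policy and log lines, not from the original post).
Flags any access event whose source is outside the vendor's approved networks
or which occurred outside an approved maintenance window, i.e. at a time when
remote access should have been disabled.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Union

# Hypothetical policy: which source networks each vendor account may use.
# 203.0.113.0/24 is an RFC 5737 documentation range, used here as a placeholder.
APPROVED_VENDOR_NETWORKS = {
    "pumpco": [ipaddress.ip_network("203.0.113.0/24")],
}

# Hypothetical management-approved maintenance windows: (account, start, end).
# Remote access is enabled only inside a window and disabled otherwise.
MAINTENANCE_WINDOWS = [
    ("pumpco", datetime(2011, 11, 8, 9, 0), datetime(2011, 11, 8, 12, 0)),
]

# Constructed jump-host access records (hypothetical format):
# timestamp  account  source-ip  method  outcome
SAMPLE_LOG = """\
2011-11-08T09:15:02 pumpco 203.0.113.10 vnc success
2011-11-08T10:40:11 pumpco 203.0.113.10 web success
2011-11-08T23:02:45 pumpco 203.0.113.22 vnc success
2011-11-09T03:17:30 pumpco 198.51.100.77 vnc success
2011-11-09T03:18:02 pumpco 198.51.100.77 vnc failure
"""

SOURCE_REASON = "source address not in approved networks for account"
WINDOW_REASON = "access outside an approved maintenance window"


@dataclass
class AccessEvent:
    when: datetime
    account: str
    source: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    method: str
    outcome: str
    reasons: List[str] = field(default_factory=list)  # why the event was flagged


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line into an AccessEvent."""
    ts, account, ip, method, outcome = line.split()
    return AccessEvent(datetime.fromisoformat(ts), account,
                       ipaddress.ip_address(ip), method, outcome)


def source_allowed(event: AccessEvent) -> bool:
    """True if the source address is inside one of the account's approved networks."""
    nets = APPROVED_VENDOR_NETWORKS.get(event.account, [])
    return any(event.source in net for net in nets)


def in_maintenance_window(event: AccessEvent) -> bool:
    """True if the event time falls inside an approved window for that account."""
    return any(acct == event.account and start <= event.when <= end
               for acct, start, end in MAINTENANCE_WINDOWS)


def audit(log_text: str) -> List[AccessEvent]:
    """Return the events that violate the source or window policy.

    Failed logins are reviewed too: a failure from an unapproved network at an
    unapproved time is exactly the kind of event step 3 wants logged and seen.
    """
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if not source_allowed(event):
            event.reasons.append(SOURCE_REASON)
        if not in_maintenance_window(event):
            event.reasons.append(WINDOW_REASON)
        if event.reasons:
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    for ev in audit(SAMPLE_LOG):
        print(f"{ev.when.isoformat()} {ev.account} {ev.source} {ev.method} "
              f"{ev.outcome}: {'; '.join(ev.reasons)}")
```

On the constructed log, the two daytime events from the approved network pass, the late-night event from an approved address is flagged only for being outside the window, and the two events from an unapproved address are flagged for both reasons. The same structure works for an "identify owners" pass (step 1) by keying the policy tables on the asset owner rather than the vendor account.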

Any such attack damaging a water utility's pump is, in my opinion, more akin to amateur antics than part of any organized nation state effort. Regardless, even if this turns out to be a false alarm as the cause of the equipment damage, many related "what ifs" will be asked by media and others. We can expect interest from hackers of various hats (white, grey, black) to increase as well (SHODAN anyone?). Industrial control systems, including SCADA, are widely used to support a number of critical infrastructure functions. Secured communication paths and protected remote access must be ensured. Organizations that have blindly entrusted their vendor to adequately address cybersecurity in an increasing risk environment need to do more. People, process and technology requirements addressing security in such settings must be understood, documented, supported (with enforcement), and continue to be further developed.


- Cyber Intrusion Blamed for Hardware Failure at Water Utility- KrebsonSecurity 11/18/2011
- H(ackers)2O: Attack on City Water Station Destroys Pump- 11/18/2011
- Second Water Utility Reportedly hit by hack attack - The Register 11/18/2011
  - proof of concept intrusion
- Hacker targets South Houston Sewer System - The Houston Chronicle 11/19/2011

- What You Should Know About SHODAN and SCADA - DigitalBond 11/2/2010

Tuesday, September 20, 2011

EU BlackHat 2011: Cyberwar Overhyped, Escalating Cyber Conflict The Issue
- EU Keynote counters Ex-CIA Official's Warning

While imminent Cyberwar concerns have ramped up as of late, e.g., BlackHat 2011: Cyberwar is Coming- Ex-CIA Official Warns Black Hat 2011 Attendees, an insightful EU Black Hat 2011 - Keynote (video 1:15) with Bruce Schneier offers constructive and useful perspective:

“It’s not that we’re fighting cyberwar, we’re increasingly seeing war-like tactics used in broader cyber conflicts. Non-nations can now deploy war-like tactics... a bunch of criminals getting tanks.. now what do you do?" - Bruce Schneier, EU BlackHat 2011

Schneier points out that cyber war is clearly not happening now. Rhetoric surrounding cyberwar is exaggerated and harmful in its influence over policy. The debate's language lacks good definitions: we don't know when it starts, what it looks like, who is doing it, or when it's over. Using the term “war” implies we're helpless, that we need to duck and cover, and that the government should handle it. Many measures merited in war time pose greater risk in peace time. The advantage is on the attacker's side in cyberspace, with technology pushing capabilities outward; it's so easy, kids can do it.

Further high-level cyberwar analysis commentary addresses topics such as preparing the battlefield, conducting attacks, etc. All advanced nations will need some cyber offensive capability, as it is now part of the war fighting theater. It is also understood that the most advanced nations have extensive capabilities, e.g., placing logic bombs into enemy systems, potentially before a broader conflict starts, and there are recurring examples of precursor cyber-attacks being followed by more traditional military conflict. The US continues dragging its feet on pursuing international rules and treaties covering cyber conflict, given a perceived advantage. This stance feeds the cyber arms race problem, where every side assumes the worst. Related offensive decisions also need to be made at higher levels of government; Stuxnet-type attacks are reasonable to view as an act of war.

Critical infrastructure concerns include widely believed examples of non-US criminal extortion and blackouts caused by hacking, e.g. in Brazil. History is rich with market failure examples where common defense was not adequately addressed by private industry. Private industry can only go so far, which is why we need government, with regulation only part of the answer. The US is clearly more vulnerable than other nations; with risk increasing, it is important to address this further.

- 60 minutes exposé - Cyber War: Sabotaging the System 6/13/2010 (video 18:02)
- “Next war might start with blackout, not a bang.” “Art of the Possible”

Tuesday, September 6, 2011

BlackHat and Defcon 2011: Top 10 Scariest Hacks
- Network World's take on a handful meriting the most concern

The Black Hat USA 2011 and Defcon 2011 conferences hosted in Las Vegas dished up a number of interesting hacking demonstrations applicable to critical infrastructure organizations. The wide-ranging top ten identified by Network World (full slide show) included SCADA issues (Siemens, of course) and even a pretty significant ERP system issue (SAP).

  1. Siemens S7 hack (top one!). Very scary considering just how dependent real-world facilities are on systems with related security problems; the issues go well beyond being specific to Siemens solutions!
  2. VoIP botnet control. Clever data exfiltration and command and control methods using a VoIP channel and touch-tone phones.
  3. Powerline device takeover. Demonstrated a device that can tap into home power lines to monitor and control home alarms/security cameras, e.g., enabling intruders to jam security gear and then break in.
  4. Hacker drone. Off-the-shelf electronics used to create WASP (wireless aerial surveillance platform), executing flight plans while doing its work (cracking codes, picking up cellphone calls, etc.).
  5. Car hijack via phone networks. Using text messages over phone links to hack a Subaru Outback car alarm, unlock the doors and start the vehicle. Similar devices are used in some critical infrastructure settings, raising concerns about knocking out power grids and water supplies.
  6. Hack faces to find Social Security numbers. Acquiring a person's Social Security number using nothing more than a social networking photo, face recognition software and a deduction algorithm. Interesting!
  7. Remotely shut down insulin pumps. Exposed a very difficult to resolve wireless security problem that could be fatal in the wrong circumstances. The diabetic security researcher focused on issues with his own wireless pump: "devices weren't designed with security in mind".
  8. Embedded web server menace. Embedded web servers in photocopiers and printers make them easier to administer, and easier to compromise, potentially pilfering produced documents. Easy fingerprinting and attack approaches were demonstrated.
  9. Spreading false router tables. Demonstrated that the OSPF (open shortest path first) routing protocol has weaknesses permitting attackers to install false table entries on uncompromised routers, potentially redirecting data streams (sending info to a remote attacker) or just crippling networks.
  10. SAP flaw: authentication. Showed how an SAP system can be broken into, gaining administrative privileges. The researcher determined that half the systems examined were vulnerable to this issue; target systems are easy to locate with a Google search. SAP is working towards releasing a related security update.
- Insulin pump attack prompts call for federal probe‎ - Register 8/19/2011- Committee urges investigation into security standards for wireless medical devices.
- Black Hat 2011 USA Archive video, audio, slides added since Aug 2011 conference
- DEF CON 19 Archive - site stood up 9/5 w/slides, etc from Aug 2011 conference

Wednesday, August 24, 2011

BlackHat 2011: Cyberwar is Coming
- Ex-CIA Official Warns Black Hat 2011 Attendees

Former U.S. counter-terrorism official Cofer Black, who warned of 9/11 terrorist attacks, raised the alarm earlier this month during his Black Hat 2011 keynote that cyberwar is an imminent threat.

Cyber warfare has been raised as a significant concern by US intelligence and former officials for some time, including concerns of potential tampering with IT supply chains. Most view the US as leading, with others catching up in offensive capabilities. Turnabout is fair play. Besides the obvious appeal and resonance this official’s message has with the Black Hat community and media coverage, some related points can be made:

  • Stuxnet is the most significant example of a cyber attack against another nation state’s critical infrastructure since the Russian gas pipeline explosion in June 1982. In the June 1982 attack, a CIA operation was launched that embedded a Trojan horse in gas pipeline regulator software the CIA knew would be stolen by the Russians. The Russians did indeed steal the software and used it in a production gas line in Siberia. The Trojan horse corrupted the gas pipeline regulation which resulted in a massive explosion, initially thought to be nuclear, until later evidence showed this wasn’t the case. The incident was classified, then later released and infamously documented in the Farewell Dossier. The KGB at the time said the blast was accidental. (Source: Defending Against Stuxnet Type Threats – invincea blog)
  • Government officials fear that foreign powers could surreptitiously design something into a component or printed circuit board that would end up in a piece of equipment used by the government "Maliciously tampered ICs cannot be patched," retired General Wesley Clark said in 2009. "They are the ultimate sleeper cell."
  • Many are very skeptical that a huge US electronic 9/11 or Pearl Harbor event is imminent, a view I share. All advanced militaries have cyber-attack capabilities, including EMP strike options against information technology based systems. We can expect significant nation state sponsored cyber incursions to continue, often for information gathering purposes. This may not be a true “war”, but that doesn't mean we aren't losing.