True to my word, herewith, the second installment of my new weekly (or so) series, ‘dark news from the cyber-side’, or something like that…
Today the main topic will be about the security of critical infrastructure; in particular, about the problems and dangers to be on the watch for regarding it. Things like attacks on manufacturing & nuclear installations, transportation, power grid and other industrial control systems (ICS).
Actually, it’s not quite ‘news’ here, just kinda news – from last week: fortunately critical infrastructure security issues don’t crop up on a weekly basis – at least, not the really juicy bits worthy of a mention. But then, the reason for that is that probably that most issues are kept secret (understandable, but worrying all the same) or simply no one is aware of them (attacks can be carried out on the quiet – even more worrying).
So, below, a collection of curious facts to demonstrate the current situation and trends as regards critical infrastructure security issues, and pointers to what needs to be done in face of the corresponding threats.
Turns out there are plenty of reasons to be bowled over by critical infrastructure issues…
The motto of engineers who make and install ICS is ‘ensure stable, constant operation, and leave the heck alone!’ So if a vulnerability in the controller is found through which a hacker can seize control of the system, or the system is connected to the Internet, or the password is actually, really, seriously… 12345678 – they don’t care! They only care about the system still running constantly and smoothly and at the same temperature!
After all, patching or some other interference can and does cause systems to stop working for a time, and this is just anathema to ICS engineers. Yep, that’s still today just the way it is with critical infrastructure – no seeing the gray between the black and the white. Or is it having heads firmly stuck in the sand?
In September last year we set up a honeypot, which we connected to the Internet and pretended was an industrial system on duty. The result? In one month it was successfully breached 422 times, and several times the cyber-baddies got as far as the Programmable Logical Controllers (PLC) inside, with one bright spark even reprogramming them (like Stuxnet). What our honeypot experiment showed was that if ICS is connected to the Internet, that comes with an almost 100% guarantee of its being hacked on the first day. And what can be done with hacked ICS… yes, it’s fairly OMG. Like a Hollywood action movie script. And ICS comes in many different shapes and sizes. For example, the following:
A novel way to see in the New Year… One of the computers of the control center of the Monju nuclear power plant in Japan just hours into 2014 was found to be infected with some malware that had wound up there during an update of some free software! Nope, I am not joking folks.
It took a while for me to take this in.
Shift employees using free software on the controller of a NUCLEAR REACTOR? Updating a video player to break up the long and lonely nightshifts? And this comp being connected to the Internet in the first place?????
Just to bang this home once and for all: An industrial comp needs to be like a hermit: absolutely no contact with the outside world. Simple as that. And that extends to USB sticks: every single one that comes into contact with such an important installation needs investigating real carefully. Let’s not forget that Stuxnet got inside Natanz on a USB.
I’ve mentioned a Die Hard 4 scenario before – how it’s half Hollywood nonsense, half a totally credible portrayal of what could one day happen. Here’s something similar that also demonstrates what might one day happen…
A researcher found the time to see if it were possible to set up disco lights on the streets of US cities – by breaking into the control system of traffic lights.
The researcher’s report is pretty convincing. I especially liked the following conclusions:
- “…it wasn’t difficult to find vulnerabilities [in the traffic control systems] (actually, it was more difficult to make them work properly, but that’s another story)”
- “I even tested the attack launched from a drone flying at over 650 feet, and it worked!”
- “250+ customers in 45 US states and 10 countries”
- “Regarding another vulnerability, the vendor said that it’s already fixed on newer versions of the device. But there is a big problem, you need to get a new device and replace the old one.”
Cocaine flavored bananas
Practically everything everywhere is controlled by computers today. And whenever you have a computer, there’s always the possibility it can be hacked; and if it’s possible to hack, then a scenario like that in Watch_Dogs becomes more and more realistic.
Here’s an example from Belgium.
Ever more inventive South American drug traffickers added some Colombian marching powder to some freight containers carrying bananas. The containers were transported by ship over to Europe and put into a warehouse in Antwerp. Next, hackers in the employ of the yayo peddlers took over the operation: Using malware they’d somehow got inside the control system of the warehouse, they tracked the location of the Charlie-containing containers. They were then able to send in lorry drivers to extract the contraband before the consignee of the bananas turned up.
With this example we see how traditional narco-mafia and cybercrime are converging – firmly in the arena of industrial systems.
And you thought Apple was slow patching? With ICS it’s much worse
The problem of ICS security is exacerbated not only by operators’ reluctance to interfere in ICS’s operation, it’s also caused by the ICS vendors.
However, at least now the situation has slowly started to improve; it’s been some time since I’ve come across outrageous instances of developers blatantly stonewalling with regard to obvious oversights in the security of their products. But in order to understand the real problems here, let me tell you about the case involving the company RuggedCom, which manufactures network equipment for energy, industrial, transportation and other critical sectors.
And this case isn’t a unique one; just the opposite – it’s typical.
In early 2011 a researcher found a hole in RuggedCom equipment allowing relatively easy retrieval of admin access details. He told RuggedCom about the vulnerability and kept asking – for a year! – that they do something to address the security breach, or at least recommend customers to block remote access. All in vain. Ignored. So after a year he decided he’d had enough, and went public – by going to US-CERT.
Of course, after that the doo-da really hit the proverbial ventilator and such a fuss was made that the vulnerability was immediately patched. And everyone sighed a deep sigh of relief including the intrepid researcher (good work!). Problem is, I bet far fewer than half of all users actually got round to patching the breach. Eek. All those vulnerable systems still out there…
Could you pass the stuffing please, your holey-ness?
To illustrate just how holey modern ICS can get, let me give you an example.
Early morning on Thanksgiving Day, another security researcher, who incidentally was totally new to ICS, decided to have a dig into and a poke around some ICS software (a day off? What else is a researcher meant to do?:). By turkey time, he’d fairly freaked out. He found the first zero-day in seven minutes, and then 20 more before the day was out – several of which permitted running code remotely!
As said one of the speakers at SAS said: “ICS is still in the nineties“. These systems were made in the last century, by people from the last century, according to standards of the last century – but are still in operation today.
If things turn ugly in terms of global cyber-turmoil, and governments start to press those red cyber-buttons that will really start the cyber-chaos, that’s when the holey-ness of ICS will be exploited to its fullest. That’ll be when the lower – massive – part of the iceberg will come into view. Rather, we’ll hear it. Errr, no… rather – we’ll read about it… NO! We won’t even find out about it: nothing will work!
I’ve no doubt that in five or so years swarms of flying, running and crawling drones of different breeds and purposes will be all around us.
Last year’s announcement by Amazon about its plans for express deliveries of goods by drones is not just futuristic PR. It’s real: the drones are coming! The problems will be legal as much as technical – since it’ll be necessary to create special air routes, introduce new rules for flights for these drones, distribute reports of flying weather, license users and manufacturers and so on and so forth.
But that’s the way things are headed!… And not only in the air. Recently Google presented concepts of its first driver-less cars (the term ‘automobile’ finally comes into its own after more than a century:).
Drones are even making their way into the critical infrastructure arena.
On the one hand, this is all good: drones can automate many unpleasant/ difficult/ unprofitable… processes. On the other, all this automation could one day come crashing down with a hellishly loud din. That’ll be when the popcorn should be gotten in…
Yes, there will be light!
To close, a little ‘romance’.
From the early 2000s we’ve known that electricity networks are susceptible to virus attacks – as vulnerable as they are to them as the home computer of Joe Bloggs.
A French photographer has produced this here curious series of pics called ‘Darkened Cities‘, which shows what things might look like after such an attack: startling night views of Hong Kong, New York, San Francisco, Paris, Shanghai, São Paulo, and many other metropolises – without electric light. So if one night sat at home suddenly all the lights go out – don’t panic. It’s possible it’s just a virus or hacker attack. Actually, maybe panic…
Before then, will everyone be getting down under the sheets or behind the sofa like when you’d watch Doctor Who as a child? Or slowly moving to the cemetery? Are things really looking so bad and set to get worse?
Yes, things are looking real bad – we’ve been balancing on the edge of the abyss for years already. Key elements of critical infrastructure at any moment can fall like a house of cards. But at least we’re here – security experts :).
To fold paws and whimper – that’s not the way. I’m certain that the world will cope with the problem and do it along three avenues: developing a new generation of software, development of new, more secure architecture for critical infrastructure, and development of national and global standards of security.
As a result of such a three-pronged strategy, any absence of light will only be the result of a few burned out lightbulbs, and nothing else :).