
When I’m done choking on bile/have some time next week, I will write a more balanced piece. I have a loathing for the “Can’t sleep, smart grid will eat me. Can’t sleep smart grid will eat me” reporting that the mainstream media has been leaning on. That being said, the Reuters piece references sound research from some very bright folks. Mind you the article’s opening salvo…anyway.

From Reuters:

Worried about the security of the Smart Grid? You should be. Security researchers warn that the Smart Grid could become a hacker’s playground. As proof, here are four ways the Smart Grid can be hacked.

Technology Review has an excellent article outlining ways in which the Smart Grid is vulnerable. Here, based on the article, are four ways it can be hacked via the smart meters that will be in businesses and people’s homes.

The piece goes on to reference research by the likes of Travis Goodspeed and others. I had a brief chat with Travis at Black Hat and found him to be a very intelligent, nice guy. Not sure how he rocks the dreads everyday but, different strokes and all that.

Getting off topic. Anyway, in order to see ways to hack the smart grid for fun and profit follow the article link.

Article Link


So, how would the US respond to a (gak) cyber attack? My concern would be whether they are retaliating against the correct opponent. It’s not like we’ve never relayed through a third party to attack…um, read about, yeah, that’s it, read about such a tactic.

But, in all seriousness I have heard a certain character in the US military recently imply that a nuclear option would be on the table. This caused me to choke on my coffee and wonder what colour the sky might be in his world. The media has been having a field day vilifying the Chinese and Russians and scaring folks in government. This will not help build level heads.

From the Associated Press:

“In the face of our almost universal reliance on untrusted systems, the United States currently is facing a grave national security challenge in the form of exploitation of our government and private-sector networks and information,” said Steven Chabinsky, assistant deputy director of cyber issues for the Obama administration’s director of national intelligence. “This exploitation is occurring on an unprecedented scale by a growing array of state and nonstate actors.”

OK, no argument there. Then he added this,

Chabinsky said the U.S. needs to figure out what it is prepared to do in the face of a cyber assault, such as an action that takes down the electrical grid. And, since the grid is privately run, officials must also decide how any counterattack should be coordinated with the corporate world.

Having been a part of the electricity vertical I can safely say that you can’t just hit the big red button that says “shut down” and the grid goes dark. It’s nowhere near as simplistic as the media have led folks to believe.

Damn you, “Die Hard 4”.

So, as they examine their options I hope that cooler heads prevail and spend less time worrying about counterattacks and more on shoring up defenses.

Article Link

(Image: risingpowers.foreignpolicyblogs.com)

Hello there!

My name is Lee Herloth (with a “Hard T”) and I work in critical infrastructure protection, specifically for an electric utility. I’ve been invited by the good folks here at Liquidmatrix.org to write a blog from time to time and I thank them for the opportunity.

I was ready to fire off a post about how utterly unprofessional, dangerous, and borderline criminal it is to see so many vendors testifying in front of the United States Congress in support of new legislation (no fewer than five active bills right now) designed, in title, to increase the security of varying critical infrastructures. However, I have thought better of that as it would not be fitting of a southern gentleman.

Instead, I will refrain from calling said vendors on the carpet for using their influence to back legislation that directs the government to use their auditing guidelines, risk assessment tools, or to anoint a singular person as the czar of all things critical infrastructure protection. Therefore, this post will be SANS any ranting lest the internal struggle of having done so Impact my Core values, for that surely would not be Weiss.

On any given day, there are tens of thousands of United States residents alone who are without power due to mundane reliability failures stemming from equipment failure, human error, weather, and physics – oh, and the occasional possum or two. However, “Oops! My bad” isn’t a sexy headline. Instead, much like the current fuss around “swine flu”, that which has a catchy name will win the attention of the reactive politicians and people at large, and the larger, more meaningful issues go unaddressed.

Yes, we are plugging in our critical infrastructure to your internet.  We have no choice.  You want cheap, clean, reliable power so off to the races we go.  As with any new activity, there will be learning opportunities and missteps along the way, and we have much work to do.

I believe I have a rather unique insight into the industry and I’m passionate about protecting the infrastructure I’m charged to protect against all comers.  Make no mistake about it – if we leave the future direction of critical infrastructure protection in the wrong hands, you will start to see a decrease in the reliability and affordability of your power.  The cure, when offered by a snake-oil salesman, will be most definitely worse than the disease.

And with that, I bid you good day.


Step 1. Issue press release.
Step 2. Insert buzzwords liberally (ex. China, Russia).
Step 3. Gauge public reaction. NB. Cracking open skulls and feasting on brains == Win!

From The Wall Street Journal:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

Run screaming.

The FUD approach is an unfortunate one. Let’s be honest and call this what it is: an attempt to raise support for Senate Bill S.773. The bill can be found by searching the THOMAS search engine from the Library of Congress. At this point the full text has (still) not been uploaded. Draft copies have been seen in the wild. I’m unclear as to the legality of posting the drafts, so you won’t find them here.

Here is the description from the THOMAS site:

A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

So, a crew of contractors to build a DeathStar? Heh.

The best part is that amidst this cloud of FUD, a breather. The CSO for NERC, Michael Assante, released a letter to NERC entities. The long and the short of it is that the “come to $deity time” is upon them and they are gonna have to belly up to the bar with respect to their compliance reporting. For the ones that stuck their heads in the sand, they will soon have a boot in their ass.

From Digital Bond:

NERC entities declaring no critical assets may want to take another look at their risk based assessment methodologies. Michael Assante, NERC CSO, issued a letter to industry today that challenges self certification survey results that show only 31 percent of all entities declared at least one critical asset. Only 23 percent reported having at least one critical cyber asset. I don’t think there is anyone who can justify numbers that low. (Although I would be interested to hear it!)

And that’s the rub. Some entities will cook up some wild ass logic to avoid (in their minds) having to comply with NERC CIP.

They will fail.


I was pretty much forced to write about this article after I read it.

In an utter disregard for buzzwords, CNN Homeland Security Correspondent Jeanne Meserve has drunk heavily from the fountain of cyberdouchery. The article entitled “Smart Grid May Be Vulnerable to Hackers” briefly discusses the United States and its respective power companies anxiously deploying a high-tech power grid while simultaneously abusing the words “cyber” and “smart”.

Power companies are installing new automated meters at an astonishing rate which seems to be the first step in the roll out. The eventual goal is to improve electricity efficiency and reliability using sensors on your home meters that talk back to the power grid. President Obama is on board dishing out $4.5 billion towards all this.

So where does the problem lie?

Well some interesting quotes throughout the article define the issue very clearly. One of our friends at InGuardians, Ed Skoudis chimed in stating,

“I think we are putting the cart before the horse here to get this stuff rolled out very fast.”

Also, Matt Spaur, a product marketing analyst added my favorite tidbit,

“Any network can be hacked.”

All in all, this is obviously a huge security issue and if you even remotely (no pun intended) glanced at Live Free or Die Hard you’d get the picture. Electric grids are already “hackable”; you just have to not be afraid of heights and be a huge fan of rubber. The automation wouldn’t necessarily create many new vulnerabilities, but it would most definitely increase the risk by increasing the likelihood and severity of exploitation.

With this system in place there really is no room for “roll it out and patch it later.” We can all hope that the money makers take their time on this one and do it right.

Article Link

Note from James – When Matt submitted this story, I was pleased to see that it’s not just the bitter old timers like Dave and me who find this stuff beyond the pale. What is important to remember though is that there is room to make all of these things happen, but it needs to start with everyone, including Smart-Ass Security Youngsters like me, dropping the ego at the door and coming back with solutions rather than just pointless bitching and moaning. There’s an opportunity to be awesome here; we should all, collectively, take it.

UPDATE: Businessweek gets in on the action… watch out, you’ve managed to get your Wall Street all over my Critical Infrastructure.

Of late I have been enjoying playing with an app on my iPhone called WiFiTrak. It has been a handy way to scan for wireless networks and it doesn’t appear as obvious as it would were I carrying around a laptop. I have seen a great many open or WEP ‘secured’ corporate networks that should have been fixed a long, long time ago.

Bad vendor delivery? Well, in one case the state of New York decided that they have had their fill and pulled the rug out from under M/A-COM who was contracted to build out a public safety wireless network statewide.

From Computer World:

New York State has canceled the multibillion-dollar contract it awarded to M/A-COM to build a statewide wireless network for public safety use, saying the vendor has failed to adequately deliver on the deal.

A document released by the state showed excessive equipment failures after testing, including radios with stuck volume controls, “black screens” that render the devices unusable and microphones that randomly turn on, unintentionally transmitting audio.

According to the state, testing done in November showed that M/A-COM failed to fix 15 of 19 deficiencies described in an earlier complaint. M/A-COM, however, is disputing the charges. “We believe that M/A-COM has fulfilled its contractual obligations and delivered a state-of-the-art system that would benefit the residents of New York. We recognize that the State’s current priorities may no longer support the construction of a statewide network and we have made several attempts to address this amicably with the State. Tyco Electronics and M/A-COM will take all necessary steps to protect the company’s rights under the contract,” it said in a statement.

The state of NY still intends to build the network, but they will now have to hunt for a new vendor.

Read on.

Article Link

SCADA: there is a term that tends to scare the crap out of little children and small furry animals these days, thanks to the FUD factories. The disconnect is often painful to read about. I have read that SCADA systems are easily hacked into, and the perception that one gets from reading these stories is that all hell has broken loose and that Nero is halfway through his solo. Rather frustrating, to a fault. We hear talking heads say that the “cyberterrorists” are gunning for critical infrastructure, and that when they attack it will be catastrophic.

Well, piss on that.

Why? Simple. That’s the least of the problems that face critical infrastructure. We hear news reports about how insecure control systems are and how SCADA is so “hackable”, but has anyone stopped to wonder why that might be? The press has set upon critical infrastructure of late for the low hanging fruit. “If it bleeds, it leads.” Well, that much is true. The sector is bleeding, but not for the lack of a responsible crew manning the battlements. No, much more dire than that. Critical infrastructure has been taken hostage by its vendors. Often a patch set will come out for Windows, Linux, et cetera, and, being diligent folks, the operators try to roll out the security patches, only to be thwarted by the vendors.

Why?

Because the vendors have not “certified” the patches with regards to their software, a process that can often take an exceptional amount of time. The end result is that without that nebulous “certification” they will refuse to support their customers if those customers forge ahead with the application of said security patches.

A sad state of affairs.

Critical Infrastructure needs to get the attention it requires. The highest levels of government need to start paying close attention to these vendors that, through negligence, indifference or apathy, are jeopardizing the security of their national infrastructures. They need to have their feet held to the fire.

The Wonderware security vulnerability that was released back in March of this year has now found its way into the Metasploit framework.

The code example is available over on Milw0rm. It was posted yesterday.

From Secunia (May 08):

The vulnerability is caused due to an error within the Wonderware SuiteLink Service (slssvc.exe) when handling Registration packets. This can be exploited to cause the service to crash via a specially crafted Registration packet containing an overly large length field sent to default port 5413/TCP.

For more on this vulnerability check out CVE-2008-2005.
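The Secunia advisory above boils down to a length field in an inbound packet being trusted before it is checked against what actually arrived. The following is an added illustration, not Wonderware’s code and not the real SuiteLink wire format: the header layout (a 4-byte little-endian length followed by a client name) is a constructed assumption, used only to show the naive parse beside a hardened one that rejects an oversized or truncated registration instead of crashing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout for this example only (NOT the real SuiteLink format):
 * [4-byte little-endian length][length bytes of client name] */
#define HEADER_LEN   4
#define REG_MAX_NAME 256   /* sane upper bound for a registration name */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build a well-formed registration packet; returns bytes written or 0. */
size_t make_registration(const char *name, uint8_t *out, size_t out_cap)
{
    size_t n = strlen(name);
    if (n > REG_MAX_NAME || out_cap < HEADER_LEN + n) return 0;
    out[0] = (uint8_t)n; out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n >> 16); out[3] = (uint8_t)(n >> 24);
    memcpy(out + HEADER_LEN, name, n);
    return HEADER_LEN + n;
}

/* Naive parse: trusts the declared length. A huge value makes malloc fail
 * (NULL dereference) or memcpy read far past the packet. Do NOT use on
 * untrusted input; shown only to contrast with the hardened version. */
char *parse_registration_naive(const uint8_t *pkt, size_t pktlen)
{
    (void)pktlen;                       /* the bug: actual size ignored */
    uint32_t declared = rd_le32(pkt);
    char *name = malloc((size_t)declared + 1);
    memcpy(name, pkt + HEADER_LEN, declared);
    name[declared] = '\0';
    return name;
}

/* Hardened parse: every use of the declared length is bounded first.
 * Returns 0 and fills name on success, -1 on a malformed packet. */
int parse_registration_safe(const uint8_t *pkt, size_t pktlen,
                            char *name, size_t name_cap)
{
    if (pkt == NULL || name == NULL || pktlen < HEADER_LEN) return -1;
    uint32_t declared = rd_le32(pkt);
    if (declared > REG_MAX_NAME) return -1;            /* absurdly large */
    if (declared > pktlen - HEADER_LEN) return -1;     /* more than arrived */
    if ((size_t)declared + 1 > name_cap) return -1;    /* caller's buffer */
    memcpy(name, pkt + HEADER_LEN, declared);
    name[declared] = '\0';
    return 0;
}
```

The rejected cases (declared length beyond the cap, beyond the bytes received, or a packet shorter than its header) are exactly the inputs a crash-hunting fuzzer would find first, so logging them at the service boundary also gives a cheap detection signal.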

Over the weekend the code for the CitectSCADA exploit was incorporated into the Metasploit project. I find this of zero surprise. This has been out for some time. There is no surprise that this came to pass. OK, maybe surprise from various control operators. Short story: every script kiddie now has a chance to play SCADA hacker. Maybe they’ll even put on a crappy presentation at Defcon. Nope, scratch that. Been done.

OK, show of hands. Who didn’t see this one coming? C’mon now. Be honest. OK, for everyone who put their hands up, please see “Knuckles” out by the loading dock to collect your prize. What’s that? Oh, right. Knuckles wants to make sure you understand that it’s nothing personal.

From The Register:

The exploit code, published over the weekend as a module to the Metasploit penetration testing tool kit, attacks a vulnerability that resides in CitectSCADA, software used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. In June, the manufacturer of the program, Australia-based Citect, and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia warned the flawed software could put companies in the aerospace, manufacturing and petroleum industries at risk from outsiders or disgruntled employees.

This is really not rocket science. SCADA systems by and large are rife with problems. The culture of silence in the SCADA community would make La Cosa Nostra proud. That being said, I know of a few folks that have zero day exploits and have tried, at least in one instance, to contact the vendor. CitectSCADA basically slammed the door on one researcher. Great bridge building exercise with a researcher who is trying to help you.

But, I digress. My point is simple. The security community has tried time and again to help, only to routinely be looked down on by certain halfwits on the SCADA mailing list. Sadly, I think this may be the only way to ever get things accomplished.

Article Link

Security is an interesting thing. Some people get it. Others just have no idea. A few days ago Myrcurial found that a DHS document had been erroneously posted on the Water ISAC site. Mistakes happen, let’s be fair. But, rather than say “Yup, we goofed. It won’t happen again and here’s why”, the rather apt description of the Keystone fellas reared its head, again.

An email was sent out on the SCADA security mailing list instructing folks to cease talking about this issue (thx to anonymous for the copy).

So, being a curious sort I went to the publicly accessible archive to view the message thread so I could catch up on the story.

Only to discover that any message relating to the document posting was now deleted. Guess they might have forgotten that every subscriber on the list also has a copy.

How can one ever hope to have a frank and open discussion about security in the critical infrastructure space when the default action is to close your eyes and bury your head in the sand?

Anyway. So, I decided to go have a look at the archived document on Google. Nope, not there anymore. Guess someone had Google take the link down. Well, that showed me.

Or did it?

Oh right, there are other search engines besides Google. You might have heard of some of them, like say a small little site called Yahoo?

Yup, they have an archived copy as well. As will the rest of the search engines out there.

What’s the moral of the story? Once the genie is out of the bottle on the internet there really is no way to get that sucker back in. As our readership from the various three lettered agencies can attest.

WaterISAC and other organizations that have critical infrastructure roles really need to review their document classifications and how things get published to the web. Seriously, this isn’t rocket science. Be a little more careful next time folks.

Oh, and WaterISAC, please turn off directory browsing on your web server.
