clown

When I’m done choking on bile/have some time next week, I will write a more balanced piece. I have a loathing for the “Can’t sleep, smart grid will eat me. Can’t sleep smart grid will eat me” reporting that the mainstream media has been leaning on. That being said, the Reuters piece references sound research from some very bright folks. Mind you the article’s opening salvo…anyway.

From Reuters:

Worried about the security of the Smart Grid? You should be. Security researchers warn that the Smart Grid could become a hacker’s playground. As proof, here are four ways the Smart Grid can be hacked.

Technology Review has an excellent article outlining ways in which the Smart Grid is vulnerable. Here, based on the article, are four ways it can be hacked via the smart meters that will be in businesses and people’s homes.

The piece goes on to reference research by the likes of Travis Goodspeed and others. I had a brief chat with Travis at Black Hat and found him to be a very intelligent, nice guy. Not sure how he rocks the dreads everyday but, different strokes and all that.

Getting off topic. Anyway, in order to see ways to hack the smart grid for fun and profit follow the article link.

Article Link


headasplode

I don’t even know where to begin.

I feel like I’m being tortured by AM the media machine.

Let’s run down the list…

First, Siobhan Gorman… you {{REDACTED}} tool.

The WSJ article you wrote is such an incredible fluff piece, my high-school newspaper editor wouldn’t have permitted it.

You have all kinds of awesome quotes, except for the ones that you actually need to be attributable in order for you to call yourself a journalist. How does trolling the clip files that Rebecca Smith found for you and calling a few embassies make your article groundbreaking in any way?

Do you have NEW, SPECIFIC evidence? If you do, please forward it to the appropriate authorities or PUBLISH IT. You’ve got some speculation and it’s shit.

Next up, Dennis Fisher over at Threatpost with his “industry analyst” piece.

What the hell is your point exactly? It’s not like Kaspersky has anything to contribute here. You’re drumming up more crap without providing either details or passing your evidence to the people who need to see it.

Of course, once you’ve got one anti-virus vendor in the mix, here comes another… McAfee’s “Security Insights” blog entry by Phyllis Schneck is all about how one time, at security camp, she heard a story about a nuculer reactor being shut down by a contractor’s laptop.

And why stop at shilling your company’s failed products (why is anti-virus different from anti-spyware and sold under 200 different SKUs?)? Why not start shilling your people! Watch as the University of Pittsburgh puts a plaintive call out to say “Hey, um, we got a guy!”

Gregory Reed, a professor of electrical and computer engineering in Pitt’s Swanson School of Engineering and director of the school’s Power and Energy Initiative, is available to comment on the significance of the reported espionage as an indicator of the electric power grid’s potential vulnerability.

In the fine tradition of “Will what you’re eating now KILL YOU???? We’ll tell you at Eleven!!!” television artists news journalists at ABC News would like you to know that your phone is not powered by the local utility. (It gets its power from the seething rage of Nortel shareholders.)

To the retired engineer who wrote this screed on a ZD Net blog entry about the WSJ story… including this gem:

EVERY SCADA system that I have ever seen uses its own dedicated communication network to carry data between the Master Station (the “base”), and the substation Remote Terminal Units (RTUs) and with the powerplants.

Good lord man, SHUT THE FUCK UP. You are the reason that the system is the mess that it is – you think that’s even remotely true? I’VE NEVER SEEN A SCADA SYSTEM IN THE POWER INDUSTRY THAT WASN’T INTERNET CONNECTED. EVER.

NERC attempted to do damage control and managed to put their foot into the good work being done by their own CSO!

Cyber security is an area of concern for the electric grid. Though we are not aware of any reports of cyber attacks that have directly impacted reliability of the power system in North America to date, it is an issue the industry is working to stay ahead of. NERC and industry leaders are taking steps in the right direction to improve preparedness and response to potential cyber threats. There is definitely more to be done, and we look forward to continuing our work with the electric industry and our partners in U.S. and Canadian government to improve reliability standards, ensure appropriate emergency authority is in place to address imminent and specific cyber security threats, and ultimately ensure a safe, secure, and reliable energy future for North America.

That statement comes only one day after Michael Assante put out his ballsy “You’re not doing an ethical job of adhering to the spirit of the regulations” letter. How disingenuous is it to stab your own guy right in the back?

Those dim-witted dinosaurs at the AP, of course, go to great lengths to put in actual quotes from their unnamed source.

“The vulnerability may be bigger than we think,” the official said, adding that the level of sophistication necessary to pull off such intrusions is so high that it is “almost without a doubt” done by state sponsors.

(Please note that our team did a pen-test in 2001 and achieved access, without any more state-sponsoring than the engagement letter.)

Things do SLOWLY get better…

Forbes attempts to pull a “fair and balanced” piece out of the wreckage of “journalism” expressed so far.

The usually bright and adroit folks at the BBC even picked up the story… shame on you, you should know better. At least you quote @dakami, thus gaining back some credibility; he really does grok the issues since our face-off at DEFCON last summer (forever to be known as the “Killer Oreos” discussion).

Eventually, sanity returns and several organizations manage to put an extinguisher to all of the flaming hair…

I’m just absolutely beside myself.

Here are some facts:

  1. The grid is not secure now.
  2. The grid cannot be made secure by using existing technology and (most importantly) staff.
  3. The asset owners are working actively to avoid doing anything.
  4. The government doesn’t know where to start – in the US or elsewhere – as they are busy with other things and too pwn’d by special interest groups.
  5. There is no CIP firewall.
  6. Your product does not (in and of itself) make anything NERC compliant.
  7. There are ways to solve the problems of the existing systems, but you’re going to have to think out-of-the-box… way out.
  8. There are always bad people.
  9. It is not currently in any nation-state’s interest to destabilize the US. (I’m leaving out crazy dictatorships on purpose.)
  10. It is simply a matter of following the money.
  11. The Senate, the NSA, DHS, and others are invested in this.
  12. I’m frustrated and I wish that the WSJ had handled this story with a lot more intelligence.
  13. I need to lie down now.

Thankfully there are a few sources of humour in all of this…

Watch out for the Amish

(picture CC from waltjabsco’s flickr stream)


screaming

Step 1. Issue press release.
Step 2. Insert buzzwords liberally (ex. China, Russia).
Step 3. Gauge public reaction. NB. Cracking open skulls and feasting on brains == Win!

From The Wall Street Journal:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

Run screaming.

The FUD approach is an unfortunate one. Let’s be honest and call this what it is. It’s an attempt to raise support for the Senate Bill S.773. The bill can be found by searching the THOMAS search engine from the Library of Congress. At this point the full text has (still) not been uploaded yet. Draft copies have been seen in the wild. I’m unclear as to the legality of posting the drafts, so you won’t find them here.

Here’s the description from the THOMAS site:

A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

So, a crew of contractors to build a DeathStar? Heh.

The best part is that amidst this cloud of FUD, a breather. The CSO for NERC, Michael Assante, released a letter to NERC entities. The long and the short of it is that the “come to $deity time” is upon them and they are gonna have to belly up to the bar with respect to their compliance reporting. For the ones that stuck their heads in the sand, there will soon be a boot in their ass.

From Digital Bond:

NERC entities declaring no critical assets may want to take another look at their risk based assessment methodologies. Michael Assante, NERC CSO, issued a letter to industry today that challenges self certification survey results that show only 31 percent of all entities declared at least one critical asset. Only 23 percent reported having at least one critical cyber asset. I don’t think there is anyone who can justify numbers that low. (Although I would be interested to hear it!)

And that’s the rub. Some entities will cook up some wild ass logic to avoid (in their minds) having to comply with NERC CIP.

They will fail.

Ah, the HMI and other wonderful pieces of [REDACTED], er, software. Wesley McGrew is presenting his talk today, which delves into a vulnerability with GE Fanuc’s iFIX product.

From McGrew Security Blog:

The specific examples discussed in these slides and my talk are problems with the architecture (and password storage!) of GE Fanuc’s iFIX. The above-described vulnerabilities were discovered on version 4.5, but are also present in the recently released 5.0 (older versions almost certainly have the same problem). They were reported to US-CERT (VU# 310355) and the vendor about six months ago, and this represents the first public disclosure of the problems, though they are basic/fundamental enough that any security geek would spot them pretty quickly upon taking a look at this product.

For a copy of his slide deck click here (.PDF) (local archive, 3+ MB). UPDATE: Due to a very polite request from GE Fanuc we have elected to take down our local copy of the presentation. Sorry folks.

If you are at the SANS SCADA Summit be sure to check out Wesley’s talk.

Article Link (thx to Peter G for the link)

gorilla

SCADA: there is a term that tends to scare the crap out of little children and small furry animals these days thanks to the FUD factories. The disconnect is often painful to read about. I have read that SCADA systems are easily hacked into, and the perception that one gets from reading these stories is that all hell has broken loose and that Nero is halfway through his solo. Rather frustrating to a flaw. We hear talking heads say that the “cyberterrorists” are gunning for critical infrastructure. When they attack it will be catastrophic.

Well, piss on that.

Why? Simple. That’s the least of the problems that face critical infrastructure. We hear news reports about how insecure control systems are and how SCADA is so “hackable” but, has anyone stopped to wonder why that might be? The press has set upon critical infrastructure of late for the low-hanging fruit. “If it bleeds, it leads”. Well, that much is true. The sector is bleeding but, not for the lack of a responsible crew manning the battlements. No, much more dire than that. Critical infrastructure has been taken hostage by its vendors. Often a patch set will come out for Windows, Linux, et cetera, and, being diligent folks, they try to roll out the security patches, only to be thwarted by the vendors.

Why?

Because the vendors have not “certified” the patches with regard to their software, a process that can often take an exceptional amount of time. The end result is that without that nebulous “certification” they will refuse to support their customers if the customers forge ahead with the application of said security patches.

A sad state of affairs.

Critical Infrastructure needs to get the attention it requires. The highest levels of government need to start paying close attention to these vendors that, through negligence, indifference or apathy, are jeopardizing the security of their national infrastructures. They need to have their feet held to the fire.

The Wonderware security vulnerability that was released back in March of this year has now found its way into the Metasploit framework.

The code example is available over on Milw0rm. It was posted yesterday.

From Secunia (May 08):

The vulnerability is caused due to an error within the Wonderware SuiteLink Service (slssvc.exe) when handling Registration packets. This can be exploited to cause the service to crash via a specially crafted Registration packet containing an overly large length field sent to default port 5413/TCP.

For more on this vulnerability, check out CVE-2008-2005.


Security is an interesting thing. Some people get it. Others just have no idea. A few days ago Myrcurial found that a DHS document had been erroneously posted on the Water ISAC site. Mistakes happen, let’s be fair. But, rather than say “Yup, we goofed. It won’t happen again and here’s why”, the rather apt description of the Keystone fellas reared its head, again.

An email was sent out on the SCADA security mailing list instructing folks to cease talking about this issue (thx to anonymous for the copy).

So, being a curious sort I went to the publicly accessible archive to view the message thread so I could catch up on the story.

Only to discover that any message relating to the document posting was now deleted. Guess they might have forgotten that every subscriber on the list also has a copy.

How can one ever hope to have a frank and open discussion about security in the critical infrastructure space when the default action is to close your eyes and bury your head in the sand?

Anyway. So, I decided to go have a look at the archived document on Google. Nope, not there anymore. Guess someone had Google take the link down. Well, that showed me.

Or did it?

Oh right, there are other search engines besides Google. You might have heard of some of them, like, say, a small little site called Yahoo?

Yup, they have an archived copy as well. As will the rest of the search engines out there.

What’s the moral of the story? Once the genie is out of the bottle on the internet there really is no way to get that sucker back in. As our readership from the various three lettered agencies can attest.

WaterISAC and other organizations that have critical infrastructure roles really need to review their document classifications and how things get published to the web. Seriously, this isn’t rocket science. Be a little more careful next time folks.

Oh, and WaterISAC, please turn off directory browsing on your web server.


Yet again, it seems that the Keystone Kops are running the show in Washington.

A little bit of wandering about the tubes leads to the Water-ISAC site exposing FOUO government files…

Hrm… wonder what’s in that PDF. Looks juicy…

Hrm. There’s some interesting reading…

What’s a Boreas?

For Official Use Only

Boreas Vulnerability Checklist

A vulnerability has been identified and verified within the firmware upgrade process used in industrial control systems. Successfully exploiting this vulnerability could cause components within the control system to malfunction or shut down, potentially damaging the equipment and/or process. To identify whether a component is susceptible to this vulnerability, please review and answer the following questions.

Questions:

* Do control system components (controllers, processors, etc.) contain reprogrammable firmware?

* Is the process of reprogramming firmware potentially accomplished remotely across a network?

* Does the process of reprogramming firmware lack an authentication mechanism or is it accomplished with publicly available authentication credentials?

* Are firmware image files stored in an unencrypted format anywhere on the system?

If you answered “yes” to more than one of these questions, you are potentially susceptible to this identified vulnerability. Development and implementation of a mitigation plan is needed to protect the installed customer base and the process used in industrial control systems of the nation.

Boreas Vulnerability Mitigation Steps

* Short Term
o Disable the capability to perform remote firmware upgrade.
o Block network firmware upgrades with appropriate firewall rules.
o Use local (direct physical device access) methods to upgrade firmware.
* Long Term
o Physically secure and encrypt firmware upgrade files during development, storage, transmission and use.
o Utilize authentication techniques in next generation control system networks.
o Secure the control system network using defense-in-depth techniques.

Questions should be directed to cssp@dhs.gov, the Department of Homeland Security’s National Cyber Security Division.

Warning: This document is UNCLASSIFIED/FOR OFFICIAL USE ONLY (U/FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid “need-to-know” without prior approval of an authorized DHS official.

For Official Use Only

The Greek god of the north wind sure sounds like an awfully generalized discussion of bad firmware update practices.

This isn’t so much a technical vulnerability as it is:

  • Truly excremental design on the part of the device manufacturer
  • Facile and immature thinking on the part of the integrator/operator
  • A security advisory which would be more usefully titled “Basic IT Operations for DUMMIES”
  • About the most useless problem space description and mitigating actions discussion available on the topic
  • Yet another example of the fact that no actual hackers or criminals are interested in disrupting these systems, as it is child’s play to DoS the entire system

And yet another case which proves the point that I made at DEFCON. When you fuzz or “break” a SCADA system, generally it just stops. And in stopping, it’s up to the safety systems to keep things safe. Losing control of the cookie plant does not cause the cookie plant to start manufacturing cookies that kill you. It just makes a big mess.
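The Boreas checklist above boils down to one question: will a controller reprogram itself from an image that nobody has authenticated? The long-term mitigation it lists is exactly the check below. This is an added example, not code from the DHS document or from any vendor’s firmware loader; the image layout, the `FWIM` magic, the product key and the version numbers are all constructed for the demo, and the authentication technique (an HMAC over the image, keyed with a per-product secret held by the device) is one choice among several.

```python
"""Firmware-image acceptance check for a controller that supports network
firmware upgrades. Added example; constructed image format (not any real
vendor's), using a keyed HMAC so that an image which was not produced with
the product key is refused before any of it is parsed or written to flash.

Assumed image layout:
    magic(4) | version(uint32 BE) | payload_len(uint32 BE) | payload | tag(32)
tag = HMAC-SHA256(product_key, everything before the tag)
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                   # constructed magic value
HEADER = struct.Struct(">4sII")   # magic, version, payload_len
TAG_LEN = 32                      # SHA-256 digest length

# Constructed key for the demo. A real device would keep this in protected
# storage and the build system would hold the only other copy.
DEMO_KEY = b"constructed-demo-product-key"


def build_image(version: int, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Produce an authenticated image as the vendor's build step would."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image: bytes, installed_version: int,
                 key: bytes = DEMO_KEY) -> tuple[bool, str]:
    """Decide whether the controller may reprogram itself from `image`.

    Returns (accepted, reason) and never raises on malformed input: an
    unauthenticated sender must not be able to crash the loader either.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]

    # Authenticate before interpreting a single header field, so nothing an
    # unauthenticated sender controls influences later parsing decisions.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time compare
        return False, "bad tag"

    magic, version, payload_len = HEADER.unpack_from(body)
    if magic != MAGIC:
        return False, "bad magic"
    if payload_len != len(body) - HEADER.size:      # defence in depth
        return False, "length mismatch"
    # Anti-rollback: an old, signed-but-vulnerable image is still a valid
    # image, so refuse anything not newer than what is installed.
    if version <= installed_version:
        return False, "rollback"
    return True, "ok"
```

Blocking the upgrade port at the firewall (the short-term step) still belongs in front of this check; the HMAC only decides what the device does with whatever reaches it.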


Ah the joys of critical infrastructure. One wrong move with a software upgrade and the whole house of cards could come tumbling down.

Case in point.

From Washington Post:

A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer.

The incident occurred on March 7 at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. The trouble started after an engineer from Southern Company, which manages the technology operations for the plant, installed a software update on a computer operating on the plant’s business network.

The computer in question was used to monitor chemical and diagnostic data from one of the facility’s primary control systems, and the software update was designed to synchronize data on both systems. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant’s radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.

Um, whoops.

Article Link

From the AP:

Authorities sealed off a nuclear plant in southeastern Sweden after a welder arrived for work with a plastic bag containing traces of an explosive substance, police and plant officials said.

Investigators were questioning the man, a welder who was scheduled to do work at the Oskarshamn plant on Wednesday, police spokesman Sven-Erik Karlsson said.

Plant operator OKG downplayed the incident, saying there was no threat to the safety of the plant, located about 150 miles (250 kilometers) south of Stockholm.

Police said the man was carrying a plastic bag with an unknown amount of triacetone triperoxide, or TATP, an explosive used in the London bombings in 2007.

However, plant spokesman Anders Osterberg said there were no explosives inside the bag, though traces of an explosive substance were found on the bag’s handle.

Read on.

Article Link