Zombie webcams? Pah! It's the really BIG 'Things' that scare me I have a new name for the abundance of widgets springing up around the world: the Internet of Little Things. I’m playing with an IoLT starter kit in my office right now, and it lets me do things like sense when doors open or close, turn sockets on and off and fiddle with the mood lighting. I can spend a couple of hundred quid …
Engineers who know about the tech may well only have average computer security knowledge.
But they may also think they are smarter than the average home user.
A dangerous cocktail.
Manipulating a building control system. Not just part of the plot from MI:2.
Thing is there is ABSOLUTELY no reason for any SCADA-style system EVER being visible on the Internet. It should be behind firewall and VPN like access, and with some 2FA system as well.
Sadly the most productive way of dealing with this risk is to make the bosses of companies liable for any serious failings, and more over to have some system in place where finding a SCADA system gets both the company fined AND the finder rewarded from that money, no questions asked.
Guess how many SCADA systems would still be visible a month after that law came in to play?
"Thing is there is ABSOLUTELY no reason for any SCADA-style system EVER being visible on the Internet. It should be behind firewall and VPN like access, and with some 2FA system as well."
Take it a step further.
There may be some cases where internet access is needed. In others, however, a directly wired system would be better.
Connect your substations directly to your control room rather than via the internet. Certainly a direct connection can also be intercepted but at least it raises the ante for your attackers; they can't do it from half a continent away.
And as for Dave's suggestion that a building supervisor could turn on the aircon from home for a manager who needs to go into work, why not let such a manager have access to the local control panel instead?
LT;DR Just because you can it it via the internet it doesn't mean you have to.
"Connect your substations directly to your control room rather than via the internet."
Sounds good in principle, but difficult to implement this late in the day. Imagine the cost of directly wiring every electrical substation in the UK to all the relevant control centres.
We shouldn't be afraid of using the Internet for communications, that's what it's there for; but we should always be aware of the risks and employ appropriate security measures, which means spending money on network security - this doesn't just mean installing software; software alone is never a solution, there needs to be investment in people to monitor the systems and react when threats are detected. It's the same as real-world security, you can't just lock a door and then walk away and hope no-one with lock-picking skills comes along and opens it; you have to have security patrols to reduce the opportunity for mischief.
Sounds good in principle, but difficult to implement this late in the day. Imagine the cost of directly wiring every electrical substation in the UK to all the relevant control centres.
It would be possible to run a VPN and not connect that to the Internet at all. But more importantly, electrical power is part of the critical infrastructure since no electricity for a week and we are in serious trouble as the supply of pretty well everything is dependent on it. I can't help thinking that making the resilience of the electrical supply dependent upon the broadband infrastructure and sundry telecoms companies seems like a really bad idea. So, whilst it might be very expensive to build a private wired network incorporating every electrical substation, it does seem a very prudent thing to do. Certainly a better thing to spend money on than on smart meters.
Imagine the cost of directly wiring every electrical substation in the UK to all the relevant control centres.
It costs peanuts. BT will install a phone line for a few hundred quid + monthly rental. In the exchange it's "connected" (via some digital tricks) to a trunk & thence to a phone line at the control centre. It's a basic private circuit. Uses the same infrastructure as the internet, but is completely separated from it, and needn't even be an IP network.
>It costs peanuts. BT will install a phone line for a few hundred quid + monthly rental. In the exchange it's "connected" (via some digital tricks) to a trunk & thence to a phone line at the control centre.
I think you'd find that all you've done is outsource the packet-switched VPN to BT.
That might be a good thing if your security expertise is low, but it isn't going to be a direct connection and if someone is targeting you (rather than just using your resources) there's nothing to stop them tapping your analogue system.
There is no substitute for security expertise and good procedures.
wiring directly to a control room works brilliantly until that control room is underwater.
would you want to be the one explaining that everything north of birmingham has no power because of a burst pipe?
at least with internet connected substations if control room 1 is out of action control room 2 (100 miles away) can take over control
I used to write security tools for a global entity that ran a secure isolated network spanning 400+ countries. One of the tools I wrote wandered round the network looking for illegal routes connecting our "isolated" network to the internet. We used to see the odd packet on sensors that didn't look legitimate in origin hence the effort to quantizise the problem.
The first time I ran the scanning tool on the network, we thought it was broken when it identified 3000+ unauthorised routes, so we took a random sample and tested them for false positives manually and all were valid and breaching our security to the internet at large. A grab bag of undeclared routers, misconfigured cisco's, modems stuck in so some manager could work remote etc. And this in a company where connection of unapproved equipment was supposed to represent immediate dismissal. We spent the next year trying to get the 100 worst offenders taken out, and it was shockingly difficult to achieve because of local politics in each branch.
Chances of a scada remote connected solution being done properly? not very much, I doubt they even want to spend the resource to find out how exposed they are, let alone resolve it.
I've seen some remote connected business automation servers too, and they make me shudder with how insecure and lackadasical they are. Most of the efforts seem to be involved in getting the server to stay up for more than a couple of days at a time, let alone resist a remote attack.
"I used to write security tools for a global entity that ran a secure isolated network spanning 400+ countries"
Quite impressive given that there are less than half that many in reality. From http://www.worldatlas.com/nations.htm :
"Depending upon the source you acknowledge, there may be 189, 191, 192, 193, 194, 195 or 196 independent countries in existence upon our globe today."
Yes I should have wrote "countries including dependancies, offshore, quasi-dependancies, remote islands and bits we've got two main offices in because we pretend theyre seperate entities" but I figured people would work that out for themselves having seen how the average network evolves in the real world over time from neat tidy principles into some sprawling unmanageable spaghetti beast, apart from the odd pedant.
doors, sensors, lights.
None of that needs the Internet.
Plenty of simple boxes / boards / routers etc with ethernet or wifi can securely connect the controller(s) of little things. That's the only sensible architecture, though in most cases don't connect sensors or controllers to the internet.
Such cheap controllers / kits are THIRTY years old.
I used to work with Modbus based devices that had tried to implement security. They had added an extension to modbus that required you to send a special message type with a password before they would respond to any other requests. After a period of 30 minutes idle, the password would be required again.
When they implemented it, the devices used serial connections for all their comms so it wasn't so terrible (just not great); unfortunately someone had later thought, we can add a serial to ethernet converter to the back of the device and sell it at a huge premium (over $3k). This meant that you had an authorised computer that would unlock the device and then poll it for data every minute so that anyone else on the network could just make requests and it would respond without requiring them to authenticate. The device's software didn't understand that the requests were any different to the ones from the authorised computer as it only understood serial.
Good example of how companies can add functionality without considering the security consequences. And these devices were from the market leader who had sold tens of thousands of these devices around the world, many of them controlling critical infrastructure with potential for huge damage (and potential loss of life) if they were tampered with.
MODBUS security can be done. Any system with MODBUS capability should support write windowing and any TÜV approved system must. So if correctly configured you should not be able to write to things that should not be written to. If a factory conveyer that can legitimately be written to tries to achieve 1000mph because there's no bounds limit on your motor drive then it is not configured correctly. No amount of added security layers will be enough if the ones that are there are not used correctly. If a device doesn't support write windowing use something else or add a MODBUS firewall such as a Tofino.
Really big stuff, refineries and so on, will be protected adequately. There are plenty of standards and networking talent in the industry. The risky ones are the medium sized installations where there likely isn't the budget. Where refineries have been hacked it has only been office systems affected. Stuxnet sure but that was exceedingly targeted, relied on massive target knowledge that could not all be obtained remotely and required meatspace delivery. I would argue that IoBT is pretty good so long as we don't get complacent.
Building HVAC and substations are perfect examples of the scale of stuff that is likely to be vulnerable. Internet of Medium sized Things. IoMT. And within that space there's little impact in an office HVAC trying to make the building a fridge. There is impact beyond the fence when a substation goes down. So the ones to worry about are a subset of IoMT.
By your logic, the Iranian centrifuges should have been fine. And we DO have at least one nation-state targeting ICSs--as was mentioned happened in Ukraine. In the event of serious hostilities, expect really bad things to be attempted.
Google runs hard lines to its datacenters because its internal network might go down. These things are not optional, and, if done right, can move the decimal point around quite a bit.
No I am not saying the Iranian centrifuges should have been fine, just the opposite. When faced with a nation state attack with resources that vast you are going to lose. Natanz was not internet connected, the attack was delivered on a USB stick.
The biggest facility to come under remote cyber attack over an internet connection is Saudi Aramco. Here the office systems were infected and there was a big cleanup to be done. But squiddly dot happened to the plant. Big plant, deep pockets, correctly implemented layered defences were effective in this case at preventing the attack reaching the systems that matter.
"...within that space there's little impact in an office HVAC trying to make the building a fridge. There is impact beyond the fence when a substation goes down."
I could be missing something here, but a few blocks of buildings in midtown Manhattan all suddenly cranking heat AND AC to maximum seems like it would play hob with power substations without an attacker ever having to target them directly. There MAY be a dividing line between "Stuff We Don't Have to Worry About" and "Stuff We Have to Worry About", but I'm not sure where that line is, and I don't think that this is it.
(But then, I tend to be a bit paranoid -- Don't ask what I was expecting to find out that the REAL plan on 9/11 was!)
you can aim them all at the sky and capture aload of UFO's with motion detection
https://www.youtube.com/playlist?list=PL2JTSTxq2fcX1r9witd9TAetGlr80WI7d
"if your living room’s funky lighting suddenly flips from red to blue and the Sonos starts playing Justin Bieber on a loop it’s hardly life-changing."
All the other useful information and discussion aside, it's hard to take the author seriously after reading this phrase. Hardly life-changing? Bieber on a loop? Good Grief!
(On a more serious note, "Bieber on a loop" may become my new expostulation.)
How about the impact of someone turning your central heating on full blast and your fridge-freezer off the day you set out for a two week cruise?
Or maybe turning on all the burners on your stove (just because they can)? Or unlocking the front door? Or starting your car?
All because you felt the need for mood lighting on the cheap and fell in love with the ease of the Internet of Tat.
All this idiot stuff needed to be thought out better years ago.
The big white elephant that nobody is discussing is self-driving cars or, worse, self driving lorries. We've seen the effectiveness of vechicles as terrorist weapons. How about a fleet of compromised self-driving vechicles? All the lovely devices required to avoid hitting pedestrians or other vechicles can just a easily be used to target them deliberatly. And Google et al have already proven that they can't make make a secure OS.
It's strange thing this IoS stuff. We in IT see the need for security and keeping things locked down. The number of hacks/attacks alone point to that. The manufacturers don't care as they're hitting their profit margins and happy. So we look to the regulators and what to we find... "Meh. No regulation needed until someone is hurt".
It's going to get a lot worse before it gets better. The longer everyone puts off security on crap, the worse the shitstorm will be when it finally hits. Pretty damn sad that the only ones who are those of us in IT who will have to clean up the messes because no one else can be arsed to demand that this stuff be fixed and fixed quickly.
Big Co's.
With Really Big Things.
Plugged into the intertubez with little to no security.
Scary stuff yes.
News?
Noooooooooo.
There is a device in a plant that I drive by every day. It does the job of about 15 people. It freaking *advertises* both its existence, and that it has no security on its wifi connection. <and that's just from my 10 year old asking "Can I use this wifi dad?" when we were parked across the street>
<appropriate icon>
If you put such a device on the internet, most likely you will at least give some thought to security. The problem is more the devices that are only connected to internal networks, and thus being "safe", are left with default configurations/passwords, or passwords that have never been changed even as employees have left, or never get patched, or other associated problems.
Then all you need to do to attack it is gain access to the internal network. Generally that isn't going to be very hard, even if it has perfect firewalls that that protected against all known and unknown hacks and malware entering from outside, all you need to do is compromise one device that gets carried inside by an employee or contractor, and then you have a jumping off point to attack the ICS, or attack other systems/networks that serve as the gateway to the ICS.
So here's the thing..The service provider supporting the day to day operations is off shore, the security ops team looking after the SCADA system is off shore, the vendor supporting the SCADA application wants to get feeds from the SCADA system to debug any developing issues. The analytics for the millions of SCADA points which will provide valuable detail to allow for the reduction of costs to the consumer of the electricity, gas and water distributed by the SCADA system is in the CLOUD. Lets' now talk about the customer who wants real time data about his utility and it's required by the regulator to tell him whenever he has an outage. "Thing is there is ABSOLUTELY no reason for any SCADA-style system EVER being visible on the Internet. " is a mind set of the 60's when we all paid our bills at the utilities office.
What is needed is to provide applications where the security is not applied last, where protocols that require control can't be spoofed, where malware can't exist because the surface is so small that it is detected as soon as it is present.
SCADA systems are legacy applications which have all had a face lift but even that face lift just added a larger attack surface to make it look more modern or run it in a browser.
The dark web is only now being pointed at SCADA and we don't understand the pay off to the actors who will successfully find the exploit that brings our modern community to it's knees.
Advice: stock up on water, batteries, candles.
The dark web is only now being pointed at SCADA and we don't understand the pay off to the actors who will successfully find the exploit that brings our modern community to it's knees.Advice: stock up on water, batteries, candles.
That's the thing that scares me the most about the coming "darkness" - when these things start to get exploited or when some natural disaster causes issues. When we were kids (assuming you're in the right age group, apols if you're a lot younger :) ) just about every one who had a yard had a garden, enough food growing to support the family for a few days or weeks. People had food stockpiled; cupboards laden with tinned goods etc. And people had "alternative cooking systems" as well. Of course, this was back in the days when you could have a couple of decent (more than a few hours) blackouts in a year, rather than today where you can go for years without blackouts. People trusted that power/water etc would generally be there, but they also knew that it could fail and they were prepared.
Now? How many households in the western world have less than a weeks supply of food and less than a few hours supply of water? How many are solely reliant on electricity for cooking and heating? Even worse would be a major disruption to out food delivery - most people only get their food from a supermarket and would be lost without them, and those of us who do have stores of food could become targets for those who didn't plan ahead.
Kill the power for long enough in winter, or kill the supermarkets, watch as the chaos and panic soon sets in (may get a week's grace)... El Reg we need a "scares the shit out of me" icon!
The other, arguably more fundamental difference between IoLT and SCADA / ICS / IoBT is the motivation, intention and resources of attackers. Few financial fraudsters want to shut down the power grid (or just blow up everyone's gennys or aircon units) -- WannaCry being the exception that proves the rule; I bet when the authors realised their sorcerer's apprentice code was happily self-replicating in the NHS they had a brown trousers moment, because (a) no pay off, and (b) srs investigatory response likely to be forthcoming. As with the Ukrainian power network and a few other such incidents, any deliberate targeted attacks are far more likely to be state actors. It follows that they have rather more srs aims, goals and objectives. They're not after your credit cards, they're after triggering massive disruption in your country's infrastructure.
Blue Team TTP flow from this understanding.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
