[LINK] America's Hackable Backbone

[Richard Chirgwin]

Bernard Robertson-Dunn wrote:
> <brd>
> Now I have a metal hip joint, I get seriously frisked every time I go 
> through airport security.
>
> This, I am told is for my own safety.
>
> But is critical infrastructure protected? Doesn't look like it, from 
> this story.
>
> There's a distinct lack of balance and completeness in all this 
> anti-terrorism stuff. It's almost as though those who are elected to 
> represent us want to be seen to be doing something, even if it is less 
> than useful and over the top. When what they should be doing is 
> everything that needs to be done and at a consistent level.
> </brd>
...Balance and completeness? There's none at all. Cyberterror is like 
Goosebumps books: "scare and sell".

The facts of the Vitek Boden case are misreported (he did not "remotely" 
access the network; he directly accessed the network. That is, he used a 
node on the network to log into the network, nothing "remote" about it).

The facts of the New York State electricity shutdown are misreported, in 
that the denial that Slammer was involved was based on identifying the 
system that really caused the problem - IIRC, a Unix system managed by 
General Electric as contractor, but I may have slipped.

The facts of the "nuclear plant break-in" are reported from a single 
source with no verification.

The simplest solution is to completely disconnect critical SCADA from 
the Internet, and use only private networks: Dark fibre, private 
point-to-point radio networks, DDS links, naked copper ... etc. But this 
"simplest solution" doesn't leave room for a good Goosebumps book.

My summary of the Forbes piece: there's so much steaming dung it's hard 
to find nourishment...

RC
>
> America's Hackable Backbone
> Andy Greenberg,
> 08.22.07, 6:00 PM ET
> Forbes
> http://www.forbes.com/2007/08/22/scada-hackers-infrastructure-tech-security-cx_ag_0822hack.html 
>
>
> The first time Scott Lunsford offered to hack into a nuclear power 
> station, he was told it would be impossible. There was no way, the 
> plant's owners claimed, that their critical components could be 
> accessed from the Internet. Lunsford, a researcher for IBM's Internet 
> Security Systems, found otherwise.
>
> "It turned out to be one of the easiest penetration tests I'd ever 
> done," he says. "By the first day, we had penetrated the network. 
> Within a week, we were controlling a nuclear power plant. I thought, 
> 'Gosh. This is a big problem.'"
>
> In retrospect, Lunsford says--and the Nuclear Regulatory Commission 
> agrees--that government-mandated safeguards would have prevented him 
> from triggering a nuclear meltdown. But he's fairly certain that by 
> accessing controls through the company's network, he could have 
> sabotaged the power supply to a large portion of the state. "It would 
> have been as simple as closing a valve," he says.
>
> The disturbingly vulnerable system that Lunsford hijacked is powered 
> by Supervisory Control and Data Acquisition software, or SCADA, a type 
> of software made by companies including Siemens (nyse: SI - news - 
> people ), ABB (nyse: ABB - news - people ), Rockwell Automation (nyse: 
> ROK - news - people ) and Emerson.
>
> SCADA systems are used around the country to control infrastructure 
> like water filtration and distribution, trains and subways, natural 
> gas and oil pipelines, and practically every kind of industrial 
> manufacturing. And as some security professionals are pointing out, 
> those weaknesses are increasingly connected to the Internet, leaving 
> large parts of America's critical infrastructure exposed to anyone 
> with moderate information technology training and a laptop.
>
> At the DefCon hacker conference earlier this month, security 
> researcher Ganesh Devarajan gave a presentation detailing how 
> researchers can find flaws in SCADA systems using "fuzzing," a 
> technique that floods software with data and tracks which input causes 
> a crash, allowing hackers to inject their own commands.
>
> "These are simple bugs, but very dangerous ones," says Devarajan, 
> associate security analyst at 3Com-owned security firm TippingPoint. 
> He says he's alerted SCADA software vendors to all the flaws he's 
> found, but he nonetheless imagines a scenario in which someone plants 
> a contaminant in a water reservoir and hacks into water-quality sensor 
> systems to prevent detection. "If someone can provide false data," he 
> says, "They own the system."
>
> To be sure, the threat of attacks on major SCADA systems isn't 
> entirely new, and the wave of cyberterrorism predictions that followed 
> Sept. 11, 2001, have largely been dismissed as hype and paranoia. But 
> given SCADA systems' vulnerability, many experts wonder why those 
> attacks haven't yet materialized.
>
> One answer may be the sheer complexity of major infrastructure 
> systems: Though SCADA computers have weak external security, 
> controlling them takes engineering expertise. Most hackers could only 
> gain enough control to create the fear that they're capable of 
> something worse, says Alan Paller, director of the SANS Institute.
>
> That means that even if outright attacks aren't increasing, there's a 
> growing threat of extortion, says Paller. In fact, the SANS Institute 
> hosts a crisis response center for cyberattacks, and Paller says he's 
> learned of multiple threats within the last year and a half from 
> hackers claiming to have infiltrated SCADA systems and demanding 
> ransom. Other shakedowns have likely gone unreported.
>
> Paller predicts that those incidents will increase. "There's been very 
> active and sophisticated chatter in the hacker community, trading 
> exploits on how to break through capabilities on these systems," he 
> says. "That kind of chatter usually precedes bad things happening."
>
> Extortion is more than an economic problem; racketeers could easily 
> trigger an accident while trying to demonstrate control over a 
> facility, says Marcus Ranum, chief security officer for Tenable 
> Security. "To spin a pump or move a valve, you don't have to be a 
> petroleum engineer," he says. "Then again, you could spin the wrong 
> pump and blow something up."
>
> Not every SCADA sabotage scenario is so hypothetical. In 2000, Vitek 
> Boden, a 48-year-old man fired from his job at a sewage-treatment 
> plant in Australia, remotely accessed his former workplace's computers 
> and poured toxic sludge into parks and rivers; he hoped the plant 
> would re-hire him to solve the leakage problem.
>
> In January of 2003, computers infected with the Slammer worm shut down 
> safety display systems at the Davis-Besse power plant in Ohio, though 
> the plant was already shut down at the time. Seven months later, 
> another computer virus was widely suspected by security researchers of 
> leading to a power loss at a plant providing electricity to parts of 
> New York State, despite the Nuclear Regulatory Commission's argument 
> that no evidence of virus-involvement was found.
>
> SCADA systems' lack of security features is a symptom of their age; 
> most were developed at a time when critical infrastructure systems 
> weren't connected to the Internet and needed no intrusion prevention. 
> Some have a 20-year life span, making them obsolete for years after 
> they're installed. And many of the companies that develop SCADA 
> software make installing security patches difficult or, fearing that 
> patches will hamper the software's operation, don't offer customer 
> support for patched systems.
>
> All of which still leaves U.S. infrastructure open to crippling 
> attacks by criminal hackers or cyberterrorists, says Jim Christy, 
> director of future exploration at the Department of Defense's Cyber 
> Crime Center. "This is an Achille's heel for several of our critical 
> systems," Christy says. "Nation-states and terrorist organizations are 
> definitely looking at this as an option, a weapon of mass disruption."
>
> That kind of risk means major security changes are necessary, says 
> Christy. But because SCADA systems are largely owned by the private 
> sector, critical infrastructure like power plants and water systems 
> may remain vulnerable until the problem affects profits--or leads to 
> disaster. Christy argues that we can't wait that long: His unofficial 
> opinion is that SCADA needs government regulation.
>
> "The government mandates fire sprinklers. Those cost builders money, 
> but they save property and lives," he says. "If critical 
> infrastructure is important to our national security, shouldn't there 
> be minimum standards it has to meet?"
>
>