<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Waterfall Security Solutions &#187; 2008</title>
	<atom:link href="http://www.waterfallsecurity.com/category/knowledge/from-the-web/2008/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.waterfallsecurity.com</link>
	<description>Waterfall Security Solutions</description>
	<lastBuildDate>Mon, 30 Jan 2012 12:37:48 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Hackers Have Attacked Foreign Utilities, CIA Analyst Says</title>
		<link>http://www.waterfallsecurity.com/hackers-have-attacked-foreign-utilities-cia-analyst-says-jan-09/</link>
		<comments>http://www.waterfallsecurity.com/hackers-have-attacked-foreign-utilities-cia-analyst-says-jan-09/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 12:04:01 +0000</pubDate>
		<dc:creator>doron</dc:creator>
				<category><![CDATA[2008]]></category>

		<guid isPermaLink="false">http://waterfallsecurity.com/?p=589</guid>
		<description><![CDATA[ 
In a rare public warning to the power and utility industry, a CIA analyst this week said cyber attackers have hacked into the computer systems of utility companies outside the United States and made demands, in at least one case causing a power outage that affected multiple cities. &#8220;We do not know who executed these [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone" title="WashingtonPost_Logo" src="http://waterfallsecurity.com/wp-content/uploads/2009/11/WashingtonPost_Logo.JPG" alt="WashingtonPost_Logo" width="281" height="44" /> </p>
<p>In a rare public warning to the power and utility industry, a CIA analyst this week said cyber attackers have hacked into the computer systems of utility companies outside the United States and made demands, in at least one case causing a power outage that affected multiple cities. &#8220;We do not know who executed these attacks or why, but all <span id="more-589"></span>involved intrusions through the Internet,&#8221; Tom Donahue, the CIA&#8217;s top cybersecurity analyst, said Wednesday at a trade conference in New Orleans.</p>
<p>Donahue&#8217;s comments were &#8220;designed to highlight to the audience the challenges posed by potential cyber intrusions,&#8221; CIA spokesman George Little said. The audience was made up of 300 U.S. and international security officials from the government and from electric, water, oil and gas companies, including BP, Chevron and the Southern Co. &#8220;We suspect, but cannot confirm, that some of the attackers had the benefit of inside knowledge,&#8221; Donahue said. He did not specify where or when the attacks took place, their duration or the amount of money demanded. Little said the agency would not comment further.</p>
<p>The remarks come as cyber attackers have made increasingly sophisticated intrusions into corporate computer systems, costing companies worldwide more than $20 billion each year, according to some estimates. Cyber extortion is a growing threat in the United States, and attackers have radically increased their take from online gambling sites, e-commerce sites and banks, which pay the money to prevent sites from being shut down and to keep the public from knowing their sites have been penetrated, said Alan Paller, research director at the SANS Institute, the cybersecurity education group that sponsored the meeting.</p>
<p>&#8220;The CIA wouldn&#8217;t have changed its policy on disclosure if it wasn&#8217;t important,&#8221; Paller said. &#8220;Donahue wouldn&#8217;t have said it publicly if he didn&#8217;t think the threat was very large and that companies needed to fix things right now.&#8221; Over the past year to 18 months, there has been &#8220;a huge increase in focused attacks on our national infrastructure networks, . . . and they have been coming from outside the United States,&#8221; said Ralph Logan, principal of the Logan Group, a cybersecurity firm.</p>
<p>It is difficult to track the sources of such attacks, because they are usually made by people who have disguised themselves by worming into three or four other computer networks, Logan said. He said he thinks the attacks were launched from computers belonging to foreign governments or militaries, not terrorist groups.</p>
<p>Over the past 10 years, electric utilities, pipelines, railroads and oil companies have used remotely controlled and monitored valves, switches and other mechanisms. This has resulted in substantial savings in manpower and other costs. But to do that, the companies have installed wireless Internet connections to link the devices to central offices.</p>
<p>&#8220;In the past, if they wanted to go out and read a gauge on a gas well, for example, they would have to send a technician in his vehicle; he would drive 100 miles and physically read the gauge and get back in his truck,&#8221; Logan said. &#8220;Now they can read it from headquarters. But it allows attackers a gateway into the system.&#8221;</p>
<p>In addition, within the companies&#8217; main offices, control equipment can be accessed from more computers than in the past. The electric utility industry has also been adding software that allows more coordination among different parts of the electricity grid and will ultimately allow utilities and individuals to control devices remotely.</p>
<p>This is a central part of what many firms call the &#8220;utility of the future,&#8221; which will be better able to save energy and reduce greenhouse gas emissions. &#8220;Often there are authentication methods that are less than secure,&#8221; Logan said. &#8220;Sometimes there are no authentication methods.&#8221;</p>
<p>On Thursday, the Federal Energy Regulatory Commission approved eight cybersecurity standards for electric utilities. They involve identity controls, training, security &#8220;perimeters,&#8221; physical security of critical cyber equipment, incident reporting and recovery. The U.S. electricity grid has always been vulnerable to outages. &#8220;Cybersecurity is a different kind of threat, however,&#8221; Joseph T. Kelliher, the commission&#8217;s chairman, said in a statement this week. &#8220;This threat is a conscious threat posed by a single hacker, or even an organized group that may be deliberately trying to disrupt the grid.&#8221;</p>
<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/Hackers_Have_Attacked_Forei_Mar09.pdf" target="_blank">View the article</a></p>
<p>By Ellen Nakashima and Steven Mufson</p>
<p>The Washington Post, January 19, 2008</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/hackers-have-attacked-foreign-utilities-cia-analyst-says-jan-09/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Britain &#8216;under constant attack in cyberwar&#8217;</title>
		<link>http://www.waterfallsecurity.com/britain-under-constant-attack-in-cyberwar-telegraph-aug-08/</link>
		<comments>http://www.waterfallsecurity.com/britain-under-constant-attack-in-cyberwar-telegraph-aug-08/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 12:25:32 +0000</pubDate>
		<dc:creator>doron</dc:creator>
				<category><![CDATA[2008]]></category>

		<guid isPermaLink="false">http://waterfallsecurity.com/?p=615</guid>
		<description><![CDATA[ 
The Government has warned a cyberwar is being waged against Britain with key computer networks coming under attack every day.
Lord West of Spithead, the Security Minister, said a mixture of state-sponsored hackers and &#8220;those operating at a terrorist level&#8221; regularly tried to break into key networks such as banking, electricity and telecommunications.
Although he said the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-616 alignnone" title="Telegraph logo" src="http://waterfallsecurity.com/wp-content/uploads/2009/11/Telegraph-logo.JPG" alt="Telegraph logo" width="139" height="35" /> </p>
<p><strong>The Government has warned a cyberwar is being waged against Britain with key computer networks coming under attack every day.</strong></p>
<p>Lord West of Spithead, the Security Minister, said a mixture of state-sponsored hackers and &#8220;those operating at a terrorist level&#8221; regularly tried to break into key networks such as banking, electricity and telecommunications.<span id="more-615"></span></p>
<p>Although he said the Government was confident about its cyber-defences, he said: &#8220;If you take the whole gamut of threats, from state-sponsored organisations to industrial espionage, private individuals and malcontents, you&#8217;re talking about a remarkable number of attempted attacks on our system &#8211; I&#8217;d say in the thousands.</p>
<p>&#8220;Some are spotted instantly. Others are much, much cleverer.&#8221; Lord West said the most serious threat came from terrorist-backed hackers trying to break into systems such as the National Grid. Meanwhile state-sponsored organisations were more likely to want to conduct industrial espionage and steal commercial secrets. He did concede threats to the national infrastructure were assessed as part of the National Risk Register, and the Government was confident about the country&#8217;s cyber-defences.</p>
<p>Earl Zmijewski, an analyst with Renesys, a company that monitors internet traffic, said: &#8220;We&#8217;re building this house of cards at the moment &#8211; connecting elements of our financial systems, as well as the systems which control nuclear power or water distribution, to the internet, and it&#8217;s a very open environment. I can launch an attack on you from anywhere.&#8221;</p>
<p>Lord West&#8217;s warning comes as security experts in the US said they had uncovered evidence of Russia having carried out state-sponsored cyber-warfare against Georgia by attacking government computer networks during the recent conflict.</p>
<p>The Russian Government admitted the possibility that individuals based in Russia might have been responsible for the attacks &#8211; overloading several sites based in the central town of Gori, causing them to collapse &#8211; but denied state involvement.</p>
<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/12/BritainUnderConstantAttackInCyberwarTelegraphAug08.pdf" target="_blank">View the article</a></p>
<p>By Chris Irvine</p>
<p>August 2008, Telegraph</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/britain-under-constant-attack-in-cyberwar-telegraph-aug-08/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT chiefs warn of cyber-terrorism threat</title>
		<link>http://www.waterfallsecurity.com/it-chiefs-warn-of-cyber-terrorism-threat-afp-aug-08/</link>
		<comments>http://www.waterfallsecurity.com/it-chiefs-warn-of-cyber-terrorism-threat-afp-aug-08/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 12:27:40 +0000</pubDate>
		<dc:creator>doron</dc:creator>
				<category><![CDATA[2008]]></category>

		<guid isPermaLink="false">http://waterfallsecurity.com/?p=618</guid>
		<description><![CDATA[ 
KUALA LUMPUR (AFP) — The threat of cyber-terrorism is growing and most countries are vulnerable to attacks that can shut down critical infrastructure, global experts told a conference here Tuesday. &#8220;The hard reality is that (information technology) has become a tool for cybercrime and cyberterrorism,&#8221; said Hamadoun Toure from the United Nations&#8217; International Telecommunications Union.
&#8220;Cybersecurity [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-619 alignnone" title="AFP_Logo" src="http://waterfallsecurity.com/wp-content/uploads/2009/11/AFP_Logo.PNG" alt="AFP_Logo" width="98" height="53" /> </p>
<p>KUALA LUMPUR (AFP) — The threat of cyber-terrorism is growing and most countries are vulnerable to attacks that can shut down critical infrastructure, global experts told a conference here Tuesday. &#8220;The hard reality is that (information technology) has become a tool for cybercrime and cyberterrorism,&#8221; said Hamadoun Toure from the United Nations&#8217; <span id="more-618"></span>International Telecommunications Union.</p>
<p>&#8220;Cybersecurity must be the cornerstone of every aspect of keeping ourselves, our countries and our world safe,&#8221; he told the conference, which the Malaysian hosts are billing as the first on cyber-terrorism and security. Toure dismissed as a dangerous myth the idea that events in the virtual world have only a limited impact on the physical world, saying that technology has &#8220;changed the dynamics of terrorism&#8221;.</p>
<p>Small groups or even individuals are capable of gaining control of millions of computers &#8220;which can be used, for instance, to launch denial-of-service attacks on a nation&#8217;s critical infrastructure,&#8221; he said. Malaysia said it was launching a global centre to combat cyber-terrorism which will provide an emergency response to high-tech attacks on economies and trading systems around the world.</p>
<p>Prime Minister Abdullah Ahmad Badawi said the centre, which is expected to be built by the end of the year at the nation&#8217;s IT hub of Cyberjaya, south of Kuala Lumpur, will be funded by governments and the private sector. &#8220;Every aspect of our daily lives, from communications, public utilities, financial networks to national defence&#8230; are highly dependent on information and communications technology to function,&#8221; he told the conference.</p>
<p>Abdullah said the threat of cyber-terrorism could no longer be ignored by governments, especially in the most &#8220;wired&#8221; parts of the world. &#8220;The extent of harm and damage that these cyber-threats can pose to our societies and nations should never be underestimated. Any vulnerability can easily be exploited to bring about truly catastrophic consequences,&#8221; he said.</p>
<p>Eugene Kaspersky, founder and CEO of Russian-based anti-virus experts Kaspersky Lab, said the number of cyber-criminals had leapt more than tenfold since last year. &#8220;This means the Internet environment is getting more dangerous&#8230; there&#8217;s nothing to stop them,&#8221; he said. David Thompson, chief information officer of anti-virus systems manufacturer Symantec Corp., said that the risk of cyber-terrorism grew as nations became more developed. &#8220;Most countries are vulnerable to cyber terrorism, it&#8217;s just that some are more prepared than others,&#8221; he said.</p>
<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/12/ITChiefsWarnOfCyberTerrorismThreat_AFPAug08..pdf" target="_blank">View the article</a></p>
<p>August 2008, AFP</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/it-chiefs-warn-of-cyber-terrorism-threat-afp-aug-08/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>U.S. at risk of cyber attacks, experts say</title>
		<link>http://www.waterfallsecurity.com/u-s-at-risk-of-cyber-attacks-experts-say-aug-08/</link>
		<comments>http://www.waterfallsecurity.com/u-s-at-risk-of-cyber-attacks-experts-say-aug-08/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 13:05:01 +0000</pubDate>
		<dc:creator>doron</dc:creator>
				<category><![CDATA[2008]]></category>

		<guid isPermaLink="false">http://waterfallsecurity.com/?p=643</guid>
		<description><![CDATA[ 
The next large-scale military or terrorist attack on the United States, if and when it happens, may not involve airplanes or bombs or even intruders breaching American borders. Instead, such an assault may be carried out in cyberspace by shadowy hackers half a world away. And Internet security experts believe that it could be just [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/USatRiskOfCyberattackAug18th2008.pdf" target="_blank"><img class="size-full wp-image-425 alignnone" title="CNN_Logo" src="http://waterfallsecurity.com/wp-content/uploads/2009/11/CNN_Logo.png" alt="CNN_Logo" width="173" height="45" /></a> </p>
<p>The next large-scale military or terrorist attack on the United States, if and when it happens, may not involve airplanes or bombs or even intruders breaching American borders. Instead, such an assault may be carried out in cyberspace by shadowy hackers half a world away. And Internet security experts believe that it could be just as devastating to the <span id="more-643"></span>U.S.&#8217;s economy and infrastructure as a deadly bombing.</p>
<p>Experts say last week&#8217;s attack on the former Soviet republic of Georgia, in which a Russian military offensive was preceded by an Internet assault that overwhelmed Georgian government Web sites, signals a new kind of cyberwar, one for which the United States is not fully prepared.</p>
<p>&#8220;Nobody&#8217;s come up with a way to prevent this from happening, even here in the U.S.,&#8221; said Tom Burling, acting chief executive of Tulip Systems, an Atlanta, Georgia, Web-hosting firm that volunteered its Internet servers to protect the nation of Georgia&#8217;s Web sites from malicious traffic.</p>
<p>&#8220;The U.S. is probably more Internet-dependent than any place in the world. So to that extent, we&#8217;re more vulnerable than any place in the world to this kind of attack,&#8221; Burling added. &#8220;So much of what we&#8217;re doing [in the United States] is out there on the Internet, and all of that can be taken down at once.&#8221;</p>
<p>&#8220;This is such a crucial issue. At every level, our security now is dependent on computers,&#8221; said Scott Borg, director of the United States Cyber Consequences Unit, a nonprofit research institute. &#8220;It&#8217;s a whole new era. Political and military conflicts now will almost always have a cyber component. The chief targets will be critical infrastructure, and the attacks will emerge from within our own computer systems.&#8221;</p>
<p>Hackers mounted coordinated assaults on Georgian government, media, banking and transportation sites in the weeks before Russian troops invaded. Known as distributed denial of service, the attacks employ multiple computers to flood networks with millions of simultaneous requests, overwhelming servers and crippling Web sites.</p>
<p>Hackers shut down the Web site of the Georgian president, Mikheil Saakashvili, for 24 hours and defaced the Georgian parliament site with images of Adolf Hitler. Saakashvili blamed Russia for the attacks, although the Russian government said it was not involved.</p>
<p>Web sites and computer networks have been targeted by hackers for decades, although large-scale, coordinated cyberattacks are still a relatively new phenomenon. Some Internet-security experts believe that the Georgia conflict marks the first time a known cyberattack has coincided with a ground war, but others said that similar computer attacks have accompanied military operations in the Middle East and elsewhere.</p>
<p>The challenge to U.S. security experts is that such attacks can be mounted anonymously, and relatively cheaply, from anywhere in the world. Georgia&#8217;s attackers employed &#8220;botnets,&#8221; or malicious automated programs that take root undetected in far-flung computers and barrage their targets with useless data. By last Friday, some of those botnets were originating from Comcast Internet addresses in the United States, Burling said.</p>
<p>&#8220;It only takes a couple of experts; it doesn&#8217;t take a whole cyber infantry division to pull something like this off,&#8221; said Don Jackson, director of threat intelligence for SecureWorks, an Atlanta-based computer security firm. &#8220;For a very small investment in resources, you can have a huge impact.&#8221;</p>
<p>In the United States, government computer networks parry millions of attempted intrusions every day, Internet-security experts say. The U.S. Department of Homeland Security created a National Cybersecurity Center this year to coordinate federal cyberdefense efforts and quicken responsiveness. However, a recent Homeland Security Department intelligence report, obtained by The Associated Press, concluded that there are no effective means to prevent a coordinated attack on U.S. Web sites.</p>
<p>&#8220;When it comes to our government IT security, we&#8217;re pretty strong in protecting against [attacks],&#8221; Homeland Security spokesman William R. Knocke told CNN. &#8220;But I wouldn&#8217;t say &#8230; we&#8217;re 100 percent impenetrable.&#8221; So what would a cyberattack on the United States look like? And where is the U.S. most vulnerable? It depends on who you talk to.</p>
<p>Borg does not believe that the U.S. is susceptible to the kind of attacks launched at Georgia. &#8220;We can command so much bandwidth that it&#8217;s hard to overwhelm our servers,&#8221; he said. &#8220;We are vulnerable to more sophisticated attacks, but right now most of the people who want to do us harm don&#8217;t have those capabilities.&#8221;</p>
<p>The Web sites of key government security agencies, such as the Pentagon and the Central Intelligence Agency, are difficult to bring down, experts said. So are the computer networks of large American banks. But experts say a successful, large-scale attack on U.S. computer systems could hobble electric-power grids, transportation networks and industrial-supply chains.</p>
<p>&#8220;You&#8217;d see some disruption of essential services, like electricity. You&#8217;d definitely see espionage,&#8221; said James A. Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. &#8220;Would it be decisive? No. Nobody&#8217;s going to win a conflict with the United States in cyberspace. But would it be disruptive and irritating? Yes.&#8221;</p>
<p>Federal researchers who launched an experimental cyberattack last year in Idaho caused a generator to self-destruct, prompting fears about the effect of a real attack on the nation&#8217;s electrical supply. And a May report by the Government Accountability Office found that the Tennessee Valley Authority, which supplies power to almost 9 million people in the southeastern U.S., had not installed sufficient cybersecurity measures. Spokesman Jim Allen said the TVA, the nation&#8217;s largest publicly owned utility company, is &#8220;on track&#8221; to correct the problems.</p>
<p>What frustrates computer-security experts is that the features that make the Internet such an invaluable resource &#8212; its openness and interconnectedness &#8212; also make it easier for hackers to do harm. As a staple of 21st-century warfare, cyberattacks will become increasingly sophisticated, forcing governments and private industry to build ever-stronger firewalls and other defenses, experts said.</p>
<p>Also, vague international laws and a lack of accountability will continue to make tracking down and prosecuting cyberattackers difficult. &#8220;We don&#8217;t know quite what the rules are for this kind of conflict. If it&#8217;s spying, it&#8217;s illegal. But is it an act of war? And who do you arrest?&#8221; Lewis asked. &#8220;We&#8217;re much safer [in the U.S.] than we were a year ago. But we still have a long way to go.&#8221;</p>
<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/USatRiskOfCyberattackAug18th2008.pdf" target="_blank">View the article</a></p>
<p>By Brandon Griggs</p>
<p>August 2008</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/u-s-at-risk-of-cyber-attacks-experts-say-aug-08/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Incident Blamed for Nuclear Power Plant Shutdown</title>
		<link>http://www.waterfallsecurity.com/cyber-incident-blamed-for-nuclear-power-plant-shutdown-june-08/</link>
		<comments>http://www.waterfallsecurity.com/cyber-incident-blamed-for-nuclear-power-plant-shutdown-june-08/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 13:26:55 +0000</pubDate>
		<dc:creator>doron</dc:creator>
				<category><![CDATA[2008]]></category>

		<guid isPermaLink="false">http://waterfallsecurity.com/?p=647</guid>
		<description><![CDATA[
A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. The incident occurred on March 7 at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. The trouble started after an engineer from Southern Company, which manages [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/CyberIncidentBlamedForNuclearPowerPlantShutdownJune08.pdf" target="_blank"><img class="size-full wp-image-648 alignnone" title="WashingtonPostLogo" src="http://waterfallsecurity.com/wp-content/uploads/2009/11/WashingtonPostLogo.PNG" alt="WashingtonPostLogo" width="194" height="28" /></a></p>
<p>A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. The incident occurred on March 7 at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. The trouble started after an engineer from Southern Company, which manages the technology <span id="more-647"></span>operations for the plant, installed a software update on a computer operating on the plant&#8217;s business network.</p>
<p>The computer in question was used to monitor chemical and diagnostic data from one of the facility&#8217;s primary control systems, and the software update was designed to synchronize data on both systems. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant&#8217;s radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.</p>
<p>Southern Company spokeswoman Carrie Phillips said the nuclear plant&#8217;s emergency systems performed as designed, and that at no time did the malfunction endanger the security or safety of the nuclear facility. Phillips explained that company technicians were aware that there was full two-way communication between certain computers on the plant&#8217;s corporate and control networks. But she said the engineer who installed the update was not aware that the software was designed to synchronize data between machines on both networks, or that a reboot in the business system computer would force a similar reset in the control system machine.</p>
<p>&#8220;We were investigating cyber vulnerabilities and discovered that the systems were communicating, we just had not implemented corrective action prior to the automatic [shutdown],&#8221; Phillips said. She said plant engineers have since physically removed all network connections between the affected servers.</p>
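<p>The failure chain described above, reduced to a small simulation. This is an added illustration, not Southern Company's software or anything from the NRC report: the tag name, the trip setpoint, the healthy reading and the "synchronize the whole tag table" behaviour are all assumed. It shows why the fail-safe trip logic is not the bug (missing data and a genuinely low level both trip, as designed) and why the actual corrective action is to remove the path by which a business-network machine can write into the control store: with a bidirectional sync the workstation's reboot pushes an empty table into the control system; with a control-to-business-only copy the same reboot is harmless.</p>

```python
# Added example: business/control interconnection at a plant, simulated.
# Hypothetical tag names, setpoints and sync semantics; not the plant's code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVEL_TAG = "reservoir_level_pct"   # hypothetical tag name
TRIP_SETPOINT = 40.0                # hypothetical low-level trip setpoint


@dataclass
class TagStore:
    """An in-memory tag table. The control-side store feeds the safety logic;
    the business-side store is the chemistry/diagnostics workstation's copy."""
    tags: Dict[str, float] = field(default_factory=dict)

    def reboot(self) -> None:
        # Rebooting the workstation discards its tag table.
        self.tags = {}


def safety_logic(level: Optional[float]) -> str:
    """Fail-safe trip logic. A genuinely low level trips the unit, and so does
    the absence of a valid reading; that is the 'performed as designed'
    behaviour in the article. The fix belongs upstream, in which systems are
    allowed to write the control store at all."""
    if level is None:
        return "TRIP (no valid reading)"
    if level < TRIP_SETPOINT:
        return "TRIP (low level)"
    return "RUN"


def mirror(src: TagStore, dst: TagStore) -> None:
    """Copy src's whole tag table onto dst: one 'synchronize data' step."""
    dst.tags = dict(src.tags)


def run_scenario(mode: str) -> List[str]:
    """Return the safety decision before and after the workstation reboot.

    "bidirectional": the workstation's sync service may write to the control
    store, so after its reboot it pushes an empty table downstream.
    "unidirectional": only control-to-business copies exist, so the reboot
    empties the business copy until the next outbound cycle refills it.
    """
    control = TagStore({LEVEL_TAG: 85.0})   # constructed healthy reading
    business = TagStore()
    mirror(control, business)               # initial outbound copy
    decisions = [safety_logic(control.tags.get(LEVEL_TAG))]

    business.reboot()
    if mode == "bidirectional":
        mirror(business, control)           # the write-back that resets control
    elif mode == "unidirectional":
        mirror(control, business)           # outbound only; control untouched
    else:
        raise ValueError(f"unknown mode: {mode}")

    decisions.append(safety_logic(control.tags.get(LEVEL_TAG)))
    return decisions


if __name__ == "__main__":
    for mode in ("bidirectional", "unidirectional"):
        print(mode, run_scenario(mode))
```

<p>The point of keeping <code>safety_logic</code> identical in both runs is that the protection system has nothing to fix; what changes the outcome is whether a write path from the business network into the control store exists. Physically removing the connection, as the plant did, is the strictest form of the <code>unidirectional</code> case.</p>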
<p>Computer security experts say the Hatch plant incident is the latest reminder of problems that can occur when corporate computer systems at the nation&#8217;s most critical networks are connected to sensitive control systems that were never designed with security in mind. Specifically, experts worry that vulnerabilities were introduced into the systems that regulate the electrical grid as power companies transferred control of generation and distribution equipment from internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports.</p>
<p>The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely. But experts say it also exposes these once-closed systems to cyber attacks. &#8220;Part of the challenge is we have all of this infrastructure in the control systems that was put in place in the 1980s and &#8217;90s that was not designed with security in mind, and all of sudden these systems are being connected to [Internet-facing] business networks&#8221; said Brian Ahern, president and chief executive of Industrial Defender Inc., a Foxborough, Mass.-based SCADA security company.</p>
<p>Joe Weiss, managing partner at Cupertino, Calif.-based Applied Control Solutions, said Hatch is not the only plant that has suffered this type of unusual event. But he said it is one of a handful of public events of this type because the Nuclear Regulatory Commission documents all unusual events, in contrast to non-nuclear facilities that do not make their unusual events public.</p>
<p>&#8220;Consequently, it is expected that non-nuclear facilities have experienced similar events,&#8221; Weiss said. &#8220;The Hatch event illustrates the unintended consequences that could occur when business information technology systems interconnect with industrial control systems without adequate design considerations.&#8221;</p>
<p>Weiss said unplanned, automatic shutdowns such as what happened at the Hatch plant are costly, forcing utilities to purchase power from other parts of the grid to the tune of about $1 million a day. But more importantly, Weiss said, automatic shutdowns unnecessarily challenge nuclear safety systems.</p>
<p>&#8220;Anytime you have to shut down, especially with an automatic shutdown, you&#8217;re challenging the safety systems,&#8221; he said. &#8220;What happened [at Hatch] was absolutely what the plant was designed to do, but there&#8217;s always that chance that something could go wrong.&#8221;</p>
<p>The NRC has for years had regulations in place that require that all plants be able to defend against cyber attacks. But the agency is still in the final stretch of implementing more specific cyber-security regulations that would require plants to detail their plans for defending their digital networks as a condition of maintaining their operating license, said Scott Morris, deputy director for reactor security at the NRC.</p>
<p>&#8220;The plants are expanding their use of digital technology to put more megawatts on the grid, and because of that these lessons are going to occur,&#8221; Morris said. &#8220;But our expectation is that when these types of events happen, that [plant operators] correct the problem and share the information broadly with the rest of the industry.&#8221;</p>
<p>Unplanned nuclear plant shutdowns used to be a fairly common event, but not anymore, Weiss said. In fact, he said, another shutdown of a U.S. nuclear plant was also precipitated by a cyber event. In August 2006, Unit 3 of the Browns Ferry nuclear plant went into a shutdown after two water recirculation pumps failed. An investigation found that the controllers for the pumps locked up due to a flood of computer data traffic on the plant&#8217;s internal control system network.</p>
<p>Weiss said many people in charge of SCADA systems have sought to downplay the threat that hackers pose to these complex networks. But he cautioned that internal, accidental cyber incidents at control system networks can be just as deadly as a carefully planned attack from the outside.</p>
<p>In June 1999, a steel gas pipeline ruptured near Bellingham, Wash., killing two children and an 18-year-old, and injuring eight others. A subsequent investigation found that a computer failure just prior to the accident locked out the central control room operating the pipeline, preventing technicians from relieving pressure in the pipeline.</p>
<p>&#8220;To people in the IT world, cyber means &#8216;attacks,&#8217; but what I tell people is that in our world the predominant cyber events are unintentional,&#8221; he said. &#8220;The flip side of that is if it can happen unintentionally, it can probably be caused intentionally and be a whole lot worse.&#8221;</p>
<p>News of the Hatch incident also comes as the cyber-security posture of the electric and nuclear power industry is coming under increasing scrutiny from Congress and government investigators. Last month, the Government Accountability Office issued a scathing report about cyber security weaknesses at the Tennessee Valley Authority, the nation&#8217;s largest public power company and operator of three nuclear plants, including Browns Ferry.</p>
<p>The GAO found that TVA&#8217;s Internet-connected corporate network was linked with systems used to control power production, and that security weaknesses pervasive in the corporate side could be used by attackers to manipulate or destroy vital control systems. The agency also warned that computers on TVA&#8217;s corporate network lacked security software updates and anti-virus protection, and that firewalls and intrusion detection systems on the network were easily bypassed and failed to record suspicious activity.</p>
<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/CyberIncidentBlamedForNuclearPowerPlantShutdownJune08.pdf" target="_blank">View the article</a></p>
<p>By Brian Krebs</p>
<p>June 2008</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/cyber-incident-blamed-for-nuclear-power-plant-shutdown-june-08/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacking SCADA for terrorism and destruction</title>
		<link>http://www.waterfallsecurity.com/hacking-scada-for-terrorism-and-destruction-june-08/</link>
		<comments>http://www.waterfallsecurity.com/hacking-scada-for-terrorism-and-destruction-june-08/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 13:31:59 +0000</pubDate>
		<dc:creator>doron</dc:creator>
				<category><![CDATA[2008]]></category>

		<guid isPermaLink="false">http://waterfallsecurity.com/?p=654</guid>
		<description><![CDATA[
SCADA scares me, and I’ve seen enough things on the Internet to be desensitized to many things, but attacks against SCADA threaten our national security in a very real and topical way by attacking power grids, water treatment plants, nuclear plants, etc.  Hacking networks that SCADA devices reside on and using that access to interact [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/HackingSCADAForTerrorismJune08.pdf" target="_blank"><img class="size-full wp-image-652 alignnone" title="ZDNet_Logo" src="http://waterfallsecurity.com/wp-content/uploads/2009/11/ZDNet_Logo1.JPG" alt="ZDNet_Logo" width="140" height="91" /></a></p>
<p><a href="http://blogs.zdnet.com/security/?p=1154"></a>SCADA scares me, and I’ve seen enough things on the Internet to be desensitized to many things, but attacks against SCADA threaten our national security in a very real and topical way by attacking power grids, water treatment plants, nuclear plants, etc.  Hacking networks that SCADA devices reside on and using that access to interact with the SCADA <span id="more-654"></span>system is nothing really new, it’s been covered in the media quite a bit… including the infamous Idaho National Labs research video which was ridiculously disclosed to CNN by our very own Department of Homeland Security director, who should’ve been keeping this to himself and creating a serious plan to address these issues, rather than giving terrorists something to salivate over.  If you haven’t seen this video, I suggest you have a look as you’ll see a generator connected to a SCADA device nearly blow up when sent an Internet based attack.</p>
<p>What we haven’t seen a ton of are specific attacks against SCADA devices and protocols.  Why?  SCADA devices can be expensive, or impossible to set up and replicate for those doing vulnerability research (with Idaho National Labs maybe being one of the examples where this isn’t an issue), and clients typically would be well advised to NOT assess the protocols on their direct production systems (seems obvious, but you never know).  So what’s new about my article today?  Well, our good friends at Core Security Technologies in Boston released an advisory today about a buffer overflow attack in a specific SCADA product.</p>
<p>In an exclusive interview with the Associated Press, Core Security Technologies and the article author, Jordan Robertson, comment on the advisory: Citect Pty. Ltd., which makes the program called CitectSCADA, patched the hole last week, five months after Core Security first notified Citect of the problem. But the vulnerability could have counterparts in other so-called supervisory control and data acquisition, or SCADA, systems. And it’s not clear whether all Citect clients have installed the patch.</p>
<p>First off, not to call CitectSCADA out, cause I’d imagine this is not something they deal with all of the time, but five months is a long time to have an issue of this magnitude in such critical pieces of our nation’s infrastructure.  Again, I don’t fault Citect on that, I’m simply stating the prospect is scary.  Vulnerabilities in the software that manages SCADA devices, the protocols associated with that interaction, and other areas of SCADA technologies have been talked about for quite some time as security concerns.  In fact, not that long ago several people on Full Disclosure’s mailing list were discussing direct research being performed on specific SCADA devices which led to some Denial of Service vulnerabilities.</p>
<p>Second, the fact that Citect and other SCADA companies may not have considered things like patch management (by the way, I’m only theorizing here, I don’t pretend to know how Citect handles their patch management process, but it would seem likely to be something a lot of SCADA companies have not considered) is very concerning, as this simple yet devastating issue could be around for a lot longer.  The Associated Press article goes on to say:</p>
<p>The Citect vulnerability is of a common type. Called a “buffer overflow,” it allows a hacker to gain control of a program by sending a computer too much data. “It’s not a very elaborate problem,” Ivan Arce, Core Security’s chief technology officer, said in an interview. “If we found this thing — and this was not that hard — it would be easy for someone else to do it.”</p>
<p>It’s a great point made by Ivan, which I think a lot of people miss when thinking about security research.  If the good guys can find it, so can the bad, and it’s irresponsible to think they haven’t or aren’t looking.  The article also describes how this might be attacked as follows:</p>
<p>For an attack involving the vulnerability that Core Security revealed Wednesday to occur, the target network would have to be connected to the Internet. That goes against industry policy but does happen when companies have lax security measures, such as connecting control systems’ computers and computers with Internet access to the same routers. A rogue employee could also access the system internally.</p>
<p>Ok, so hang on here, I tend to disagree with this a bit.  So, when the term Internet is used in this context, I’m going to assume that the author of the article means the externally accessible Internet, whereas the internally accessible piece is going to be called a company’s Intranet.  This is pretty standard terminology, but we need to point it out to be on the same page.  Really, the statement that the target network would have to be connected to the Internet is actually untrue.  The article mentions rogue employees, and that covers another threat, but these are what I see as the actual threats:</p>
<ol>
<li>Rogue employees that can access the SCADA network from their corporate Intranet</li>
<li>Third-party contractors given guest access to any network in a corporation, as trust relationships between domains can be leveraged to gain access to other networks</li>
<li>Third-party or employees given VPN access to the corporate Intranet, as depending upon the implementation of VPN access, this could be vulnerable to attack… especially consider web application VPN portals that might be vulnerable to cross-site scripting allowing me to steal a valid VPN user’s session giving me the capability to load the VPN connection/software</li>
<li>The Internet (hopefully a SCADA device is not connected directly to the Internet)</li>
<li>Any firewall-bypassing attacks that might be useful, leading to vulnerability linkage that gets us to this internal SCADA network.  This one is really important.  There are a lot of web application based attacks:
<ul>
<li>See Protocol Handler Abuse, research published by myself, Billy Rios, and Rob Carter</li>
<li>See anti-DNS pinning attacks, including research by myself, Billy Rios, Rob Carter, Dan Kaminsky, Kanatoko, Martin Johns, etc.</li>
</ul>
These types of attacks may allow an attacker to deploy serious attacks to a high traffic web application, using cross-site scripting as the deployment vector.  Once a user has been compromised by the cross-site scripting attack, the attacker can use anti-DNS pinning to use the victim’s browser to interact with internally accessible resources on the network the victim is on, or use protocol handling attacks to try to compromise the underlying operating system of the victim’s machine, thus giving the attacker a foothold into the internal network.  For even more on application/browser flaws that turn into extremely serious issues, see my talk at Black Hat Vegas ‘08 this year with Rob Carter, John Heasman, and Billy Rios… teaser here.</li>
</ol>
<p>These web application attacks that allow crossing over the boundary put in place by the firewall are extremely concerning when you consider vulnerability linkage which may ultimately lead to the compromise of a SCADA device.  Consider the impact of a successful compromise of a SCADA device, which the original AP article so accurately described:</p>
<p>Security experts say the finding highlights the possibility that hackers could cut the power to entire cities, poison a water supply by disrupting water treatment equipment, or cause a nuclear power plant to malfunction by attacking the utility’s controls.</p>
<p>Eeek… the article also mentions that Citect suggests that companies using SCADA devices segregate the devices from the Internet… well, that’s certainly a great recommendation, and they go on to mention proper firewall configuration, etc.  Again, this is a great step, but I think it is very important to underscore that simple firewall rules to the outside world of the Internet only eliminate a piece of the attack space.  As I mentioned, internal employees, third-parties given access, and compromise of users of the company’s network may again put the SCADA device at risk.</p>
<p>So then, we need to ask ourselves… is the threat real?  Hopefully you saw the video I linked to above, but if that wasn’t enough to get your concern level up, the CIA reported that a power outage in several cities outside of the United States was actually caused by hackers who had demanded money or threatened to turn out the lights.  Another example that strikes much closer to home is something I think a lot of us will remember, when the lights went out on a large portion of the eastern seaboard.  National Journal Magazine conducted interviews with government officials who believed the power outages to have actually been caused by Chinese hackers:</p>
<p>One prominent expert told <em>National Journal</em> he believes that China’s People’s Liberation Army played a role in the power outages. Tim Bennett, the former president of the Cyber Security Industry Alliance, a leading trade group, said that U.S. intelligence officials have told him that the PLA in 2003 gained access to a network that controlled electric power systems serving the northeastern United States. <strong>The intelligence officials said that forensic analysis had confirmed the source, Bennett said. “They said that, with confidence, it had been traced back to the PLA.” These officials believe that the intrusion may have precipitated the largest blackout in North American history, which occurred in August of that year. A 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected.</strong></p>
<p>So in conclusion, the threat is real.  If you are a vendor of SCADA devices, get your products assessed.  If you are a company using SCADA devices, get an Internet/Intranet/Extranet assessment done to try to determine how well you’ve segregated these devices from the rest of the network and make appropriate corrections based upon those results.</p>
<p><a href="http://blogs.zdnet.com/security/?p=1268" target="_blank">View the article</a></p>
<p>By Nathan McFeters</p>
<p>June 2008</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/hacking-scada-for-terrorism-and-destruction-june-08/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Trend Micro: Antivirus industry lied for 20 years</title>
		<link>http://www.waterfallsecurity.com/antivirus-industry-lied-for-20-years-june-08/</link>
		<comments>http://www.waterfallsecurity.com/antivirus-industry-lied-for-20-years-june-08/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 13:30:03 +0000</pubDate>
		<dc:creator>doron</dc:creator>
				<category><![CDATA[2008]]></category>

		<guid isPermaLink="false">http://waterfallsecurity.com/?p=651</guid>
		<description><![CDATA[
Chief executive Eva Chen argues antivirus companies have over-hyped the effectiveness of their products, and misled customers, for years
Eva Chen, chief executive of Trend Micro, has strong views about how effective the antivirus industry has been over the past 20 years. According to Chen, the security industry has over-hyped how effective its products are - and [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/TrendMicroAntivirusIndustryJune08.pdf" target="_blank"><img class="size-full wp-image-652 alignnone" title="ZDNet_Logo" src="http://waterfallsecurity.com/wp-content/uploads/2009/11/ZDNet_Logo1.JPG" alt="ZDNet_Logo" width="140" height="91" /></a></p>
<p><strong>Chief executive Eva Chen argues antivirus companies have over-hyped the effectiveness of their products, and misled customers, for years</strong></p>
<p>Eva Chen, chief executive of Trend Micro, has strong views about how effective the antivirus industry has been over the past 20 years. According to Chen, the security industry has over-hyped how effective its products <span id="more-651"></span>are - and so has been misleading customers - for years.</p>
<p>Chen believes that no single company can offer adequate protection against the sheer volume of new viruses that are being churned out by cybercriminals. According to the security industry, five and a half million new samples were detected in 2007.</p>
<p><strong>Q: Trend Micro has recently moved to an &#8216;in-the-cloud&#8217; service. Surely traditional security methods are still effective enough?</strong></p>
<p>A: In the antivirus business, we have been lying to customers for 20 years. People thought that virus protection protected them, but we can never block all viruses. Antivirus refresh used to be every 24 hours. People would usually get infected in that time and the industry would clean them up with a new pattern file.</p>
<p>In the last 20 years, we have been misrepresenting ourselves. No-one is able to detect five and a half million viruses. Nowadays there are no mass virus outbreaks; [malware] is targeted. But, if there are no virus samples submitted, there&#8217;s no way to detect them.</p>
<p><strong>But how about analysis using other methods? You don&#8217;t need to rely solely on antivirus.</strong></p>
<p>Every year there&#8217;s a new industry buzzword, but they always fail. Heuristics use a rule to inspect the file, but virus writers know this. They split the complete malicious program into different files, and download each file to test it against the heuristic rule. Each file looks innocent but, when combined, they become a virus.</p>
<p>Three years ago, the buzzword was &#8216;personal firewalls&#8217;, but you can&#8217;t block everything. To have an effective personal firewall, you&#8217;d have to block port 80, but HTTP uses port 80. If you blocked that, no-one could use [the internet]. HIPS [host-based intrusion-prevention systems] have a lot of rules to tell if this application is trying to touch another application. HIPS behavioural monitoring requires files to be executed, so virus writers make sure they evade the rules.</p>
<p><strong>So isn&#8217;t &#8216;in-the-cloud&#8217; computing suffering from the same hype?</strong></p>
<p>Trend Micro has gone to cloud computing because it&#8217;s a necessity. Usually, hackers now infiltrate websites. When a user clicks on a URL they are redirected to a malware-hosting site. They download the first components, usually a downloader, which downloads more components and a recompiler.</p>
<p><strong>Two Trend Micro sites were infiltrated in March, weren&#8217;t they?</strong></p>
<p>That shows that it&#8217;s everybody&#8217;s problem. Our websites were outsourced and, in [website code], there are a lot of commands that can be compromised. An attacker can insert an Iframe through SQL injection. It was an Iframe-injection attack on the page we outsourced to a developer. I don&#8217;t know which development company it was.</p>
<p><strong>Do you know who attacked the Trend Micro sites?</strong></p>
<p>We don&#8217;t know who did it. It was a mass attack - 20,000 sites - so very hard to trace.</p>
<p><strong>Trend Micro is in the process of a lawsuit against Barracuda Networks over a patent dispute. As Barracuda uses the open-source ClamAV engine, there has been disquiet in the open-source community that any company that incorporates ClamAV into a gateway security product will be sued by Trend Micro. Is this the case?</strong></p>
<p>I&#8217;m suing Barracuda, not ClamAV. The patent is about how to stop viruses in transmission. We&#8217;ve traded patents with IBM and Symantec, and settled with McAfee when they were Network Associates. We won the litigation with Fortinet. We respect other people&#8217;s intellectual property; we just want people to respect ours. This has nothing to do with free software. It&#8217;s about the implementation.</p>
<p><a href="http://resources.zdnet.co.uk/articles/features/0,1000002000,39440184,00.htm" target="_blank">View the article</a></p>
<p>By Tom Espiner</p>
<p>June 2008</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/antivirus-industry-lied-for-20-years-june-08/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>America&#8217;s Hackable Backbone</title>
		<link>http://www.waterfallsecurity.com/americas-hackable-backbone-june-08/</link>
		<comments>http://www.waterfallsecurity.com/americas-hackable-backbone-june-08/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 13:34:11 +0000</pubDate>
		<dc:creator>doron</dc:creator>
				<category><![CDATA[2008]]></category>

		<guid isPermaLink="false">http://waterfallsecurity.com/?p=656</guid>
		<description><![CDATA[
The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant&#8217;s owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM&#8217;s Internet Security Systems, found otherwise. &#8220;It turned out to be one of [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/Forbes_ArticleJune08.pdf" target="_blank"><img class="size-full wp-image-657 alignnone" title="ForbesLogo" src="http://waterfallsecurity.com/wp-content/uploads/2009/11/ForbesLogo.JPG" alt="ForbesLogo" width="147" height="47" /></a></p>
<p>The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant&#8217;s owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM&#8217;s Internet Security Systems, found otherwise. &#8220;It turned out to be one of the easiest penetration <span id="more-656"></span>tests I&#8217;d ever done,&#8221; he says. &#8220;By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, &#8216;Gosh. This is a big problem.&#8217;&#8221;</p>
<p>In retrospect, Lunsford says&#8211;and the Nuclear Regulatory Commission agrees&#8211;that government-mandated safeguards would have prevented him from triggering a nuclear meltdown. But he&#8217;s fairly certain that by accessing controls through the company&#8217;s network, he could have sabotaged the power supply to a large portion of the state. &#8220;It would have been as simple as closing a valve,&#8221; he says.</p>
<p>The disturbingly vulnerable system that Lunsford hijacked is powered by Supervisory Control and Data Acquisition software, or SCADA, a type of software made by companies including Siemens, ABB, Rockwell Automation and Emerson. SCADA systems are used around the country to control infrastructure like water filtration and distribution, trains and subways, natural gas and oil pipelines, and practically every kind of industrial manufacturing. And as some security professionals are pointing out, those weaknesses are increasingly connected to the Internet, leaving large parts of America&#8217;s critical infrastructure exposed to anyone with moderate information technology training and a laptop.</p>
<p>At the DefCon hacker conference earlier this month, security researcher Ganesh Devarajan gave a presentation detailing how researchers can find flaws in SCADA systems using &#8220;fuzzing,&#8221; a technique that floods software with data and tracks which input causes a crash, allowing hackers to inject their own commands.</p>
<p>&#8220;These are simple bugs, but very dangerous ones,&#8221; says Devarajan, associate security analyst at 3Com-owned security firm TippingPoint. He says he&#8217;s alerted SCADA software vendors to all the flaws he&#8217;s found, but he nonetheless imagines a scenario in which someone plants a contaminant in a water reservoir and hacks into water-quality sensor systems to prevent detection. &#8220;If someone can provide false data,&#8221; he says, &#8220;They own the system.&#8221;</p>
<p>To be sure, the threat of attacks on major SCADA systems isn&#8217;t entirely new, and the wave of cyberterrorism predictions that followed Sept. 11, 2001, has largely been dismissed as hype and paranoia. But given SCADA systems&#8217; vulnerability, many experts wonder why those attacks haven&#8217;t yet materialized.</p>
<p>One answer may be the sheer complexity of major infrastructure systems: Though SCADA computers have weak external security, controlling them takes engineering expertise. Most hackers could only gain enough control to create the fear that they&#8217;re capable of something worse, says Alan Paller, director of the SANS Institute.</p>
<p>That means that even if outright attacks aren&#8217;t increasing, there&#8217;s a growing threat of extortion, says Paller. In fact, the SANS Institute hosts a crisis response center for cyberattacks, and Paller says he&#8217;s learned of multiple threats within the last year and a half from hackers claiming to have infiltrated SCADA systems and demanding ransom. Other shakedowns have likely gone unreported.</p>
<p>Paller predicts that those incidents will increase. &#8220;There&#8217;s been very active and sophisticated chatter in the hacker community, trading exploits on how to break through capabilities on these systems,&#8221; he says. &#8220;That kind of chatter usually precedes bad things happening.&#8221;</p>
<p>Extortion is more than an economic problem; racketeers could easily trigger an accident while trying to demonstrate control over a facility, says Marcus Ranum, chief security officer for Tenable Security. &#8220;To spin a pump or move a valve, you don&#8217;t have to be a petroleum engineer,&#8221; he says. &#8220;Then again, you could spin the wrong pump and blow something up.&#8221;</p>
<p>Not every SCADA sabotage scenario is so hypothetical. In 2000, Vitek Boden, a 48-year-old man fired from his job at a sewage-treatment plant in Australia, remotely accessed his former workplace&#8217;s computers and poured toxic sludge into parks and rivers; he hoped the plant would re-hire him to solve the leakage problem.</p>
<p>In January 2003, computers infected with the Slammer worm shut down safety display systems at the Davis-Besse power plant in Ohio, though the plant was already shut down at the time. Seven months later, another computer virus was widely suspected by security researchers of leading to a power loss at a plant providing electricity to parts of New York State, despite the Nuclear Regulatory Commission&#8217;s argument that no evidence of virus-involvement was found.</p>
<p>SCADA systems&#8217; lack of security features is a symptom of their age; most were developed at a time when critical infrastructure systems weren&#8217;t connected to the Internet and needed no intrusion prevention. Some have a 20-year life span, making them obsolete for years after they&#8217;re installed. And many of the companies that develop SCADA software make installing security patches difficult or, fearing that patches will hamper the software&#8217;s operation, don&#8217;t offer customer support for patched systems.</p>
<p>All of which still leaves U.S. infrastructure open to crippling attacks by criminal hackers or cyberterrorists, says Jim Christy, director of future exploration at the Department of Defense&#8217;s Cyber Crime Center. &#8220;This is an Achilles&#8217; heel for several of our critical systems,&#8221; Christy says. &#8220;Nation-states and terrorist organizations are definitely looking at this as an option, a weapon of mass disruption.&#8221;</p>
<p>That kind of risk means major security changes are necessary, says Christy. But because SCADA systems are largely owned by the private sector, critical infrastructure like power plants and water systems may remain vulnerable until the problem affects profits&#8211;or leads to disaster. Christy argues that we can&#8217;t wait that long: His unofficial opinion is that SCADA needs government regulation.</p>
<p>&#8220;The government mandates fire sprinklers. Those cost builders money, but they save property and lives,&#8221; he says. &#8220;If critical infrastructure is important to our national security, shouldn&#8217;t there be minimum standards it has to meet?&#8221;</p>
<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/Forbes_ArticleJune08.pdf" target="_blank">View the article</a></p>
<p>By Andy Greenberg</p>
<p>June 2008</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/americas-hackable-backbone-june-08/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Electricity Grid in U.S. Penetrated By Spies</title>
		<link>http://www.waterfallsecurity.com/electricity-grid-in-u-s-penetrated-by-spies-apr-08/</link>
		<comments>http://www.waterfallsecurity.com/electricity-grid-in-u-s-penetrated-by-spies-apr-08/#comments</comments>
		<pubDate>Tue, 24 Nov 2009 07:23:35 +0000</pubDate>
		<dc:creator>doron</dc:creator>
				<category><![CDATA[2008]]></category>

		<guid isPermaLink="false">http://waterfallsecurity.com/?p=660</guid>
		<description><![CDATA[ 
WASHINGTON &#8212; Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/ElectricityGridInUSPenetratedBySpiesApr08.pdf" target="_blank"><img class="size-full wp-image-661 alignnone" title="TheWallStreetJournal" src="http://waterfallsecurity.com/wp-content/uploads/2009/11/TheWallStreetJournal.JPG" alt="TheWallStreetJournal" width="200" height="26" /></a> </p>
<p>WASHINGTON &#8212; Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical <span id="more-660"></span>system and its controls. The intruders haven&#8217;t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.</p>
<p>&#8220;The Chinese have attempted to map our infrastructure, such as the electrical grid,&#8221; said a senior intelligence official. &#8220;So have the Russians.&#8221; The espionage appeared pervasive across the U.S. and doesn&#8217;t target a particular company or region, said a former Department of Homeland Security official. &#8220;There are intrusions, and they are growing,&#8221; the former official said, referring to electrical systems. &#8220;There were a lot last year.&#8221;</p>
<p>Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet. Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, &#8220;If we go to war with them, they will try to turn them on.&#8221;</p>
<p>Officials said water, sewage and other infrastructure systems also were at risk. &#8220;Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts,&#8221; Director of National Intelligence Dennis Blair recently told lawmakers. &#8220;A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure.&#8221;</p>
<p>Officials cautioned that the motivation of the cyberspies wasn&#8217;t well understood, and they don&#8217;t see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt. But protecting the electrical grid and other infrastructure is a key part of the Obama administration&#8217;s cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage.</p>
<p>Overseas examples show the potential havoc. In 2000, a disgruntled employee rigged a computerized control system at a water-treatment plant in Australia, releasing more than 200,000 gallons of sewage into parks, rivers and the grounds of a Hyatt hotel. Last year, a senior Central Intelligence Agency official, Tom Donahue, told a meeting of utility company representatives in New Orleans that a cyberattack had taken out power equipment in multiple regions outside the U.S. The outage was followed with extortion demands, he said.</p>
<p>The U.S. electrical grid comprises three separate electric networks, covering the East, the West and Texas. Each includes many thousands of miles of transmission lines, power plants and substations. The flow of power is controlled by local utilities or regional transmission organizations. The growing reliance of utilities on Internet-based communication has increased the vulnerability of control systems to spies and hackers, according to government reports.</p>
<p>The sophistication of the U.S. intrusions &#8212; which extend beyond electric to other key infrastructure systems &#8212; suggests that China and Russia are mainly responsible, according to intelligence officials and cybersecurity specialists. While terrorist groups could develop the ability to penetrate U.S. infrastructure, they don&#8217;t appear to have yet mounted attacks, these officials say.</p>
<p>It is nearly impossible to know whether or not an attack is government-sponsored because of the difficulty in tracking true identities in cyberspace. U.S. officials said investigators have followed electronic trails of stolen data to China and Russia. Russian and Chinese officials have denied any wrongdoing. &#8220;These are pure speculations,&#8221; said Yevgeniy Khorishko, a spokesman at the Russian Embassy. &#8220;Russia has nothing to do with the cyberattacks on the U.S. infrastructure, or on any infrastructure in any other country in the world.&#8221;</p>
<p>A spokesman for the Chinese Embassy in Washington, Wang Baodong, said the Chinese government &#8220;resolutely oppose[s] any crime, including hacking, that destroys the Internet or computer network&#8221; and has laws barring the practice. China was ready to cooperate with other countries to counter such attacks, he said, and added that &#8220;some people overseas with Cold War mentality are indulged in fabricating the sheer lies of the so-called cyberspies in China.&#8221;</p>
<p>Utilities are reluctant to speak about the dangers. &#8220;Much of what we&#8217;ve done, we can&#8217;t talk about,&#8221; said Ray Dotter, a spokesman at PJM Interconnection LLC, which coordinates the movement of wholesale electricity in 13 states and the District of Columbia. He said the organization has beefed up its security, in conformance with federal standards.</p>
<p>In January 2008, the Federal Energy Regulatory Commission approved new protection measures that required improvements in the security of computer servers and better plans for handling attacks. Last week, Senate Democrats introduced a proposal that would require all critical infrastructure companies to meet new cybersecurity standards and grant the president emergency powers over control of the grid systems and other infrastructure.</p>
<p>Specialists at the U.S. Cyber Consequences Unit, a nonprofit research institute, said attack programs search for openings in a network, much as a thief tests locks on doors. Once inside, these programs and their human controllers can acquire the same access and powers as a systems administrator. The White House review of cybersecurity programs is studying ways to shield the electrical grid from such attacks, said James Lewis, who directed a study for the Center for Strategic and International Studies and has met with White House reviewers.</p>
<p>The reliability of the grid is ultimately the responsibility of the North American Electric Reliability Corp., an independent standards-setting organization overseen by the Federal Energy Regulatory Commission. The NERC set standards last year requiring companies to designate &#8220;critical cyber assets.&#8221; Companies, for example, must check the backgrounds of employees and install firewalls to separate administrative networks from those that control electricity flow. The group will begin auditing compliance in July.</p>
<p><a href="http://online.wsj.com/article/SB123914805204099085.html?mod=goog" target="_blank">View the article</a></p>
<p>By Siobhan Gorman</p>
<p>April 2008</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/electricity-grid-in-u-s-penetrated-by-spies-apr-08/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hole Found in Protocol Handling Vital National Infrastructure</title>
		<link>http://www.waterfallsecurity.com/hole-found-in-protocol-handling-vital-national-infrastructure-mar-08/</link>
		<comments>http://www.waterfallsecurity.com/hole-found-in-protocol-handling-vital-national-infrastructure-mar-08/#comments</comments>
		<pubDate>Tue, 24 Nov 2009 07:28:14 +0000</pubDate>
		<dc:creator>doron</dc:creator>
				<category><![CDATA[2008]]></category>

		<guid isPermaLink="false">http://waterfallsecurity.com/?p=665</guid>
		<description><![CDATA[
Systems that control dams, oil refineries, railroads and nuclear power plants have a vulnerability that could cause a system takeover, according to a recent research report.
Researchers on March 21 announced that the systems which control dams, oil refineries, railroads and nuclear power plants have a vulnerability that could be used to cause a denial of [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://waterfallsecurity.com/wp-content/uploads/2009/11/Scada_hole032008.pdf" target="_blank"><img class="size-full wp-image-669 alignnone" title="PHYSORGLogo" src="http://waterfallsecurity.com/wp-content/uploads/2009/11/PHYSORGLogo.JPG" alt="PHYSORGLogo" width="214" height="86" /></a></p>
<p><strong>Systems that control dams, oil refineries, railroads and nuclear power plants have a vulnerability that could cause a system takeover, according to a recent research report.</strong></p>
<p>Researchers on March 21 announced that the systems which control dams, oil refineries, railroads and nuclear power plants have a vulnerability that could be used to cause a denial of service or a system takeover.</p>
<p>The flaw, reported by Neutralbit, is the first remotely exploitable SCADA security vulnerability, according to the security services provider. SCADA (supervisory control and data acquisition) is a large-scale, distributed measurement and control system used to monitor or control chemical or transport processes in municipal water supply systems, to control electric power generation, transmission and distribution, gas and oil pipelines and other distributed processes. Wikipedia has a schematic of SCADA here.</p>
<p>Neutralbit identified the vulnerability in NETxAutomation NETxEIB OPC (OLE for Process Control) Server. OPC is a Microsoft Windows standard for easily writing GUI applications for SCADA. It&#8217;s used for interconnecting process control applications running on Microsoft platforms. OPC servers are often used in control systems to consolidate field and network device information.</p>
<p>Neutralbit reports that the flaw is caused by improper validation of server handles, which could be exploited by an attacker with physical or remote access to the OPC interface to crash an affected application or potentially compromise a vulnerable server. Neutralbit has also recently published five vulnerabilities having to do with OPC.</p>
<p>This isn&#8217;t the first time that this vital bit of national infrastructure has gotten a black eye. Errata President Robert Graham published a scathing report last year titled &#8220;SCADA Security and Terrorism: We&#8217;re Not Crying Wolf.&#8221; In that report and in his more recent blog, he called SCADA &#8220;completely open to attack, especially OPC.&#8221;</p>
<p>Graham described the OPC Windows applications as being used to translate between Windows primitives such as MS-RPC/DCOM to back-end protocols that do the actual monitoring and controlling of switches, valves, pressure gauges, thermometers, and so forth.</p>
<p>&#8220;These backend protocols are often based upon standards that pre-date Windows,&#8221; Graham wrote in his blog. &#8220;They are horribly insecure because few people in the SCADA industry know what a &#8216;buffer-overflow&#8217; is.&#8221;<br />
Graham said that it took him all of five minutes to find a remotely exploitable bug when he downloaded sample implementations from the OPC Foundation a few years ago.</p>
<p>Graham said that the real problem isn&#8217;t vulnerabilities but the fact that OPC installations are normally run without authentication such as a username and password. &#8220;[That] means a hacker can control them without having to mess around with things like buffer overflows,&#8221; he wrote.</p>
<p>If proper authentication and encryption are in fact enabled, a hacker can&#8217;t actually remotely exploit OPC installations without first logging on, Graham said. This is the case with the vulnerability reported by Neutralbit, he said: &#8220;It&#8217;s only exploitable if the user has login privileges.&#8221;</p>
<p>In fact, Graham said, he doesn&#8217;t believe that many SCADA organizations will take this recent vulnerability warning seriously because they know that since their systems are already wide open to attack, patching them against this bug won&#8217;t stop a hacker.</p>
<p>&#8220;That would be wrong,&#8221; Graham said. &#8220;First, there is the possibility of [a] worm exploiting these bugs. Second, at some point the SCADA industry is going to have to catch up with the rest of the world with regards to securing their products.</p>
<p>&#8220;Neutralbit has done an excellent job of explaining to you potential problems with OPC, but they&#8217;ve also explained them to hackers and cyber-terrorists. Any kid who wants to prove he&#8217;s a vulnerability hunter now knows he can go onto eBay, get some cheap OPC products, find vulnerabilities in them, and announce them to the world.&#8221;</p>
<p>Graham says there&#8217;s a &#8220;good chance that many more OPC vulnerabilities will be announced and/or exploited in the next couple years.&#8221;</p>
<p>NETxAutomation has addressed the flaw by releasing version 3.0.1300 of the NETxEIB OPC Server. The company has also released a patch for NETxEIB OPC Server version 3.0. US-CERT recommends restricting remote access to the server to only trusted hosts by using firewalls or only connecting them to private networks, until a fixed version of the server can be deployed.</p>
<p>According to its Web site, Neutralbit has issued the vulnerability disclosure in collaboration with US-CERT &#8211; whose advisory is here &#8211; and the affected vendors.</p>
<p><a href="http://www.physorg.com/news94025004.html" target="_blank">View the article</a></p>
<p>March 2008</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/hole-found-in-protocol-handling-vital-national-infrastructure-mar-08/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

