As fate would have it, a few days after that post it was revealed that there was an ('alleged') attack on an Illinois water system.
Hackers are alleged to have destroyed a pump used to pipe water to thousands of homes in a US city in Illinois.In true fed fashion, the FBI and DHS are doing their best head-in-the-sand routine, denying that the Illinois incident was caused by a hacker penetrating the water utility's control system
Hackers with access to the utility's network are thought to have broken the pump by turning it on and off quickly.
The FBI and Department for Homeland Security (DHS) are investigating the incident as details emerge of what could be a separate second attack.
"At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," (a DHS spokesman) said.In response, another hacker posted information online showing how to gain access to the industrial control systems for a second water utility, this one located in Houston.
The attacks are the latest in a series in which different hackers and groups have targeted so called Supervisory Control And Data Acquisition (SCADA) systems. These specialised computer systems are used to control equipment used to filter water, mix chemicals, distribute power, and route trains and trams.As I posted previously, SCADA attacks have been used to cause physical damage to Iranian nuclear facilities. People in the cyber security field have known about SCADA vulnerabilities for years, but until recently have discounted the possibility of widespread damage to this country's critical infrastructure. However, that mindset is slowly changing.
Perhaps the best indication of how seriously the feds are taking these threats can be seen in the response of DHS. While publicly pooh-poohing the risk, behind the scenes DHS is trying to manage the flow of information about SCADA exposures.
Stuxnet-style SCADA attack kept quiet after US gov tests
Security researchers decided to cancel a planned demonstration of security holes in industrial control systems ... following requests from ... a (DHS) security response team.Both the researchers and the conference organizers state they weren't pressured to cancel the presentation. The skeptic in me doubts that. I know how much time and effort I put into my research projects. In the academic field, the primary reward we get from such research is the opportunity to present our findings to our peers. To voluntarily give that up would require some serious 'persuasion.'
(The researchers) agreed to delay their presentation. "We were asked very nicely if we could refrain from providing that information at this time..."
Here's the abstract from the cancelled presentation:
SCADA exploits have recently taken center stage in the international community. These types of vulnerabilities pose significant threats to critical infrastructure. Combining traditional exploits with industrial control systems allows attackers to weaponize malicious code, as demonstrated with Stuxnet. The attacks against Iran’s nuclear facilities were started by a sequence of events that delayed the proliferation of nuclear weapons.Trust me, the exposures in SCADA systems pose a very serious threat. And also trust me when I say that there is more going on here than meets the eye...
We will demonstrate how motivated attackers could penetrate even the most heavily fortified facilities in the world, without the backing of a nation state. We will also present how to write industrial grade malware without having direct access to the target hardware. After all, if physical access was required, what would be the point of hacking into an industrial control system?
2 comments:
I have friends that work in computer security, and they can break the average Windoze security in less than five minutes over the net from a cold start... And that is WITH security 'enhancements' activated... DHS as usual is sucking hind tit, and yeah, the must have leaned on those folks pretty hard...
Windows is bad. SCADA is worse. In some versions, the password field is only three characters long. You could break that manually in about five minutes.
Post a Comment