no prizes for good guess
which will happen first:
1) government wanting even more surveillance on everybody
2) stiff penalties for companies leaving their systems insecure
Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water, we're told. The cyber-attack is documented in this month’s IT security breach report (available here, registration required) from Verizon Security Solutions. The utility in question is referred to using a …
Frankly, I think it would be nice to have a grown up debate as to what should, and should not be able to be accessed remotely at all.
My view is that the answer to that is something similar to Asimov's first law. "A <system> may not injure a human being or, through inaction, allow a human being to come to harm."
The ability to remotely access a car's control systems via a sodding radio's bluetooth/wifi and disable control inputs from the driver (like steering or brakes) should be burned with fire along with the people who allowed the basic system design. Industrial processes and in general anything that can cause harm should be air gapped in the same way the control systems in nuclear power plants are.
Yes, it's going to raise costs. But doing otherwise is critically dangerous with things like fluoride going in drinking water:-
http://www.nejm.org/doi/full/10.1056/NEJM199401133300203
From that it seems quite clear that if a hacker had dumped the entire fluoride store into the water supply then nobody would have noticed until either they had to refill it or people started turning up in hospital. Utterly ludicrous.
The wild libertarian in me answers:
"doing otherwise is critically dangerous with things like fluoride going in drinking water"
with
"Stop adding fluoride to tap water, I've got an inalienable right to rotten teeth"
(and in case you think I'm a dirty cow, I am a bit OCD when it comes to brushing, so my gnashers are a pearly white.)
"Stop adding fluoride to tap water, I've got an inalienable right to rotten teeth"
Then don't drink the tap water, buy your own drinking water, problem solved.
Or, stated using the same line of thinking: "Get your nanny-state coddling out of my tap water, it's my God-given right to drink fluoride-laden water if I so choose".
Then don't drink the tap water, buy your own drinking water, problem solved.
How do you do that when the municipality you happen to be in has banned sales of bottled water. Apparently the do-gooderesses don't mind Coke, Fanta, Leed etc, but water is a definite no-no.
"From that it seems quite clear that if a hacker had dumped the entire fluoride store into the water supply then nobody would have noticed until either they had to refill it or people started turning up in hospital. Utterly ludicrous."
See my Camelford link later in this thread.
> My view is that the answer to that is something similar to Asimov's first law. "A <system> may not injure a human being or, through inaction, allow a human being to come to harm."
You are obviously an idiot or too young to voice an opinion.
A public utility still using internet access after Stuxnet is liable for manslaughter charges and in any case the management need removing urgently, especially their security bods. If this had happened without such mitigation it would be an act of war. It probably still is.
I hope that Trump is as bomb proof as his predecessor because he really sounds like the sort of arse that America's enemies (or Israel's friends) want in.
"I hope that Trump is as bomb proof as his predecessor because he really sounds like the sort of arse that America's enemies (or Israel's friends) want in."
For the life of me, I cannot see why this statement is in any way relevant to the discussion.
A down vote for bad cut & paste, or stupidity, or both ...
ps: Same applies if you substitute Clinton for Trump
Yes, and then Asimov made out a good living by writing about how the three laws of robotics happened to work in some extreme corner cases (and requiring Susan Calvin to understand what really happened). Moreover it postulated that the very way the positronic brain was built had them truly "hardwired" and thereby they could not be bypassed - without damaging the brain irreparably and leaving it inoperative. Unluckily software can be modified, and some systems can't really become wholly inoperative, unless some safety mechanism detects it and puts the system in a safe state.
A truly air-gapped system would require all the air to be removed, so no humans could touch those systems and plug in their USB drive to watch some porn while monitoring the systems...
Well-designed, critical systems usually have hard limits built into them so that such a thing can't happen - not without someone going out there manually (with appropriate tools) and taking the situation in hand, anyway. For fluorine/chlorine and such, I would generally expect such a system to either just reject a "dump everything" command, or to merely increase things to a higher but still relatively safe level - whatever the hard limit restricts it to.
Regarding the concern about dumping an entire storage tank of fluoride into the water system, I have two bits of information that may make you more comfortable.
First, fluoride has a bitter taste. So if there is a severe overdose, people will not drink the water. Trying to cover up this bitterness is a large part of why toothpaste has a strong flavor added, as well as the fluoride treatments at your dentist's office.
Second, most regulators require that for chemicals added to the water that the system run off of what is termed a "day tank". The day tank only stores a limited amount (usually about one day's worth), exactly to prevent the type of overdose that you are referring to. There are other benefits. Because it is a smaller tank, minor changes in feed rates are noticed sooner.
By the way, this second idea was started long before hackers were born. It is a practical solution that prevents excessive dosing for whatever reason.
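As an added illustration of the two defences described in the comments above (hard limits on dosing commands, and a day tank that physically caps how much chemical can be fed), here is a constructed Python model; it is not code from the article, the utility, or any commenter, and the class names, limits and flow figures are assumptions.

```python
"""Safety interlock for a chemical dosing controller (constructed example).

Two defences from the discussion are modelled:
  * hard limits: any setpoint outside the safe band is rejected, whoever sent it,
  * a "day tank": the feed pump can only reach one day's worth of chemical, so
    even a malicious "dump everything" command cannot exceed that amount.
All names and numbers below are assumed for illustration, not real plant data.
"""
from dataclasses import dataclass, field


@dataclass
class DosingLimits:
    min_ppm: float        # below this the water is under-treated
    max_ppm: float        # hard ceiling enforced regardless of command source
    day_tank_kg: float    # total chemical the feed pump can draw in one day


@dataclass
class DosingController:
    limits: DosingLimits
    flow_m3_per_h: float          # treated-water flow through the dosing point
    setpoint_ppm: float = 0.0     # currently applied dose
    dispensed_kg: float = 0.0     # chemical drawn from the day tank so far
    log: list = field(default_factory=list)

    def request_setpoint(self, ppm: float, source: str) -> tuple:
        """Apply a requested setpoint only if it lies within the hard limits.
        Rejections are logged with their source so an operator can spot a
        command arriving from somewhere it never should (e.g. a billing host)."""
        if not (self.limits.min_ppm <= ppm <= self.limits.max_ppm):
            msg = f"REJECT setpoint={ppm} ppm from {source}: outside hard limits"
            self.log.append(msg)
            return False, msg
        self.setpoint_ppm = ppm
        self.log.append(f"ACCEPT setpoint={ppm} ppm from {source}")
        return True, "ok"

    def run(self, hours: float) -> float:
        """Simulate dosing for `hours` and return the kg actually dispensed.
        ppm is mg/L, i.e. g/m3, so kg = ppm * m3 / 1000.  Whatever the
        setpoint, the day tank bounds the total; starvation raises an alarm."""
        wanted_kg = self.setpoint_ppm * self.flow_m3_per_h * hours / 1000.0
        available_kg = max(self.limits.day_tank_kg - self.dispensed_kg, 0.0)
        actual_kg = min(wanted_kg, available_kg)
        self.dispensed_kg += actual_kg
        if actual_kg < wanted_kg:
            self.log.append("ALARM day tank exhausted; feed pump starved")
        return actual_kg


if __name__ == "__main__":
    # Assumed figures: fluoride band 0.5-1.5 ppm, 1000 m3/h, 30 kg day tank.
    ctl = DosingController(DosingLimits(0.5, 1.5, 30.0), flow_m3_per_h=1000.0)
    print(ctl.request_setpoint(1.0, "scada-hmi"))
    print(ctl.request_setpoint(50.0, "web-frontend"))   # rejected
    print(ctl.run(24), ctl.run(24))                     # 24.0 then 6.0
    print("\n".join(ctl.log))
```

Note that the limit check lives in software here; as the Asimov comment above points out, a determined attacker with control-system access can modify software, so the day tank is the defence that still holds when the limit check does not.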
It probably IS illegal in just about any jurisdiction you'd like to think of, with probably very large penalties.
Problem 1 - the kind of scum who do this sort of thing tend to be criminals with every intent of causing mayhem - either for blackmail or political reasons. They know full well what they’re trying to do, know the penalties and know the risks.
Problem 2 - the authorities in many of those jurisdictions will either (a) not understand their own laws and prosecute on a minor technicality, (b) seek to minimise the crime to cover either their own ineptitude or that of those who run the vulnerable systems or (c) don't want to upset the nice terrists in case they get really mad - hearts and minds and all that carp.
Solution 1 - Hit the perps hard - a lot of this stuff endangers life and health apart from being costly. Be aware that this will likely lead to war in some cases. Be aware that it's pointless going to war unless you're prepared to win - and clear up afterwards.
Solution 2 - Make it very clear in law that there's a clear audit trail of criminal responsibility for all those responsible for critical systems and their security, including their design and maintenance INCLUDING THOSE IN GOVERNMENT. With appropriate penalties. Not chosen by lazy incompetent greedy fat ....
One can dream.
Well considering the SCOTUS pitched a fit and overturned the one time the government actually convicted a large corporation (Arthur Andersen) of outright fraud, #2 is a pipe dream. At least they can still go after executives for bad behavior, you know, like they did after the mortgage meltdown. Funny how that works when your whole culture is based around corporatism.
"which will happen first:
1) government wanting even more surveillance on everybody
2) stiff penalties for companies leaving their systems insecure"
#) Nothing. It's not like They urinated in a reservoir or anything serious like that.
If you store credentials
Question is what credentials. Some credentials - such as what you need to access CRM have to be stored.
Now the fact that the credentials were such that they allowed manipulation of the actual live industrial control systems is the "criminal negligence" bit. As these control chlorine, chloramine and access to the drinking water supply there are quite a few criminal charges applicable to the execs of the water company in question in most legislation. Criminal negligence is just the start. I would slap onto them "being accessory to terrorism" without having a second thought.
... and what's with the pejorative "ageing as/400" smack-talk?
Yes. A swing and a miss there for Leyden. I'd much rather have the back end be an AS/400 running, oh, some release of OS/400 V3 than, say, an almost-certainly-misconfigured Win2K system, or never-patched Linux of similar vintage.
I would imagine the billing system is probably polling information from the control system. And presumably the treatment controls are on the same system as the network/metering ones. Obviously this should be via a locked down account with no permissions - but I guess it isn't. Well, even more obviously, it shouldn't even be connected - that info should be going to an offline database first.
I can understand wanting to have central control of the system. Rather than having to control things individually at each pumping station and works. But that should be via a private network, not the internet. And there certainly shouldn't be a bloody web server.
Admittedly they do regular testing of the water. Although some of that will be manual, and so not vulnerable to computer intrusion, I'd expect that this will also be moving towards automation.
You can do an amazing amount of damage though. If you control valves, pumps, or worse pumps and valves - then you can easily cause pipes to burst. With chemical dosing you can either overdose or underdose the water and cause problems. Sewage plants are also delicately balanced, in that they have beds which use bacteria to break down some of the waste products - and if too much of certain chemicals gets in there, it kills off the colonies, and stops the treatment plant working.
Well, I was one of those customers and given just how little Severn Trent seemed to know about the incident and how it happened it made me wonder too.
After 8 hours there was still much confusion. I saw them doing what looked to me like pumping out a water tower into a long line of waiting tankers the next day.
When I was down getting my 4 litres of free water (generous or what!) we asked the ST woman there why we couldn't shower in it and she said it's chlorine and it's way stronger in concentration than you'd get at the swimming baths. (She really couldn't stress just how much we really shouldn't use it to even wash hands.) So if something looked like a computer error or hack this is a likely candidate.
Then again, could just be coincidence. Guess we will never know!
Many water companies who abstract ground water (like ST) use superchlorination - they add a lot of chlorine to guarantee to kill any bugs then reduce the chlorine levels before it hits supply, without needing an intermediate tank/reservoir - it goes straight down the pipe. A mechanical/electrical failure at any point in the dosing system could allow high chlorine levels to get through to supply without the system getting hacked.
Yep - super chlorination, or shock dosing.
Anything above 0.5 ppm HClO will kill most bacteria, and your average swimming pool will be 1 to 3 ppm to ensure all those scutty people who don't shower before going for a swim don't bring in any nasties, and also to make sure if little Johnny curls off a floater, then it won't need the pool to be evacuated and drained!
Obviously you don't want to be drinking the contents of your local pool, but it won't kill you.
Hot spas and things like that can be maintained between 3 and 6 ppm, but as you aren't in for too long, it won't cause any problems.
Anything above 6ppm however is really not advised, as at this concentration, you will start to get bleaching, and sensitive skin can start getting rashes and irritation.
If you hit anywhere above 10 - 12 ppm, you really, really do have a problem. I can only assume that the STW recent problem had HClO levels way above 3 - 6 ppm.
(I recently did the STA water treatment course.....)
Anyone remember Milton Sterilising Tablets? Maybe someone bunged a few of these into the reservoir.......
Hey shit happens. Back in the 1990s, when I worked in a chemical factory, we had a water treatment guy in to dose the cooling tower water with biocide (legionnaires). Unfortunately they didn't tell anyone that they'd done it. So some maintenance fellow comes on shift and opens up a valve to let water into the local canal. A few hours later the surface of the canal was covered in dead and dying fish.
Could this be STW? A couple of decades ago (and before Sir Tim invented WWW) I worked on a SCADA system for Severn Trent that could, in theory, be used to control a water treatment plant. Being pre-WWW it didn't have a front end server, and it ran on hardware that was somewhat more mature than the AS/400, (not that I'm prepared to say what it ran on). I did hear from a reliable source that the old software had been ported to new hardware (AS400?) and it is entirely possible that a ropey old web front end was bolted on to the port. I also wonder if this is a coincidence.
Monzy Merza, Splunk’s director of cyber research and chief security evangelist, commented: “Dedicated and opportunistic attackers will continue to exploit low-hanging fruit present in outdated or unpatched systems. We continue to see infrastructure systems being targeted because they are generally under-resourced or believed to be out of band or not connected to the internet.”
“Beyond the clear need to invest in intrusion detection, prevention, patch management and analytics-driven security measures, this breach underscores the importance of actionable intelligence. Reports like Verizon’s are important sources of insight. Organisations must leverage this information to collectively raise the bar in security to better detect, prevent and respond to advanced attacks. Working collectively is our best route to getting ahead of attackers,” he added.
Every card a winner!
Seriously, who writes this stuff?
And Verizon Enterprise, the guys who do write these intrusion reports, got hacked themselves, according to krebsonsecurity...
http://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-customer-data/
I heard that another US-based hacktivist group had got away with doing similar tricks for some years before they were stopped.
Because there was a time when "consolidation" was the buzzword like cloud is today (cloud is still a form of consolidation...). The mantra was to run everything on fewer, more powerful systems to save money. Done in the right way it could be OK; done in the wrong way by clueless people ("hey, we have this AS/400, let's run both the water control system and accounting from it! See how much we saved?") it leads to these situations. Of course IBM told (and sold) you you could run different workloads on it, so why not? The AS supported hardware partitioning - but if used by a clueless sysadmin, little changes...
Did they use partitions or not? The fact the AS/400 supports LPARS doesn't mean it was in use.
Also, even today running software at different security levels on the same hypervisor *can* be a security issue. There are bugs in hypervisors (and even in CPUs...) that let an attacker compromise other VMs. Thus, even if it costs more, it may be sensible to run software on truly separated hardware.
But everything becomes useless if there are easy channels between systems and powerful credentials are stored everywhere.
Because organizations which run generally safe, sane, and relatively secure systems like the AS/400 (and its successors) don't usually see the need to carve things up unnecessarily, although some separation of duties may have been a wise decision in this particular case. But I have worked with/for several companies now who have gone down the path of "modernizing" their systems, by moving things over to some number of different (mostly) dedicated servers, only to often quickly run into the problem of not knowing why/when/where things are going wrong, nor of course how to fix it.
I'm dealing with that very issue right now, in fact, where instead of things staying on the AS/400 where they really belonged, they've been spread out across several different servers of various types. But critical things are occasionally failing now where they didn't fail before, and the situation is getting progressively worse, and nobody really understands enough about the whole set-up (nor do they generally have the time or the patience) to really be able to go in and find the problem and fix it. Which is where I come in, because I've had to run such rabbits down in the past, at other organizations.
All critical national infrastructure (water, power, etc) should be air gapped from the internet immediately, and anyone who attempts to implement internet connectivity as a cost cutting measure should be imprisoned. Cost cutting will bite us all on the ass eventually.........
Why the hell is a control system on a publicly accessible network in the first place? Something like that should be on a self-contained network to prevent anything like this being possible. It beggars belief that all these utility companies don't have better network designs.
Maybe I'm being too pedantic but 'hacktivist' is not a term I ever associated with causing actual harm to people - messing about with the chemical balance of a water supply is a long way off that. It doesn't matter that they didn't succeed in the end.
That said, I see the main concern is that the customer information wasn't used for fraud, so maybe I just have my values all wrong.
"maybe I just have my values all wrong"
You have. Google Camelford incident. That was an operational cock-up but it seems likely that something similar or worse could be achieved deliberately through illegal access to SCADA networks.
Having said that, if details of 2.5 million customers were exposed then they should be notified irrespective of whether there's any evidence of fraud. In fact, if they weren't notified it would be difficult to know whether there had been fraud or not. Hiding the whole incident behind a pseudonym is just irresponsible.
You mean 'pour'.
Your vengeance-filled angry reaction originates from somewhere very close to your reptilian brain stem. It's thus about as interesting or thoughtful as the firing of a single neuron in a Petri dish.
I've noticed this sort of ugly reaction style post over the years, it's a very consistent style, and it's become something of a pet peeve for me. (Sorry.)
Typically the thread degenerates into a contest with subsequent entries like "No! Pour FLAMING PETROL down their throats. Cut their d#$&s off." "No! Use flaming Bunker fuels and pump it into their ears..." Etc. Etc. Etc.
It would be useful to come up with a catchy name for the style of post, to make it easier to denigrate. Any ideas?
"It would be useful to come up with a catchy name for the style of post, to make it easier to denigrate. Any ideas?"
A 'post-tard', as in retard at posting, and rhymes with postcard which are used for brief inane messages.
Similarly 'mutard' for those who don't know how to use the mute button on a conference call and end up talking to themselves.
Yes, pour.
I see you are from the cupcake generation, where nobody gets punished, and everyone gets a trophy.
I am from the worked-for-it generation, where if you hurt someone you get hurt, and if you get a trophy you worked hard for it.
I have no sympathy for those that would inflict suffering on others for amusement, and see punishment for such actions as just. But maybe you want to give them a lollipop? And if your children are hurt or killed by these people you might see the world as it is and not through rose-tinted glasses.
Call my reaction Vigilant, and I will call yours Cupcake.
'Vigilant'? Hardly. If your plan was Vigilant it would have involved actually looking at something rather than giving them and their kids injections in the eyes of radioactive napalm-spiders.
The people responsible for this are the ones who shared credentials for critical systems on front-end web services. Those who made it so that the control systems were connected to the public Internet.
The hackers were, according to the report, basically as clueless as the security bods and management who enabled them. The hacker was probably just a script kiddie arsing about and found this system, or a student looking to drop his water rate. He/she may not even have known it was a control system. So save the "crush their testicles with Osmium-booted rhinoceroses" talk for the people who caused the problem rather than those who bumbled into exploiting it.
"The people responsible for this are the ones who shared credentials for critical systems on front-end web services. Those who made it so that the control systems were connected to the public Internet."
Hmmm, I can't disagree that it's completely stupid to do what you've outlined above and that they have a level of responsibility but your argument is a bit like "it's your fault for being burgled as you have nice stuff!". Regardless of the cluelessness of the individuals who perpetrated this, they are ultimately responsible for what they do and "bumbling into exploiting it" does not absolve them from that responsibility....
My view - YMMV.
"The people responsible for this are the ones who shared credentials for critical systems on front-end web services. Those who made it so that the control systems were connected to the public Internet."
A characteristic of the "cupcake" generation, is their willingness to blame others for their own (and others') ill deeds. While the sysadmins in this case were clearly misguided, clueless and/or negligent, they are not responsible for the breach.
Responsibility lies clearly with the perp. End of story.
A "hacktivist" group with ties to Syria....
Verizon's RISK Team uncovered evidence that the hacktivists had manipulated the valves controlling the flow of chemicals twice – though fortunately to no particular effect.
To be sure, if they weren't caught they would have been back.
Simply remove email and Internet access from the majority of your employees. Far too many seem to assume it is a right to have a company email address and Internet access when the reality is very few employees actually need it for their jobs. Other messaging systems (such as Lync) can be limited to internal-only conversations, removing the spear-phishing threat and yet providing the same or better internal service than email. Then air-gap those few systems used for external email, for those users whose role does require email, from access to core networks.
Occam's razor folks,
Never attribute to malice that which can be adequately explained by stupidity:
http://www.bbc.co.uk/news/uk-england-cornwall-17367243
Alright it may have been hacktivists, but it may have been water authority fuckwits.
paris, to fuck yur wits in the meantime....
This may be news to many of our younger adherents, of course.
Read and learn, gentlemen.
Another example of what happens when the bean counters decide free is better and the coders think using the internet for everything is way cool. Only fools and idiots will put sensitive, proprietary, or mission critical software onto the internet. They keep forgetting that a net is a bunch of string held together by holes and that a cloud is a bunch of holes held together by vapor.
The crux of the problem is why were the two systems ever linked to begin with. Treatment plant control systems have no need to be linked to the customer payment system or even on the Internet. Scada systems 30 years ago were not linked to anywhere but the control room which is one site so the connections were hardwired. This worked and still works.
The coroner Mr Rose got it completely wrong in the inquest on Carole Cross. The presence of aluminium in the brain of an Alzheimer's sufferer is a consequence of, and not a cause of, the illness. Alzheimer's is caused by the development of amyloid plaques in the brain which then adsorb any aluminium which may be present in the bloodstream. Aluminium is present in the diet from other sources and not necessarily the water supply. For example, the average cup of tea contains aluminium which comes from the tea leaves.
At least twice I've registered with Verizon Security Solutions in order to gain some offered benefit. "Fill in this form and we'll send you this or that info." Batting ZERO-for-two in them following through. The name 'Verizon Security Solutions' has thus acquired an aroma of incompetence. Negative brand equity.
What is it with people in the 'IT Security' field?
I would be willing to bet that the reason they are accessible from the web is due to lazy engineers who use VNC to remote in. In fact some engineers are so lazy they do not want to use a password to log on.
If you have never heard of this site http://vncroulette.com and the absolutely insane things they find: what they find is open VNC servers open to the world.