Inside Denmark’s hell week as critical infrastructure orgs faced cyberattacks

Danish critical infrastructure faced the biggest online attack in the country's history in May, according to SektorCERT, Denmark's specialist organization for the cybersecurity of critical kit. Detailing the attack waves in a report, it revealed that 22 companies were breached in just a few days. Some were forced to enter …

  1. Eclectic Man Silver badge
    Facepalm

    Firewall updates

    "Other members had deliberately opted out of the updates as there was a cost from the supplier to install them (the software itself is free). Still others simply did not know they had the devices in question in their network. Either because a supplier had installed them without telling them about it or because they did not have an overview of the devices that were connected to their network."

    Umm, what is the point of having a firewall if you opt out of security updates?

    1. fajensen

      Re: Firewall updates

      Danish IT projects are renowned for failing spectacularly; nobody would dare install anything, and in any case they couldn't afford it :).

      1. Eclectic Man Silver badge
        Unhappy

        Re: Firewall updates

        You should listen to the latest instalment of the British Post Office's Project Horizon saga on BBC Radio 4. It seems that Fujitsu got a contract where the customer had no rights to inspect the design or implementation, and had bought a 'black box'. One hopes fervently that this is a 'one off', but, well, how can we tell?

        https://www.bbc.co.uk/sounds/play/m001sd4l

        The Great Post Office Trial (log-on required to listen, sorry)

        "The Post Office Horizon Scandal has been called the widest miscarriage of justice in modern British history, with the number of former Sub Postmasters whose convictions have been overturned now over 60. Those who suffered prosecution or financial ruin due to errors on the Post Office's Horizon computer system want answers. How could this have happened? Who is responsible?

        Continuing the series that has helped expose the scandal since 2020, Nick Wallis draws on interviews, documents and the extraordinary revelations spilling out of the ongoing public inquiry. For the first time, the public is getting real insight into what was really going on inside the Post Office.

        Presenter: Nick Wallis

        Producer: Robert Nicholson

        Sound Design and Mixing: Arlie Adlington

        Executive Producer: Will Yates"

        Beat that, Denmark (well, don't, really don't).

    2. An_Old_Dog Silver badge
      WTF?

      Re: Firewall updates

      Opting out of the security updates is like buying a Lamborghini, but "saving money" by not changing the oil on the manufacturer's recommended schedule.

      1. jmch Silver badge

        Re: Firewall updates

        " is like buying a Lamborghini, but "saving money" by not changing the oil on the manufacturer's recommended schedule."

        Actually it's like buying *any vehicle*, but "saving money" by not changing the oil on the manufacturer's recommended schedule.

        1. Snake Silver badge

          Re: saving money

          "Actually it's like buying *any vehicle*, but "saving money" by not changing the oil on the manufacturer's recommended schedule."

          You shouldn't go on to owners' forums on the internet, then. If I had a penny for every time someone talks about saving money on their oil changes by using off-brand filters and extending oil service intervals, after spending big $$$/£££ on *buying* the vehicle in the first place, I'd be a wealthy, wealthy, wealthy man.

          1. druck Silver badge

            Re: saving money

            But then there is the USAsians insisting you will destroy your engine unless you change the oil every 5000 miles like it is still the 1950s.

            Not detracting from the point about security updates, which really are worth doing as often as is practicable.

      2. sanmigueelbeer Silver badge

        Re: Firewall updates

        It's like a bank buying a firewall but not buying a maintenance contract to update the firmware.

    3. 0laf Silver badge
      FAIL

      Re: Firewall updates

      There is nothing shocking in that. Many organisations refuse any downtime to apply fixes and updates to critical systems. At the same time they reduce IT budgets and refuse to pay for out-of-hours support when the downtime would be less impactful. This looks like a problem with a beancounter at the root of it. Again.

  2. Mike 137 Silver badge

    Sounds about par for the course

    "[...] Either because a supplier had installed them without telling them about it or because they did not have an overview of the devices that were connected to their network."

    So Equifax was not alone in not having an inventory. Mind you, in 20 plus years of consulting I've never encountered a complete and up-to-date one, regardless of the scale of the enterprise. I even remember one occasion when I asked the CTO of a multinational for their WAN diagram and he grabbed a sheet of A4 paper and a biro.

    1. Eclectic Man Silver badge
      Facepalm

      Re: Sounds about par for the course

      Paraphrasing the 'conversation'.

      Me (in my previous position as an IT Security Consultant at a bidder meeting with the Prospective Client): What equipment do you have on your network?

      Prospective Client: We don't know.

      Me: Do you know what software and applications are running on your network?

      PC: No.

      Me: Do you know what data you have available on your network?

      PC: No.

      Me: Do you know who has access to the data on your network?

      PC: Not really.

      Me: Do you know what constraints there are on access to data you have received from other organisations?

      PC: What do you mean?

      Me: You have data which you received from other organisations which has access constraints as it is personal or sensitive; do you know what those constraints are?

      PC: I don't understand.

      etc...

      (We lost the bid; the contractor that 'won' was held in breach of contract after two months. Basically we dodged a bullet with that particular 'organisation'.

      Happy days, now that I'm retired.)

      1. simkin

        Re: Sounds about par for the course

        Sounds right. I just had to fill in our cyberinsurance forms for this year.

        q: How many endpoints are not protected? If any, why?

        a: 100%. Reason, we don't employ anyone whose job it would be to manage them.

    2. Dimmer Silver badge

      Re: Sounds about par for the course

      Never ever use MS Active Directory for your firewall / VPN logins

      It is so easy, so convenient, etc. - for the hackers. I have seen this so many times in compromised networks.

      In one fail swoop they have the email address and passwords for all in your org.

      Don’t allow management to short you on PFYs to properly maintain your border.

      1. Eclectic Man Silver badge
        Happy

        Re: Sounds about par for the course

        Worthy of an upvote (if only for the phrase "fail swoop" - brilliant).

  3. Anonymous Coward
    Anonymous Coward

    Zyxel firewalls

    "In almost all cases unpatched vulnerabilities in Zyxel firewalls meant compromise was possible"

    Is this a joke? What idiot would consider using Zyxel anywhere near anything business relevant, let alone critical infrastructure?

    Zyxel is a bottom-of-the-barrel vendor of SoHo/prosumer networking equipment and only marginally better than Netgear. Seeing either name on networking equipment is usually a solid indicator that this was bought by someone who has no idea about networking or IT security.

    Does this mean there are no competent network engineers in Denmark?

    1. An_Old_Dog Silver badge
      Windows

      Zyxel Modems

      Remember when Zyxel made external modems? They were the cheap ones.

    2. Tim99 Silver badge

      Re: Zyxel firewalls

      "Is this a joke?" - Probably, but...

      I live in a retirement village and the builder used Zyxel modems (bog standard VDSL with no WiFi) to attach each house to our central comms room about 10 years ago. Mine just kept running, with typical uptimes of about 3 months (external contractor remote upgrades?), with no problems at all, until it died last year. The supplied replacement is a cheapish TP-Link with WiFi. The standard installation is in a small metal comms box in the garage (as expected, WiFi performance is "poor", so it's normally turned off).

    3. ChoHag Silver badge

      Re: Zyxel firewalls

      > Does this mean there are no competent network engineers in Denmark?

      None who are willing to work for the peanuts that these organisations might occasionally fling their way.

    4. hmas

      Re: Zyxel firewalls

      A bad workman blames their tools. Whether it's Cisco, Checkpoint, Sonicwall or ZyXel gear, vulnerabilities are a fact of life. The unforgivable part is either assuming that your supplier is applying updates or opting out of the update program altogether due to cost.

      Unfortunately, it's a common oversight, especially in heavy industry and CNI where they apply the same patch and vulnerability policies to IT infrastructure as they do to OT/ICS/SCADA; in other words, not actually having a patch and vulnerability policy.

    5. Pete Sdev

      Re: Zyxel firewalls

      In all fairness, if you don't patch the software (in this case because of not wanting to pay for the updates), it doesn't matter who the manufacturer is - at some point in time it will almost always become vulnerable.

    6. Snake Silver badge

      Re: Zyxel firewalls

      In all fairness, Cisco's "SoHo" router of a number of years ago (RV110) was an out-of-date piece of junk that was still being flogged well, well after its sell-by date (and was foisted on me by the supplier my boss chose).

      So just because it has a nice manufacturer's label doesn't mean much nowadays...

    7. jazzyDK

      Re: Zyxel firewalls

      I have installed VOIP solutions in many companies and you would be surprised how bad many companies' networks are, as they often just have someone assigned to IT with no knowledge. Just that they have a firewall is huge compared to others I have seen. They were never happy when I told them that they had to rip out everything before I could start.

  4. may_i Silver badge

    Puff piece

    SektorCERT describe themselves on their own web site with the banner: "Together we strengthen cyber security in Danish critical infrastructure" and say things like: "Among other things, we handle the monitoring of the companies in the sectors that are connected to our extensive sensor network. Via the sensor network, we monitor internet traffic with a view to detecting cyber attacks against Danish critical infrastructure." They describe their business form as: "SektorCERT is a non-profit association owned and financed by Danish companies within critical infrastructure."

    It sounds much more to me like some Danes thought, "Hej, CERT pulls in loads of cash, so let's set ourselves up as a Danish CERT, Danish companies will pay lots of money for that." and are now trying to get their organisation mentioned in as many puff pieces as possible based on a poor war story from May this year.

    I don't see how they have provided the businesses which fund them any particular value. Given their "extensive network of sensors" and on their own admissions in the article, they appear to be running some kind of perimeter firewall/proxy for their members: "As the devices weren't available for scanning on services like Shodan, SektorCERT said it's not clear how the attackers were able to identify the vulnerable firewalls."

    If you're trying to be a security organisation which actively defends their members' networks, you don't allow internal router management interfaces to be accessible from the Internet at large, ever. You don't let your "critical infrastructure" clients use Chinese Home/SOHO routers on their networks either! These mistakes show a fundamental lack of network security understanding. Not being able to work out how the attackers reached these supposedly protected interfaces, particularly considering how long they have had to work it out, is piss poor for a company which claims that it is "protecting the Kingdom of Denmark's critical infrastructure".

    They need to get a better writer for their next puff piece and have a new war story that doesn't make them look like an unnecessary bunch of amateurs. And if they're really a CERT organisation, where's the English version of their web site?

  5. CowHorseFrog Silver badge

    One has to wonder why so many of these systems are connected to the internet.

    Who are the fucking experts that supported or recommended this idea?

    A coal power plant etc has no business being on the internet...

    1. hammarbtyp

      The 1990's are calling and want their comment back.

      There are many good reasons for a powerplant to be on the internet. For example you may want to combine power predictions with weather data

      The issue is not that it is connected to the internet, it is how it is connected and how the control system is isolated from say the enterprise system. For example you may want to connect a data diode to ensure data is only going outwards.

      The problem tends not to be the internet, but the fact that organizations get lazy. The original Sandworm attack on Ukraine infrastructure was due to someone deciding to bypass the firewall with a dedicated link (I'm guessing because all the security stuff was getting in the way of their day job).

      1. CowHorseFrog Silver badge

        hammer: The 1990's are calling and want their comment back.

        cow: given what's happening, was it worth connecting those computers to the internet?

        ~

        hammer: There are many good reasons for a powerplant to be on the internet. For example you may want to combine power predictions with weather data

        cow: here's an idea, use a separate computer to get the weather... I'm sure copying a few temps from a weather website isn't worth risking a cyber attack...

        Even if it's more than a few numbers, again safety first, use an iPad, and copy those numbers over...

        ~

        hammer: The issue is not that it is connected to the internet, it is how it is connected and how the control system is isolated from say the enterprise system. For example you may want to connect a data diode to ensure data is only going outwards.

        cow: or you could just be safe and not connect that computer to the net...

        Now tell me, given today's news, would my recommendation have worked?

        Was it the end of the world not to connect those computers to the net?

        Of course not. Pretty sure a power plant can afford another computer to read the weather.

        hammer: The problem tends not to be the internet, but the fact that organizations get lazy. The original Sandworm attack on Ukraine infrastructure was due to someone decided to bypass the firewall with a dedicated link (I'm guessing because all the security stuff was getting in the way of their day job)

        cow: which is why one should make plans according to reality, not some perfect planet where idiots don't exist.

    2. hoola Silver badge

      Mainly because pretty much everything needs some sort of Internet connection to work.

      You need updates

      Metrics and alerting "Phone home"

      Remote support

      Now add in all the office infrastructure that simply cannot function without an Internet connection and you see why we are where we are.

      Almost all business applications are online or some sort of cloud SaaS service. There is very little that is not.

      1. Zack Mollusc

        Yes and no

        The vast majority of those things 'need' internet access in the same way that the Financial Director 'needs' cocaine: they cannot function without it, but it does not have to be this way.

        1. CowHorseFrog Silver badge

          Re: Yes and no

          Can you actually quote this from a manufacturer or supplier?

          links...

      2. CowHorseFrog Silver badge

        Here's an idea: given how many billions are involved in energy, I'm sure the software supplier wouldn't mind sending a memory card or whatever with the latest update...

        Fuck, is it really that hard to think of alternatives?

        Is it really worth the risk of connecting a nuclear power plant to the internet so some operator one day downloads crap that makes a takeover possible?

    3. Pete Sdev

      Whilst you wouldn't directly connect the SCADA to the internet, the site as a whole needs some way of receiving and transmitting data.

      Data-In:

      Demand level from the national grid

      Weather and weather forecasts

      At least in the past: TV programming, with scheduled break times and predicted viewing figures

      Data-Out:

      Status (off, warming up, on, spinning down)

      Current Power produced

      etcetera.

      You could do this with say fax (which may have been the case in the past, any former power station engineers here?) but for a modern grid you may as well use IP.

      It's a question of DMZs and isolation that determines the security, not the connectivity itself.

      1. CowHorseFrog Silver badge

        And given firewalls etc. didn't work, is it really worth the risk?

    4. hmas

      Where do you start?

      You have infrastructure with a service lifecycle far in excess of Enterprise IT equipment. Some of this kit makes mainframes and mid-range systems look positively sprightly and youthful.

      Most of these environments have evolved over time and more and more complexity has been bolted on. Some of the underlying infrastructure still uses serial and closed protocols to communicate. As for secure communications - forget it.

      So, against that backdrop, deploying lots of smaller edge firewalls to protect such networks seems logical.

    5. tip pc Silver badge
      Holmes

      A coal power plant etc has no business being on the internet...

      You are right in that strictly speaking a coal plant and other critical infrastructure doesn't need connecting directly to the internet, but it does need connecting to a centralised management system.

      Once upon a time we used to have these things called Wide Area Networks, so called as they connected a company's facilities/buildings/factories/offices/HQ etc. via a private network, and there was centralised Internet connectivity, usually at HQ.

      Most telcos started using generic circuits and using techniques like MPLS or VPNs to keep WAN traffic separate from Internet traffic in their telco network, so to the companies buying private circuits it was segregated.

      Modern gung-ho types decided that there is no need for private WAN circuits and the Internet can be the WAN, so cheap DSL-type circuits get thrown in and protected by those fabled "firewalls" to provide that segregation they used to enjoy in the private days.

      My view has always been that if it's important, always do private circuits, with encryption on those if it's really important.

      Today point-to-point or multipoint DWDMs are a thing, so use those, again with encryption on top.

      It's expensive, but if it's needed, buy it.

  6. ChoHag Silver badge

    The organisation which is supposed to protect its clients from vulnerabilities did bugger all for a week after discovering a new one then the organisations that blindly rely on them for their own safety did bugger all for another two.

    They do provide nice toys to play with to find out just how fucked you've been by their and your negligence though, which this puff piece shows off well.

  7. John_Ericsson

    "Danish critical infrastructure ..... Some were forced to enter island mode operation, where they had to disconnect from the internet"

    Dare I suggest critical infrastructure should remain isolated?

    1. Eclectic Man Silver badge

      re: Isolation

      Isolation may be acceptable for some CNI, but the telecommunications network is also CNI, as are the mains services (water / sewerage, electricity, gas), blue light services (Police, Fire, Ambulance, Mountain rescue, Coast Guard) and supermarket stocking and ordering systems.

  8. Anonymous Coward
    Boffin

    CyberInsecurity: The Cost of Monopoly

    Running your entire critical infrastructure on the same hardware/software is obviously an imperfect solution. This software monoculture leads to such breaches as described in the article.

    CyberInsecurity: The Cost of Monopoly (2003)
