Danish critical infrastructure faced the biggest online attack in the country's history in May, according to SektorCERT, Denmark's specialist organization for the cybersecurity of critical kit. Detailing the attack waves in a report, it revealed that 22 companies were breached in just a few days. Some were forced to enter …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Monday 13th November 2023 15:45 GMT Eclectic Man

Firewall updates

"Other members had deliberately opted out of the updates as there was a cost from the supplier to install them (the software itself is free). Still others simply did not know they had the devices in question in their network. Either because a supplier had installed them without telling them about it or because they did not have an overview of the devices that were connected to their network."

Umm, what is the point of having a firewall if you opt out of security updates?

27 1 Reply
1. Monday 13th November 2023 17:05 GMT fajensen
  
  Re: Firewall updates
  
  Danish IT projects are renowned for failing spectacularly, nobody would dare install anything and in any case they couldn't afford it :).
  
  3 1 Reply
  1. Wednesday 15th November 2023 11:38 GMT Eclectic Man
    
    Re: Firewall updates
    
    You should listen to the latest instalment of the British Post Office's Project Horizon saga on BBC Radio 4. It seems that Fujitsu got a contract where the customer had no rights to inspect the design or implementation, and had bought a 'black box'. One hopes fervently that this is a 'one off', but, well, how can we tell?
    
    https://www.bbc.co.uk/sounds/play/m001sd4l
    
    The Great Post Office Trial (log on on required to listen, sorry)
    
    "The Post Office Horizon Scandal has been called the widest miscarriage of justice in modern British history, with the number of former Sub Postmasters whose convictions have been overturned now over 60. Those who suffered prosecution or financial ruin due to errors on the Post Office's Horizon computer system want answers. How could this have happened? Who is responsible?
    
    Continuing the series that has helped expose the scandal since 2020, Nick Wallis draws on interviews, documents and the extraordinary revelations spilling out of the ongoing public inquiry. For the first time, the public is getting real insight into what was really going on inside the Post Office.
    
    Presenter: Nick Wallis
    
    Producer: Robert Nicholson
    
    Sound Design and Mixing: Arlie Adlington
    
    Executive Producer: Will Yates"
    
    Beat that, Denmark (well, don't, really don't).
    
    0 0 Reply
2. Tuesday 14th November 2023 02:05 GMT An_Old_Dog
  
  Re: Firewall updates
  
  Opting out of the security updates is like buying a Lamborghini, but "saving money" by not changing the oil on the manufacturer's recommended schedule.
  
  10 1 Reply
  1. Tuesday 14th November 2023 10:02 GMT jmch
    
    Re: Firewall updates
    
    " is like buying a Lamborghini, but "saving money" by not changing the oil on the manufacturer's recommended schedule."
    
    Actually it's like buying *any vehicle*, but "saving money" by not changing the oil on the manufacturer's recommended schedule.
    
    5 2 Reply
    1. Tuesday 14th November 2023 14:33 GMT Snake
      
      Re: saving money
      
      "Actually it's like buying *any vehicle*, but "saving money" by not changing the oil on the manufacturer's recommended schedule."
      
      You shouldn't go on to Owner's forums on the internet, then. If I had a penny every time someone talks about saving money on their oil changes by using off-brand filters and extending oil service intervals, after spending big $$$/£££ on *buying* the vehicle in the first place, I'd be a wealthy, wealthy, wealthy man.
      
      3 0 Reply
      1. Friday 24th November 2023 14:24 GMT druck
        
        Re: saving money
        
        But then there is the USAsians insisting you will destroy your engine unless you change the oil every 5000 miles like it is still the 1950s.
        
        Not distracting from the point about security updates which it really is worth doing as often as is practicable.
        
        0 1 Reply
  2. Tuesday 14th November 2023 10:59 GMT sanmigueelbeer
    
    Re: Firewall updates
    
    It's like a bank buying a firewall but did not buy maintenance contract to update firmware.
    
    4 0 Reply
3. Tuesday 14th November 2023 10:29 GMT 0laf
  
  Re: Firewall updates
  
  There is nothing shocking in that. Many organisation refuse any downtime to apply fixes and updates to critical systems. At the same time they reduce IT budgets and refuse to pay for out of hours support when the downtime would be less impactful. This looks like a problem with a beancounter at the root of it. Again.
  
  17 0 Reply
Monday 13th November 2023 17:04 GMT Mike 137

Sounds about par for the course

"[...] Either because a supplier had installed them without telling them about it or because they did not have an overview of the devices that were connected to their network."

So Equifax was not alone in not having an inventory. Mind you, in 20 plus years of consulting I've never encountered a complete and up to date one, regardless of the scale of the enterprise. I even remember one occasion when I asked the CTO of a multinational for their WAN diagram he grabbed a sheet of A4 paper and a biro.

13 0 Reply
1. Monday 13th November 2023 18:07 GMT Eclectic Man
  
  Re: Sounds about par for the course
  
  Paraphrasing the 'conversation'.
  
  Me (in my previous position as an IT Security Consultant at a bidder meeting with the Prospective Client): What equipment do you have on your network?
  
  Prospective Client: We don't know.
  
  Me: Do you know what software and applications are running on your network?
  
  PC: No.
  
  Me: Do you know what data you have available on your network?
  
  PC: No.
  
  Me: Do you know who has access to the data on your network?
  
  PC: Not really.
  
  Me: Do you know what constraints there are on access to data you have received from other organisations ?
  
  PC: What do you mean?
  
  ME: You have data which you received from other organisations which has access constraints as it is personal or sensitive, do you know what those constraints are?
  
  PC: I don't understand.
  
  etc...
  
  (We lost the bid, the contractor that 'won' was held in breach of contract after two months. Basically we dodged a bullet with that particular 'organisation.
  
  Happy days, now that I'm retired.)
  
  24 0 Reply
  1. Tuesday 14th November 2023 19:05 GMT simkin
    
    Re: Sounds about par for the course
    
    Sounds right. I just had to fill in our cyberinsurance forms for this year.
    
    q: How many endpoints are not protected? If any, why?
    
    a: 100%. Reason, we don't employ anyone whose job it would be to manage them.
    
    1 0 Reply
2. Tuesday 14th November 2023 15:08 GMT Dimmer
  
  Re: Sounds about par for the course
  
  Never ever use MS Active Directory for your firewall :/ vpn logins
  
  It is so easy, so convenient, etc. - for the hackers. I have seen this so many times in compromised networks.
  
  In one fail swoop they have the email address and passwords for all in your org.
  
  Don’t allow management to short you on PFYs to properly maintain your border.
  
  4 1 Reply
  1. Tuesday 14th November 2023 15:47 GMT Eclectic Man
    
    Re: Sounds about par for the course
    
    Worthy of an upvote (if only for the phrase "fail swoop" - brilliant).
    
    3 0 Reply
Monday 13th November 2023 18:35 GMT Anonymous Coward

Zyxel firewalls

"In almost all cases unpatched vulnerabilities in Zyxel firewalls meant compromise was possible"

Is this a joke? What idiot would consider using Zyxel anywhere near anything business relevant, let alone critical infrastructure?

Zyxel is a bottom-of-the-barrel vendor of SoHo/prosumer networking equipment and only marginally better than Netgear. Seeing either name on networking equipment is usually a solid indicator that this was bought by someone who has no idea about networking or IT security.

Does this mean there are no competent network engineers in Denmark?

12 1 Reply
1. Tuesday 14th November 2023 02:10 GMT An_Old_Dog
  
  Zyxel Modems
  
  Remember when Zyxel made external modems? They were the cheap ones.
  
  6 0 Reply
2. Tuesday 14th November 2023 03:27 GMT Tim99
  
  Re: Zyxel firewalls
  
  "Is this a joke"? - Probably, but...
  
  I live in a retirement village and the builder used Zyxel modems (bog standard VDSL with no WiFi) to attach each house to our central comms room about 10 years ago. Mine just kept running, with typical uptimes of about 3 months (external contractor remote upgrades?), with no problems at - Until it died last year. The supplied replacement is a cheapish TP-Link with WiFi. The standard installation is in a small metal comms box in the garage (As expected, WiFi Performance is "poor"; so normally turned off).
  
  3 0 Reply
3. Tuesday 14th November 2023 09:32 GMT ChoHag
  
  Re: Zyxel firewalls
  
  > Does this mean there are no competent network engineers in Denmark?
  
  None who are willing to work for the peanuts that these organisations might occasionally fling their way.
  
  5 0 Reply
4. Tuesday 14th November 2023 09:45 GMT hmas
  
  Re: Zyxel firewalls
  
  A bad workman blames their tools. Whether it's Cisco, Checkpoint, Sonicwall or ZyXel gear vulnerabilities are a fact of life. The unforgiveable part is either assuming that your supplier is applying updates or opting out of the update program altogether due to cost.
  
  Unfortunately, it's a common oversight, especially in heavy industry and CNI where they apply the same patch and vulnerability policies to IT infrastructure as they do to OT/ICS/SCADA; in other words not actually having patch and vulnerability policy.
  
  5 0 Reply
5. Tuesday 14th November 2023 10:54 GMT Pete Sdev
  
  Re: Zyxel firewalls
  
  In all fairness, if you don't patch the software (in this case because not wanting to pay for the updates), it doesn't matter who the manufacturer is - at some point in time it will almost always become vulnerable.
  
  4 0 Reply
6. Tuesday 14th November 2023 14:39 GMT Snake
  
  Re: Zyxel firewalls
  
  In all fairness, Cisco's "SoHo" router of a number of years ago (RV110) was an out-of-date piece of junk that was still being slogged well, well after it's sell-by date (and was foisted on me by the supplier by boss chose).
  
  So just because it has a nice manufacturer's label doesn't mean much nowadays...
  
  3 0 Reply
7. Tuesday 14th November 2023 14:40 GMT jazzyDK
  
  Re: Zyxel firewalls
  
  I have installed VOIP solutions in many companies and you would be surprised how bad many companies network are. As they often just have someone assigned to IT with no knowledge. Just that they have firewall is hugh compared to others i have seen. They are were never happy when i told them that they had to rip out everything before i could start.
  
  0 0 Reply
Monday 13th November 2023 21:39 GMT may_i

Puff piece

SektorCERT describe themself on their own web site with the banner: "Together we strengthen cyber security in Danish critical infrastructure" and say things like: "Among other things, we handle the monitoring of the companies in the sectors that are connected to our extensive sensor network. Via the sensor network, we monitor internet traffic with a view to detecting cyber attacks against Danish critical infrastructure." They describe their business form as: "SektorCERT is a non-profit association owned and financed by Danish companies within critical infrastructure."

It sounds much more to me like some Danes thought, "Hej, CERT pulls in loads of cash, so let's set ourselves up as a Danish CERT, Danish companies will pay lots of money for that." and are now trying to get their organisation mentioned in as many puff pieces as possible based on a poor war story from May this year.

I don't see how they have provided the businesses which fund them any particular value. Given their "extensive network of sensors" and on their own admissions in the article, they appear to be running some kind of perimeter firewall/proxy for their members: "As the devices weren't available for scanning on services like Shodan, SektorCERT said it's not clear how the attackers were able to identify the vulnerable firewalls."

If you're trying to be a security organisation which actively defends their members' networks, you don't allow internal router management interfaces to be accessible from the Internet at large, ever. You don't let your "critical infrastructure" clients use Chinese Home/SOHO routers on their networks either! These mistakes show a fundamental lack of network security understanding. Not being able to work out how the attackers reached these supposedly protected interfaces, particularly considering how long they have had to work it out, is piss poor for a company which claims that it is "protecting the Kingdom of Denmark's critical infrastructure".

They need to get a better writer for their next puff piece and have a new war story that doesn't make them look like an unnecessary bunch of amateurs. And if they're really a CERT organisation, where's the English version of their web site?

5 0 Reply
Tuesday 14th November 2023 07:58 GMT CowHorseFrog

One has too wonder why so many of these systems are connected to the internet.

Who are the fucking experts that supported or recomended this idea.

A coal power plant etc has no business being on the internet...

5 8 Reply
1. Tuesday 14th November 2023 08:53 GMT hammarbtyp
  
  The 1990's are calling and want there comment back.
  
  There are many good reasons for a powerplant to be on the internet. For example you may want to combine power predictions with weather data
  
  The issue is not that it is connected to the internet, it is how it is connected and how the control system is isolated from say the enterprise system. For example you may want to connect a data diode to ensure data is only going outwards.
  
  The problem tends not to be the internet, but the fact that organizations get lazy. The original Sandworm attack on Ukraine infrastructure was due to someone decided to bypass the firewall with a dedicated link (I'm guessing because all the security stuff was getting in the way of their day job)
  
  8 1 Reply
  1. Wednesday 15th November 2023 12:25 GMT CowHorseFrog
    
    hammer: The 1990's are calling and want there comment back.
    
    cow: given whats happening was it worth connecting those computers to the internet ?
    
    ~
    
    hammer: There are many good reasons for a powerplant to be on the internet. For example you may want to combine power predictions with weather data
    
    cow: heres an idea, use a separate computer to get the weather... Im sure copying a few temps from a weather website isnt worth risking a cyber attack...
    
    Even if its more than a few numbers, again safety first, use an ipad, and copy those numbers over...
    
    ~
    
    hammer: The issue is not that it is connected to the internet, it is how it is connected and how the control system is isolated from say the enterprise system. For example you may want to connect a data diode to ensure data is only going outwards.
    
    cow: or you coul djust be safe and not connect that computer to the net...
    
    Now tell me given todays news would my recommedation have worked ?
    
    Was it the end of the world not to connect those computers to the net ?
    
    Of course not. Pretty sue a power plant can afford another computer to read the weather.
    
    hammar: The problem tends not to be the internet, but the fact that organizations get lazy. The original Sandworm attack on Ukraine infrastructure was due to someone decided to bypass the firewall with a dedicated link (I'm guessing because all the security stuff was getting in the way of their day job)
    
    cow: which is why one should make plans according to reality not some perfect planet where idiots dont exist.
    
    0 1 Reply
2. Tuesday 14th November 2023 09:15 GMT hoola
  
  Mainly because pretty much everything needs some sort of Internet connection to work.
  
  You need updates
  
  Metrics and alerting "Phone home"
  
  Remote support
  
  Now add in all the office infrastructure that simply cannot function without an Internet connecting and you see why we are where we are.
  
  Almost all business applications are online or some sort of cloud SaaS service. There is very little that is not.
  
  3 0 Reply
  1. Tuesday 14th November 2023 09:41 GMT Zack Mollusc
    
    Yes and no
    
    The vast majority of those things 'need' internet access in the same way that the Financial Director 'needs' cocaine . cannot function without it, but it does not have to be this way.
    
    8 0 Reply
    1. Wednesday 15th November 2023 12:28 GMT CowHorseFrog
      
      Re: Yes and no
      
      Can you actually quote this from a manufacturer or supplier ?
      
      links...
      
      0 1 Reply
  2. Wednesday 15th November 2023 12:28 GMT CowHorseFrog
    
    Heres an idea, given how many billions are involved in energy, im sure the software supplier wouldnt mind sending a memory card or whatever with the latest update...
    
    Fuck is it really that hard to think of alternatives ?
    
    Is it really worht he risk of connecting a nuclear power plant to the internet so some operator one day downloads crap that makes a take over possible ?
    
    0 1 Reply
3. Tuesday 14th November 2023 12:10 GMT Pete Sdev
  
  Whilst you wouldn't directly connect the SCADA to the internet, the site as a whole needs some way of receiving and transmitting data.
  
  Data-In:
  
  Demand level from the national grid
  
  Weather and weather forecasts
  
  At least in the past: TV programming, with scheduled break times and predicted viewing figures
  
  Data-Out:
  
  Status (off, warming up, on, spinning down)
  
  Current Power produced
  
  etcetera.
  
  You could do this with say fax (which may have been the case in the past, any former power station engineers here?) but for a modern grid you may as well use IP.
  
  It's a question of DMZs and isolation that determines the security, not the connectivity itself.
  
  0 0 Reply
  1. Wednesday 15th November 2023 12:29 GMT CowHorseFrog
    
    And given firewalls etc didnt work is it really worth the risk ?
    
    1 1 Reply
4. Tuesday 14th November 2023 12:32 GMT hmas
  
  Where do you start?
  
  You have infrastructure with a service lifecycle far in excess of Enterprise IT equipment. Some of this kit makes mainframes and mid range systems look positively spritely and youthful.
  
  Most of these environments have evolved over time and more and more complexity has been bolted on. Some of the underlying infrastructure still uses serial and closed protocols to communicate. As for secure communications - forget it.
  
  So, against that backdrop, deploying lots of smaller edge firewalls to protect such networks seems logical
  
  0 0 Reply
5. Tuesday 14th November 2023 14:45 GMT tip pc
  
  A coal power plant etc has no business being on the internet...
  
  You are right in that strictly speaking a coal plant and other critical infrastructure doesn't need connecting directly to the internet, but it does need connecting to a centralised management system.
  
  once upon a time we used to have these things called Wide Are Networks, so called as they connected a companies facilities/buildings/factories/offices/HQ etc via a private network and there was centralised Internet connectivity, usually at HQ.
  
  Most telco's started using generic circuits and using techniques like MPLS or VPN's to keep WAN traffic seperate from Internet traffic in their telco network so to the companies buying private circuits it was segregated.
  
  Modern gungho types decided that there is no need for private WAN circuits and the Internet can be the WAN, so cheap dsl type circuits get thrown in and protected by those fabled "firewalls" to provide that segregation they used to enjoy in the private days.
  
  My view has always been that if its important, always do private circuits, with encryption on those if its really important.
  
  Today point to point or multipoint DWDM's are a thing so use those again with encryption on top.
  
  Its expensive but if its needed buy it.
  
  0 0 Reply
Tuesday 14th November 2023 09:36 GMT ChoHag

The organisation which is supposed to protect its clients from vulnerabilities did bugger all for a week after discovering a new one then the organisations that blindly rely on them for their own safety did bugger all for another two.

They do provide nice toys to play with to find out just how fucked you've been by their and your negligence though, which this puff piece shows off well.

3 0 Reply
Tuesday 14th November 2023 09:54 GMT John_Ericsson

"Danish critical infrastructure ..... Some were forced to enter island mode operation, where they had to disconnect from the internet"

DareI suggest critical infrastructure should remain isolated?

3 0 Reply
1. Tuesday 14th November 2023 17:12 GMT Eclectic Man
  
  re: Isolation
  
  Isolation may be acceptable for some CNI, but the telecommunications network is also CNI, as are the mains services (water / sewerage, electricity, gas), blue light services (Police, Fire, Ambulance, Mountain rescue, Coast Guard) and supermarket stocking and ordering systems.
  
  0 0 Reply
Tuesday 14th November 2023 12:51 GMT Anonymous Coward

CyberInsecurity: The Cost of Monopoly

Running your entire critical infrastructure on the same on the same hardware/software is obviously an imperfect solution. This software monoculture leading to such breeches as described in the article.

CyberInsecurity: The Cost of Monopoly (2003)

3 0 Reply