Hackers, Piracy and Other Threats to SCADA and the World's Critical Infrastructures
Critical Infrastructure and SCADA Sounds About as Exciting as Watching Paint Dry... Here's What Makes it So Interesting
SCADA stands for "Supervisory Control and Data Acquisition": real-time process control used to monitor and operate everything from traffic signals to pumps, valves, motors, relays, switches and just about everything else in the industrial world.
You can find SCADA in the oil and gas industry, chemical manufacturing plants, nuclear plants, refineries, grain handling, retail manufacturing, electrical generation and transmission equipment, water purification and waste management, and much more.
Couple SCADA with online banking and brokerage, the major communication networks and the other major Internet components, and you have the World's Critical Infrastructure.
Table of Contents
- Breaking News and Relevant Articles
- What Threat Represents the Largest Risk to Our Critical Infrastructure
- How the CIA Hacked a Russian SCADA Network
- PBS.org CyberWar! FrontLine
- This sign has been hacked
- Top 5 Books on Securing SCADA and Critical Infrastructure
- The Virtualization of Terrorism
- Vitek Boden releases millions of liters of raw sewage
- Forbes: America's Hackable Backbone
- Physical device recognition to the rescue
- United Press International: Emerging Threats - Analysis
- I-78 CMS Sign Touts Live Nudes
- How to keep the city traffic flowing
- Government Executive: CIA launches hunt for international computer hackers threatening to hold cities ransom by shutting off pow
- FBI Raids its own offices and seizes counterfeit computer hardware
- Close down your wireless already
- NERC (North American Electric Reliability Council), "Yeah, Our Bad."
- YouTube Hacker Vids
- Chinese hackers blamed for power outages
Breaking News and Relevant Articles
Below you'll find links to articles new and old relating to hacking, infrastructure attacks and other computerized threats.
- Power Company Slammed For Weak Cyber Security -- Cybersecurity -- InformationWeek
- Almost all of the workstations and servers that GAO examined on the TVA's corporate network lacked key security patches or had inadequate security settings.
- 6 Hours to Hack the FBI
- White-hat hacker pros dish on top traumas and shocking snafus.
- Power plants open to hacker attack - tech - 18 May 2008 - New Scientist Tech
- A software package widely used to automate power stations and production lines has a serious security vulnerability
- Threats Lurk Outside Open Doors in Virtual Infrastructure - CIO.com - Business Technology Leadership
- Have you thought carefully about Active Directory and your virtual infrastructure? If not, get started.
- Shape Shifting Malware Threat Reported by Swiss Cybercrime Operation
- Committee on Homeland Security
- Congressional Hearings on security of electric sector control systems.
- PC World - Business Center: Hacker Writes Rootkit for Cisco's Routers
- A security researcher has developed malicious rootkit software for Cisco Systems' routers, a development that has placed...
- TJX, the largest and most rewarding cyber crime yet?
- Was the TJ Max data theft the most rewarding cyber crime yet?
- US-CERT Technical Cyber Security Alert TA08-149A -- Exploitation of Adobe Flash Vulnerability
- US-CERT: United States Computer Emergency Readiness Team- Adobe Flash vulnerability being actively exploited.
- Hardware fingerprinting technology migrates from fighting software piracy to shielding infrastructure
- Uniloc Physical Device Recognition leveraged to solve security threats to critical infrastructure.
What Threat Represents the Largest Risk to Our Critical Infrastructure
How the CIA Hacked a Russian SCADA Network
Did the CIA help end the Cold War with faulty software?
Thomas Reed, a former Secretary of the Air Force who later served on Ronald Reagan's National Security Council staff, recounts in his book "At the Abyss" how the CIA arranged for faulty SCADA software to reach the Soviets. The software in question managed and controlled the Soviet natural gas pipeline network, a grid covering hundreds of thousands of miles. Reed writes that "The pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds."
According to Reed, the result was a pipeline explosion in a remote part of Siberia in 1982, with a yield he puts at about three kilotons. The pipelines not only delivered natural gas to critical areas but were a major source of hard currency for the struggling USSR. Reed's account rests on his book alone and has not been independently confirmed.
Did CIA Hackers help end the Cold War with a SCADA attack?
PBS.org CyberWar! FrontLine
What are Al Qaeda's Capabilities
Richard Clarke, Presidential Adviser for Cyberspace Security: "What we found on Al Qaeda computers were two things. One, the kind of simple hacking tools that are available to anyone who goes out on the Internet looking for them, tools such as L0phtCrack that allows you to get into almost anyone's password if they've used a simple eight-digit password...." "But we also found indications that members of Al Qaeda were from outside the United States doing reconnaissance in the United States on our critical infrastructure. Where were the railroad crossings? Where were the big natural gas depositories? Where were the bridges over rivers that also carried the fiber for the backbone of the Internet?..."
Full Article here.
This sign has been hacked
Bridge closed to appease Godzilla
In 2007 a few MIT students hacked into a changeable message sign, just like the one above advertising live nudes. Demonstrating that they were simply having fun, they changed the sign to inform passersby that the Mass Ave bridge would be closed to appease Godzilla. Many of these message signs are controlled via remote connections to centralized management facilities. The signs are used to update the public on traffic conditions, closures, toll information, Amber Alerts and dozens of other matters.
One can only imagine the possibilities if a less light-hearted hacker were to take control of one of these signs. Anything posted on them is, in the public's eyes, coming from the authorities and would almost certainly be believed.
Full text here.
Top 5 Books on Securing SCADA and Critical Infrastructure
The Virtualization of Terrorism
Presentation for MetaTerror Panel 2.29.08
Vitek Boden releases millions of liters of raw sewage
Sorry for making you a little nauseous, but: one laptop, one wireless radio, and a whole lot of stink.
In 2000, using only a laptop and a wireless radio, Australian Vitek Boden released millions of liters of untreated sewage into public waterways. For over two months the engineer took revenge on his former employers, sabotaging pumps and waste control systems and, in effect, reversing the flow of sewage. Boden had quit his job at Hunter Watertech, the contractor that had installed the system, and was looking for engineering work with the local council near the resort town of Maroochydore; the job he applied for would have involved cleaning up his own mess.
Forbes: America's Hackable Backbone
IBM's ISS Hacks into a Nuclear Station in One Week
This article is from Forbes Magazine. The full text can be found here. The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise.
"It turned out to be one of the easiest penetration tests I'd ever done," he says. "By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"
Physical device recognition to the rescue
Hardware fingerprinting technology migrates from fighting software piracy to shielding infrastructure
Originally published by GCN.com. Amid a kerfuffle over the resistance of the nation's electrical-grid control systems to cyberattack, a system known as physical device recognition (PDR) technology, first developed to foil computer software pirates, now is being shifted to the task of shielding electrical-grid control systems from cyberattack.
The cybersecurity risks linked to industrial-process control networks known as supervisory control and data acquisition systems came into focus during a May 21 hearing of the House Homeland Security subcommittee on cybersecurity. Information technology specialists agree that SCADA systems have become riskier in recent years because of their increasing interconnection with enterprise systems that ultimately link to the Internet.
PDR technology, developed by Uniloc USA, is being moved into the SCADA hardening world from its current home as a tool to prevent software pirates from exploiting intellectual property.
Full story available here.
United Press International: Emerging Threats - Analysis
Einstein and U.S. cybersecurity, by Shaun Waterman
Analysis: Einstein and U.S. cybersecurity. Published: March 3, 2008 at 1:34 PM
Original Link Here
WASHINGTON, March 3 (UPI) -- The Einstein program -- the most significant element yet unveiled of the classified multibillion-dollar cybersecurity initiative President Bush signed last month -- will still leave the U.S. government's IT security lagging the private sector, say lawmakers and industry experts.
At a hearing last week on Capitol Hill, officials faced close, skeptical questioning about the program, an intrusion detection system that will automatically monitor and analyze Internet traffic into and out of federal computer networks in real time -- allowing officials at the Department of Homeland Security to scan for anomalies that might represent hackers or other intruders trying to gain access or steal data.
"There are still some gaping holes," said Rep. James Langevin, D-R.I., of the House Homeland Security Committee.
Officials at the hearing linked Einstein with the White House Office of Management and Budget's Trusted Internet Connections initiative. TIC requires all federal departments and agencies to report on all their external network connections, with the aim of reducing the current 4,000 or so across the federal government down to 50 by June this year.
Einstein will be deployed at all those points of access, Scott Charbo, the Homeland Security official responsible for the program, told United Press International in a recent interview.
Departments and agencies will "deploy the sensors to the portals identified" as being among the 50 or so that will remain open, he said.
But some Democrats and industry observers are skeptical about Einstein's capabilities.
"It is not timely," said Rep. Jane Harman, D-Calif., "I don't get any sense of urgency, I don't think much of it will work."
Harman added that the private sector considers Einstein "too passive" and believes "it doesn't deliver information in real time."
Intrusion detection and analysis programs like Einstein "are absolutely standard in the private sector," Casey Potenzone, chief information officer of computer security firm Uniloc, told UPI. "It is not revolutionary or state of the art," he added, calling the rollout of the program across federal networks "very logical and something that should have been done a long time ago."
More after the jump.
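The kind of monitoring Einstein is described as doing, watching the traffic that enters and leaves a network and flagging anomalies that might be an intruder or data theft, can be illustrated with a small flow-level detector. The following Python is an added example written for this page, not Einstein's code or anything from DHS or UPI; the hosts, addresses, byte counts, the five-day baseline, the z-score threshold and the standard-deviation floor are all constructed assumptions.

```python
"""Flow-level anomaly detection over constructed netflow-style records.

Two checks a perimeter monitor typically runs:
  1. outbound volume per internal host per hour versus that host's baseline;
  2. connections to an external destination never seen in the baseline.
All records below are invented for the example; nothing here is real traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# (hour_label, internal_host, external_dst, bytes_out)
Flow = Tuple[str, str, str, int]

# Constructed baseline: five quiet working days for two internal hosts.
BASELINE: List[Flow] = []
for day in range(5):
    for hour in range(8, 18):
        label = f"d{day}h{hour:02d}"
        BASELINE.append((label, "ws-17", "203.0.113.10", 40_000 + 500 * hour))
        BASELINE.append((label, "ws-17", "203.0.113.20", 12_000))
        BASELINE.append((label, "fs-01", "203.0.113.10", 90_000))

# Constructed observation window: ws-17 pushes 80 MB to an address it has
# never talked to before, while fs-01 behaves normally.
OBSERVED: List[Flow] = [
    ("d5h09", "ws-17", "203.0.113.10", 44_000),
    ("d5h09", "ws-17", "198.51.100.7", 80_000_000),
    ("d5h09", "fs-01", "203.0.113.10", 91_000),
]


def hourly_totals(flows: List[Flow]) -> Dict[Tuple[str, str], int]:
    """Sum outbound bytes per (host, hour)."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for hour, host, _dst, nbytes in flows:
        totals[(host, hour)] += nbytes
    return totals


def build_profile(flows: List[Flow]):
    """Per-host (mean, stdev) of hourly outbound bytes, plus the set of
    (host, destination) pairs seen during the baseline."""
    per_host: Dict[str, List[int]] = defaultdict(list)
    for (host, _hour), total in hourly_totals(flows).items():
        per_host[host].append(total)
    stats = {host: (mean(v), pstdev(v)) for host, v in per_host.items()}
    known: Set[Tuple[str, str]] = {(host, dst) for _, host, dst, _ in flows}
    return stats, known


def detect(observed: List[Flow], stats, known, z_threshold: float = 4.0) -> List[dict]:
    findings: List[dict] = []
    for hour, host, dst, _nbytes in observed:
        if (host, dst) not in known:
            findings.append({"type": "new_destination", "host": host,
                             "dst": dst, "hour": hour})
    for (host, hour), total in hourly_totals(observed).items():
        if host not in stats:
            findings.append({"type": "unknown_host", "host": host, "hour": hour})
            continue
        mu, sd = stats[host]
        # Floor the deviation at 5% of the mean (an assumed value) so a
        # perfectly flat baseline does not turn every small change into an alert.
        sd = max(sd, 0.05 * mu)
        z = (total - mu) / sd
        if z > z_threshold:
            findings.append({"type": "volume", "host": host, "hour": hour,
                             "bytes": total, "z": round(z, 1)})
    return findings


def run_detection() -> List[dict]:
    stats, known = build_profile(BASELINE)
    return detect(OBSERVED, stats, known)


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

The two findings both point at ws-17: a never-before-seen destination and an hourly volume thousands of standard deviations above its baseline. The passive, after-the-fact nature of this kind of check is exactly what the critics quoted above mean by "too passive": it tells you a host has already exfiltrated 80 MB, not that it is about to.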
I-78 CMS Sign Touts Live Nudes
Whoops, I don't think it was meant to say that.
CMS, or changeable message signs, are commonplace traffic management devices. There are several classes of changeable message signs, ranging from the small speed limit signs on the side of the road to the large overhead monsters before bridges and tunnels. On March 9th, 2008 in Berks County, PA, exit 45 of I-78 had a CMS sign touting live nudes.
This is certainly not what the Pennsylvania Department of Transportation wants to use their CMS signs for.
Bethel Township resident Rick Yeakley passed the sign shortly after 7 a.m. as skies were brightening.
"I saw it and thought, 'That can't be right,' " he said.
Exit 45 is for Route 863 in Lehigh County.
Yeakley said he was headed to military duty at the Lehigh Valley Navy Operational Support Center when, somewhere between the Kutztown and Lenhartsville exits, he spotted the electronic sign on the eastbound shoulder.
"It took me a minute or two, but then I called a buddy of mine and he said I should turn back and get a picture of it."
Fortunately for all of us, he decided to share his picture.
Although this specific sign was controlled via a local keyboard and was simply behind a padlock, most permanently mounted CMS signs are controlled via remote connections. These remote connections are often wireless, DSL or POTS lines and have little in the way of security. I'm sure we'll all be seeing more of this.
How to keep the city traffic flowing
Published by Mark Hall, Computerworld
Full text here. You know IP-based information is everywhere, even at stoplights, since traffic engineers get real-time data on vehicle flow from loop detectors and video feeds from cameras. But does such data need to be secured? Casey Potenzone, CIO at Uniloc USA Inc. in Irvine, Calif., argues that it does. He says cities are beginning to merge their IP data traffic, including information from intersections, onto single metropolitan networks.
IT secures other data, but that stoplight flow is ignored. He claims that could be a problem if hackers decide to mess with a city's traffic, as depicted in the film Live Free or Die Hard. Since most urban areas won't have Bruce Willis to save the day, Potenzone contends that they'll need to put a StrongPoint appliance at critical intersections. Unveiled last week, the appliance links to a StrongPoint server in a data center and encrypts all communications between the intersection and authorized personnel in the data center. Pricing for the field-hardened appliance starts at $2,500. Server software starts at $5,000 to manage up to 25 appliances. "Nobody says no to security," Potenzone says. Or, as Willis's character John McClane says, "Welcome to the party, pal."
Government Executive: CIA launches hunt for international computer hackers threatening to hold cities ransom by shutting off pow
This little story will get your blood pumping
Government Executive, May 1, 2008
Original and full text here.
Security experts nervously eye critical infrastructure that is increasingly vulnerable to failure and sabotage.
After the bridge carrying Interstate 35W across the Mississippi River in Minneapolis collapsed on Aug. 1, 2007, during the evening rush hour, killing 11 people and injuring more than 100, there was a lot of hand-wringing about the state of the country's infrastructure. The American Society of Civil Engineers estimates the nation has to invest $1.6 trillion over a five-year period just to bring bridges, roads, waterways, dams, and water and sewage systems up to par. More than 160,000 bridges alone are in need of repair.
But those numbers mask an even deeper problem with the nation's infrastructure, security professionals say. The growing interdependence of various economic sectors - banking, energy, transportation and others - and vulnerabilities in the electronic bridges that link them are exposing Americans to ever more serious threats.
"Critical infrastructure is overworked, out of date and crumbling in so many ways," says Richard Cooper, formerly the business liaison director for the Homeland Security Department's Private Sector Office and now a principal at the Washington-based public relations firm Olive, Edwards and Cooper.
But the biggest vulnerability, Cooper believes, is in the computer systems and networks that undergird all that vital physical infrastructure. "The cyber piece has become the central nervous system to everything else. One person at the stroke of a key can literally send infrastructure into a tailspin. We look at weapons of mass destruction as things that can cause a lot of carnage. I would argue there are people capable of creating [the same kind of] effects with the stroke of a key."
In January, Tom Donahue, a CIA cybersecurity analyst, created a stir at the Process Control and Security Summit, a meeting in New Orleans of utility industry engineers and security managers, when he described at least two cases in which hackers had infiltrated electric utility networks outside the United States to create power outages in schemes to extort money from foreign governments.
Casey Potenzone, who attended the briefing as the chief information officer at Uniloc USA, a technology security company in Irvine, Calif., says government needs to be working with industry to establish security standards that go beyond traditional stovepipes. This is especially an issue at the municipal level, where the business focus has been on improving efficiency and public access to information by linking formerly closed technology systems to the Internet, he says.
"When you look at the capacity for disruption, it's huge," says Potenzone. He cites the case of two high-ranking transportation engineers in the Los Angeles automated traffic surveillance center now facing felony charges stemming from unauthorized access to the city's computer system in the fall of 2006. On the eve of a transportation workers strike, they allegedly tampered with signal settings at busy intersections to create traffic chaos unprecedented even in Los Angeles. It reportedly took authorities four days to undo the damage.
FBI Raids its own offices and seizes counterfeit computer hardware
You just can't make this stuff up....
Apparently the FBI has been buying counterfeit Cisco gear and using it in its offices. Earlier this month the FBI raided its own offices, confiscating fake computer hardware as part of Operation Cisco Raider. An investigation into the sale of counterfeit Chinese computer components to the US Government recovered about 3,500 bogus devices worth up to $US3.5 million ($3.7 million), the FBI has said.
The criminal probe came amid concerns that counterfeit network components could enable hackers to access secure government databases, according to sources with knowledge of the investigation.
According to ABC News "the operation involved 15 investigations at nine FBI field offices and the execution of 39 search warrants."
The existence of the operation came to light after an FBI slide presentation on the operation's findings appeared on intelligence and conspiracy theory website Above Top Secret. The FBI made the presentation on January 11 to another government agency.
"This unclassified briefing was never intended for broad distribution or posting to the internet," said James Finch, assistant director of the FBI's Cyber Division.
FBI slides posted to the website showed cases in Massachusetts, Ohio, Missouri, Minnesota, Oklahoma, Texas, Colorado and California.
The presentation depicted counterfeit components moving from companies inside China to the US Government through distributors in the US, Canada, Germany, the Netherlands and Britain.
Other components were purchased through the internet auctioneer eBay or with government credit cards from non-government vendors.
Some counterfeit routers sold for as little as $US234 each, compared with a retail price of $US1375 for the genuine article, according to the presentation.
In one case, a subcontractor shipped counterfeit components to the US Navy from a supplier in China.
ABC News reported that authorities around the world, including in the US, Canada and China, have made more than 400 seizures with an estimated value of $US76 million.
Close down your wireless already
It was 2002, but how many people still know that WEP key?
Paul Blomgren performs security assessments and control reviews for a living. In 2002 his company assessed a large southwestern utility that serves about four million customers. Here's what he had to say:
"Our people drove to a remote substation," he recalled. "Without leaving their vehicle, they noticed a wireless network antenna. They plugged in their wireless LAN cards, fired up their notebook computers, and connected to the system within five minutes because it wasn't using passwords.
Within 15 minutes, they mapped every piece of equipment in the operational control network. Within 20 minutes, they were talking to the business network and had pulled off several business reports."
Full and Original Text Here
NERC (North American Electric Reliability Council), "Yeah, Our Bad."
SCADA Software to the rescue...
The multi-billion-dollar computer glitch behind the August 2003 blackout. This is taken directly from the NERC report, available here. "Starting around 14:14, FE [FirstEnergy] control room operators lost the alarm function that provided audible and visual indications when a significant piece of equipment changed from an acceptable to problematic status. Analysis of the alarm problem performed by FE after the blackout suggests that the alarm processor essentially "stalled" while processing an alarm event. With the software unable to complete that alarm event and move to the next one, the alarm processor buffer filled and eventually overflowed. After 14:14, the FE control computer displays did not receive any further alarms, nor were any alarms being printed or posted on the EMS's alarm logging facilities.
"FE operators relied heavily on the alarm processor for situational awareness, since they did not have any other large-scale visualization tool such as a dynamic map board. The operators would have been only partially handicapped without the alarm processor, had they known it had failed. However, by not knowing that they were operating without an alarm processor, the operators did not recognize system conditions were changing and were not receptive to information received later from MISO and neighboring systems. The operators were unaware that in this situation they needed to manually, and more closely, monitor and interpret the SCADA information they were receiving."
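The failure mode the report describes, an alarm processor that hangs, a buffer that silently overflows, and operators who keep trusting a quiet screen, is exactly what a watchdog on the alarm path is meant to catch: the dangerous part was not the stall but that nobody was told about it. The following Python is an added illustration written for this page, not code from FirstEnergy, NERC or any EMS vendor; the alarm timeline, the queue capacity of four, the simulated stall at t=30 and the 15-second silence threshold are constructed values chosen to show the behaviour.

```python
"""Bounded alarm queue with a heartbeat watchdog.

Simulates an EMS alarm processor that can hang, and shows the two checks
that turn a silent failure into a loud one:
  * the queue counts dropped alarms instead of overflowing quietly;
  * a watchdog raises its own alarm when the processor stops heartbeating.
Everything here is a constructed scenario, not the FirstEnergy EMS.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional


@dataclass
class Alarm:
    t: float          # seconds since scenario start (constructed timeline)
    equipment: str
    state: str        # "acceptable" or "problematic"


@dataclass
class AlarmProcessor:
    capacity: int = 4
    stall_after: Optional[float] = None   # simulated fault: hangs from this time on
    queue: Deque[Alarm] = field(default_factory=deque)
    dropped: int = 0
    processed: List[Alarm] = field(default_factory=list)
    last_heartbeat: float = 0.0

    def enqueue(self, alarm: Alarm) -> None:
        """Bounded enqueue: record the drop rather than overflow in silence."""
        if len(self.queue) >= self.capacity:
            self.dropped += 1
            return
        self.queue.append(alarm)

    def service(self, now: float) -> None:
        """Drain the queue and stamp a heartbeat. Once stalled, nothing
        is serviced and the heartbeat stops advancing."""
        if self.stall_after is not None and now >= self.stall_after:
            return
        while self.queue:
            self.processed.append(self.queue.popleft())
        self.last_heartbeat = now


def watchdog(proc: AlarmProcessor, now: float, max_silence: float) -> List[str]:
    """Independent check the operator display should run every cycle."""
    faults: List[str] = []
    silence = now - proc.last_heartbeat
    if silence > max_silence:
        faults.append(f"ALARM PROCESSOR STALLED: no heartbeat for {silence:.0f}s")
    if proc.dropped:
        faults.append(f"ALARM QUEUE OVERFLOW: {proc.dropped} alarm(s) dropped")
    return faults


def run_scenario(stall_at: Optional[float]) -> dict:
    """Feed one 'problematic' alarm every 5 s for a minute and report what
    the operators would have seen with the watchdog in place."""
    proc = AlarmProcessor(capacity=4, stall_after=stall_at)
    events = [Alarm(t, f"line-{i}", "problematic")
              for i, t in enumerate(range(0, 60, 5))]
    faults: List[str] = []
    first_fault_at: Optional[float] = None
    for alarm in events:
        proc.enqueue(alarm)
        proc.service(alarm.t)
        found = watchdog(proc, alarm.t, max_silence=15)
        if found and first_fault_at is None:
            first_fault_at = alarm.t
        faults.extend(found)
    return {"processed": len(proc.processed), "dropped": proc.dropped,
            "first_fault_at": first_fault_at, "faults": faults}


if __name__ == "__main__":
    print(run_scenario(None))
    print(run_scenario(30.0))
```

With no stall every alarm is serviced and the watchdog stays quiet. With the processor hanging at t=30 the heartbeat goes stale and the operators get a "STALLED" indication at t=45, before the queue fills; by t=50 the bounded queue is also reporting dropped alarms. The report's point is that FE's operators had neither signal, so they did not know they needed to fall back to reading the raw SCADA data by hand.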
YouTube Hacker Vids
These are all FAKE.
Chinese hackers blamed for power outages
Rogue and government sponsored Chinese hackers threaten US Critical Infrastructure
Tim Bennett, former president of the Cyber Security Industry Alliance, states that US intelligence officials have confirmed that China's People's Liberation Army gained access to the network controlling the electric power grid in the northeastern United States. According to Bennett, citing those officials, the PLA had access to the network in 2003 prior to the massive northeastern US power outage. Officially neither blackout has been attributed to Chinese hackers, but other sources quoted in the same report suggest the same actors may also be behind the 2008 Florida blackout.
The reports of Chinese access to US power systems come on the heels of the CIA's confirmation that hackers have been holding power facilities hostage outside the US.
Full coverage here in: Government Executive.com
