The F.U.D. Files: CASE 010110101 Cyber Attacks On Our Water!
OMG! The Russians Are Attacking Illinois Water!
This last week we heard that a pump in a water system in Illinois ate itself and fried up. The reason for the pump doing so was soon discovered to be that someone from a Russian IP address had been messing with it remotely.
That should not be readily possible, but the system was reachable remotely over the internet. Yes, that’s right, the vulnerable system was online for anyone with an IP address to hit up AND it was in such an un-secured state that pretty much anyone with a pulse could have messed with it. However, this isn’t the story that you get from the press and the talking heads in infosec.
Instead you get...
The SCADA boogey man was out and had attacked our vital infrastructure!
Terrorism? Really? Messing about with a podunk water system is now terrorism? Seems to me that this system was already having problems since it was put in by the Curran-Gardner people (problems with the Curran-Gardner SCADA systems can be found here), judging from their own accounts of what they had to fix since 2008 or so, including, in one case, the wiring being set up wrong to start with.
It turns out that the supervisory passwords were alleged to have come from a password database from the maker of the supervisory system that the Curran people decided to use. Now, given the poor system setup and all of the issues here so far seen in their own documents, I am hopeful that this was not a main supplier of systems to major corporations and governments.
Once again, this all seems opportunistic rather than targeted to me. Someone popped a database at a maker who likely had their systems hanging in the lowest of the low hanging fruit state, and the skiddies went on to locate another low hanging fruit target... You guessed it... Curran-Gardner.
The fact that they used a Russian IP address is about as telling as a Don Rumsfeld news conference on “known unknowns”. So all this hand wringing by DHS and others over this little flap needs to stop; just calm down and speak to the country soothingly…
Instead we get OMFG RUSSIA IS ATTACKING THE ILLINOIS WATER SYSTEMS! and the papers run with it.
THIS WAS NOT TERRORISM! THIS WAS SOMEONE MESSING AROUND!
How did the pump finally eat itself? Someone was basically flipping the digital light switch on and off... That’s how. It could not take being turned on and off like that.
Wow, what resiliency!
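The post describes two things worth putting in code from the defender's side: spotting the "light switch" cycling in a command log, and refusing it at the controller with a minimum-cycle-time interlock. The following is an added example, not code from the original post or from any water utility or SCADA vendor; the log format (timestamp, source IP, control point, command) and the sample lines are constructed for illustration, and the 60-second detection window and 300-second minimum cycle time are assumed values, not anything the post states.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample command log (not from any real system). The layout
# "<ISO timestamp> <source IP> <point> <command>" is an assumption for this
# example. An operator at 10.10.5.21 cycles PUMP1 at a sane rate; a remote
# source at 203.0.113.7 then flips PUMP1 every two seconds.
SAMPLE_LOG = """\
2011-11-08T21:00:00 10.10.5.21 PUMP1 ON
2011-11-08T21:30:00 10.10.5.21 PUMP1 OFF
2011-11-08T21:40:00 203.0.113.7 PUMP1 ON
2011-11-08T21:40:02 203.0.113.7 PUMP1 OFF
2011-11-08T21:40:04 203.0.113.7 PUMP1 ON
2011-11-08T21:40:06 203.0.113.7 PUMP1 OFF
2011-11-08T21:40:08 203.0.113.7 PUMP1 ON
2011-11-08T21:40:10 203.0.113.7 PUMP1 OFF
2011-11-08T21:40:12 203.0.113.7 PUMP1 ON
2011-11-08T21:40:14 203.0.113.7 PUMP1 OFF
2011-11-08T21:41:00 10.10.5.21 PUMP2 ON
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, source, point, command)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log into time-ordered events."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, point, cmd = line.split()
        events.append((datetime.fromisoformat(ts), src, point, cmd.upper()))
    return sorted(events, key=lambda e: e[0])


def detect_cycling(events: List[Event],
                   window: timedelta = timedelta(seconds=60),
                   threshold: int = 6) -> List[Tuple[str, str, int]]:
    """Detection: flag any (point, source) pair that issues at least
    `threshold` commands inside one sliding `window`. Returns one alert per
    pair with the worst count seen."""
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, point, _ in events:
        by_key[(point, src)].append(ts)
    alerts = []
    for (point, src), stamps in by_key.items():
        worst = 0
        for i, start in enumerate(stamps):
            worst = max(worst, sum(1 for t in stamps[i:] if t - start <= window))
        if worst >= threshold:
            alerts.append((point, src, worst))
    return alerts


class CycleInterlock:
    """Mitigation: refuse a state change on a point if the previous change
    happened less than `min_cycle` ago. This limits mechanical damage from
    rapid toggling; it does nothing about who is allowed to send commands,
    which is what network segmentation is for."""

    def __init__(self, min_cycle: timedelta = timedelta(seconds=300)):
        self.min_cycle = min_cycle
        self.state: Dict[str, str] = {}
        self.last_change: Dict[str, datetime] = {}

    def apply(self, ts: datetime, point: str, cmd: str) -> str:
        if self.state.get(point) == cmd:
            return "noop"            # already in that state, nothing to do
        last = self.last_change.get(point)
        if last is not None and ts - last < self.min_cycle:
            return "rejected"        # too soon after the last change
        self.state[point] = cmd
        self.last_change[point] = ts
        return "accepted"


def replay(events: List[Event], interlock: CycleInterlock) -> Dict[str, int]:
    """Feed the log through the interlock and count each outcome."""
    counts = {"accepted": 0, "rejected": 0, "noop": 0}
    for ts, _, point, cmd in events:
        counts[interlock.apply(ts, point, cmd)] += 1
    return counts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for point, src, n in detect_cycling(ev):
        print(f"ALERT: {n} commands to {point} from {src} within 60s")
    print(replay(ev, CycleInterlock()))
```

Run as-is it raises one alert, for PUMP1 from 203.0.113.7, and the interlock accepts the four well-spaced changes while rejecting the four rapid OFF commands (the intervening ON commands are no-ops because the pump is already on). Note that the first remote ON command is still accepted: the interlock protects the pump, not the network, which is the post's point about keeping these systems off the internet in the first place.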
OMG! Some Kid Learned How To Use Shodan!
I have news for you... This is no big secret. In fact, I was talking about these systems a while back after my fracas with Ol’ Craig “The END IS NIGH” Wright. A simple Shodan search turned up many a water system online and open to being poked at.
In fact, as I remember it, the other system that has been talked about lately in Nevada, yeah, that one too was online and found on Shodan. Their systems were so horrid in fact that you could easily make a reservation to show up at Hoover dam as a VIP/Government visitor!
So, what’s the takeaway here? Well, that someone was messing around with SCADA because of two factors:
- It’s been in the news hyped ad nauseam as the panacea of the modern world and its final inescapable doom
- It’s been shown to be easy and the fools running these systems have made them even more insecure by putting the ICS online!
What have you all been thinking? Yes, you guys putting this crap online AND all of you out there SHOCKED that someone started messing with these systems that are so easily found and exploited online in Bugsville, Idaho!
Come on, people, wake up! This is just the start here... Expect more... AND NO, THEY WILL NOT BE ATTACKS COMING FROM AL-QAEDA. There’s just no real interest there on their part; these types of attacks on small water systems will not sow the mayhem and fear that they desire.
Get over it... Deal with the real problems please.
OMG! SOME SCADA SYSTEMS ARE ONLINE!
Next, let me step into the wayback machine and once again talk about the SCADA systems being online. I had an... “argument” with Dr. Wright about the dire circumstances of SCADA systems being online. I had said that not all of them were online and Wright pretty much said: “WE’RE DOOMED! HIDE YOUR WOMEN AND CHILDREN!”
To which I had a small aneurysm and went off on him... Let’s just say that the whole thing got out of hand and Dr. Wright was shown by his own hand to be a chicken little with a tendency to spill secrets about previous engagements he had had. The net net here is this:
“Yes Mr. Wright, there are SCADA/ICS systems online, I have seen them... BUT not ALL systems are, and the important ones that I dealt with were at least nominally protected behind firewalls and VLANs”.
Hey, at least they tried huh? Unlike our water works friends in the news of late, right? What’s more, I actually saw one system that was air-gapped from the network proper. You would have to actually be on site to get at it.
So, yes, we are learning through Shodan searches, as well as, unfortunately, in the news, that there are many stupid people running those systems. However, in all the searches of ICS/SCADA systems I did on Shodan, I really only found a couple of places that made me say “crap”. The others were places like the podunk water supply...
And I am not worried that these will cause mass casualty events... What it said to me is if stuff went down, some people would be buying bottled water for a while.
If They Attack Our Pumps They Will Then Escalate To Our Nuclear Missiles!
Moving on, one of the things that really peeved me about this little story on Illinois was that some were alluding that this could be the clarion bell that the end is nigh. The thought process goes something like this:
“If they can hack this place, then they can escalate through their network to uber important systems!”
Ok, yes, the Curran-Gardner systems were located within a company that covered both water and power, so yes, they could have jumped to the local grid for the area. They could have hopped over (mostly because these guys have already proven themselves to be clueless about security) and messed maybe with some power regulation to home customers in the area.
No big explosions... No watershed event... Other than once again pointing out that the emperor has no clothes and is functionally dumb really. This is an object lesson, and one hopes that the local nuclear plant is not online for the Joey Pardells of the world to access via the internet. However, such systems that could cause mass casualties may also be in the same state, and this is worrisome.
So far though, I haven’t seen them.
Make No Mistakes... There Will Be Deaths...
Once again, there is always the possibility that there could be a mass casualty event with regard to SCADA systems controlling pipelines etc. However, I do not see this as a prelude to war nor really an effective means of terrorism just yet.
IF someone does exploit a system to cause a pipeline explosion it would be just to sow fear, and that is pretty much it. Sure, you take out a big enough system such as the ones in the Gulf, you “could” have a cascade effect on the supply chain as well as roll over to the financial base of the country.
C’mon, you have all seen this in the movies right? You know what I am talking about.
However, we have not seen this yet, and if these systems are so piss-poor, then why haven’t we? I mean, SCADA issues have been around for a long time now. Why haven’t our enemies used this yet to their advantage? No, I say that the likelihood is that someone will be messing around and accidentally cause an explosion or cascade failure.
The FUD response from this by the government and the media will be the real disaster that will cause the most damage.
Nope, I place the probability of the dark nightmares that the Dick Clarkes of the world are predicting up there with the probability that Bigfoot will walk up to my door, ring the bell, and offer to sell me “Bigfoot Cookies”.
So, whatever happened to sanity? I surely think our collective sanity has been eroded by the likes of the media and our overly risk averse government. Since 9/11 they have been hyping (press) and dancing (gov) around the problems we have. In the case of the digital landscape of hacking and security, neither has a solid grip on reality.
This is really disappointing as they are the ones feeding the fear to the masses. Never mind those in the security industry who seek to make money as well as those who have no qualifications to speak on subjects but feel they must to get the headlines.
It’s a Möbius loop of stupidity and fear mongering.
We need to get our collective heads out of our collective asses here...
- Yes, there are SCADA systems online and yes, they can be made to eat themselves
- Yes, this is a problem, but it is NOT the end of the world
- No, the terrorists are not using this as a vector of attack... trust me.
- NO, the Russians and the Chinese are not attacking here... Those guys have been in and out of our systems without us knowing (ni hao!)
- NO, no one will be launching nukes from SCADA/ICS attacks
- NO, no one will be causing a China Syndrome from SCADA
- Yes, you may see more pumps eating themselves and you may have to buy some potable water
- Yes, once the smart *giggle* grid is online you might find yourself without power or unexpected large bills (bad hackers!)
- Yes, this is all a problem… But more a nuisance than the apocalypse
So, let’s all sit back and breathe a bit, ok? Yes, there are problems here, but, in the scheme of things, this is not worth all of the attention it is getting from everyone. Never mind the worries that many seem to have... and are using to their advantage, perhaps, to sell you services?
Yeah, I went there... Better watch out, LIGATT soon will have offerings in SCADA security I am sure.
The Teachable Moment
This is all what they call a “Teachable Moment” as someone on my Twitter F-list said the other day. The lessons to be learned are simple ones and you have to step back, take a breath, and think a bit here:
- Don’t place inherently insecure systems (as we know SCADA to be) online for access to the internet and anyone on the globe
- Don’t believe everything you read in the news... Often times the reporters have no clue
- Don’t listen to every doomsayer or alleged “expert” online or in the media as to the dire straits we are in due to this
- Research the problems… compare and contrast... Use your brains, people!
- Ok, so we found this one out there and it failed because it was messed with… Now take it and every other one offline (connectivity to the net)
- Force the SCADA manufacturers to securely code their systems
- Force the government to perform DUE DILIGENCE on critical infrastructure (i.e. audit them all for this and other security problems)
- THEN FORCE THEM TO FIX THEM!
- DO NOT PROCLAIM THIS THE END OF THE WORLD
- DO NOT INTONE IT IS TERRORISM WITHOUT EVIDENCE
- DON’T LISTEN TO THE CHICKEN LITTLES OF THE WORLD (Craiggy)
This is my takeaway from this little incident. Like I said, there are problems, but we know they are out there now.
GO FIX THEM AND CUT THE FUD!
Cross-posted from Krypt3ia