Hack at German steel works.

http://www.bbc.co.uk/news/technology-30575104

I work in a process industry which will have similarities to steel works. We generally imagine that even if hackers could penetrate our IT security they wouldn't be able to interpret the control system adequately to cause damage because of the complexity of the process and the bespoke and dated nature of the infrastructure.
This seems like a somewhat naive belief in light of recent events.
I was particularly taken by Benjamin Sontag's comment at the end. I know that practically every major control system in my industry is internet connected. As a practical matter we can't afford to employ enough trained competent people to be on site all the time and some specialist resource is central and needs remote access.

What are people's thoughts on this development? Personally I think the risks may be overrated but my confidence is a little shaken.
 
> We generally imagine that even if hackers could penetrate our IT security they wouldn't be able to interpret the control system adequately to cause damage because of the complexity of the process and the bespoke and dated nature of the infrastructure.
> This seems like a somewhat naive belief in light of recent events.

Very naive IMO - while not everyone will have the skills a fair few will. (Having worked for a company that produced bespoke database solutions, etc. I can usually pick up on that kind of stuff pretty quickly).
 
> Very naive IMO - while not everyone will have the skills a fair few will.

Indeed. It seems rather unlikely your average hacker goes for a steel mill without a motive. Therefore, any hacker pursuing such a target will most likely have some knowledge of how the system works.
 
It's far worse than that. SCADA systems aren't designed with security in mind at all, are very hard to patch, and their long lifespans mean that many systems are running known-bad software, but it's not economically viable to replace them.
This isn't the first attack against a commercial industrial system, and it certainly won't be the last.

In fact, at where I work we've recently released a product designed at combating this exact threat :p
 
Indeed, doesn't matter how bespoke or custom something is, it doesn't take much figuring out once you're in.
 
> Indeed. It seems rather unlikely your average hacker goes for a steel mill without a motive. Therefore, any hacker pursuing such a target will most likely have some knowledge of how the system works.

Seems an odd choice of target unless it was some kind of revenge, which usually means an inside job or ex-employee, or otherwise a practice run for something bigger.
 
Been going on forever
http://pipelineandgasjournal.com/hacking-industrial-scada-network

SCADA systems never get updated because they are busy working and it is expensive,
plus nobody thinks about security anyway because nobody is paying for it.

basic rule:
don't let naive/arrogant management sit on the same network as your control systems, shove all their toys some place where they can't do any damage.

If you can screw an industry by sending an email then the IT sucks.
 
Why wouldn't you have the control systems airgapped from the "I'm going to look at my company email" systems?
 
> don't let naive/arrogant management sit on the same network as your control systems, shove all their toys some place where they can't do any damage.

Indeed, imagine the global implications if the Saudi Aramco attack in 2012 had hit their control systems, instead of "just" wiping out the entirety of their IT.
 
How long until we see the first hack to switch off the power grid or parts of it? Then we'll really have entered an era of cyber espionage and warfare.
 
I work in the British version of this site (Port Talbot) and a few years back we had a similar thing with a virus/rootkit brought into the steel works via thumb drives.
It wreaked havoc, slowing the system down to a crawl, which in turn reduced production due to SCADA systems being slow and buggy. It also took out our model programs as well, which set us about 3 years back in the upgrade project.

Now the current system is that the PLCs/DCS + SCADA servers are unconnectable from outside, i.e. to gain access you need to be either on the actual station or remoting in via a PC with this function and trust level.
All the networked PCs run through a server that controls outgoing communications, which only have internet access when head PC&A engineers log on to them. All remote logins use individual usernames and passwords, which have to contain a set amount of upper/lower case letters and numbers and are changed regularly.
All programs and SCADAs are backed up via soft and hard copies; hard copies are kept in a fireproof safe off site.

All operator PCs are now on a separate network to that of the office computers, except for shift tech and day technicians, and pulpit PCs are stored in control rooms with a KVM link to the pulpit.
All office PCs have monitored network traffic and have no internet access; the USB ports are disabled, as are the CD trays.

As pointed out, an ideal system would have no physical link between the plant and the open world, but this would be unusable in the real world. A shift technician / engineer needs to be able to remotely access programs/SCADA to make changes to the systems to run the plant at optimal conditions; either that or he will spend 11:40 hours of a shift walking from control room to control room.

In an ideal world the entire plant would be controlled by remote IO to a main server room with a multi-level PLC system, with isolated SCADA clients/servers, with KVMs to control rooms, but that requires a shedload of investment.
 
You are working from the assumption that someone has decided to have a jolly on your behalf when the more likely event is that someone is targeting the company specifically with knowledge of your systems.

http://en.wikipedia.org/wiki/Stuxnet

Look at the damage that caused. Think about the complexity that went into designing something that advanced and the amount of knowledge required to do so.
 
> http://www.bbc.co.uk/news/technology-30575104
>
> I work in a process industry which will have similarities to steel works. We generally imagine that even if hackers could penetrate our IT security they wouldn't be able to interpret the control system adequately to cause damage because of the complexity of the process and the bespoke and dated nature of the infrastructure.
> This seems like a somewhat naive belief in light of recent events.
> I was particularly taken by Benjamin Sontag's comment at the end. I know that practically every major control system in my industry is internet connected. As a practical matter we can't afford to employ enough trained competent people to be on site all the time and some specialist resource is central and needs remote access.
>
> What are people's thoughts on this development? Personally I think the risks may be overrated but my confidence is a little shaken.

I think that the assumption that it may be difficult to understand is true; however, any industrial network potentially could be brought down by maybe reversing machine values, i.e. a steel mill furnace is set to value 95, change it to 9000 and see what happens?

I know it's not that clear cut but that's what I mean: even if the data is vague maybe it can still be changed that way.

It has probably already occurred and probably by the West.

DERP.
 
> Very naive IMO - while not everyone will have the skills a fair few will. (Having worked for a company that produced bespoke database solutions, etc. I can usually pick up on that kind of stuff pretty quickly).

Indeed, if they can hack through the security then controlling any systems is probably much easier although there might be some luck involved.

I had to reverse engineer the control system for a robotic arm a few years ago; got a few PDFs online that weren't that useful and just found the API documentation installed on the computer. Didn't take long to figure out all the controls.
 
> Been going on forever
> http://pipelineandgasjournal.com/hacking-industrial-scada-network
>
> SCADA systems never get updated because they are busy working and it is expensive,
> plus nobody thinks about security anyway because nobody is paying for it.
>
> basic rule:
> don't let naive/arrogant management sit on the same network as your control systems, shove all their toys some place where they can't do any damage.
>
> If you can screw an industry by sending an email then the IT sucks.

Plus most of these industries run by a "if it ain't broke don't fix it" mentality which means known security flaws live forever.

Plus there are a number of other weaknesses. Such systems are typically controlled by a fairly high-level language which later gets compiled down to C code or is interpreted in some way. These high-level control scripts are easily understood by any programmer with a small amount of understanding of such systems. It's like looking at a bash script on an unknown server: it won't take you long to figure out what it does.
 
I'm not a C+I engineer btw.

I had a chat about this at work today. We have a 3-level firewall apparently, with the ability to isolate the control system if needed. The interesting thing was we couldn't think of a way to seriously damage the plant through the control system. The process is unstable naturally and even small changes can push it outside certain limits, which will cause hard-wired trips and interlocks to operate. The few ideas we could come up with were marginally plant damaging but in no way hazardous. The biggest risk of a hack would be the almost certain trip. But we could imagine that some plants in our industry could be damaged, but it would probably require inside knowledge of the industry to choose the appropriate parameters by the right amount to cause damage without it being noticed or tripping.
I guess in this instance a steel mill has considerable kinetic and thermal energy which if improperly controlled can cause damage.

It's an interesting risk our development has created.
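The "set 95 to 9000" idea a few posts up and the hard-wired trips and interlocks described in this post are two sides of the same check: a setpoint write either stays within what the process can plausibly accept or it is rejected and alarmed. The following is an added example, not code from anyone in this thread or from any real control system, of a software plausibility monitor for setpoint writes that flags a write for leaving the tag's engineering range, jumping more than a per-write step limit, or coming from a host that is not an approved engineering station. Tag names, limits, host names and the events are all constructed for illustration.

```python
# Plausibility monitor for setpoint writes (added example; all names and values constructed).
from dataclasses import dataclass

@dataclass(frozen=True)
class TagLimits:
    low: float        # engineering low limit, the software twin of a hard-wired trip
    high: float       # engineering high limit
    max_step: float   # largest change one write is allowed to make

# Constructed limits; a real plant would load these from its tag database.
LIMITS = {
    "FURNACE_ZONE1_SP": TagLimits(low=0.0, high=120.0, max_step=10.0),
    "STRIP_SPEED_SP":   TagLimits(low=0.0, high=60.0,  max_step=5.0),
}

# Constructed allowlist: the shift tech / engineering stations allowed to write setpoints.
APPROVED_WRITERS = {"eng-station-01", "eng-station-02"}

def check_write(tag, old, new, source):
    """Return the reasons a write looks implausible; an empty list means it passes."""
    limits = LIMITS.get(tag)
    if limits is None:
        return [f"unknown tag {tag}"]
    reasons = []
    if source not in APPROVED_WRITERS:
        reasons.append(f"write from unapproved host {source}")
    if not (limits.low <= new <= limits.high):
        reasons.append(f"value {new} outside range [{limits.low}, {limits.high}]")
    if abs(new - old) > limits.max_step:
        reasons.append(f"step {abs(new - old)} exceeds max_step {limits.max_step}")
    return reasons

def audit(events):
    """Run (tag, old, new, source) events through check_write; return only the flagged ones."""
    flagged = []
    for event in events:
        reasons = check_write(*event)
        if reasons:
            flagged.append((event, reasons))
    return flagged

# Constructed sample events: a routine tweak, the 95 -> 9000 case from the thread,
# and a small but legitimate-looking change written from an office PC.
EVENTS = [
    ("FURNACE_ZONE1_SP", 95.0, 97.0, "eng-station-01"),
    ("FURNACE_ZONE1_SP", 95.0, 9000.0, "eng-station-01"),
    ("STRIP_SPEED_SP", 40.0, 42.0, "office-pc-17"),
]

if __name__ == "__main__":
    for event, reasons in audit(EVENTS):
        print(event, "->", "; ".join(reasons))
```

The third event is the one a pure range check misses: the value is sensible, so only the source-host check catches it, which is why network segregation and write plausibility need to be enforced together.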
 
The problem is companies which do invest in protective measures, i.e. decent firewalls and penetration testing regimes, then go and allow people, usually higher up, remote access from home via their unsecured home networks and PCs directly into the core network. The investment makes them overconfident and frankly their senior staff are almost never the right people to have access from home. The same can be said of third-party companies they work with: they initially allow them access, bypassing certain security measures in the process, then forget to remove that access when it's no longer required or when the contract expires. I've seen this sort of thing at almost every single company I've worked at; does my head in.

I'm convinced some managers think there's a wall light in ICT or Security which blinks when a hack is detected, or an alarm that goes off. Truth is the best hacks are those you don't know happened, or where you find out only after the hackers decide it should be made public. There was a conference last year where they claimed the AVERAGE duration of a hack was 210 days before the IT department found out about it.
 