The oil rich countries in the Middle East depend on Industrial Control Systems (ICS) to run the Energy sector which is responsible in average for generating around 70-90 % of the national GDP. and ultimately providing around 40% of the world’s total energy consumption.
Since STUXNET news surfaced 18 month ago, the region has witnessed not less than 20 different information and cyber security conferences that addressed the topic and highlighted the ICS security issue as a monumental risk to the GCC region in particular.
The Kaspersky chart below show STUXNET infection rates in the GCC countries,(UAE,Saudi,Kuwait,Bahrain,Qatar and Oman).
and recently the state of Qatar through the national CERT issued the region’s first national level ICS security Guidelines in Arabic as well as an English translated version. currently the document “planned to be updated annually” is not mandatory but the document’s roadmap is likely to see a change in the next few years.
You can download a copy of the English translation here (Download)
Press Coverage – Here
A hacker, going with the name “pr0f” has been all over the news for showing that he was able to access a SCADA system used in Texas. only to vent his anger on how the DHS underplayed a recent attack that destroyed a pump at a water facility in Illinois.
Comment: Looking into the images, in addition to South Huston Texas,they also feature screen shots labelled as (City of South Huston Nevada and Virginia)
In one of his interviews, “pr0f” said that he was able to access the systems via “two” different methods. First through a VNC connection that was accessible from the internet !!!, which helped him take the screen shots below, in addition to the ability to access the web administration portal which is still accessible till this morning !!.
When asked to comment on the Illinois incident, he said
“I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,”
apparently Using a Romanian email (firstname.lastname@example.org) to post the screenshots on pastebin , the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. He said South Houston had an instance of the Siemens Simatic human machine interface (HMI) software that was accessible from the Internet and that was protected with an easy-to-hack, three character password.!!!” No Comment”.
Actually there are a couple of comments:
– He might have used a publicly discussed vulnerability in Siemens allowing attackers to intercept and figure-out passwords, or change the configuration of the PLCs. So my guess is that using a harder password would not have helped much.
— the Siemens Advisory that went out last July (http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=51401544&caller=view) tells you to limit physical and logical access to the vulnerable system while they work on a patch ( which is yet still to come).
– WHY….is the system accessible from the internet? is the real question.
— I just can’t get why would someone put his critical business asset even if its an ice cream machine online and accessible from the internet…apparently not hardened ” system fingerprint was searchable” and with lots of Siemens vulnerabilities/goodies up for grabs.
“pr0f” is probably going to face some serious legal troubles for admitting his act, but his adventure makes me wonder…if this is the status of security and awareness in “some” of the critical infrastructures in the united states of america and I’m sure in other “developed” countries.
What would be the status of SCADA security in the “Developing” world ? I am making a study on the CIIP status in the developing world and found that in just one domain/sector which is oil production as of November 2010, the OPEC members “ 12 countries all considered developing countries” collectively hold 79% of the world’s crude oil reserves and 44% of the world’s crude oil production with 100% reliance on SCADA/DCS systems many of which has reported vulnerabilities or even exploits, none of those countries has a national CIIP strategy or follow/adopt an acknowledged SCADA security guideline or best practice or even consider Critical Information Infrastructure Protection a topic worthy of discussion.
A recently leaked DHS document (Download Here) warns that Hacktivist group “Anonymous” are considering attacking SCADA systems and Critical Infrastructures in some countries.
The document labelled as “for official use only” quotes several “twitter” posts believed to belong to Anonymous members discussing and exchanging information about SCADA projects.
” On 19 July 2011, a known Anonymous member posted to Twitter the results of browsing the directory tree for Siemens SIMATIC software. This is an indication in a shift toward interest in control systems by the hacktivist group.”
“An anonymous individual provided an open source posting on twitter of xml and html code that queries the SIMATIC software. The individual alleged access to multiple control systems and referred to “Owning” them.2 The Twitter posting does not identify any systems where privileged levels of access to control systems have been obtained.”
The report insinuates that experienced Anonymous hackers can quickly gain the knowledge required to hack ICS “Industrial Control Systems” which is correct. But the report didn’t mention the fact that currently there is a gold rush amongst researchers to come up with SCADA vulnerabilities, just in the past couple of weeks anyone following the right and publicly available sources can count more than a dozen zero-day vulnerabilities out there (I mean with no patch available).couple that with high motivation and you have a dangerous formula.
Just by looking around, I am afraid to say that ICS are going to be the next target after the current wave of attacks on financial institutions “Occupy wall-street”.
Looking at the flow of events, Anonymous, LulzSec and Co. have already targeted Governments, Big corporates, Defense contractors,Banks and Stock exchanges….the next logical step down the food chain is Energy.
More on the topic:
Recently I attended the FIRST (Forum of Incident Response Security Teams) conference in Vienna which is the annual gathering for CERTs (Computer Emergency Response Teams) from around the world and everyone noticed that for the first time in the history of the 23 year old annual conference that the main buzzword was not some new IT security breakthrough, the most talked about vendor in the lobby and in the hallways was not Microsoft with all it’s glory, the hottest sessions were not F-SECURE’s Mikko H. Hypponen or Kaspersky’s Founder Eugene Kaspersky and the most talked about threat was not buffer overflow.
The answer for all of the above was one word…”SIEMENS”.
It was clear that things have changed and that there is a shift in the priorities of the attendees.and this is very alarming to see that in the FIRST conference specially.
The significance of the FIRST conference is that its in my opinion…the ultimate good guys gathering.
CERT teams are the real firefighters on the ground and usually those guys deal with all the dirt on a 24x7x365 basis and many of them do it country/regional level…also by design CERT staff are some of the most connected people in the information security business and most importantly they thrive on hard earned IT community trust. so if you hear them saying this is a game changer and most of us are not ready…this is your cyber strategy needs to be revised heads-up right here.
Also for the first time SIEMENS represented by SIEMENS-CERT was going to talk about Stuxnet from their perspective. although it was one of 3 parallel sessions i guess everyone in the conference was in this room to hear what SIEMENS have to say in its own defense regarding Stuxnet.
They kickstarted the session by asking everyone not to copy anything from the slides and to stop using social media completely, the slides were all marked as CONFIDENTIAL…turned out that there is nothing they can add to what everybody knew.
SIEMENS said that they completely understand why they are being scrutinized and that they did a mistake handling the Stuxnet issue…yes they said “We did a mistake” and I have to credit them for that. the mistake in their presentation was Siemens CERT not sharing any of the information at hand “early on” with other CERTs or at least proactively explaining the issue to the Media properly, this is true but its not the root cause of the problem.
Stuxnet over the week end
SIEMENS CERT first heard about Stuxnet over the weekend and at first glance they thought it can wait till monday, they started to slowly unwrap the malware only to be beaten to it by Ralf Langner initial findings posted on his blog which started a media frenzy…in their own words it was a top decision not to enter the fray until they finish the entire analysis (took them 6 month)…but who can wait with such a gem at hand. and the rest is history.
SIEMENS View on how to improve security in the future
They said that as a vendor SIEMENS value security and couldn’t be less annoyed standing here having to clear/justify this mess, and that they promise to be more open and to issue alerts, customer specific notifications and patches much sooner if anything of such nature surfaced again.
What they didn’t say and should be saying
SIEMENS never came close to acknowledge that their entire design process which has always been flawed but survived due security by obscurity came to a sad end..and to make things worse…everybody (researchers, opportunists and criminals) is now trying to play with it maybe he/she stumbles upon something that can cause more embarrassment. they need to come clean and know that the only proper way to fix this kind of fundamentally poor design issues (Hard coded passwords, leaving unnecessary ports and services open…etc)…is a totally new SDL “Security Development Lifecycle” that would eventually allow them to spot things much early on and to avoid silly mistakes as in hard coding passwords in the year 2011.
Stuxnet Code: can be downloaded from Here (Important: After downloading – Change the extension name to .RAR)
Watch Ralf Langner talk in NATOs conference on cyber conflict
ICS-CERT alert on the hard coded credentials in SIEMENS products
A recent post in the full disclosure list (FDL) claims that a Latvian Power Plant called (Latvenergo RIGAS HES-2) has been hacked. the post is strikingly similar in its approach to the recent FPL SCADA incident/Hoax.
-The FPL post was sent to the FDL at 8:22 (-7) PDT
-The RIGAS post was sent to the FDL at 8:48 (-7) PDT
-The FPL email that the hacker BGR sent me was sent from a Yahoo account, this time they used Rocketmail.com (owned by Yahoo)
-Both started by posting real IPs owned by reportedly the victims
-Both posted Images/screen shots hosted at Imageshack.us
-Both pasted the Cisco router configuration files along with the passwords
The screen shots were taken from a windows PC that also shows a lotus notes mailbox named (Leva Vaica).
I would assume from the pop up below that this is an Asus Laptop and not a desktop, since the EPU-4 Engine is a mother board with integrated graphics mostly used in Asus Laptops for power saving.
The entire project was saved under the name of (Leva_Test).
A group called (China Youth Hackers Alliance) claimed responsibility.
Related news: This April 28th and in the same city of the power plant (Riga,Latvia) was the Chinese Business day and trade expo (Invest EXPO 2011)
This reported incident looks like an FPL Hoax “Deja vu” or the Chinese business convoy revenge for a business deal that turned sour🙂
There has been some news that in this incident the alleged insider has faked some aspects / manipulated some screen shots to embarrass his former employers ” FPL”
***End of Update***
On April 16th (15:43 GMT) I received the following email from (bgr_24423 AT Yahoo.com) :
Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL)
… ain’t nothing they can do with it, since NM electricity is turned off !!! In some days people will know about FLP SCADA security, you are one of the first …
The email was long and contained all the details that proves that this guy had hacked the system, he even posted the complete Configuration file from the central Cisco Router and Security Device Manager. along with the passwords.
To spice things up he included 8 URLs with screen shots to proof his point. (Image URLs below).
8 ) http://img864.imageshack.us/i/94061747.png/
I immediately checked those image URLS but I found that they had (Zero Views) at the time….now its different.
Seeing that I am the first one to see the images, I had my doubts that it might be a fake email so i did some googling to make sure that its a real incident. to my surprise all my checks worked out.
Even the email header looked fine and it showed that the email was sent from outside the US…from Germany to be precise, which is only logical for an email of such nature. “go as far as possible from the crime scene is usually the international best practice”…or at least show that you are as far as possible.
The email header here :
At this point I decided to report everything to ICS-CERT. But now that the news is already everywhere I can publicly comment on the incident.
– I would assume that, he sent this email to some of the known and trusted SCADA security blogs out there, but the good thing is that none shared it publicly. “or at least thats my understanding”.
– He took the next step and shared it on the full disclosure mailing list – and then it was out of control.
– People tend to overlook the sensitivity of corporate or confidential information, once things turn personal.
– In few minutes Blogs and mailing lists around the globe had information about another country’s national Critical Infrastructure. It’s striking that what was once considered a secret that people or nations pay and recruit spies to get, is now free.
– Any lazy, couch potato spy can just sign up for a dozen of those mailing lists and he would do just fine.
– For how long would this information remain useful is FPL problem now.
– People will start discussing the configuration details this guy posted, and how insecure was their VLAN configurations…etc, but the question is how easy is it for an employee to have access to all this information.
– The router configuration file headers have the login banner of **Bellsouth** , Why ?
– Insider threat is the REAL deal, not anything else.
It’s worth mentioning that FPL made the headlines for the wrong reasons several times over the past 3 years, and they were fined by NERC more than once before, here is a quick account of the fines:
– March 31st 2009, A fine for 250,000 USD (NERC Notice of Penalty – HERE)
– March 5th 2010, A fine for 350,000 USD (FERC Penalty Notice)
– October 8th 2009, A fine for 25 Million USD (2008 Blackout settlement)
– April 2006, A fine for 130,000 USD for Sleeping guards (News)
Further more back in December 2009, Burns and McDonnel consultancy firm completed a cyber security assessment project where they handed recommendations to make FPL in compliance with NERC…This must be one useful report.
Burns & McDonnell has provided security assessments for Florida Power and Light (FPL), evaluating sites that have been considered critical assets under North American Electrical Reliability Corp. (NERC) standards for Critical Infrastructure Protection (CIP). Burns & McDonnell has made recommendations to ensure FPL is prepared to meet or exceed the NERC CIP guidelines in both physical and cyber security. These audits have included site visits and capturing system configurations to determine the current state of the security protections in place.
Source : Burns and McDonnell
This demonstration video takes a detailed look at the Stuxnet worm on a Siemens PCS7 FieldPG host. The demo provides a brief overview of the worm, and then takes a look at how it exploits Windows vulnerabilities to install itself on the target host, infect various Windows and Siemens components, and then replicate itself for installation on other hosts.
Additional information available at This demonstration video takes a detailed look at the Stuxnet worm on a Siemens PCS7 FieldPG host. The demo provides a brief overview of the worm, and then takes a look at how it exploits Windows vulnerabilities to install itself on the target host, infect various Windows and Siemens components, and then replicate itself for installation on other hosts.