
Archive for June, 2009

National Traffic Engineering

June 29, 2009

I was going through some nice reports from Arbor Networks and some regional ISPs showing how Iranian internet traffic was manipulated and controlled before, during and after the elections (also applicable to any scenario in which a government is trying to be in full control).

The reports show that the government-controlled telecom provider, the Data Communication Company of Iran (DCI), couldn’t block the internet in general, because that would be impossible without impacting business (email, etc.) and perhaps causing further social unrest.

So DCI chose a more balanced approach that uses application firewalls to selectively rate-limit selected Internet applications (identified either by payload inspection or by port), mainly trying to limit video streaming and file sharing.

As you can see from this graph (source: Arbor Networks report), video traffic was in high demand right after the elections “due to global interest”, then was suddenly blocked by DCI’s application filtering policies.

Video streaming in Iran

Apparently the new policy was to block SSH, streaming video and file sharing, all with a blocking rate of +80%, and to rate-limit mail, HTTP and FTP, all at around a 50% block rate (see below).

Block Rates


You can see how internet traffic in general was suffering exactly 1 day after the elections (graph below).

Iranian Internet Traffic

The full reports can be found under:

Iranian Traffic Engineering
A Deeper Look at The Iranian Firewall
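
To make the block-rate figures above concrete, here is an added example (my own code, not Arbor’s or DCI’s) that classifies constructed flow records by payload inspection or port, compares traffic volume per application before and after a policy change, and labels each application with the two policy tiers described above; the port map, the video URL keyword and the sample flows are assumptions.

```python
from collections import defaultdict

# Port-based labels for flows whose payload gives nothing away (assumed mapping).
PORT_APPS = {21: "ftp", 22: "ssh", 25: "mail", 80: "http", 110: "mail", 143: "mail"}

def classify(port, payload):
    """Label one flow: payload inspection first, port fallback second."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith((b"GET ", b"POST ")) and b"videoplayback" in payload:
        return "video"          # assumption: streaming recognised by a URL keyword
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "filesharing"
    return PORT_APPS.get(port, "other")

def volume_by_app(flows):
    """Sum transferred bytes per application label; flows are (port, payload, bytes)."""
    totals = defaultdict(int)
    for port, payload, nbytes in flows:
        totals[classify(port, payload)] += nbytes
    return dict(totals)

def policy_label(rate):
    """Map a measured block rate onto the two policy tiers from the report."""
    if rate >= 0.8:
        return "blocked"
    if rate >= 0.4:
        return "rate-limited"
    return "normal"

def report(baseline_flows, observed_flows):
    """For each application seen in the baseline, return (block_rate, label)."""
    before, after = volume_by_app(baseline_flows), volume_by_app(observed_flows)
    out = {}
    for app, b in before.items():
        rate = max(0.0, 1 - after.get(app, 0) / b)
        out[app] = (rate, policy_label(rate))
    return out

# Constructed flow samples: one day before and one day after the policy change.
BEFORE = [(22, b"SSH-2.0-OpenSSH_5.1", 1000), (80, b"GET /videoplayback?id=1 HTTP/1.1", 4000),
          (6881, b"\x13BitTorrent protocol", 3000), (80, b"GET / HTTP/1.1", 2000),
          (25, b"EHLO mail.example", 1000), (21, b"USER anonymous", 500)]
AFTER = [(22, b"SSH-2.0-OpenSSH_5.1", 100), (80, b"GET /videoplayback?id=1 HTTP/1.1", 400),
         (6881, b"\x13BitTorrent protocol", 300), (80, b"GET / HTTP/1.1", 1000),
         (25, b"EHLO mail.example", 500), (21, b"USER anonymous", 250)]

if __name__ == "__main__":
    for app, (rate, label) in sorted(report(BEFORE, AFTER).items()):
        print(f"{app:12s} block rate {rate:.0%}  -> {label}")
```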

My comments: state-owned and controlled communication infrastructure and national internet gateways are the common setup in many countries, so a similar scenario is always a valid threat. But I think that as more businesses and economies come to rely on the internet, it is unlikely that we will see this happen again, or at least it will become an exponentially tougher and costlier decision with time.


AT&T and Qwest Join the Holy Grail Race (aka SMART GRID)

June 24, 2009

Companies are repositioning themselves to grab a piece of the lucrative smart grid pie. After my previous post talking about Cisco, HP, Google, etc. all announcing SMART initiatives, it was about time for the telco giants to join the race.

Qwest Communications has partnered with Current Communications on a smart-grid offering for utility companies that combines the former’s DSL network with the latter’s broadband-over-powerline (BPL) technology.

Last March SmartSynch and AT&T signed a partnership whereby AT&T’s wireless network is used to connect smart meters at commercial and industrial locations to around 100 different utilities’ back offices (see picture below).

smartsynchmeter


Yesterday AT&T announced that they are targeting a much more diverse SMART GRID role than previously perceived:

“We are starting at the meter and working our way back up the grid to the power production plant and looking at automating all the different elements along that chain,” said Abhi Ingle, vice president of industry and mobility application solutions at AT&T. “We’re embedding wireless intelligence at different points in the grid to not just capture usage and dynamic pricing information from the end user, but to also look at outage management, fault detection and things of that nature.”

In the news report published HERE, it is mentioned that under the terms of the agreement, AT&T and Cooper will co-sell two products, OutageAdvisor and VARAdvisor. OutageAdvisor is a sensor that hangs on electric delivery lines every couple of miles to locate and isolate faults and then communicate them directly back within the system in real time over AT&T’s network. Ingle said this will lessen the time it takes to identify and correct faults, as well as reduce the likelihood of an outage.

The VARAdvisor sensor will serve as an alternative to manual inspection of equipment that controls the voltage supplied to consumers and detects fuse failures, which Ingle said will also help reduce the need for on-site inspections.


A Shortlist of Reported SCADA Incidents

June 21, 2009

In a good report by The Infrastructure Security Partnership (TISP.org) called THE ROADMAP TO SECURE CONTROL SYSTEMS IN THE WATER SECTOR, I found a good list that helped me remember several of the well-known, “reported” SCADA incidents, including:

• Insider hacks into sewage treatment plant (Australia, 2001)—A former employee of the software development team repeatedly hacked (46 occasions) into the SCADA system that controlled a Queensland sewage treatment plant, releasing about 264,000 gallons of raw sewage into nearby rivers and parks. (My comments: if I remember correctly, he was able to use the company WiFi from the company’s parking lot.)
• Equipment malfunction at water storage dam (St. Louis, MO, 2005)—The gauges at the Sauk Water Storage Dam read differently than the gauges at the dam’s remote monitoring station, causing a catastrophic failure which released one billion gallons of water.
• Intruder plants malicious software in a water treatment system (Harrisburg, PA, 2006)—A foreign hacker penetrated security of a water filtering plant through the internet. The intruder planted malicious software that was capable of affecting the plant’s water treatment operations.
• Reported vulnerability (Aurora, 2007)—CNN reported a control system vulnerability that could damage generators and motors. (My comments: many argued the credibility of this test, but I think it was deliberately downplayed for the right reasons.)
• Intruder sabotages a water canal SCADA system (Willows, CA, 2007)—An intruder installed unauthorized software and damaged the computer used to divert water from the Sacramento River.
• CIA confirms cyber attack caused multi-city power outage (New Orleans, 2008)—CIA has information that cyber intrusions into utilities (followed by extortion demands) have been used to disrupt power equipment in several regions outside the United States.

I would like to add the following incidents:

• January 8, 2008—A teenage boy ‘hacks’ into the track control system of the Lodz city tram system, derailing four vehicles. He had adapted a television remote control so it could change track switches.

• In 2003 the Slammer worm crashed an Ohio nuclear plant network. “This is in essence a backdoor from the Internet to the Corporate internal network that was not monitored by Corporate personnel”, quoted from the full report HERE (http://www.securityfocus.com/news/6767).

• In 2000 hackers cracked Gazprom security and controlled a gas-flow switchboard; “we were very close to a major natural disaster”, commented a Russian minister, as reported here: http://www.time.com/time/magazine/article/0,9171,901020617260664,00.html

The report also listed the following under “How Can Cyber Events Affect Water Systems?”:

Cyber events can affect water system operations in a variety of ways, some with potentially significant adverse effects on public health. Cyber events could do the following:
• Interfere with the operation of water treatment equipment, which can cause chemical over- or under-dosing
• Make unauthorized changes to programmed instruction in local processors to take control of water distribution or wastewater collection systems, resulting in disabled service, reduced pressure flows of water into fire hydrants, or overflow of untreated sewage into public waterways
• Modify the control systems software, producing unpredictable results
• Block data or send false information to operators to prevent them from being aware of conditions or to initiate inappropriate actions
• Change alarm thresholds or disable them
• Prevent access to account information
• Although many facilities have manual backup procedures in place, failures of multiple systems may overtax staff resources—even if each failure is manageable in itself
• Be used as ransomware
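
Two of the effects in that list (changing or disabling alarm thresholds, and feeding operators false readings) and the Sauk dam gauge mismatch above are detectable with a plain integrity check. As an added example (my own code, not from the TISP report), the block below audits a controller’s live alarm table against an approved baseline and cross-checks local gauges against remote telemetry; the tag names, thresholds and readings are constructed.

```python
# Constructed, approved alarm baseline for a water plant: tag -> (low, high, enabled).
APPROVED_ALARMS = {
    "CL2_RESIDUAL_PPM":   (0.5, 4.0, True),    # chlorine dosing window
    "TANK1_LEVEL_FT":     (2.0, 28.0, True),
    "PUMP3_PRESSURE_PSI": (40.0, 90.0, True),
}

def audit_alarms(approved, live):
    """Diff the live alarm table against the baseline; returns (tag, finding) pairs."""
    findings = []
    for tag, (lo, hi, enabled) in approved.items():
        if tag not in live:
            findings.append((tag, "missing"))
            continue
        live_lo, live_hi, live_enabled = live[tag]
        if enabled and not live_enabled:
            findings.append((tag, "disabled"))
        if (live_lo, live_hi) != (lo, hi):
            findings.append((tag, f"thresholds {lo}-{hi} changed to {live_lo}-{live_hi}"))
    for tag in live:
        if tag not in approved:
            findings.append((tag, "unapproved alarm added"))
    return findings

def gauge_mismatches(local, remote, tolerance=0.05):
    """Flag tags whose remote reading differs from the local gauge by more than `tolerance`."""
    out = []
    for tag, local_val in local.items():
        remote_val = remote.get(tag)
        if remote_val is None:
            out.append((tag, "no remote reading"))
            continue
        scale = max(abs(local_val), 1e-9)        # avoid division by zero on a 0 reading
        if abs(local_val - remote_val) / scale > tolerance:
            out.append((tag, f"local {local_val} vs remote {remote_val}"))
    return out

# Constructed snapshots: the chlorine window was widened, the tank alarm silenced,
# an unknown alarm appeared, and the remote tank level is far from the local gauge.
LIVE_ALARMS = {
    "CL2_RESIDUAL_PPM":   (0.5, 12.0, True),
    "TANK1_LEVEL_FT":     (2.0, 28.0, False),
    "PUMP3_PRESSURE_PSI": (40.0, 90.0, True),
    "DEBUG_BYPASS":       (0.0, 0.0, False),
}
LOCAL_GAUGES  = {"TANK1_LEVEL_FT": 27.5, "PUMP3_PRESSURE_PSI": 60.0}
REMOTE_GAUGES = {"TANK1_LEVEL_FT": 12.0, "PUMP3_PRESSURE_PSI": 61.0}
```

Running `audit_alarms(APPROVED_ALARMS, LIVE_ALARMS)` and `gauge_mismatches(LOCAL_GAUGES, REMOTE_GAUGES)` on these snapshots yields three alarm findings and one gauge mismatch; an unchanged table and matching gauges yield empty lists.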

Social Media and Cyber Security

June 18, 2009

I was reading a friend’s blog on how Twitter decided to reschedule its maintenance downtime to accommodate the Iranian elections! As per the Twitter status blog, “A critical network upgrade must be performed to ensure continued operation of Twitter. In coordination with Twitter, our network host had planned this upgrade for tonight. However, our network partners at NTT America recognize the role Twitter is currently playing as an important communication tool in Iran. Tonight’s planned maintenance has been rescheduled to tomorrow between 2-3p PST (1:30a in Iran).” (official Twitter blog post HERE). It is interesting that Twitter decided to be offline during US peak hours for the sake of availability in Iran.

According to a ZDNet blog, Twitter was apparently used successfully to coordinate a DDoS attack on several key pro-Ahmadinejad Iranian web sites, including the President’s homepage, which continues returning a “The maximum number of user reached, Server is too busy, please try again later…” message.

Also, back in April 2008 a group of Egyptian youth used Facebook to create a group (+70,000 members) to organize and coordinate a nationwide strike that quickly became a regional media hype (the group’s page).

Under the twitter.com basic terms of service it clearly says that:

“You may not use the Twitter.com service for any illegal or unauthorized purpose. International users agree to comply with all local laws regarding online conduct and acceptable content.” Yet they agreed to reschedule the maintenance to accommodate the “freedom fighters”!

It’s clear that web 2.0 is here to change the game; the problem is that it’s a game with no rules… yet.

He who can harness the power of hundreds of millions of “mostly teenage” users and direct them in any way imaginable will be the ultimate Bot master.

iranian_pro-ahmadinejad_site_attack_twitter_1


Incident Response Cheat Sheets

June 17, 2009

Something is not feeling right; maybe you are hacked. You don’t know for sure yet, but you need to quickly qualify the potential incident. You also need to ask questions to make sense of the situation and determine how to proceed. It’s easy to make mistakes in the heat of the moment; here are two cheat sheets that may help (source: SANS.org).

The first sheet (shown below) is for system administrators, the second is for incident responders.

Incidents Response cheat Sheets


Download the (Security Incident Survey Cheat Sheet for Server Administrators)

Download the (Initial Security Incident Questionnaire for Responders)

A Worm Opens Door to Power-Grid Botnet

June 13, 2009

A recent article in The Register (UK) quoted IOActive’s security experts, who managed to write the first power-grid worm, to be demonstrated at the upcoming BlackHat conference in Las Vegas.

The researchers tested about half a dozen smart meters and found that most of the devices require no encryption or authentication.

The worm would use the unauthenticated peer-to-peer (P2P) update feature that the smart meters ship with to deliver its malicious code.
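
The missing control is authentication of the update image itself. As an added example (my own code, not IOActive’s and not any meter vendor’s firmware), the block below shows the check a meter would need before installing anything that arrives over the peer-to-peer update path: a keyed tag over version and payload, compared in constant time, plus a version check that refuses downgrades. The per-meter key and the image format are assumptions, and HMAC stands in for the asymmetric signature a fielded scheme would use so that no single meter holds a signing key.

```python
import hashlib
import hmac
import struct

# Constructed per-meter key (not a real device's); a production scheme would use an
# asymmetric signature so peers cannot learn a signing key from any one meter.
METER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)
HEADER = struct.Struct(">I32s")   # firmware version, HMAC-SHA256 tag over version||payload

def _tag(key, version, payload):
    return hmac.new(key, struct.pack(">I", version) + payload, hashlib.sha256).digest()

def sign_update(key, version, payload):
    """Build an update image the meter will accept: header(version, tag) + payload."""
    return HEADER.pack(version, _tag(key, version, payload)) + payload

def verify_update(key, blob, installed_version):
    """Return (accepted, reason). Bytes arriving over the peer-to-peer update path are
    installed only if the tag verifies and the version is newer than what is installed."""
    if len(blob) < HEADER.size:
        return False, "truncated"
    version, tag = HEADER.unpack_from(blob)
    payload = blob[HEADER.size:]
    if not hmac.compare_digest(tag, _tag(key, version, payload)):  # constant-time compare
        return False, "bad signature"
    if version <= installed_version:            # refuse downgrades to older, buggier images
        return False, "rollback"
    return True, "ok"

# Constructed test images: a genuine v5 image, the same image with one byte flipped in
# transit, and a forwarded "update" carrying an all-zero tag.
GENUINE = sign_update(METER_KEY, 5, b"firmware image v5")
TAMPERED = GENUINE[:-1] + bytes([GENUINE[-1] ^ 0x01])
FORGED = HEADER.pack(6, b"\x00" * 32) + b"not from the vendor"

if __name__ == "__main__":
    for name, blob in [("genuine", GENUINE), ("tampered", TAMPERED), ("forged", FORGED)]:
        print(name, verify_update(METER_KEY, blob, installed_version=4))
```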

Some US-market numbers from EnergyPulse to think about:

- More than two million smart meters in field use today
- An additional 17 million devices on order by over 73 participating utilities
- Smart meters, once deployed, are expected to last 10-15 years
- Many of the smart meters currently in production are built using vulnerable hardware like the Texas Instruments MSP430 (shown below, from eBay)

The smart grid will gain a lot of momentum in the next few years due to many political, environmental and financial incentives. Efforts worldwide are underway to develop or update the required legal and technical frameworks. Yet there are some pressing debates and issues, for example:

- Is it OK to build the smart meters in a foreign country using foreign components? (Chinese firm Huawei hits back at cyberspy claims)
- Should a government impose or name a certain communication encryption algorithm?
- Should SCADA vulnerabilities be publicized like regular PC vulnerabilities? We don’t hear often about vulnerabilities in the medical equipment industry… do we?
- It’s BlackHat 2020 and the freedom hackers group has just announced several critical vulnerabilities in the hardware deployed at millions of homes… when shall I expect the electricity guy to come and replace my vulnerable meter?

TI MSP 430


Cyber Assessment Methods for SCADA Security

June 10, 2009

A good old INL (Idaho National Labs) white paper that describes vulnerability assessment methodologies used in ongoing research and assessment activities designed to identify and resolve vulnerabilities in SCADA systems. It was published in 2005, so some of the tools referenced might be outdated, but the methodologies are nicely put.

Download the paper (HERE)