
Posts Tagged ‘SCADA Incidents’

SCADA Security Evaporates in Texas

November 22, 2011

A hacker going by the name “pr0f” has been all over the news for showing that he was able to access a SCADA system used in Texas, apparently only to vent his anger at how the DHS underplayed a recent attack that destroyed a pump at a water facility in Illinois.

Comment: Looking at the images, in addition to South Houston, Texas, they also feature screenshots labelled as “City of South Houston” Nevada and Virginia.

In one of his interviews, “pr0f” said that he was able to access the systems via “two” different methods: first through a VNC connection that was accessible from the internet (!!!), which is how he took the screenshots below, and second through the web administration portal, which was still accessible as of this morning (!!).

Screenshots: two images, both captioned “Texas SCADA Hack”.

When asked to comment on the Illinois incident, he said:

“I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,”

Apparently using a Romanian email address (pr0f_srs@ue.co.ro) to post the screenshots on Pastebin, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. He said South Houston had an instance of the Siemens Simatic human machine interface (HMI) software that was accessible from the Internet and that was protected with an easy-to-hack, three-character password (!!!). “No comment”.

Actually there are a couple of comments:

– He might have used a publicly discussed vulnerability in Siemens products that allows attackers to intercept and work out passwords, or to change the configuration of the PLCs. So my guess is that using a harder password would not have helped much.
— The Siemens advisory that went out last July (http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=51401544&caller=view) tells you to limit physical and logical access to the vulnerable system while they work on a patch (which is still to come).

– WHY… is the system accessible from the internet? That is the real question.
— I just can’t understand why someone would put a critical business asset, even if it were an ice cream machine, online and accessible from the internet, apparently not hardened (the system fingerprint was searchable) and with lots of Siemens vulnerabilities/goodies up for grabs.

“pr0f” is probably going to face some serious legal trouble for admitting his act, but his adventure makes me wonder: if this is the state of security and awareness in “some” of the critical infrastructures in the United States of America, and I’m sure in other “developed” countries, what does that say about everywhere else?

What would be the status of SCADA security in the “developing” world? I am making a study of the CIIP status in the developing world and found that, in just one domain/sector, oil production, as of November 2010 the OPEC members (12 countries, all considered developing countries) collectively hold 79% of the world’s crude oil reserves and 44% of the world’s crude oil production, with 100% reliance on SCADA/DCS systems, many of which have reported vulnerabilities or even exploits. None of those countries has a national CIIP strategy, follows or adopts an acknowledged SCADA security guideline or best practice, or even considers Critical Information Infrastructure Protection a topic worthy of discussion.

IT consultant confesses to SCADA tampering, using multiple user accounts

September 30, 2009

Another disgruntled employee incident. The report says that from the company offices this consultant could have had access to remotely operate giant oil platforms!!
-----
A former IT consultant for a California oil and gas company has admitted he intentionally tampered with its computer systems after he was turned down for a permanent position there.

Mario Azar of Upland, California pleaded guilty to one felony count of intentionally damaging a computer system used in interstate and foreign commerce, according to documents filed in federal court in Los Angeles. He was an IT consultant for Long Beach, California-based Pacific Energy Resources until around May 8, 2008, when he received his final paycheck.

Beginning on that date, Azar “knowingly caused the transmission of programs,” codes, and commands that impaired the computer systems of the company, prosecutors said. Parts of those systems were used to remotely operate giant oil platforms from the company’s offices. The systems were also used to detect gas leaks.

Such SCADA, or supervisory control and data acquisition, systems are frequently used to control sensitive equipment at dams, gasoline refineries and other large industrial sites. Security watchers have warned that they are vulnerable to disgruntled insiders or malicious hackers who figure out ways to exploit computer weaknesses.

Azar had set up parts of the Pacific Energy Resources computer system and had established multiple user accounts on it, according to court documents. They didn’t make clear whether company administrators had deleted the accounts after the consultant left the company.

Source: The Register (UK)

A Shortlist of Reported SCADA Incidents

June 21, 2009

In a good report by the Infrastructure Security Partnership (TISP.org) called “The Roadmap to Secure Control Systems in the Water Sector”, I found a good list that helped me remember several of the well-known, “reported” SCADA incidents, including:

• Insider hacks into sewage treatment plant (Australia, 2001)—A former employee of the software development team repeatedly hacked (on 46 occasions) into the SCADA system that controlled a Queensland sewage treatment plant, releasing about 264,000 gallons of raw sewage into nearby rivers and parks. (My comment: if I remember correctly, he was able to use the company WiFi from the company’s parking lot.)
• Equipment malfunction at water storage dam (St. Louis, MO, 2005)—The gauges at the Sauk Water Storage Dam read differently than the gauges at the dam’s remote monitoring station, causing a catastrophic failure which released one billion gallons of water.
• Intruder plants malicious software in a water treatment system (Harrisburg, PA, 2006)—A foreign hacker penetrated the security of a water filtering plant through the internet. The intruder planted malicious software that was capable of affecting the plant’s water treatment operations.
• Reported vulnerability (Aurora, 2007)—CNN reported a control system vulnerability that could damage generators and motors. (My comment: many argued about the credibility of this test, but I think it was deliberately downplayed for the right reasons.)
• Intruder sabotages a water canal SCADA system (Willows, CA, 2007)—An intruder installed unauthorized software and damaged the computer used to divert water from the Sacramento River.
• CIA confirms cyber attack caused multi-city power outage (New Orleans, 2008)—The CIA has information that cyber intrusions into utilities (followed by extortion demands) have been used to disrupt power equipment in several regions outside the United States.

I would like to add the following incidents:

• January 8, 2008 – A teenage boy ‘hacks’ into the track control system of the Lodz city tram system, derailing four vehicles. He had adapted a television remote control so that it could change track switches.

• In 2003 the Slammer worm crashed an Ohio nuclear plant network. “This is in essence a backdoor from the Internet to the Corporate internal network that was not monitored by Corporate personnel,” quoted from the full report here: http://www.securityfocus.com/news/6767

• In 2000 hackers cracked Gazprom security and controlled a gas-flow switchboard. “We were very close to a major natural disaster,” commented a Russian minister, as reported here: http://www.time.com/time/magazine/article/0,9171,901020617260664,00.html

The report also listed the following under “How Can Cyber Events Affect Water Systems?”:

Cyber events can affect water system operations in a variety of ways, some with potentially significant adverse effects on public health. Cyber events could do the following:
• Interfere with the operation of water treatment equipment, which can cause chemical over or under-dosing
• Make unauthorized changes to programmed instruction in local processors to take control of water distribution or wastewater collection systems, resulting in disabled service, reduced pressure flows of water into fire hydrants, or overflow of untreated sewage into public waterways
• Modify the control systems software, producing unpredictable results
• Block data or send false information to operators to prevent them from being aware of conditions or to initiate inappropriate actions
• Change alarm thresholds or disable them
• Prevent access to account information
• Although many facilities have manual backup procedures in place, failures of multiple systems may overtax staff resources—even if each failure is manageable in itself
• Be used as ransomware