Archive

Posts Tagged ‘SCADA Security’

SCADA Security Evaporates in Texas

November 22, 2011 Leave a comment

A hacker, going with the name “pr0f” has been all over the news for showing that he was able to access a SCADA system used in Texas. only to vent his anger on how the DHS underplayed a recent attack that destroyed a pump at a water facility in Illinois.

Comment: Looking into the images, in addition to South Huston Texas,they also feature screen shots labelled as (City of South Huston Nevada and Virginia)

In one of his interviews, “pr0f” said that he was able to access the systems via “two” different methods. First through a VNC connection that was accessible from the internet !!!, which helped him take the screen shots below, in addition to the ability to access the web administration portal which is still accessible till this morning !!.

Screen shots:

Texas SCADA Hack

Texas SCADA Hack

When asked to comment on the Illinois incident, he said

“I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,”

apparently Using a Romanian email (pr0f_srs@ue.co.ro) to post the screenshots on pastebin , the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. He said South Houston had an instance of the Siemens Simatic human machine interface (HMI) software that was accessible from the Internet and that was protected with an easy-to-hack, three character password.!!!” No Comment”.

Actually there are a couple of comments:

– He might have used a publicly discussed vulnerability in Siemens allowing attackers to intercept and figure-out passwords, or change the configuration of the PLCs. So my guess is that using a harder password would not have helped much.
— the Siemens Advisory that went out last July (http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=51401544&caller=view) tells you to limit physical and logical access to the vulnerable system while they work on a patch ( which is yet still to come).

– WHY….is the system accessible from the internet? is the real question.
— I just can’t get why would someone put his critical business asset even if its an ice cream machine online and accessible from the internet…apparently not hardened ” system fingerprint was searchable” and with lots of Siemens vulnerabilities/goodies up for grabs.

“pr0f” is probably going to face some serious legal troubles for admitting his act, but his adventure makes me wonder…if this is the status of security and awareness in “some” of the critical infrastructures in the united states of america and I’m sure in other “developed” countries.

What would be the status of SCADA security in the “Developing” world ? I am making a study on the CIIP status in the developing world and found that in just one domain/sector which is oil production as of November 2010, the OPEC members “ 12 countries all considered developing countries” collectively hold 79% of the world’s crude oil reserves and 44% of the world’s crude oil production with 100% reliance on SCADA/DCS systems many of which has reported vulnerabilities or even exploits, none of those countries has a national CIIP strategy or follow/adopt an acknowledged SCADA security guideline or best practice or even consider Critical Information Infrastructure Protection a topic worthy of discussion.

Advertisements

Florida Power and Light (FPL): – Sharing SCADA Secrets

April 18, 2011 Leave a comment

***Update***

There has been some news that in this incident the alleged insider has faked some aspects / manipulated some screen shots to embarrass his former employers ” FPL”
Sources: Here

***End of Update***

On April 16th (15:43 GMT) I received the following email from (bgr_24423 AT Yahoo.com) :

Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL)
… ain’t nothing they can do with it, since NM electricity is turned off !!! In some days people will know about FLP SCADA security, you are one of the first …

The email was long and contained all the details that proves that this guy had hacked the system, he even posted the complete Configuration file from the central Cisco Router and Security Device Manager. along with the passwords.

To spice things up he included 8 URLs with screen shots to proof his point. (Image URLs below).

1) http://img838.imageshack.us/i/49986845.png/
2) http://img718.imageshack.us/i/24380855.png/
3) http://img24.imageshack.us/i/58868342.png/
4) http://img228.imageshack.us/i/85258364.png/
5) http://img163.imageshack.us/i/90736853.png/
6) http://img217.imageshack.us/i/55439027.png/
7) http://img40.imageshack.us/i/87526089.png/
8 ) http://img864.imageshack.us/i/94061747.png/

I immediately checked those image URLS but I found that they had (Zero Views) at the time….now its different.

Seeing that I am the first one to see the images, I had my doubts that it might be a fake email so i did some googling to make sure that its a real incident. to my surprise all my checks worked out.

Even the email header looked fine and it showed that the email was sent from outside the US…from Germany to be precise, which is only logical for an email of such nature. “go as far as possible from the crime scene is usually the international best practice”…or at least show that you are as far as possible.

The email header here :

FPL Email Header

FPL Email Header

At this point I decided to report everything to ICS-CERT. But now that the news is already everywhere I can publicly comment on the incident.

My Comments:

– I would assume that, he sent this email to some of the known and trusted SCADA security blogs out there, but the good thing is that none shared it publicly. “or at least thats my understanding”.
– He took the next step and shared it on the full disclosure mailing list – and then it was out of control.
– People tend to overlook the sensitivity of corporate or confidential information, once things turn personal.
– In few minutes Blogs and mailing lists around the globe had information about another country’s national Critical Infrastructure. It’s striking that what was once considered a secret that people or nations pay and recruit spies to get, is now free.
– Any lazy, couch potato spy can just sign up for a dozen of those mailing lists and he would do just fine.
– For how long would this information remain useful is FPL problem now.
– People will start discussing the configuration details this guy posted, and how insecure was their VLAN configurations…etc, but the question is how easy is it for an employee to have access to all this information.
– The router configuration file headers have the login banner of **Bellsouth** , Why ?
– Insider threat is the REAL deal, not anything else.

It’s worth mentioning that FPL made the headlines for the wrong reasons several times over the past 3 years, and they were fined by NERC more than once before, here is a quick account of the fines:

– March 31st 2009, A fine for 250,000 USD (NERC Notice of Penalty – HERE)
– March 5th 2010, A fine for 350,000 USD (FERC Penalty Notice)
– October 8th 2009, A fine for 25 Million USD (2008 Blackout settlement)
– April 2006, A fine for 130,000 USD for Sleeping guards (News)

Further more back in December 2009, Burns and McDonnel consultancy firm completed a cyber security assessment project where they handed recommendations to make FPL in compliance with NERC…This must be one useful report.

Burns & McDonnell has provided security assessments for Florida Power and Light (FPL), evaluating sites that have been considered critical assets under North American Electrical Reliability Corp. (NERC) standards for Critical Infrastructure Protection (CIP). Burns & McDonnell has made recommendations to ensure FPL is prepared to meet or exceed the NERC CIP guidelines in both physical and cyber security. These audits have included site visits and capturing system configurations to determine the current state of the security protections in place.

Source : Burns and McDonnell

Siemens Official Slides on Stuxnet

November 4, 2010 1 comment

A couple of days ago Siemens Internal CERT released some slides about Stuxnet as a form of “Official Communication” within their constituents.

Siemens Stuxnet Slides

Siemens Stuxnet Slides

In the official slides (Here) , Siemens confirmed that its a targeted attack by using terms like “targeting a very specific configuration, certain PLC blocks and specific processes or (project)“. These bold statements simply means that Stuxnet makers had (one target) in mind, and this should eliminate any theory out there denying that its a state sponsored malware.

The slides confirmed that the malware is capable of transferring data outside of the infected system back to the command and control servers, yet nothing has been proven specially that the two C&C servers ( • www[.]mypremierfutbol[.]com • www[.]todaysfutbol[.]com ) were brought down by Symantec.

Then the slides claim that all known infections are now clean and zero plant damages reported. yet they didn’t specify their definition of “damage”, is it seeing the plant up in flames or few bytes of data going out ?

The slides go on listing the great deeds of siemens since the discovery of the malware : “white papers, cleaning tools, contacting customers, working with top AV vendors, even magazine interviews”. isn’t this what they are paid to do ?

What really got on my nerves was their genius conclusion that future infections are “Unlikely” , and that is because the malware pattern is now detected by up to date Anti Virus programs. Eureka !!

Yes, future “Stuxnet” infections might be unlikely, but this is certainly not the end of this type of attacks as long as top vendors like Siemens still use “Hard coded & publicly available” passwords on critical systems in the year 2010 and dont even admit that this is the REAL problem.

Another statement that also reflects severe undermining of the terms “due diligence, and responsibility ” is a question they highlighted in yellow : “Has the customer done all he can ? “.

Imagine a car manufacturing company that sold you a very expensive car, supposedly equipped with a seatbelt, then you run into an invisible wall that someone deliberately put in front of you and built it in a very special way, using specific materials that takes advantage of known and published weaknesses in your seatbelt buckle lock design. Imagine yourself sitting in the hospital wondering how on earth you gonna fix this messed-up face of yours, then the car makers dudes comes up and tell you that its partially your fault for not trying to do all you can, perhaps you could have tried holding the buckle with your teeth !

The UN is offering SCADA security training

December 15, 2009 Leave a comment

SCADA security and CIP has been recognized by the UN as areas that pose significant threat to the international scene and has included both topics in their upcoming UN Cyber Crime training programs

The UN Courses has two difficulty levels:

-Basic : 1400 Euro
-Intermediate: 2500 Euro

– Snippets from the UN website-

The Basic-level SCADA & NCI Security course is 3 days long and is meant to provide a non-technical audience with an overview of the current state of SCADA and NCI architectures, and will include the following:

Introduction and examples of SCADA & NCIs,
Examples of real past incidents involving SCADA security failures,
Existing standards and best practices,
The difference between traditional IT security and SCADA/PCS security,
A special guest: an inside view from a SCADA vendor.

The 5-day Intermediate course is addressed to a technical audience and will include:

A special guest, highlighting the question of Open-source vs. SCADA,
Many live lab sessions showcasing both offensive and defensive techniques within a networked SCADA environment,
Historical and recent security incidents,
A special guest, discussing the task of hardening a SCADA infrastructure,
Discussion on performing penetration tests against NCIs.

More can be found on : UN SCADA Cyber Training

SCADAmobile for iPhone

November 25, 2009 1 comment

I just came across this iPhone App (ScadaMobile) from SweetWilliam Automation. (Company Website)

The App description states that the product can Monitor (display and change) PLC variables (tags) through local or remote wireless access.
ScadaMobile Interface

The Manual wich can be downloaded here describes how the App will access the PLCs over the internet.

“ScadaMobile is designed to communicate with PLCs without using dedicated servers or any specific software installed on a PC.

ScadaMobile communicates with OMRON PLC by sending FINS protocol commands. To establish a remote connection, a GPRS or ADSL router is needed at the PLC site, which will act as a bridge between the PLC LAN (Local Network) and the WWAN or WAN (Internet) to which a remote iPhone or iPod Touch will have access to. ” (Source: Section 4.1 in the Manual)
ScadaMobile Connectivity

As for the Security, The product seems to support VPN (L2TP/IPSEC) as well as TLS/SSL in addition to a PLC-stored password mechanism.

A password will be stored in the PLC data memory address D19998 as a 16 bit hexadecimal value (0 to FFFF) and you must match the password in your iPhone.
PLC Validation Password

My Comments:

– Apart from the Validation code, All the Network security controls are “Optional”
– No Password Complexity Requirements
– I couldn’t find anything about how the password is stored on the IPhone- But My guess that its not Encrypted. I guess I will try to find this by myself and will keep you posted.

It seems that there are many more remote access apps on the way and I would love to see independent code-security reviews on each and every one.

Finally, There are two versions from the app, ScadaMobile Lite for 3.0 $ with limitations on the number of processes. and the full version for 74.0 $.

The Empire Strikes Back – More on Brazil Blackouts

November 11, 2009 1 comment

2005, 2007 and now you can add November 2009.

Yesterday the Itaipu dam an important hydroelectric dam shared by Brazil and Paraguay failed last Tuesday night, pushing a large swath of central and southern Brazil into darkness, said the country’s minister of mines and energy, Edison Lobao. source (CNN)

A recent comment by bernardo from Brazil (Here) on my previous post implies that this is a coordinated attack that took place at exactly 22 hours. when die hard 4.0 was about to begin on FX Cine Latin America !!.
Die Hard 4.0 Schedule

The Official response so far was ” the exact cause was not yet known but atmospheric problems, an intense storm, may have contributed to or caused the transmission lines to Itaipu to shut down.” said the the country’s minister of mines and energy, Edison Lobao to reuters.

While the real cause of the problem remains to be unclear, it appears that hackers are not fond of the itaipu dam IT infrastructure. One thing for certain is that the itaipu servers has been “visited” before.

itaipu servers hacking incidents in 2000 and 2001

itaipu servers hacking incidents in 2000 and 2001

Incident Record Source: Zone-h

Brazil: 2007 Blackout Was not Caused by Hackers

November 10, 2009 4 comments

Few days Ago CBS’s “60 Minutes” featured a report about alleged cyber incidents that took place in Brazil back in 2005 and 2007. claiming that the major power outages that affected millions was caused by hackers.

Brazil Power Outage

Brazil Power Outage

Today Wired.com reported that Brazilian government officials disputed the CBS report over the weekend, and Raphael Mandarino Jr., director of the Homeland Security Information and Communication Directorate, told the newspaper Folha de S. Paulo that he’s investigated the claims and found no evidence of hacker attacks, adding that Brazil’s electric control systems are not directly connected to the internet.

The utility company involved, Furnas Centrais Elétricas, told Threat Level on Monday, it “has no knowledge of hackers acting in Furnas’ power transmission system.”

You can watch CBS “60 Minutes” Video (Here)
Source: Wired.com Report