FBI announces ongoing Russian attacks against American electric grid, water processing, air

Can they shut down a plant? My bet is they can find a way that may or may not be a neat and clean switching action.

But, it goes way beyond that. We’ve had blackouts across regions for reasons that had to do with controlware actions in various places.

My bet is the power grid as a whole has controlware all over the place, where networked communication is required and where tampering could cause mayhem, possibly without even involving a power plant.

It is NOT as if a power plant simply emits as much power as it wants. It’s more complex than that and requires communication.

Look up such terms as “wide area synchronization”.

How did that work before the WWW? Just unplug the damn things.

This isn’t news; we’ve known this for a while. Every nation that potentially sees the United States as an adversary is doing the same thing. Don’t think China isn’t doing the same thing, and don’t think we don’t have the same capabilities and that we haven’t tested them ourselves on Russian and Chinese infrastructure - we have. We could easily take their grids and water treatment facilities offline, just as they can do with us. Putin wouldn’t actually go so far as to take a power grid down unless he wanted us to respond in kind, and he doesn’t. He’s just making sure that we understand that he has that kind of capability.

What Putin can do - as long as we have sanctions in place against his regime - is to disrupt our electoral process. That’s the perfect crime because he can exploit our differences against us. If Democrats win an election Republicans think they should win, then one half of the country is angry at the other. If Republicans win an election Democrats think they should win, then one half of the country is angry at the other. If he takes a power grid or a nuke plant, everyone’s pissed and wanting answers and someone to retaliate against. Putin won’t do that, but he will let us know he has that kind of power. He also has the power to wipe out your retirement savings if you’ve got stocks and bonds and 401Ks and all that good stuff. He could order his cyber thugs to attack Wall Street, go take a piss, and have us all in a panic by the time he’s finished shaking his love lizard and zipped up his pants.

Asahi Yes. All of those things, quite likely. Of course, we’re all out there playing cyber games. This one is getting particularly serious. Look at the whole pattern, however. Russia’s playing with electronics,

And, shooting down planes.
And killing people in the UK.
And interfering in elections in ~20 countries.
And annexing land, going back to Georgia.

What gets their attention short of a hot war? Would a tighter alliance with OPEC hurt them more, hurt them enough, on the oil/gas side to get them to slow their roll? Is China an ally against them at this point (geographical proximity and regional jostling) or an ally of theirs (historical leanings)? I’ve heard that boycotting the World Cup would be an effective slap in the face. I buy that it would offend Putin. I’m not sure it would do anything helpful.

What options do we have?

Carnivorous Plant - see Boyard’s comment above about “air gapping”. Sensitive equipment can be protected by not being connected to any network.

My company makes Operational Management Software that interfaces directly with SCADA systems. By design, it’s just read access, but of course, that can be changed. Especially with PDC access. Our stuff is in place at a shitload of US power utilities. You can bet your britches we’re taking this very seriously - I doubt our ops sec guys are getting any sleep this weekend. Monday is going to be “fun” for the rest of us.

Just wait until Russian hackers send a “turn hard left immediately” command to all the self driving cars via “On Star” or whatever app they have. Then they reprogram the GPS sats to randomly change their signal timing, thus their accuracy, then black out the FAA’s Air Traffic Control radar - on a stormy night. There’s so much they could do that can screw us in so many ways, and of course, we talk about it. And talk.

I’m not a power plant engineer, but my guess would be that before the power plants were connected, there were far more smaller blackouts and brownouts. Now, when one power plant is struggling to meet demand, other power plants with more capacity can seamlessly help out, avoiding blackouts, etc.

I don’t think these are all networked together for shits and giggles. I have to assume there was some reason, efficiency or cost or something, that justified the investment it took to network the power plants. I’m sure it wasn’t just to make them less secure.

There is a fallback if one or more power plant loses communication, and I would think that it can be implemented at any time if need be.

To understand someone, put yourself in that person’s position. Imagine you were Putin. How would you see the world? What would you want?

Putin has a lot of dead bodies to his name - everyone knows that, most certainly he of all people. He knows a lot of people want him in jail or dead. He assumes (probably correctly) that the only way to ensure his survival to the end of his natural life span, is to maintain his grip on power for life. This whole thing goes back to the late 1990s and early 2000s when he was criminally investigated for corruption during his time in St. Petersburg. Then, just as now, he concluded he had a choice: either allow the prosecution to go forward, get convicted, and spend years or even decades behind bars in a violent Russian prison…or gain even more power, rig the political system to his advantage, and wipe out his enemies. He chose the latter, and he’s been effective in doing just that.

But the more enemies he wipes out, the more enemies he makes. The more that he rigs Russia’s political system to his favor, the less it favors everyone else, which is something that doesn’t escape notice. Even if he doesn’t make enemies, he creates critics of his leadership, and they of course eventually become his enemies in the end. The farther a leader like Putin (or Kim Jong Un, Assad, Saddam, Fidel, or whoever) goes down this path, the greater the risk of political (and even physical) death. The deeper into the political jungle they go, the more necessary it becomes for them to bare their fangs and devour their opposition. They live in an eat or be eaten world.

Countries like the United States represent a threat because they have the power to disrupt Putin politically, and he has probably lain awake many a night fearing what American economic and political resources could do to his regime (and hence, his ability to survive). The policies of regime change, of overthrowing dictators, and supporting democracy movements in authoritarian societies (some of which are directly related to Russia’s economic interests) are the realization of his nightmares. And that is why he is determined to wrest former Soviet states away from Western European and American political influence. He considers the West, NATO, and America threats to Russia’s political stability and his ability to control his country. From our point of view, Russia is fighting an offensive war; from Putin’s vantage point, he’s fighting a defensive war.

I’m not a Putin apologist, but we need to figure out what we can live with and what we can’t. We can’t live with Putin downing civilian aircraft and assassinating people on our turf and there should be consequences for that. However, I think we’ve at times ignored our behavior and our own role in Putin’s anxieties. We’ve lived with bad actors in the past - we’ve even armed them and done business with them. Just being bad isn’t a reason not to negotiate with Putin and to come to some terms with him. I doubt the strategy of applying more pressure is going to succeed in the short run; it’ll just make him more desperate. Putin is not Gorbachev. He’s not looking for a way to the negotiating table. He’s throwing down the gauntlet.

A rare breath of fresh air around here. Thanks for that! :slight_smile:

Depends on your definition of trolling I suppose. Yours and mine are different. :dubious:

But, but, but, he’s the mod. He’s gonna win.

Okay, I read the security report, and pretty much know exactly what they have managed to do. And no, they do not have access to control systems - probably. I’ll get to the ‘probably’ in a minute.

For background, I have been working with control systems software for almost 20 years. I have contributed to software almost exactly like what’s shown in that screenshot.

So what you saw in that screenshot was an HMI for a SCADA package. When you build out a control system for a plant, you design the plant in the SCADA software, which produces the diagram you saw. If the software was live, you would see that screen shot animated, showing the actual state of all the controls defined for the project. For example, a valve will be represented with a symbol, and that symbol will show whether or not the valve is open.

Now, the actual SCADA systems in any factory with better than half-assed IT will be on its own internal network. So what these guys managed to glom onto is either a copy of the control software running on a test network, or output from a control system that some engineer copied for study or a report, or something like that. It could have been just a static screen shot stored in someone’s e-mail. The presence of that screen shot does NOT indicate that hackers have actual access to control systems inside the facility. Just that they have the definition of the facility, including how it’s structured, what types of equipment and material are being used, and perhaps recipes for manufacture or operations - that sort of thing.

The risk here is that their phishing will uncover someone doing something stupid, like having installed remote desktop software on a server on the factory network for ‘convenience’, and then getting access to that RDP server and being able to control the actual SCADA system from there. Or, they might be able to control it a backdoor way - by modifying the code stored in the dev repository that could be on the main network, then hoping it gets migrated to the actual control system. That sort of thing.

But Maddow was wrong, and the New York Times was wrong. This report itself does not suggest in any way that hackers have actually gained access to the factory control system itself. However, what they have is bad enough. They have the complete definition of the facility, including how everything in it is wired together and probably complete definitions of the control system, which will allow them to reverse-engineer an awful lot. Couple that with all the other data they’ve no doubt collected, and they have a lot of ammunition that can be used for further hacking/social engineering attacks.

The state of tech reporting in the media is godawful.
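A defender-side check for the risk Sam describes above, remote desktop software bridging the plant network from the corporate side: this is an added example, not code from the post or from the US-CERT report. It assumes a firewall log format of key=value pairs and two subnets (an IT segment and an isolated OT segment), all constructed for the example.

```python
import ipaddress
import re

# Constructed zone layout for the example: an IT segment and an isolated control (OT) segment.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("192.168.50.0/24")

# Remote desktop services that should never be reachable across the IT/OT boundary.
REMOTE_DESKTOP_PORTS = {3389: "RDP", 5900: "VNC", 5901: "VNC"}

# Constructed firewall log format (key=value pairs); a real firewall's format will differ.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Constructed sample log lines: a Modbus poll inside OT, an RDP and a VNC session from IT
# into OT, a denied VNC attempt, and an RDP session that stays inside IT.
SAMPLE_LOGS = """\
ts=2018-03-16T22:01:03Z src=192.168.50.12 dst=192.168.50.40 dport=502 action=allow
ts=2018-03-16T22:01:09Z src=10.10.4.23 dst=192.168.50.40 dport=3389 action=allow
ts=2018-03-16T22:02:41Z src=10.10.4.23 dst=192.168.50.41 dport=5900 action=allow
ts=2018-03-16T22:03:00Z src=10.10.7.8 dst=192.168.50.41 dport=5900 action=deny
ts=2018-03-16T22:03:15Z src=10.10.4.23 dst=10.10.4.99 dport=3389 action=allow
"""


def parse_line(line):
    """Return (src, dst, dport, action), or None for lines that do not match the format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            int(m["dport"]), m["action"])


def find_cross_zone_remote_desktop(log_text):
    """Flag allowed RDP/VNC sessions that originate in IT and terminate in the OT segment."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, action = parsed
        if action != "allow" or dport not in REMOTE_DESKTOP_PORTS:
            continue
        if src in IT_NET and dst in OT_NET:
            findings.append((str(src), str(dst), REMOTE_DESKTOP_PORTS[dport]))
    return findings


if __name__ == "__main__":
    for src, dst, proto in find_cross_zone_remote_desktop(SAMPLE_LOGS):
        print(f"{proto} session crossing the IT->OT boundary: {src} -> {dst}")
```

Any hit is a bridge of the kind the post warns about and is worth a ticket, whether it was set up for convenience or by an intruder.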

In this one case, I’m going to need more than your “I’ve been doing this for…” because so has Boyard, and, if we’re laying it out there, so have I. There are a lot of reputable cites up there in addition to our personal opinions, which is why I didn’t just start with my credentials.

Again, we have a problem, and NOT just with this, which is bad enough.

asahi please elaborate on our role in Putin’s anxieties. If you mean his clear desire to bring back the USSR, then yes, we played our part. If you’re alluding to something smaller that would impact which steps we should or should not take now, I would like to discuss it.

Sam, did you read the entire US-CERT report? Looks like the attackers were in control of a workstation that used VNC to connect to the SCADA device. That’s effectively control of the device.

Anyway, Sunny, I’m crushed that you keep misspelling my name. :frowning:

ETA: FWIW, I run the infosec at a manufacturing facility that uses lots of ICS/SCADA systems. My background is incident response and forensics. I’m not panicking over the report, but this is worrisome.

Well, I’m not a systems or control programmer, but it seems to me that Bayard said essentially the same thing as Sam, which is that the systems aren’t directly connected to the internet, and that the policy SHOULD be that no system that can be remote controlled SHOULD be connected to an external system, but that it’s possible someone (very stupid) has done so to make their lives supposedly easier. The article in the OP doesn’t actually demonstrate one way or the other that such a bridge system is in place and that this is what has been compromised. To me, it could go either way…could be what Sam is saying that what we are seeing isn’t such a bridge system compromised (I agree with Sam…what we ARE seeing is bad enough, as knowing the architecture of a secure system is huge) or it might be exactly that. I don’t see how throwing one’s credentials about really does much in this case, as we don’t know based on the evidence presented so far. Anecdotally I’ve seen instances where some idiot puts remote controlling software on a bridge system, compromising the supposedly secure and isolated system because it lets them remote control something, enabling them to do whatever it is they are trying to do from home so they don’t have to come in at night or on a weekend or when they are on vacation. If this is the case here, then a couple of things. First, whoever did it and probably their boss needs to be fired. Secondly, whoever is doing their security audits and pen testing needs to be fired as well…and possibly looked at for legal action (might be that whoever did it covered it up during the testing, so maybe not too). Third, this doesn’t really say anything about the overall state of our grid wrt potential Russian attack in general.

ETA: Well, based on Bayard’s post above mine, it looks like they DID have a bridge system and that it was the one compromised. So, yeah…that’s even worse if true.

I restricted my comments specifically to that security doc and what it implies. I’m fully aware that there are serious security concerns in factory automation and control systems.

If people only did what they should do, or what is smart, I’d have to find a new line of work. Which would suck, 'cuz I have no other skills.

Shit, shit, shit. :frowning: Bayard It shall never happen again.

I did see that, which was why I added the ‘probably’ to my statement about their not having access to the actual control systems. I saw the VNC comment in the report, but it wasn’t clear to me exactly what they were connecting to. It could have been a PLC controller on a dev or test network, for example. Hence my qualifier.

In any event, I am not trying to downplay the seriousness of this - What they have is damaging enough, and I am certain that there are factories and installations out there with vulnerabilities in their control systems - and plenty of them. Some of them aren’t even in the hardware, but in the training of the people. With the amount of data these guys have, there are all kinds of social attacks available to them. Who needs to crack sophisticated systems when you can just get someone to give you the password? Or if you can just follow a group of people into the building and slip a USB key into a computer inside the protected network?

The more information you have about the people and processes inside a firm, the easier it is to pull off such attacks.

You probably have lots of cool stories. I’ve got a few myself. Like the software we audited where the password was hardcoded, in cleartext, inside the software and getting access required putting that cleartext password in an unsecured HTTP header. And once a bad actor knew it, the only way to change the password was through recompiling the software. A terrifying implementation from top to bottom.

Programmers take security much more seriously now, but there are a lot of legacy systems out there which date back to the era where security was very perfunctory.
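The hardcoded-password-in-a-header pattern from the audit story above, shown beside a hardened form: an added example, not the audited software or anything from the post. The header names, the placeholder password and the sample token are all constructed; the hardened version stores only a salted PBKDF2 hash loaded from configuration, refuses the credential over cleartext transport, and compares in constant time.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of the audited pattern: the secret is compiled into the program
# and checked by plain string equality against a cleartext header. Placeholder value.
HARDCODED_PASSWORD = "letmein"


def authorize_insecure(headers):
    # Anyone watching the wire reads the password; rotating it means rebuilding the binary.
    return headers.get("X-Api-Password") == HARDCODED_PASSWORD


# Hardened version. Only a salted hash of the token is stored, and it is read from
# configuration at startup, so rotation is a config change plus a restart, not a recompile.
PBKDF2_ITERATIONS = 100_000


def hash_token(token, salt):
    return hashlib.pbkdf2_hmac("sha256", token.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll_token(token):
    """Operator-side helper: produce the config values (hex strings) for a newly chosen token."""
    salt = secrets.token_bytes(16)
    return {"API_TOKEN_SALT": salt.hex(), "API_TOKEN_HASH": hash_token(token, salt).hex()}


def load_credential(config):
    """Read salt and hash from a mapping such as os.environ (assumed config source)."""
    return bytes.fromhex(config["API_TOKEN_SALT"]), bytes.fromhex(config["API_TOKEN_HASH"])


def authorize_hardened(headers, scheme, salt, expected_hash):
    if scheme != "https":  # never accept the credential over cleartext HTTP
        return False
    token = headers.get("X-Api-Token")
    if not token:
        return False
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(hash_token(token, salt), expected_hash)


if __name__ == "__main__":
    config = enroll_token("correct-horse-battery-staple")  # constructed sample token
    salt, expected = load_credential(config)
    hdrs = {"X-Api-Token": "correct-horse-battery-staple"}
    print("over https:", authorize_hardened(hdrs, "https", salt, expected))
    print("over http: ", authorize_hardened(hdrs, "http", salt, expected))
```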