Amiga

Commodore PC Still Controls Heat and A/C At 19 Michigan Public Schools 456 456

jmulvey writes: Think your SCADA systems are outdated? Environmental monitoring at 19 Grand Rapids Public Schools are still controlled by a Commodore Amiga. Programmed by a High School student in the 1980s, the system has been running 24/7 for decades. A replacement has been budgeted by the school system, estimated cost: Between $1.5 and 2 million. How much is your old Commodore Amiga worth?
Encryption

Poor, Homegrown Encryption Threatens Open Smart Grid Protocol 111 111

An anonymous reader writes: Millions of smart meters, solar panels, and other grid-based devices rely on the Open smart grid protocol for communication and control — it's similar to SCADA's role for industrial systems. But new research shows that its creators made the common mistake of rolling their own encryption, and doing a poor job of it. The researchers believe this threatens the entire system. They say, "This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever." Security analyst Adam Crain added, "Protocol designers should stick to known good algorithms or even the 'NIST-approved' short list. In this instance, the researchers analyzed the OMA digest function and found weaknesses in it. The weaknesses in it can be used to determine the private key in a very small number of trials."
Transportation

US Air Traffic Control System Is Riddled With Vulnerabilities 60 60

An anonymous reader writes: A recently released report (PDF) by the U.S. Government Accountability Office has revealed that despite some improvements, the Federal Aviation Administration (FAA) still needs to quash significant security control weaknesses that threaten the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). The report found that while the "FAA established policies and procedures for controlling access to NAS systems and for configuring its systems securely, and it implemented firewalls and other boundary protection controls to protect the operational NAS environment [...] a significant number of weaknesses remain in the technical controls—including access controls, change controls, and patch management—that protect the confidentiality, integrity, and availability of its air traffic control systems."
Security

Forget Stuxnet: Banking Trojans Attacking Power Plants 34 34

New submitter PLAR writes: Everyone's worried about the next Stuxnet sabotaging the power grid, but a security researcher says there's been a spike in traditional banking Trojan attacks against plant floor networks. The malware poses as legitimate ICS/SCADA software updates from Siemens, GE and Advantech. Kyle Wilhoit, the researcher who discovered the attacks, says the attackers appear to be after credentials and other financial information, so it looks like pure cybercrime, not nation-state activity.
Security

Highly Advanced Backdoor Trojan Cased High-Profile Targets For Years 143 143

An anonymous reader points out this story at Ars about a new trojan on the scene. Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research. Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.
Government

Hackers Breach White House Network 98 98

wiredmikey writes: The White House's unclassified computer network was recently breached by intruders, a U.S. official said Tuesday. While the White House has not said so, The Washington Post reported that the Russian government was thought to be behind the act. Several recent reports have linked Russia to cyber attacks, including a report from FireEye on Tuesday that linked Russia back to an espionage campaign dating back to 2007. Earlier this month, iSight Partners revealed that a threat group allegedly linked with the Russian government had been leveraging a Microsoft Windows zero-day vulnerability to target NATO, the European Union, and various private energy and telecommunications organizations in Europe. The group has been dubbed the "Sandworm Team" and it has been using weaponized PowerPoint files in its recent attacks. Trend Micro believes the Sandworm team also has their eyes set on compromising SCADA-based systems.
Security

Do Embedded Systems Need a Time To Die? 187 187

chicksdaddy writes: "Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption. 'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?' he wondered. Geer noted the appearance of malware like TheMoon, which spreads between vulnerable home routers, as one example of how a population of vulnerable, unpatchable embedded devices might be cobbled into a force of mass disruption. Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of 'end of life,' past which they will cease to operate. Allowing embedded systems to 'die' will remove a population of remote and insecure devices from the Internet ecosystem and prevent those devices from falling into the hands of cyber criminals or other malicious actors, Geer argued."
Crime

Why Portland Should Have Kept Its Water, Urine and All 332 332

Ars Technica has nothing good to say about the scientific understanding (or at least public understanding) that led Portland to drain 38 million gallons of water after a teenage prankster urinated into the city's water supply. Maybe SCADA systems shouldn't be quite as high on the list of dangers, when major utilities can be quite this brittle even without a high-skill attack.
Bug

Bugs In SCADA Software Leave 7,600 Factories Vulnerable 70 70

mspohr (589790) writes with this news from the BBC: "The discovery of bugs in software used to run oil rigs, refineries and power plants has prompted a global push to patch the widely used control system. The bugs were found by security researchers and, if exploited, could give attackers remote access to control systems for the installations. The U.S. Department of Homeland Security said an attacker with 'low skill' would be able to exploit the bugs. About 7,600 plants around the world are using the vulnerable software. 'We went from zero to total compromise,' said Juan Vazquez, a researcher at security firm Rapid7 who, with colleague Julian Diaz, found several holes in Yokogawa's Centum CS 3000 software which was first released to run on Windows 98 to monitor and control machinery in many large industrial installations. The researchers also explored other SCADA software: 'We ended up finding over 1,000 bugs in 100 days.'" The vulnerabilities reported are in Yokogawa's Centum CS 300 industrial control software.
Security

Is Analog the Fix For Cyber Terrorism? 245 245

chicksdaddy writes "The Security Ledger has picked up on an opinion piece by noted cyber terrorism and Stuxnet expert Ralph Langner (@langnergroup) who argues in a blog post that critical infrastructure owners should consider implementing what he calls 'analog hard stops' to cyber attacks. Langner cautions against the wholesale embrace of digital systems by stating the obvious: that 'every digital system has a vulnerability,' and that it's nearly impossible to rule out the possibility that potentially harmful vulnerabilities won't be discovered during the design and testing phase of a digital ICS product. ... For example, many nuclear power plants still rely on what is considered 'outdated' analog reactor protection systems. While that is a concern (maintaining those systems and finding engineers to operate them is increasingly difficult), the analog protection systems have one big advantage over their digital successors: they are immune against cyber attacks.

Rather than bowing to the inevitability of the digital revolution, the U.S. Government (and others) could offer support for (or at least openness to) analog components as a backstop to advanced cyber attacks could create the financial incentive for aging systems to be maintained and the engineering talent to run them to be nurtured, Langner suggests."
Or maybe you could isolate control systems from the Internet.
Security

CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk 66 66

msm1267 writes "A presenter at this week's CanSecWest security conference withdrew his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab. CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled 'Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,' to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

'They told me that this presentation was unsuitable for being public,' Filiol said in an email. 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries)."
Privacy

3 Reasons To Hate Mass Surveillance; 3 Ways To Fight It 120 120

This site's "Your Rights Online" section, sadly, has never suffered for material. The revelations we've seen over the last year-and-change, though, of widespread spying on U.S. citizens, government spying in the E.U. on international conferences, the UK's use of malware against citizens, and the use of modern technology to oppress government protesters in the middle east and elsewhere shows how persistent it is. It's been a banner year on that front, and the banner says "You are being spied on, online and off." A broad coalition of organizations is calling today "The Day We Fight Back" against the growing culture of heads-they-win, tails-you-lose surveillance, but all involved know this is not a one-day struggle. (Read more, below.)
Security

Electric Cybersecurity Regulations Have a Serial Problem 40 40

msm1267 writes "A class of SCADA vulnerabilities discussed at a recent conference is getting attention not only for the risks they pose to master control systems at electric utilities, but also for illuminating a dangerous gap in important critical infrastructure regulations. The flaws, many of which have been patched, demonstrate how an attacker could target a non-critical, serial-based piece of field equipment at an electrical substation and knock out visibility over all of a utility’s substations. 'Where serial lines come into a master station, for instance, they won’t have the same level of protection that a TCP/IP-based connection would have,' said Michael Toecker, an ICS security consultant and engineer at Digital Bond. 'There’s a complete regulatory blind spot there in the current version of the NERC standards.' Some of the non-critical devices Crain and Sistrunk talked about at S4 rely largely on physical security to keep them safe, and are not covered by NERC regulations. Initiatives such as the Smart Grid are all about pushing intelligence away from substations and into areas where it may not be practical to have adequate physical security. 'No camera. No fence. Just a lock pick away from somebody getting at that cabinet and then affecting visibility for a huge subset of the distribution system,' Crain said."
Security

Hackers Gain "Full Control" of Critical SCADA Systems 195 195

mask.of.sanity writes "Researchers have found holes in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. They also identified more than 150 zero day vulnerabilities of varying degrees of severity affecting the control systems and some 60,000 industrial control system devices exposed to the public internet."
Space

International Space Station Infected With Malware Carried By Russian Astronauts 226 226

DavidGilbert99 writes "Nowhere is safe. Even in the cold expanse of space, computer malware manages to find a way. According to Russian security expert Eugene Kaspersky, the SCADA systems on board the International Space Station have been infected by malware which was carried into space on USB sticks by Russian astronauts."
Security

Stuxnet Expert Dismisses NIST Cyber Security Framework, Proposes Alternative 32 32

An anonymous reader writes "Ralph Langner, the security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, has come up with a cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework. Langner's Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down ICS/SCADA plants than the NIST-led one, focusing on security capabilities rather than risk. He hopes it will help influence the final version of the U.S. government's framework."
Security

Hacking Group Linked To Chinese Army Caught Attacking Dummy Water Plant 214 214

holy_calamity writes "MIT Technology Review reports that APT1, the China-based hacking group said to steal data from U.S. companies, has been caught taking over a decoy water plant control system. The honeypot mimicked the remote access control panels and physical control system of a U.S. municipal water plant. The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks. The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."
Security

Honeynet Project Researchers Build Publicly Available ICS Honeynet 18 18

msm1267 writes "Conpot, short for Control Honeypot, is one of the first publicly available honeypots for industrial control systems (ICS) and SCADA gear. Built by two researchers from the Honeynet Project, the hope is that others will take what they started, deploy it on their own critical infrastructure networks and share the findings. 'The main goal is to make this kind of technology available for a general audience,' said Lukas Rist, one of the developers. 'Not just for security researchers, but also for people who are sysadmins setting up ICS systems who have no clue what could happen and want to see malware attacks against their systems and not put them in any danger.'" Unlike previous ICS Honeypots, this one simulates the control systems rather than requiring that you happen to own an actual industrial control system.
Security

Cylance Hacks Google Office Building Management System 46 46

Gunkerty Jeb writes "Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google's Sydney, Australia office, gaining access to a configuration file containing device administration passwords that could be used to gain complete control of the device in question. This vulnerability in Tridium's Niagara framework affects an unknown number of organizations aside from Google. In fact, Tridium claims on its website that 'there are over 245,000 instances of the Niagara Framework deployed worldwide.' Cylance said its scans revealed some 25,000 similarly vulnerable systems facing the Internet."
Security

Thousands of SCADA, ICS Devices Exposed Through Serial Ports 66 66

Trailrunner7 writes "Serial port servers are admittedly old school technology that you might think had been phased out as new IT, SCADA and industrial control system equipment has been phased in. Metasploit creator HD Moore cautions you to think again. Moore recently revealed that through his Critical IO project research, he discovered 114,000 such devices connected to the Internet, many with little in the way of authentication standing between an attacker and a piece of critical infrastructure or a connection onto a corporate network. More than 95,000 of those devices were exposed over mobile connections such as 3G or GPRS. 'The thing that opened my eyes was looking into common configurations; even if it required authentication to manage the device itself, it often didn't require any authentication to talk to the serial port which is part of the device,' Moore told Threatpost. 'At the end of the day, it became a backdoor to huge separate systems that shouldn't be online anyway. Even though these devices do support authentication at various levels, most of the time it wasn't configured for the serial port.'"