OT: A fun little piece of malware.....



J Tiers
03-07-2019, 11:28 PM
Just kids playing around on the internet, right?

https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/

Mike Amick
03-07-2019, 11:55 PM
The only solution I can see for that is anything hooked up to the internet should be read only. If you don't want your
machines messed with you should have an in house Station that controls the equip but is not networked. Depending on
the importance of the equipment, it might be a necessary inconvenience.

If somebody can get in, anybody can get in.

JRouche
03-08-2019, 12:28 AM
Oh Jerry.... ;(

You do know you made a header called malware and proceeded to post a link to who knows where.

And I sure as hell will not go to that link :)

It's just a coincidence. Funny though :) JR

J Tiers
03-08-2019, 12:37 AM
The link is to an article........


Oh Jerry.... ;(

You do know you made a header called malware and proceeded to post a link to who knows where.

And I sure as hell will not go to that link :)

It's just a coincidence. Funny though :) JR

Yeah, it goes right to my server, and I have set that up to inject malware into your computer until it leaks out the screen...... LOL.....

Technology review is a legit place...... has been up to now, at least.... Who knows what evil lurks in the hearts of men? The shadow knows........

vpt
03-08-2019, 09:16 AM
If you connect it to the internet you gotta expect problems.

loose nut
03-08-2019, 10:19 AM
At what point will people (companies and governments) wise up and air gap anything that is critical and can or will be targeted by thieves and terrorists?

rkepler
03-08-2019, 10:59 AM
Having worked on critical systems all I can say is that they broke several rules: 1) air gap the critical system. This means that the system running the critical software doesn't connect to an external system. 2) No one brings anything foreign in contact with the system - no USB sticks, no CDs found in the parking lot, etc. We found that disabling the USB on non-servers helped a lot (supergluing in a plug was a favorite) in reducing temptation.

Doing both of those resulted in clean systems even when they were being actively targeted. I would think those actions should be considered for a lot of industrial process systems.

J Tiers
03-08-2019, 11:05 AM
Having worked on critical systems all I can say is that they broke several rules: 1) air gap the critical system. This means that the system running the critical software doesn't connect to an external system. 2) No one brings anything foreign in contact with the system - no USB sticks, no CDs found in the parking lot, etc. We found that disabling the USB on non-servers helped a lot (supergluing in a plug was a favorite) in reducing temptation.

Doing both of those resulted in clean systems even when they were being actively targeted. I would think those actions should be considered for a lot of industrial process systems.

Of course, those things, while they work, also totally destroy one big reason for having connection..... which is the ability to operate and monitor remotely. That is the main reason for having connected systems in the electric grid. If you are not going to connect connected systems, then you may as well stay with the 1950's era equipment.

You just cannot do anything remotely without having the possibility of bad actors breaking into the system and screwing it up. So your choice is to do the remote stuff, and accept that someone can destroy your system and cost you a lot of money and time, or stick with the old system, which will cost a lot of money and time and not work as well.

Not a great set of options.

MichaelP
03-08-2019, 11:26 AM
IMHO, security systems of critical facilities must never be able to connect to the Internet or to any systems that have had any Internet exposure, directly or indirectly.

But, frankly, it's less costly and much more beneficial to stop being politically correct and start physically eliminating the putins of the world. This will greatly diminish or fully eliminate state sponsored terrorism, in addition to other benefits. Naturally, it doesn't eliminate the need for security improvements anyway.

We have a very short memory. Timely physical elimination of Adolf and his friends would have saved millions of people around the globe. Instead, they danced with him. The same is happening with Putin and those like him now. Do we really want to rebuild bomb shelters, invest additional billions of dollars into our military capacity, spend a fortune on security issues, yet continue worrying? You don't try to convince a rabid dog not to bite people. You kill it.

TGTool
03-08-2019, 11:43 AM
One example of the benefits of and drive toward inter-connectivity is power generation. There are multiple connected generation systems, distribution systems and demand. With increasing use of wind and solar power generation it also becomes more important to respond in real time to changes. The Southwest Power Pool (https://spp.org/) that we're a part of here is one example. Besides just sufficient generation, it's also trying to maintain the lowest cost by bringing higher cost producers on line later, but also modified by the characteristics of the producers, such as the fact that coal turbine plants might take a long time to bring up and can't easily be shut down completely.

For interest you can go look at their website showing characteristics of the grid in real time - usage, costs of producers, etc. One interesting facet is that wind power, while one of the lowest cost when available, can sometimes slip into negative costs. How come? Well, since many have gotten subsidies to encourage development, in some conditions the subsidies are greater than actual production costs.

They're also acutely aware of the importance of security, and our government issues requirements and penalties for non-conformance. $1M per day I'm told, and Duke Energy was fined $8M some time back. Among the security systems are USB drives that can be erased remotely if they're somehow lost. I'm curious how they do that, but I suppose that's proprietary as well. And part of the continuing security testing and education is that employees are also sent bait emails, where clicking on them actually takes them to an education site and locks their access temporarily.

It's an impressive system but I'm sure the challenges are impressive too.

Sparky_NY
03-08-2019, 11:50 AM
Of course, those things, while they work, also totally destroy one big reason for having connection..... which is the ability to operate and monitor remotely. That is the main reason for having connected systems in the electric grid. If you are not going to connect connected systems, then you may as well stay with the 1950's era equipment.

You just cannot do anything remotely without having the possibility of bad actors breaking into the system and screwing it up. So your choice is to do the remote stuff, and accept that someone can destroy your system and cost you a lot of money and time, or stick with the old system, which will cost a lot of money and time and not work as well.

Not a great set of options.

The Internet is not the only choice for operating and monitoring remotely. Microwave links, dedicated phone lines and other means were used FAR before the Internet became popular. Take a close look at a local electrical substation and you will probably see a tiny microwave dish, same for remote television/radio transmitters, oil pipeline systems..... the list goes on forever.

J Tiers
03-08-2019, 01:03 PM
The Internet is not the only choice for operating and monitoring remotely. Microwave links, dedicated phone lines and other means were used FAR before the Internet became popular. Take a close look at a local electrical substation and you will probably see a tiny microwave dish, same for remote television/radio transmitters, oil pipeline systems..... the list goes on forever.

Those ARE very possibly internet connected..... just not at the point of control.... You do not think they end up somewhere with an internet connection? Probably they do. And so there could be a vulnerability that way. The bad actors in Russia, China, NK, etc., have time and motivation to find their way into major systems in the US and elsewhere. Then it is "do what we say, when we say it, or back to the stone age you go". Probably a demonstration of destruction of some regional system would come before the demand.

Plus, those microwave systems (or wired systems) are not immune to interception and intrusion. They might be easier to hack, because it is assumed they are not going to be attacked, and they may not be as well protected. The only difference is that the bad actor needs to be in line with a tower to do the work. But he's gone before anyone is looking for him. Maybe not even a break-in, just dynamite a few towers in the best places.

It's not even a question of "if" that will happen, it is a matter of "how soon" it will happen. Every fixed installation is just a target, and has maybe 20 different effective but reasonably simple ways to be attacked. Malware is just easy (relatively), done remotely, can be very destructive, and not easily traceable to a person or even an "agency".

old mart
03-08-2019, 03:24 PM
My old firm had PCs all over the machine shop; people were emailing each other over a few hundred feet distance. They got hit with a virus which shook them up, but I'm not sure if the management were intelligent enough to just disconnect from the internet every PC that didn't have a real requirement for going online.

Sparky_NY
03-08-2019, 04:07 PM
Those ARE very possibly internet connected..... just not at the point of control.... You do not think they end up somewhere with an internet connection? Probably they do.


Point is, that you missed, that remote control / monitoring can be done in many ways besides the internet. Previous posts have talked about maintaining an "air gap", which is pretty standard procedure. ANY system is vulnerable if you have dummies designing it.

As for point to point microwave systems not being immune to interception and intrusion.... well.... there is a decent chance it would be noticed if a helicopter is hovering for extended periods in the narrow beam width. Foreign hackers are not going to just shimmy up a tree with their all-band shortwave radio and intercept the signal.

Your arguments are beyond weak.

J Tiers
03-08-2019, 04:23 PM
...

Your arguments are beyond weak.

Your opinion is your opinion and need not have any more relation to facts than anyone else's.

And how many supposedly secure complex systems turn out to be hacked into? Yep, lots, from the military on down. I'm very happy for you being supremely confident that everything is locked up tight..... the newspapers regularly report a different account, of course..... but there's a name for that. ANY comm system can be hacked into, because so much of it is in uncontrolled areas.

Sparky_NY
03-08-2019, 04:28 PM
Your opinion is your opinion and need not have any more relation to facts than anyone else's.

Very true and applies to your posts as well. Tomato just pointed this out the other day quite well.

BobinOK
03-08-2019, 04:51 PM
Spent 20 years with Motorola, dial up is pretty easy to hack if you know the phone number, microwave not so easy. One might get on a repeater link and interrupt the signal but as soon as the link went down even for a few seconds someone would be dispatched to check it out. If it was me when I was working my Browning High Power was with me. Mostly for snakes and critters but if attacked I had the means to defend myself. On top of that the critical links are encrypted. Only way would be to have someone on the inside which could happen but difficult.

J Tiers
03-08-2019, 05:11 PM
Spent 20 years with Motorola, dial up is pretty easy to hack if you know the phone number, microwave not so easy. One might get on a repeater link and interrupt the signal but as soon as the link went down even for a few seconds someone would be dispatched to check it out. If it was me when I was working my Browning High Power was with me. Mostly for snakes and critters but if attacked I had the means to defend myself. On top of that the critical links are encrypted. Only way would be to have someone on the inside which could happen but difficult.

The usual way in these days is "phishing" and acquiring the system rights of someone with access. Even low level access then allows use of weaknesses in security to upgrade your access rights. That seems to have been responsible for a lot of recent major hacks. People are the least secure part of the chain. That seems to be much simpler than a direct hack attack.

And, even the most secure systems have insiders. We have "moles" in Russia, they have moles here; people are the MOST vulnerable part, it seems. Look at the guy who released gigabytes of secure US diplomatic and other material.... he had security clearances.... Lots tougher checks than corporate stuff, but it happened.

Smarter to work on damage limiting and recovery than to assume you can lock out everything, because it is fairly certain that you can't.