
Hack attack causes 'massive damage' at steel works

  • 28-12-2014 12:00pm
    #1
    Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭


    Not exactly news, more something you can point to as an example that this sort of stuff actually happens.

    It's just Spear Phishing and why you shouldn't connect control systems to the interweb.

    http://www.bbc.co.uk/news/technology-30575104
    A blast furnace at a German steel mill suffered "massive damage" following a cyber attack on the plant's network, says a report.

    Details of the incident emerged in the annual report of the German Federal Office for Information Security (BSI).

    It said attackers used booby-trapped emails to steal logins that gave them access to the mill's control systems.

    This led to parts of the plant failing and meant a blast furnace could not be shut down as normal.

    The unscheduled shutdown of the furnace caused the damage, said the report.


Comments

  • Registered Users, Registered Users 2 Posts: 118 ✭✭Hibernosaur


    I work in Enterprise networking and agree totally. Having a back door into a production control system that opens out to the internet is nearly always a bad idea. Regardless of how much security you think you have implemented.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    There apparently was a hacking attack on three nuclear power plants in the Republic of Korea over Christmas.

    I agree that the only solution is isolation of control systems from the internet. Which means having to run two networks - one isolated intra-net with its own set of terminals, networks, servers, and another completely separate network platform, complete with terminals etc connected to the internet. Two PCs on every desk etc. No USB connections etc on the isolated intranet. Extreme measures might be required - such as non-RJ45 connectors on the isolated intranet to prevent accidental or malicious interconnections.

    This would make running real-time reporting of plant statistics challenging to implement - though not impossible - eg http://www.eirgrid.com/operations/systemperformancedata/systemdemand/

    http://rt.com/news/217967-korea-nuclear-deadly-leak/

    The "network of things" will be less deadly than a power plant, but will be composed of billions of targets, most of which will have crap security infrastructure surrounding them.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    Impetus wrote: »
    This would make running real-time reporting of plant statistics challenging to implement - though not impossible - eg http://www.eirgrid.com/operations/systemperformancedata/systemdemand/
    simples, you just have read-only meters connected to the interweb.


    The "network of things" will be less deadly than a power plant, but will be composed of billions of targets, most of which will have crap security infrastructure surrounding them.
    Smart TVs have already shown that the internet of things won't have proper security, timely updates, or even support beyond the warranty, and that they could spy on you.


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    Impetus wrote: »
    I agree that the only solution is isolation of control systems from the internet. Which means having to run two networks - one isolated intra-net with its own set of terminals, networks, servers, and another completely separate network platform, complete with terminals etc connected to the internet. Two PCs on every desk etc. No USB connections etc on the isolated intranet.
    I agree fully. Unfortunately you'll run into the pig-ignorant senior manager who wants the latest production reports emailed to him on his iPad automatically by the production software, or the software manufacturer that wants a "call home" facility via the Internet or some other equally awful idea that will involve connecting the manufacturing control network to an untrusted network.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    simples, you just have read-only meters connected to the interweb.

    Surely having a separate meter attached indirectly to the internet is no different to the “2 PCs on every desk” scenario? You will still need another meter connected to the intranet for production monitoring.

    Perhaps a better example is a bank. The bank will probably have multiple core data warehouses each containing “the truth” in terms of transactions and bank account data. Assuming it offers online internet / mobile banking, I would guess that most banks keep the shadow systems that deal with internet / mobile banking in separate boxes. Probably the counter terminals and ATMs also work with the shadow system.

    The question in my mind with the increase in hacking at an industrial scale is how can an organization post movements from the front facing shadow system used by internet banking etc to the core system that contains the truth (so that remains up to date)? Similar challenges lie for any company offering direct customer / supplier access over the internet to their in-house systems.

    While the RBS case seems to have involved a bug in an update, rather than a hack, they don’t appear to have a bullet proof backed up system to hold the truth. If they did, their customers would not have had to wait for weeks to get access to reliable and timely transaction data for their accounts.

    This is even more critical in the SEPA era. In the good old days, a company would typically receive the bulk of its revenue cycle in the form of cheques which would have been recorded in its own systems prior to banking them. Similarly the payables cycle was largely cheques, again recorded in their system. Periodical reconciliation with the bank gave assurance of the accuracy of both systems. These checks and balances are no longer (almost).

    SEPA and TARGET2 (the system run for the ECB to clear all payments in the Eurozone) are interconnected via the SWIFT system to all banks. In my view there are massive security implications for a major hack on the financial system in the paperless banking era, with all these interconnected entities.

    All these interconnections need to be considered by banks (and by their potential customers before risking opening an account with them). The lack of funding to the Data Protection Authority makes the matter rather alarming in my view.

