Forgot your password?
typodupeerror
Security China

Hacking Group Linked To Chinese Army Caught Attacking Dummy Water Plant 214

Posted by Unknown Lamer
from the bad-movie-plot dept.
holy_calamity writes "MIT Technology Review reports that APT1, the China-based hacking group said to steal data from U.S. companies, has been caught taking over a decoy water plant control system. The honeypot mimicked the remote access control panels and physical control system of a U.S. municipal water plant. The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks. The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."
This discussion has been archived. No new comments can be posted.

Hacking Group Linked To Chinese Army Caught Attacking Dummy Water Plant

Comments Filter:
  • Actually... (Score:5, Funny)

    by djupedal (584558) on Friday August 02, 2013 @08:16PM (#44462619)
    The plant is real and the headline is a cover up/reverse sneak - because panic. But hey, if it turns out to be a honeypot, don't expect it to work twice :)
    • by plopez (54068)

      Along the lines of telling the Germans "All your spies are belong to us".

    • Re: (Score:3, Insightful)

      by icebike (68054)

      The honeypot plants may have been more real than real plants. Chances are real plants have nothing this sophisticated.

      (Some of these honeypots were designed to look like they were "located" in China, Russia, Australia, and Brazil. Did they think the attackers would be fooled by these things? Not all of those places would be running the same model of water plant.).

      Then it says:

      None of the attacks displayed a particularly high level of sophistication, says Wilhoit, but the attackers were clearly well versed in the all-too easily compromised workings of industrial control systems. Four of the attacks displayed a high level of knowledge about industrial systems, using techniques to meddle with a specific communication protocol used to control industrial hardware.

      Well which is it? Not too sophisticated, but the busted into his lame decoys easily enough.

      He was able to access data from their Wi-Fi cards to triangulate their location.

      He claims to have triangulated where the

      • Re:Actually... (Score:5, Interesting)

        by sumdumass (711423) on Saturday August 03, 2013 @12:39AM (#44463527) Journal

        Well which is it? Not too sophisticated, but the busted into his lame decoys easily enough.

        Forcing a door open is not the same as sophisticated lock picking. But nonetheless, the point about sophistication seems to be what they did once they got access. Most did menial tasks while 4 meddled with a specific communication protocol.

        He claims to have triangulated where the attacker was based on their wifi card. REALLY? How is that done? He knows where every wifi router in the world is does he? Triangulate!!! All Wifi cards use three routers? Who knew! Each of which has its position known?

        I'm not sure your reading comprehension is up to speed here. The web interface that was hacked embedded an exploit framework called BeEF [beefproject.com] so the researcher could gain access to the attackers system through the browser. What he likely did was query the networks detected by the wifi cards then crossed them to data from sites like WiGLE [wigle.net] or perhaps something even more specific.

        This is more then enough to get a Geographical location of a person and narrow it down to not only country, but city and even neighborhoods within the city.

        Oh, and the triangulation isn't on where the wifi car itself accesses a router, but with the names of the specific networks the wifi cards can see. If you see several distinctly different named networks, the odds of them being in more then one location is low so you know it has to be a location close enough to all of them to be seen at the same time. For instance, if I see the SSIDs duck_butter, shoreline, bbangsoon, and linksys, I can find that I am near the Chicago Water Commissioner's office at Pfc Milton Olive park, near the Chicago harbor. Go ahead and look it up. [wigle.net]

        Somewhere there are some people chuckling at this guy.

        I think that happens to all of us every once in a while. I was laughing pretty good earlier at someone too.

        • by AmiMoJo (196126) *

          Using a compromised machine to do your hacking is pretty basic. I imagine the wifi cards in question are in compromised machines, not the attackers.

  • by Anonymous Coward on Friday August 02, 2013 @08:20PM (#44462639)

    Why are critical systems on the 'net?
    They functioned perfectly 30 years ago without the internet...

    CAPTCHA = 'yourself'

    • by Jeng (926980)

      Remote access for people who don't want to be physically at the plant.

      IE: Management

      • Give them a locked down laptop for a couple thousand dollar which can only log into the VPN for the plant and fuck all else.

      • by umghhh (965931)
        I always thought that the stories about managers being worthless shitbags etc are overblown. Then I learned about managers in one of the customer systems my company was maintaining. The systems were isolated from internet orginaly and there was no need for them to be directly connected besides corporate vpn systems deemed secure enough for O&M stuff to access the sites remotely. Now manager of one of the sites complained about some problem with storage capacity (in modern times???) - the closer inspec
    • by AHuxley (892839) on Friday August 02, 2013 @08:49PM (#44462757) Homepage Journal
      Re: "Why are critical systems on the 'net?"
      So one lower cost, union free, engineer can be contracted to look over many subsystems from a great distance.
      vs having local technical staff who need paying and pensions. Local staff over time may get to know their legal rights and fight for their wages - state and federal.
      You also had heavy commercial lobby efforts to update State control systems to 'save' cash long term.
      Products using industrial "solutions" created for secure site networks where spread over vast state or regional networks via the 'internet' or 'wireless'.
      ie States trying to get rid of on site long term union staff and great sales reps moving around cities and states with networks to sell.
      • by plopez (54068) on Friday August 02, 2013 @09:19PM (#44462887) Journal

        you forgot "Based in Bangalor" in regards to the low cost engineer

    • by Anonymous Coward on Friday August 02, 2013 @08:54PM (#44462779)

      Plants nowadays always have some kind of remote SCADA. The network between sites may be isolated, but somewhere along the line there is often an internet-connected computer that will also have a connection to the isolated network for client-side monitoring and control software.

      All that it takes it to hack one of these. They pretty much always exist, even if they shouldn't. Someone will connect a cable so they can browse Facebook while monitoring sites.

      • Those computers should be set up to make sirens blare the moment they get a second network connection besides the internal LAN ... it should take intentional hacking to connect these computers to the internet or to connect a non-allowed computer to the internal network (normal computers aren't designed to be quiet on a network connection). It shouldn't be as easy as pulling a sticker off a USB/network port, or connecting your normal computer with internet into the internal network.

        The problem isn't that "so

    • by ridgecritter (934252) on Friday August 02, 2013 @08:57PM (#44462793)

      In part, perhaps because 30 years ago the advantages of/needs for large scale efficiency and coordination weren't so great as today? Isolated systems may have higher operations costs and may not efficiently integrate into big systems, but they tend to have few or no remote attack vulnerabilities. Bottom line: economics favor connected systems, and anything on the net can be pwned.

      • It's understandable that those systems need to be connected to each other, but in that case they should have their own, completely isolated network to do so, preferably one that is utterly incapable of connecting to the Internet at large. The current setup is just begging for disaster, which is a 'when', not an 'if'.

        Exposing these systems on the Internet is just lunacy.

        • by Ol Olsoc (1175323) on Friday August 02, 2013 @09:50PM (#44462987)

          It's understandable that those systems need to be connected to each other, but in that case they should have their own, completely isolated network to do so, preferably one that is utterly incapable of connecting to the Internet at large.

          But DUDE!, If we did this, we'd like, have to connect all those power grids with, like - wires! Where we gonna get that?

        • Re: (Score:2, Insightful)

          by rtb61 (674572)

          More sensibly under law, all remote control system for essential infrastructure should be banned unless they can be guaranteed (as in you 'WILL' go to prison) secure. Can't secure it to that level, then don't do it because you do not have the right to privatise the minimal gain profits whilst socialising the huge cost of failure (including lives lost).

          Quite simply this provides only two things. First, honey pots are really good at attracting a focusing attention and should be inserted on all high securit

          • Yep, the solution is that simple ... make them criminally liable and make shit roll uphill (ie. go after management). First suit behind bars is the first time they get serious about security.

        • by plover (150551) on Saturday August 03, 2013 @03:17AM (#44463903) Homepage Journal

          So you would have the city leasing expensive lines between plants? I've not met too many people who complained their taxes and water rates were too low, and that they wanted the same service with more security and were willing to pay extra for it. I do, however, see a constant parade of talking heads on TV who bitch incessantly about how high taxes are, how they'll cut taxes when they get in office, or that government budgets should be cut by 10%. Well, their budgets were cut and so the cities cut their corners, and saved whatever money they could, and now their water system is in the hands of hackers. They got exactly what the taxpayers told them they were willing to pay for. We have the exact systems we deserve.

          Could they and should they beef up their security? Of course. But does each water system owner even know if they have a problem? These guys are civil engineers in sleepy little towns, not security wonks. They probably didn't install the ICS themselves, they probably contracted all that out, and among the site survey forms they filled out was "choose your system password (minimum 6 characters)" and trusted the vendor to provide the rest of the security (back in 1993 when they installed it.) They might not even know they can change it, or how to change it. or that they need to do something different. Even if they did, the first rule of ICS configuration is "DON'T TOUCH IT!" So don't expect them to get all excited about the chance to make a change.

          They would likely learn a lot more about these problems at their state's annual public works conference, if their city can afford to send them this year, and if their state can afford to hold one.

      • by jon3k (691256) on Friday August 02, 2013 @11:20PM (#44463275)
        Which is why MPLS exists and we build private WANs. The REAL answer here is because Pointy-Haired-Boss wants to be able to login from home,
        • by AK Marc (707885) on Saturday August 03, 2013 @01:04AM (#44463595)
          MPLS exists to economically sell VLANs over shared networks. You put your security in the hands of a 3rd party. Just hope they built a good network.

          The PHB is often not a manager, but a clueless engineer who spends $10,000,000 to build a SCADA network air-gapped from the IT's LAN, then sets up a computer on the LAN and SCADA with remote login enabled, and AAA managed by local user accounts on an XP system. Then, when a problem happens, goes to the COO and complains that IT is not letting him do his job.

          Don't laugh, I've seen it multiple times. Every time with oil drillers, one of which owned the Deepwater Horizon, the others in Alaska.
          • by jon3k (691256)
            Yes and no. I'm not using wide-area L2. I'm using standard RFC2547 BGP/MPLS. And why does everyone assume you can't run IPSec over private point to multipoint WANs? It's just IP and BGP as far as I'm (the customer) is concerned. I peer with the PE via BGP and the routes come out on the other end.

            But to your second point, absolutely agree.
            • by AK Marc (707885)

              And why does everyone assume you can't run IPSec over private point to multipoint WANs?

              Because the Internet is cheaper and more reliable. Sensible people run a dynamic multipoint VPN over the Internet if they are going to run full end-to-end encryption. So the only sensible assumption is that someone paying for a "private" circuit is not running encryption (aside from the US government, who leases dedicated circuits, and then encrypts everything over it).

              • by jon3k (691256)
                And why does everyone assume that all traffic can be delivered over the Internet. A bunch of arm chair network engineers on slashdot, I swear to god. Let me know when you deliver voice to a few THOUSAND registered voice endpoints over DMVPN on the Internet and tell me how it goes for you.
                • by AK Marc (707885)
                  I've never seen anything that can't be delivered over the Internet. IPX/SPX tunneled over GRE works fine.

                  Let me know when you deliver voice to a few THOUSAND registered voice endpoints over DMVPN on the Internet and tell me how it goes for you.

                  The largest DMVPN network is 20+ THOUSAND nodes. And if you are encrypting everything over MPLS, you have as many encrypted endpoints as the DMVPN solution. What are you using for your thousands of encrypted endpoints in your MPLS network?

                  • by jon3k (691256)

                    I've never seen anything that can't be delivered over the Internet

                    Now you have [wikipedia.org].

                    What are you using for your thousands of encrypted endpoints in your MPLS network?

                    GET VPN on ISR G2 at branches. Voice endpoints behind those.

                    • by AK Marc (707885)

                      The Real-time Transport Protocol (RTP) defines a standardized packet format for delivering audio and video over IP networks

                      Your link proves you wrong. Perhaps you meant to include "with some arbitrary SLA I assign", but without such caveots, I will not add them for you.

                      GET VPN on ISR G2 at branches.

                      GET VPN *is* a dynamic multipoint VPN (And GET VPN and DMVPN are often combined, in practice). Both work fine over the Internet (and in fact, were both designed to do so). Note, I didn't say DMVPN, until addressing your comments on it. I spelled it out in lower case, including all dynamic multipoint VPNs, not just Cisco's proprietary DMVPN (tm).

                      As a security

                    • by jon3k (691256)
                      Ok, you're missing the point here so I'll spell it out: you cannot reliably deliver voice service over the public Internet in an enterprise environment. MPLS provides guaranteed RTT and QoS, end-to-end. I don't sell anything. I run a medium-large enteprise IP WAN and deliver voice service to several thousands sccp endpoints (along with mgcp/h.323 gateways, many thousands of VG analog ports, etc). You cannot reliably provide the same service over the public Internet with DMVPN.
                    • by jon3k (691256)
                      OH, a "security expert". Gotcha. You really aren't qualified to have a discussion on the delivery of voice service to a large, geographically distributed IP WAN with me. Twas nice talking to you.
                    • by AK Marc (707885)
                      I've done all that. You are wrong on every point. A "VoIP" expert has installed Asterisk once on a home PC and (optional) uses it as an answering machine. Funny how you are wrong on all points, provably so (using quotes from your own cites that directly contradict you), and declare me unqualified so you can stop discussing the facts (not that you ever started) because you know you are 100% wrong and look like a fool.
                    • by jon3k (691256)
                      Haha, suuuuure. I can tell by the fact that you don't know the difference between MPLS and VPLS that you're quite the expert on WAN design.
                    • by AK Marc (707885)
                      For various definitions of "public Internet". Back before VoIP was a big thing, I did what you claim is hard. You want to know what worked great? Using the "public Internet" when all nodes are on the same carrier (presuming you did the research to verify the traffic between the nodes won't leave the network, as happens with AT&T today for a variety of routes). US to SE Asia with voice quality that exceeds the older private network at under 10% of the cost. Did that 10+ years ago. Yawn. Wake me wh
                    • by jon3k (691256)
                      You cannot deliver VoIP (RTP) to a geographically dispersed WAN over the Internet at scale. I've done it, you haven't.

                      MPLS exists to economically sell VLANs over shared networks.

                      Read this carefully: You. Have. No. Idea. What. You. Are. Talking. About.

                      Bye.

                    • by AK Marc (707885)

                      Ok, you're missing the point here so I'll spell it out: you cannot reliably deliver voice service over the public Internet in an enterprise environment

                      So you were lying when you said "The Internet can't carry RTP". Glad you cleared that up, but that doesn't make you right on any particular point.

                    • by AK Marc (707885)

                      You cannot deliver VoIP (RTP) to a geographically dispersed WAN over the Internet at scale. I've done it, you haven't.

                      It can't be done, but you've done it? And you've done it, but know for a fact I can't and haven't?

                      You aren't even bothering to remain consistent within the same sentence.

                      Read this carefully: You. Have. No. Idea. What. You. Are. Talking. About.

                      Yeah, I'm a top technical guy working on one of the largest MPLS networks on the planet, and *I'm* the one that doesn't know what it is...

                      You are wrong on every point, but getting so emotionally attached to your superiority that you've lsot it. Some frothing-at-the-mouth cave dweller mad because someone somewhere might be better at what

                    • by jon3k (691256)
                      No you fucking idiot, I'm saying you cannot deploy VoIP on the public Internet. Fuck you're dim. Of course you can literally SEND rtp traffic over the Internet, it's just UDP datagrams. What I'm saying is IN PRACTICE YOU CANNOT DO IT AND HAVE A FUNCTIONING VOICE PLATFORM.
                    • by jon3k (691256)
                      One of us is advocating deploying VoIP on the public Internet. The other is advocating deploying VoIP over a secure MPLS network. One of us knows what the fuck he's talking about. The other one doesn't. I'll let you guess which is which.

                      I mourn for your users.

                      Well, considering my network provides end-to-end delivery guarantees and you use the best-effort Internet, I think mine will be far better off. Oh right, you don't actually build networks. You're a "Security Expert".

                  • Then you are the most inexperienced of computer users.

                    You really mean to say you've never experienced lag? That alone is why VoIP sucks ass in every single instance I've ever seen.

                    • by AK Marc (707885)
                      Lag doesn't break the connection. VoIP sucks because VoIP "experts" (like jon3k) are idiots. Lag is irrelevant. I've had calls over double-satellite-hop, and it was unpleasant, but "worked". (and I've done VoIP over satellite double-hop as well, no worse than double-hop PSTN/MPLS) Jitter is worse. Most "experts" don't know the difference, or get so used to dumbing it down for PHBs it makes them dumber.
        • by evilviper (135110)

          Which is why MPLS exists and we build private WANs.

          Sorry, but your MPLS WAN is far LESS SECURE than a proper IPSec tunnel over the internet, while being vastly more expensive.

          • by jon3k (691256)
            First of all, you assume I'm not using IPSec. And I get a little thing called QoS which let's me deliver voice and video.
            • by evilviper (135110)

              you assume I'm not using IPSec

              Yes, because if you are, then the high cost of MPLS is quite pointless for you. The end-points being on an MPLS network are harder to reach by the public, but you could pretty well accomplish the same thing with a good firewall dropping communications to/from your IPSec endpoint from every IP other than the single intended source/destination IP address. You could harden it to an extreme degree with a bridging/transparent firewall.

              And I get a little thing called QoS which let'

              • by jon3k (691256)
                You have no idea what you're talking about. Plain and simple. MPLS provides end to end SLA and packet prioritization. This allows me to classify voice/video over other traffic by setting DSCP values. That's how voice still works instead of being stomped on by other traffic. You cannot deliver voice over the Internet with any type of delivery guarantee. That's why private IP networks like frame relay and MPLS exist.
                • by evilviper (135110)

                  You cannot deliver voice over the Internet with any type of delivery guarantee

                  No, but you don't NEED a "guarantee". A great many people use VoIP successfully over the internet every day. There are extremely few companies where the quality of the calls are ultra-critical. A 911 emergency response center would be one, but even for high profile business activities, a rare packet delay or drop will barely be noticeable, and won't have any effects on business operations.

                  That's how voice still works instead of

                  • by jon3k (691256)
                    I don't know if you're a troll or ignorant, but I always follow this rule of thumb: never attribute to malice what you can attribute to ignorance, so I'll assume the latter.

                    Having QoS on the routers, firewalls, or whatever endpoint at BOTH ends, will also allow you to prioritize voice traffic, and throttle all others.

                    Long gone are the days of congested backbones. The congestion is in the "last mile", and you can control that with QoS queue prioritize and throttling at both of your endpoints.

                    MPLS is a terribly expensive choice if all you need it for is allowing you to avoid doing proper QoS on your own network.

                    I want to touch on this in particular, because I think you're confused. It's not about QoS on MY network, it's about all the intermediary devices respecting the QoS values that I set on traffic, and that traffic is delivered to CPE with the correct priority. What you do at the edge of your network, towards the Internet, has absolutely

                    • by evilviper (135110)

                      I don't know if you're a troll or ignorant, but I always follow this rule of thumb: never attribute to malice what you can attribute to ignorance, so I'll assume the latter.

                      Actually, the problem is YOUR ignorance, here, so you're still failing to understand what I'm explaining to you.

                      The fact that you can write a route-map and slap a DSCP value on a packet as it leaves your router out onto the Internet does absolutely NOTHING to guarantee delivery

                      I never said anything about DSCP. "Tagging" a packet is the

                    • by jon3k (691256)

                      That's a SLA contract issue, NOT a technical one.

                      I'm talking about RTT latency guarantees. My provider guarantees a CONUS 65ms RTT. I'm not talking about outage response time. I realize you have clearly never worked with leased circuits so this is totally lost on you. I'm sure you're learning a lot today.

                      VoIP has been designed to handle a reasonable amount of packet loss. An occasional bit of jitter or packet loss will not ruin your conversation.

                      VoIP is delivered via RTP, a UDP protocol. A packet lost is an interruption in voice. You cannot redeliver it, because it would arrive out of order. The fact that you think "an occasional bit of jitter or packet loss will not ruin your conversation

                    • by evilviper (135110)

                      ignorance + arrogance = idiocy

                      Factually inaccurate statements make me doubt your story about deploying VoIP on a large scale. UDP makes no difference, and your incorrect assertion that VoIP has ZERO forward error correction is something I wouldn't even expect from an entry level CCNA.

                      And for the record, you most certainly can throttle incoming connections, it's just not as finely controllable and beneficial as outgoing QoS, which is more common. But I made it clear the first time around I was talking abou

                    • by jon3k (691256)

                      Factually inaccurate statements make me doubt your story about deploying VoIP on a large scale. UDP makes no difference, and your incorrect assertion that VoIP has ZERO forward error correction is something I wouldn't even expect from an entry level CCNA.

                      Will not solve the problems associated with running large VoIP deployments on the public Internet. Period. You have clearly never done this, you're just guessing because you used Skype once. You don't seem to understand how sensitive voice traffic is, so I'd suggest you do a little reading [voip-info.org].

                      And for the record, you most certainly can throttle incoming connections, it's just not as finely controllable and beneficial as outgoing QoS, which is more common. But I made it clear the first time around I was talking about controlling both ends of the connection.

                      Not on the Internet. Let me explain this in a concrete example so you understand why you can't run QoS on the Internet.

                      1. User A starts a VoIP call over your Internet connection. For some reason you QoS outbound V

    • by plopez (54068)

      You don't get it dude. It's the Internet, a whole new paradigm. It' different this time. Now your workers can work from home 24/7 BYOD through a cloud enabled clustered virtual remote systems management tool.

    • by interval1066 (668936) on Friday August 02, 2013 @09:40PM (#44462959) Homepage Journal
      There are a lot of upsides to putting controls systems on the net. Not applauding it, just sayin'. I wrote a blog article about it; here 'tis [wordpress.com].
      • by postbigbang (761081) on Friday August 02, 2013 @10:06PM (#44463043)

        Yeah! Fun! Saves money!

        Here are the downsides: you're attacked at every IPv4 address about 100x a day by the bots, and much more densely if you look interesting. Without an air gap, you expose all your stuff to a bunch of hackers ranging from script-kiddies to those with power tools. None of them wants your PLC to run after they tweak a few knobs.

        Multiple authentication and encryption methods (see the https attacks 'announced' at Black Hat) are becoming child's play. All of the incredible engineering that these things have gone through haven't had the funds needed/expended towards making them brutally difficult to crack. It's always an afterthought after the sales guy leaves.

        It's also my biggest problem with the IEEE-- lots of wonderful protocols. Security is an afterthought, rather than being built from the onset into each platform. Look at the ludicrousness of WEP and WPA1. Tell me these guys were thinking. Sure, glorious and fast, and with security as paper-thin as can be.

    • and now the PHB saves big by remoteing it out to one office.

    • Random guess?

      TCP/IP is less expensive than developing your own network protocol. Using public data lines (the Internet) is less expensive than using your own private, leased lines. Using no encryption is less expensive than mediocre encryption, and a hell of a lot less expensive than serious encryption (you are either paying for developer time, or a library, or both).

    • Why are critical systems on the 'net? They functioned perfectly 30 years ago without the internet...

      CAPTCHA = 'yourself'

      Because these systems were not actually functioning perfectly 30 years ago. They are systems that are a bit newer than that, hence they didn't exist 30 years ago, thus they have the capability to be connected to the 'net. Networks reduced the cost of maintenance...

      Look, just because the reasons aren't good reasons, doesn't mean they aren't reasons. I'm not disagreeing with you. You're the one asking "why?" In truth, I can't really tell you "why?" That's a religious question, and I'm a basement dwel

    • by evilviper (135110)

      Why are critical systems on the 'net?
      They functioned perfectly 30 years ago without the internet...

      RIGHT! Having a dial-in modem on the PTSN was OH-SO-MUCH MORE SECURE!

      Has absolutely NOBODY here ever seen the movie "War Games"?

    • by mwvdlee (775178)

      Next time you think of posting a comment like that, could you please use a quill to write it on a piece of parchment and have it delivered by horse drawn mail carriage to the slashdot offices?

  • Next Steps (Score:5, Funny)

    by FarField12 (2804063) on Friday August 02, 2013 @08:31PM (#44462683)

    Spoof the interface to make the attackers believe they are attacking a foreign industrial plant.
    In reality, they are attacking the utility plant located down street based on WiFi location.
    The main purpose of the honeypot system is to obfuscate the true location of the target (the attackers own infrastructure).
    Then watch hilarity ensue.
    Defense systems would be great. You could get countries to nuke themselves using their own cyber ops team.

     

    • by kesuki (321456)

      "Defense systems would be great. You could get countries to nuke themselves using their own cyber ops team."
      most nuke plants are water cooled turning off a water plant would cause the nuke plants that depend on that cooling water to melt their cores if not safely shut down. so yeah there is nuclear concerns and even a coal or nat gas plant also requires cooling and most are not near much water, as they tend to push them out of sight of normal people. so this is pretty serious stuff.

      • There may be a nuclear plant that relies on a public water system for cooling water, but I bet not. Most are located near reliable water sources such as rivers, oceans, you know...

    • I guarantee those evil socialist Chinese don't allow plants to be networked like ours are.

    • by plover (150551)

      H@xx0n> Hey, look, I've hacked into the City of Endersgame! Watch me pwn their electric generator!

      H@xx0n has left the channel.

  • Bull (Score:5, Insightful)

    by WGFCrafty (1062506) on Friday August 02, 2013 @08:36PM (#44462699)

    "The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

    Uhhhhhh Stuxnet was an exploit of Siemen's industrial control systems which regulated the RPMs of centrifuges....

    • Re:Bull (Score:5, Insightful)

      by CriminalNerd (882826) on Friday August 02, 2013 @09:12PM (#44462855)

      His point was that industry systems in the US (and outside of Iran) are also prone to attack, and that it's not just some security paranoia that the site manager could just brush off so he can get to the admin controls via Remote Desktop.

  • ... how many people file insurance claims for water damage to their homes when the fictitious pumps were commanded to full power.

    • by slick7 (1703596)

      ... how many people file insurance claims for water damage to their homes when the fictitious pumps were commanded to full power.

      How many people have been damaged by the acts of out of control politicians who answer to anyone that has the price to pay? When do the voters get their chance to be heard?

  • by NobleSavage (582615) on Friday August 02, 2013 @09:20PM (#44462895)
    This just one more example of why critical systems should never be connected to the internet. The should always be an air gap.
    • by Skapare (16644)

      These systems get their tech support and vendor updates via ... the internet (and most likely not encrypted). Oh, I agree. The air gap needs to be mandated.

    • by evilviper (135110) on Friday August 02, 2013 @11:21PM (#44463287) Journal

      Why are critial systems hooked into the net?

      Because exchanging information with other systems is necessary.

      Because people off-site want or need to monitor the status.

      Because routinely plug a USB flash drive into a net-connected computer, and then into the air-gapped network (to update software or exchange other info/data) isn't actually much more secure.

      Because there are varying degrees of "critical".

      Because if it's really a "critical" system, you don't want to wait for tech support to arrive on-site to get problems fixed.

      Because "the internet" itself happens to be a "critical" system.

      Because the old days of connecting systems to the PSTN (eg. dial-in modems) wasn't actually any more secure than connecting them to the internet.

      Because having an air-gapped network provides a false sense of security, that can fall apart in a big way.

      This just one more example of why critical systems should never be connected to the internet.

      Platitudes are oh-so-easy to spout off, no matter how ignorant you are of the issue, but don't offer any insight or solutions to the root cause of the problems.

  • by koan (80826)

    "The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."

    The first eh? I guess he hasn't heard of the tools included in such common distros as Back Track, why do you suppose SCADA exploitation apps are in there?

  • by MavEtJu (241979) <slashdot@mavetj[ ]rg ['u.o' in gap]> on Friday August 02, 2013 @10:42PM (#44463165) Homepage

    As somebody who left the network / sysadmin business before the attacks started from the inside (send enough malware to everybody inside a company and you will get lucky at a certain moment), how would you protect it best?

    Airgap it (or properly firewall it), and people will complain about the costs of duplicate infrastructure, remote support from vendors will be a pain etc.

    Monitor the network and spot anomalies, it's a hard task but could be the way to go. Except that you need skilled people there (not saying that there aren't, my experiences in a TAC shows that there aren't many).

    Letting the attackers waste time in a honey-pot while your own network is isolated? At least you learn from it and you give them a false sense of victory.

    What is wisdom, any thoughts?

    • by satuon (1822492)

      Non-text attachment automatically scrubbed.
      Non-intranet hyperlink automatically censored.
      Text looking like a non-intranet hyperlink automatically censored.
      ^^^
      Secure corporate intranet email client.

  • by Required Snark (1702878) on Friday August 02, 2013 @11:27PM (#44463305)
    Nice to know that the Republicans and the US Chamber of Commerce are supporting Chinese and Russian hackers testing cyber-warfare against our critical infrastructure. Because we all know that left to their own devices corporations always put public welfare ahead of short term profit.

    http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803 [latimes.com]

    U.S. Chamber of Commerce leads defeat of cyber-security bill

    Gen. Keith Alexander, head of the National Security Agency, and Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, were among those who pressed for a White House-backed cyber-security bill to regulate privately owned crucial infrastructure, such as electric utilities, chemical plants and water systems.

    If the senators didn't act, they argued, it would make it harder to stop hackers, criminals and hostile nations from wreaking unimaginable havoc, such as knocking out sections of New York City's electrical grid for days during a summer heat wave. But theU.S. Chamber of Commerceand other business groups strenuously opposed the measure, condemning it as excessive government interference in the free market and arguing that cumbersome federal regulations could hamper companies trying to defend against cyber intrusions.

    Democrats overwhelmingly supported the legislation, but for Republicans, it meant a stark choice between competing constituencies: national security officials and business leaders. Even after the bill's backers made the standards voluntary, the Chamber of Commerce, which spends more on lobbying than any other trade group, opposed it.

    On Thursday, the Senate cyber-security bill failed to overcome a Republican-led filibuster. Analysts say the bill couldn't breach a wall of anti-regulatory sentiment that proved resistant to the dire warnings.

    The measure fell short of the 60-vote threshold needed to end debate, 52 to 46, with 40 Republicans joined by six Democrats voting in support of the filibuster.

    "Rarely have I been so disappointed in the Senate's failure to come to grips with a threat to our country," said Sen. Susan Collins, the ranking Republican on the Senate Homeland Security Committee and one of the bill's chief sponsors, who had tried in vain to sway her GOP colleagues. Just four sided with her.

    But theU.S. Chamber of Commerceand other business groups strenuously opposed the measure, condemning it as excessive government interference in the free market and arguing that cumbersome federal regulations could hamper companies trying to defend against cyber intrusions.

  • 1 Every nation war games every scenario and as a part of securing the ability to realize those scenarios should they have to, they carry on things with potentially sinister applications. News at 11.

    2 Just saying this so no one gets drummed up into the idea that "this means they're going to attack!" or "this is totally outrageous !!" It is outrageous, on PlanetNice where humans are banned. Back on Earth, where humans are what they are ...goto 1

The Universe is populated by stable things. -- Richard Dawkins

Working...