
Kansas Water Facility Switches to Manual Operations Following Cyberattack (securityweek.com) 28

A small city in Kansas switched was forced to switch its water treatment facility to manual operations after a suspected cyberattack was discovered on September 22. The precautionary measure was taken "to ensure plant operations remained secure," the city said. It reassured residents that the drinking water is safe and the water supply remains unaffected. SecurityWeek.com reports:

Arkansas City says it has notified the relevant authorities of the incident and that they are working with cybersecurity experts to address the issue and return the facility's operations to normal. "Enhanced security measures are currently in place to protect the water supply, and no changes to water quality or service are expected for residents," the city said. While the city's notification does not share further details on the incident, it appears that the water treatment plant might have fallen victim to a ransomware attack. Switching to manual operations suggests that systems were shut down to contain the attack, which is the typical response to incidents involving ransomware.

  • Good (Score:5, Insightful)

    by PhantomHarlock ( 189617 ) on Tuesday September 24, 2024 @09:15PM (#64814929)

    Good, now leave it that way. By placing critical infrastructure online we've created a lazy way for anyone who doesn't like us to bring us down while sitting in their underwear anywhere in the world.

    Can we all agree at this point there is no such thing as 'secure' when it comes to being connected to the wider internet? Hell, Natanz, which was disconnected from the internet, was *much* harder to sabotage, but they did it. The point is, we should make it that hard for all critical infrastructure. Put it offline and keep it there.

    • Re:Good (Score:5, Insightful)

      by davidwr ( 791652 ) on Tuesday September 24, 2024 @10:44PM (#64815047) Homepage Journal

      Can we all agree at this point there is no such thing as 'secure' when it comes to being connected to the wider internet?

      You can communicate with the wider internet without being on the internet.

      Industrial systems like this can have outbound status/alarm/I'm-still-alive communication with the outside world via a gateway to the internet. While I would discourage inbound communication from the internet there is good reason to have remote-control over an isolated communications network for things like "emergency shutdown" if the equipment is at an unmanned location or you want a backup "go into safe mode" plan in case everyone (or the only person) at the location is simultaneously incapacitated.
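
The zone model in the comment above (outbound status through a gateway, no inbound from the internet, remote control only over an isolated network) can be checked against a rule table. This is an added example, not part of the original comment; the zone names, service labels and sample rules are assumptions made up for illustration.

```python
# Added example: audits a constructed zone-to-zone rule table against the
# model described in the comment. Zone names, services and rules are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # zone the connection is initiated from
    dst: str      # zone the connection is accepted in
    service: str  # label for the traffic
    action: str   # "allow" or "deny"

# Services that only report plant state; anything else leaving OT is flagged.
STATUS_SERVICES = {"status", "alarm", "heartbeat"}

def audit(rules):
    """Return (rule, reason) pairs for allow rules that break the model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst == "ot" and r.src == "internet":
            findings.append((r, "inbound from internet to plant network"))
        elif r.dst == "ot" and r.src != "isolated_mgmt":
            findings.append((r, "control path not on the isolated network"))
        elif r.src == "ot" and r.dst == "internet":
            findings.append((r, "plant reaches internet directly, bypassing gateway"))
        elif r.src == "ot" and r.dst == "gateway" and r.service not in STATUS_SERVICES:
            findings.append((r, "non-status traffic leaving plant"))
    return findings

# Constructed sample rule set (not from any real facility).
SAMPLE_RULES = [
    Rule("ot", "gateway", "heartbeat", "allow"),
    Rule("ot", "gateway", "alarm", "allow"),
    Rule("gateway", "internet", "status", "allow"),
    Rule("isolated_mgmt", "ot", "emergency_shutdown", "allow"),
    Rule("internet", "ot", "remote_desktop", "allow"),
    Rule("gateway", "ot", "remote_desktop", "allow"),
    Rule("ot", "internet", "vendor_update", "allow"),
    Rule("internet", "ot", "any", "deny"),
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst} [{rule.service}]: {reason}")
```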

    • by will4 ( 7250692 ) on Tuesday September 24, 2024 @11:29PM (#64815113)

      Shouldn't public utilities and critical infrastructure do regular disaster planning at different levels?

      1. Single non-critical system failure
      2. Multiple critical system failures
      3. Internet / network connectivity goes down for 48 hours
      4. Cyberattack, fall back to manual operations

      Some level of those may not be possible, but as far as can be reasonably done there should be planning and actual testing of disaster recovery.

      And, rebooting all the Windows XP machines is specifically excluded from a disaster recovery test

    • "now leave it that way"

      Sure, just get everyone to pay the higher taxes so we can staff at these levels all the time instead of on an emergency basis.

      • Nope, the taxes were never lowered when this shit was deployed, so why should they go up when it's removed? People are far cheaper than computers anyway. Because for every business that has a computer, they need an IT guy, and if not, then an IT company. Think of all the money they'll save.

    • It seems to me that they handled this pretty well. When disaster struck, they had a fallback plan and implemented it. That's how DR works. You consider the risks, mitigate them, and then make cost/benefit decisions. If a sports player gets a concussion playing their game of choice, we don't ban all sports. We take the risk into account and work to reduce it, and we keep playing.

      Being connected to the internet has many advantages, including being able to lower costs. Just because an incident occurs, doesn't

    • by tlhIngan ( 30335 )

      Good, now leave it that way. By placing critical infrastructure online we've created a lazy way for anyone who doesn't like us to bring us down while sitting in their underwear anywhere in the world.

      Can we all agree at this point there is no such thing as 'secure' when it comes to being connected to the wider internet? Hell, Natanz, which was disconnected from the internet, was *much* harder to sabotage, but they did it. The point is, we should make it that hard for all critical infrastructure. Put it offli

      • The most insecure part of any computer network is the humans using it. Replacing computers with humans just makes them the hacking target.

        This is the dumbest shit I've ever heard. Come over to my house and hack me, big boy.

  • by Joe_Dragon ( 2206452 ) on Tuesday September 24, 2024 @09:15PM (#64814931)

    our windows XP box with team viewer broke down so now we go manual.

    • You jest but I'll bet that's exactly what this is.
      • Amen to that. Every SCADA water system I've seen has the most awful security and is usually so old it belongs in a museum. Almost.

        How there hasn't been a major incident yet is beyond me.

        • by martin-boundary ( 547041 ) on Wednesday September 25, 2024 @07:40AM (#64815677)
          Major incidents are not what hackers do. It's the exception.

          You should think of hackers as scouts, their job is to explore, find connections and vulnerabilities, test the waters. The point is to make a list of compromised hosts, and to take over the systems just to see if it's possible, to see how to do it, without being too obvious or destructive. Then the hackers leave, and come back a few months later just to check it still works.

          The major incidents are reserved for when the war starts.

  • A small city in Kansas switched was forced to switch its water treatment facility to manual operations

    Where is "Kansas switched" located? I searched for it on a map and I couldn't find anything...

  • Mad as hell (Score:4, Insightful)

    by az-saguaro ( 1231754 ) on Tuesday September 24, 2024 @11:24PM (#64815105)

    In the early computer era, c1950-1980, computers inspired sci-fi books, movies, tv's that explored the upside and the noir cautionary downside, but mostly it was fun, and the overall tenor about computers was one of optimism.

    Circa 1980-2005, the PC age, then the early internet and smartphones brought even more exuberant optimism for the wonderful ways they would change our lives.

    Make no mistake about it, the benefits and upside optimism are real - but they have been overshadowed.

    The negatives and criminal abuse have overtaken the news, and the problems have spiraled beyond comprehension in the past 20 years.
    In the "two to tango" principle of human society, the partner or facilitators of the criminals are the victims. People or organizations buy into or believe the hype of what some software or system can do, for the usual reasons - riding the bandwagon, fomo, the emperor's new clothes, a sucker's born every minute, fomo, a fool and his money are soon parted, fomo - and similar weak minded excuses to switch your enterprise to new computer technologies "just because".

    Sure, many enterprises or systems do indeed need technology, but many worked fine for decades or centuries without computer "help", but they made the switch because "wow, that's cool, we need that too".

    In the same vein of this article, the adjacent Slashdot post on air traffic control systems has this comment by davidwr ( 791652 ):
    https://news.slashdot.org/stor... [slashdot.org]
    Quote:

    Not a problem. My income-tax suite runs just fine on mid-20th-century tech, namely, a ballpoint pen and paper.

    Computerizing systems that can run fine without them brings risks.
    It costs money for services and products from outside, often shady, unvetted, or unreliable vendors.
    It deadens the worker skills who then maintain software instead of machinery, addles their brains and system knowledge.

    Switching to manual operations reduces tech risk.
    It creates local employment.
    It maintains brains and vital skills.

    It seems to me that the three main technological advances of computers in the past 5-10 years are:
    Creeping invasion of privacy and abuse by companies and government.
    Criminal activities and quasi-criminal such as crypto.
    AI

    None of these are hardware or foundational tech achievements, just more effort to use well-established tech for nefarious purposes, sadly ignored by corrupt and dysfunctional "governments" everywhere.

    I suspect - or at least hope - we will start seeing more and more articles like this - small companies, people, municipalities, organizations, etc. fighting back by getting rid of the problem which is the tech.

    For modernists who cannot imagine life without their cell phones and Facebook and Tinder accounts, this is not a return to a Neolithic lifestyle. It is potentially a return to a more balanced lifestyle when people had, or are taking back, some basic controls and privacy and protection in their lives.

    Enough is enough.
    Like Howard Beale said in the 1976 movie Network, "I'm as mad as hell, and I'm not gonna take this anymore."
    Maybe we are starting to see the start of a new movement.

    Or, maybe people are so brain-addled at this point that they still do not care.
    Interesting times.
    We shall see.

    • by kackle ( 910159 )
      I've been in water for 20 years, have two hardware patents in the field and used to teach state-EPA-certified classes for professional credits for the attendees. This post is spot on.

      And since the incoming kids only know "Ethernet", that's the hammer they swing. Serial data (over wires and radio) were common when I started; despite some of the tradeoffs, one can't really hack "serial" unless he is present locally, and even that would be limited.

      Further, to the IT and desk jockeys who think these sy
      • I've been in water for 20 years

        Your skin must be pretty wrinkled by now.
        I have an app for that.

        Seriously though, thanks for the kind words and the additional examples.

        • by kackle ( 910159 )

          Your skin must be pretty wrinkled by now. I have an app for that.

          Does it come with rice to dry out the phone afterward?

  • Nation state sponsored hackers testing the waters so to speak? Practice on the small fish before reeling in the big catch.

    • Nation state sponsored hackers testing the waters so to speak?

      I don't think so.

      Nation states don't put their cards on the table for low stakes.

      Sure, they may learn something from an attack, but the defender will learn far more.

      This was a kid in a basement. Maybe it was Suki [youtube.com].

  • by BrendaEM ( 871664 ) on Wednesday September 25, 2024 @03:04AM (#64815369) Homepage
    This should be a no-brainer: get mission critical infrastructure off of the internet.
    • This should be a no-brainer: get mission critical infrastructure off of the internet.

      WhAAAAt? But that's NOT what Gardner says to do. It's off to "Complete Online AI" for us -- there, we don't have to do anything but watch the glorious computers control our entire physical planet!

      Just THINK of it -- Google Mini and Amazon's Alexa (and now Rufus) existing EVERYWHERE and managing your fridge, cooking your meals, and managing your bank account.

      "Alexa, cook me a steak."
      - "I'm sorry Dave, I can't do that. Your daily subscription fees haven't gone thru yet since your bank account is ne

  • Someone found the internet facing VNC service running on a Windows XP computer and guessed the password (probably "waterwet" or something)...

  • Why would the system not be air gapped from the internet, or was there a physical intrusion?
