Ok, that is an interesting result. I ran a honey pot BBS for a while (kremvax) which was fun to watch folks try to break into but this is more unsettling. Given the exploitable javascript also talked about at the conference it seems like if you were in a tor node you might still be able to do the equivalent of the DNS hack where private addresses are inverse spoofed.
One of the things about radar guided missiles that interested me early on is that you pretty much have to have your radar on for them to work, and if you had a radar on you could find it and kill it (hence the variety of HAARM missiles). Similarly when people are trying to exploit our search engine it is hard to obfuscate since they have to include what they are trying to find in the search query in order for it to work. And now netwar requiring network traffic which has to return to the source to be useful.
At the end of the day, it is not in China's best interest to harm the US economy.
J. P. Getty said "If you owe the bank $100 that's your problem. If you owe the bank $100 million, that's the bank's problem." We owe China a lot more than that.
Great quote. However, you're under the assumption that China will always act in the best interests of their people. You are right in that should China harm the US economy they would enter a massive recession, but who says the CPC cares?
Many civilizations (look at some of Africa and the Middle East for the last several hundred years) haven't particularly cared about their citizens beyond collecting tax. This helps to explain why North Korea and Iran do what they do despite the damage to their people.
What I don't understand is why systems like power grids and water plants need to be connected to the public internet. Why couldn't the owners of these systems lease some fiber optic cables from the internet backbone operators (AT&T, Sprint, Level 3, etc.) and set up their own control networks that are totally isolated from the internet? From what I understand, there's lots of "dark fiber" capacity that's not currently being used, so it couldn't be that expensive to lease. Or, they could just contract with the existing backbone operators to run these private secure networks for them.
And if that's too difficult or expensive, why not just set up secure VPN tunnels over existing internet connections to connect these sensitive sites?
Anyone have any insight into why this isn't happening?
Well, as far as I know "professionally run" (e.g. multi-site plants run by a big corporation with a dedicated network-security staff and so on...) industrial automation networks are using VPNs, isolation of special-purpose segments with dedicated gateways, and similar technology. This I've learned from what I could see from contemporary power-plant projects.
But "smaller" projects (for example when a few-person engineering firm builds a water plant with one or two PLCs and tries to give the owner access to monitor it from the office) still just put a port-forward to a basically unprotected device into the plastic DSL modem/router.
Why's that?
In my experience the guys running industrial automation were always very concerned about the reliability of their fieldbuses, redundancy of links, and the possibility of faults. But they only ever concerned themselves with the possibility of someone introducing faults deliberately and maliciously when we pointed it out explicitly. It was something that, in their world of professionally installed point-to-point links, in armoured cable ducts on fenced industrial plants, did not exist.
And that mindset is still very much alive in the heads of the designers/engineers but takes a lot of effort to adjust to threats as they exist these days. Without an IT/Plant security department enforcing the rules (to the annoyance of all involved parties...) convenience, cheap hardware, less labor and planning will win.
I have absolutely no special knowledge of the situation, and I share your puzzlement and frustration.
But my simple (though completely speculative) theory (and I fully expect it to be the correct one) is that security is simply not something which integrates well into our economy right now.
Our economy is based on maximizing profit and efficiency; like safety, security is extremely difficult to quantify and even harder to accurately value. Therefore companies and individuals looking to minimize their bottom line are finding it naturally difficult to justify sane implementations such as your suggestions.
The simple reality, in other words, is that our current economic system does not adequately value security until disaster happens. It would not be hard to do as you suggest, but consider this thought experiment: would you spend $150 more for plane tickets if they would reduce your chance of crashing by 0.05%?
This is a similar scenario to that which faces these infrastructure companies. Until the 0.05% contingency actually materializes, the economy (unless the risk is demonstrated as serious and imminent) rewards the -$150 option as being "the better option".
I agree with your assessment. There was a New Yorker article last week on an unrelated topic (Slow Ideas) that came to a similar conclusion about inherent inefficiencies in our market system:
"This has been the pattern of many important but stalled ideas. They attack problems that are big but, to most people, invisible; and making them work can be tedious, if not outright painful. The global destruction wrought by a warming climate, the health damage from our over-sugared modern diet, the economic and social disaster of our trillion dollars in unpaid student debt—these things worsen imperceptibly every day. Meanwhile, the carbolic-acid remedies to them, all requiring individual sacrifice of one kind or another, struggle to get anywhere."
The article continues in a health-care context to discuss the importance of doing-things-that-don't-scale efforts to educate and change behavior. I anticipate the connection here would be some utility-by-utility effort to subscribe to best practice. I worry the opposite will occur.
These places are owned by many private companies, who might not understand the threats they face, or there is a culture where it is not a priority, plus there is no standard between these many companies, each has rolled their own solutions. Some might not be connected to the internet, but others are, there is a total mismatch between them. So, government has started to step in, by creating cybersecurity standards for infrastructure [1]. This will hopefully create a standard for everyone to start locking down their infrastructure in a consistent and reproducible way. This also plays into the moves to reduce data centers across the government [2], so they can create a standard, and hopefully reduce their security exposure.
And many are monopolies that have little incentive to prepare for black swans. They will just be bailed out or allowed to raise rates to clean up a catastrophe.
Tokyo Electric Power Company in Japan was allowed to borrow billions after their colossal failure at Fukushima. A failure that could have been avoided with better planning. But with no competition, what incentive was there?
Medium & large utilities frequently do run their own fiber and/or microwave links. These places also tend to have some level of infosec awareness.
Small municipal utilities (primarily water/wastewater treatment) frequently do very bad things* for convenience and because they don't know better or they take the view that nobody would want to attack them. If a security audit was required along with the water quality testing they'd learn pretty quickly...
* Things like not separating control and office networks, open wifi that is "secure" because DHCP is disabled, plain open wifi on the control network, etc.
The attack was launched via an infected Word file. You can separate your internal network from the public Internet - which power companies do - but that only reduces your attack surface, it doesn't eliminate it. Attack vectors are still available.
Why can those online newspapers never cite/link to the original works? Or at least cite the correct title of the talk, so it's easily googleable? It's a pity.
I don't understand why these systems need to be on the Internet. If engineers really need to be able to connect to them remotely, those seeking to connect shouldn't be establishing the connection, just requesting that one be established. Like the old modem connections where you just wait for a call at an already known phone number.
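The "request a connection, don't establish one" pattern from the comment above, as an added illustration (not code from the original thread): the gateway on the plant side only ever dials out to addresses in its own call-back book, so a request cannot steer the session to whatever address the requester claims. All names, keys and addresses are constructed for the example.

```python
"""Dial-back remote access for a plant control network (constructed example).

The remote party never opens a session to the PLC network; it only leaves a
request. The gateway then calls back to an address it already knows, so a
request cannot redirect the connection anywhere else.
"""
from dataclasses import dataclass
import hashlib
import hmac

# Constructed call-back book: the only places the gateway will ever dial out to.
CALLBACK_BOOK = {
    "eng-alice": ("10.20.0.11", 2222),
    "eng-bob": ("10.20.0.12", 2222),
}
# Constructed shared secrets that authenticate the request itself.
REQUEST_KEYS = {
    "eng-alice": b"alice-key-constructed",
    "eng-bob": b"bob-key-constructed",
}
MAX_AGE_S = 60  # requests older than this are treated as replays


@dataclass
class Request:
    requester: str   # who is asking
    issued_at: int   # unix time the request was made
    return_to: str   # address the requester *claims*; deliberately ignored
    tag: str         # HMAC-SHA256 over "requester|issued_at"


def _tag(key: bytes, requester: str, issued_at: int) -> str:
    return hmac.new(key, f"{requester}|{issued_at}".encode(), hashlib.sha256).hexdigest()


def make_request(requester: str, key: bytes, return_to: str, now: int) -> Request:
    """Build the request an engineer's workstation would leave at the gateway."""
    return Request(requester, now, return_to, _tag(key, requester, now))


def accept_request(req: Request, now: int):
    """Return the (host, port) the gateway will dial out to, or None if refused."""
    key = REQUEST_KEYS.get(req.requester)
    if key is None:
        return None                                  # unknown party: nothing to dial
    if not 0 <= now - req.issued_at <= MAX_AGE_S:
        return None                                  # stale or future-dated request
    if not hmac.compare_digest(_tag(key, req.requester, req.issued_at), req.tag):
        return None                                  # request not from the claimed party
    # Destination comes from the gateway's own book, never from the request.
    return CALLBACK_BOOK[req.requester]
```

The `return_to` field exists only to show that a requester-supplied address has no influence on where the gateway connects.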
If Snowden is to be believed, the US is sponsoring attacks on Hong Kong infrastructure (and probably Chinese as well, though I only know of him releasing a list of IP addresses in Hong Kong).
2 wrongs don't make a right - but how many countries have had their infrastructure attacked by the US in the last few years? The US ways (that I know of) usually involved explosives however.
Imagine an attack on the power grid. Now think about a large portion of the US without electricity, and it won't come back because these hackers have full control of the power grid.
The only thing scarier than terrorists? Cyber-terrorists, right?!
The paranoid, cynical parts of me think this system was set out with flashing lights so it would be easily compromised, so people can justify "cyber-security" bills like CISPA.
It doesn't even take a lot of cynicism or conspiracy theory to believe the powers that be had a wishlist before 9/11, hence USAPATRIOT Act etc. If we have a "cyber-9/11", I'm sure they'll be ready with that wishlist too, and octogenarian technophobic legislators will be more than happy to do their part to look like they're doing something.
It isn't in China's interest to switch off the US power grid - because then how would those 313 million people recharge their iPads, iPhones, tablet or switch on their LCD televisions, laptop computers or wash their trainers, socks, shirts etc. that all come from China?
That's why I don't believe this was targeted. There is nothing China can learn from US automation systems. If they need to break into them in the future they would be able to. More interesting is business intelligence. This sounds like an automated phishing campaign that just happened to step on a control system.
- Some areas lost water pressure because pumps lacked power. This loss of pressure caused potential contamination of the water supply.
- With the power fluctuations on the grid, power plants automatically went into "safe mode" to prevent damage in the case of an overload. This put much of the nuclear power normally available offline until those plants could be slowly taken out of "safe mode".
- Amtrak's Northeast Corridor railroad service was stopped north of Philadelphia, and all trains running into and out of New York City were shut down.
- Many gas stations were unable to pump fuel due to lack of electricity. In North Bay, Ontario, for instance, a long line of transport trucks was held up, unable to go further west to Manitoba without refueling. In some cities, traffic problems were compounded by motorists who simply drove until their cars ran out of gas on the highway.
- Cellular communication devices were disrupted. This was mainly due to the loss of backup power at the cellular sites where generators ran out of fuel.
- Large numbers of factories were closed in the affected area, and others outside the area were forced to close or slow work because of supply problems and the need to conserve energy while the grid was being stabilized.
This was just a few days. Imagine 30 days of this. It would be total chaos. A lot of people forget how much we rely on electricity and the power grid.
The question is, how do they maintain full control over the grid for a month, when all the network equipment they rely on to hack the grid relies on electricity to operate?