Wednesday, 26 October 2011

How soon we forget

If it is not local, we forget quickly. This is nothing new. In 2008 a teenage hacker broke into the Polish rail network.

In this incident the attacker used the trains like a toy and in the process derailed four trains.

I have posted before on rail systems and SCADA, and on how these need better security. Here in NSW, Australia, we are no better. The SCADA and control engineers are afraid of anything breaking right now; what happens when an attacker actually breaks it?

In recent weeks I have been accused of creating the scenario: that the issue is my noting these flaws. It seems these individuals see an attack as a consequence of my posts, as if it could exist only because I have written on the topic.

Well, it exists.

Even had I not written on this topic, it would remain a threat. As noted above, it has really occurred: not because people such as myself made others aware of it, but because someone discovered the weakness and exploited it.

The question now is when it will happen again, not if.

1 comment:

F said...

Below are just a few examples I collected in a very short amount of time, but there are lots of examples of cyber attacks against critical infrastructure. A few examples are quoted below:
Cyber Attacks against banks
Cyber attacks against Electricity Power Grid
Releases by GAO focus concerns upon our critical infrastructure.
- In 2003: “Control systems can be vulnerable to a variety of attacks, examples of which have already occurred. Successful attacks on control systems could have devastating consequences, such as endangering public health and safety; damaging the environment; or causing a loss of production, generation, or distribution of public utilities.”
- In 2010: “As public and private organizations use computer systems to transfer more and greater amounts of money, sensitive economic and commercial information, and critical defense and intelligence information, the likelihood increases that malicious individuals will attempt to penetrate current security technologies, disrupt or disable our nation’s critical infrastructures, and use sensitive and critical information for malicious purposes.”
The status quo, or... in statu quo res erant ante... Before what? Before it happens?
Denials about the reality of focused cyber threats against critical infrastructure reside among the wider security community. There is a general tendency to believe that security through obscurity is a benefit of the complexity of SCADA systems. Such a belief holds that:
- SCADA systems are monolithic (an erroneous atomistic conception),
- SCADA protocols are customized, proprietary and functionally specialized,
- SCADA systems are physically secure and physical access control is strongly enforced,
- SCADA systems are not connected through IP or TCP.
Security through obscurity is no longer an option. For instance, let’s take the protocol DNP. DNP was developed and created to propagate and communicate alerts. In a nutshell, SCADA alerts are collected by the dedicated PLCs, IEDs and RTUs, and are then collected and communicated via UDP/TCP - DNP through the human machine interface (from raw data to human-readable and/or interpretable form). DNP was created and designed to maximize functionality and rapid performance for SCADA intercommunication, but there is no authentication mechanism integrated into the protocol itself.
There exist vulnerabilities within our critical infrastructure, and knowing, learning, or talking about existing vulnerabilities and plausible threats is necessary. Security through clarity is a substitute for security through obscurity.
As just a seed for final thoughts: millions throughout the world “know” that the World Trade Center in the U.S. was attacked in September 2001, but how many folks know that a bomb (urea nitrate) was detonated under the North Tower of the World Trade Center in February 1993 (the bomb was supposed to collapse the building)?
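The comment above makes the point that DNP carries no authentication. The following is an added example (mine, not the commenter's and not from the original post) that shows concretely what "no authentication" means at the DNP3 link layer: the only check an outstation can apply to an incoming frame is a CRC, and anyone who can reach the outstation can compute that CRC. The builder and checker below implement the real DNP3 link-layer framing (0x05 0x64 start bytes, length, control, 16-bit destination and source addresses, CRC-16/DNP over the header and over each 16-byte data block, CRCs sent low byte first). The addresses, control byte and payload bytes are constructed for the example and the application layer inside the user data is not decoded; the "forge" function simply reuses whatever source address it sees in a captured frame.

```python
# Added example: DNP3 link-layer frame builder/verifier, demonstrating that a
# frame is "valid" as soon as its CRCs match. There is no key, so integrity
# against line noise is all the link layer gives; it offers no authentication.
import struct

START = b"\x05\x64"     # fixed DNP3 link-layer start bytes
CRC_POLY_REFLECTED = 0xA6BC   # 0x3D65 bit-reversed, for the reflected algorithm


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65, init 0, reflected in/out, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def _crc_le(data: bytes) -> bytes:
    """DNP3 transmits each CRC low byte first."""
    return struct.pack("<H", crc16_dnp(data))


def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Header (10 bytes incl. CRC) followed by 16-byte data blocks, each with its own CRC."""
    if len(user_data) > 250:
        raise ValueError("link-layer user data is limited to 250 bytes")
    length = 5 + len(user_data)     # CTRL + DEST + SRC + user data; CRCs are not counted
    header = START + struct.pack("<BBHH", length, control, dest, src)
    frame = header + _crc_le(header)
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + _crc_le(block)
    return frame


def parse_frame(frame: bytes) -> dict:
    """Check every CRC and return the header fields and user data; raise on any mismatch."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 link frame")
    header, header_crc = frame[:8], frame[8:10]
    if _crc_le(header) != header_crc:
        raise ValueError("header CRC mismatch")
    length, control, dest, src = struct.unpack("<BBHH", header[2:8])
    user_len, user_data, pos = length - 5, b"", 10
    while len(user_data) < user_len:
        n = min(16, user_len - len(user_data))
        block, block_crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or _crc_le(block) != block_crc:
            raise ValueError("data block CRC mismatch")
        user_data += block
        pos += n + 2
    return {"length": length, "control": control, "dest": dest, "src": src, "user_data": user_data}


def frame_valid(frame: bytes) -> bool:
    """True when the frame parses with all CRCs correct. This is the outstation's whole check."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def forge_from_observed(observed: bytes, new_user_data: bytes) -> bytes:
    """Re-emit an observed frame with the same addresses but attacker-chosen payload.
    Nothing in the frame ties it to the real master, so the result passes frame_valid()."""
    f = parse_frame(observed)
    return build_frame(f["control"], f["dest"], f["src"], new_user_data)


if __name__ == "__main__":
    # Constructed sample: master address 1024 sending 20 bytes of user data to outstation 1.
    legit = build_frame(0xC4, dest=1, src=1024, user_data=bytes(range(20)))
    forged = forge_from_observed(legit, b"\xc1\xc1\x05\x02")   # constructed replacement bytes
    print("legit frame valid:", frame_valid(legit))
    print("forged frame valid:", frame_valid(forged), "source:", parse_frame(forged)["src"])
```

Flipping one bit in a frame makes `frame_valid` return False, which is what the CRC is for; rebuilding the frame with a different payload makes it return True again, because the CRC protects against noise, not against a party who can compute it. DNP3 later gained an optional Secure Authentication layer (IEEE 1815-2012) that adds challenge/response above this framing, but the link layer shown here, which deployed outstations accept as-is, still carries nothing but a CRC.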