Showing posts with label Industrial Control Systems. Show all posts
Showing posts with label Industrial Control Systems. Show all posts

May 9, 2019

@National Cybersecurity Center of Excellence



So good today to visit the NIST Cybersecurity Center of Excellence (NCCoE).

The cybersecurity solutions developed are aligned to the well-known Cybersecurity Framework (CSF). 

Got to see some of the laboratories, including demonstrations for securing the Healthcare and Energy Sectors. 

Interesting to hear about examples for securing hospitals records and even things like infusion pumps.  

The medical devices are tricky to secure, because they are built to potentially last decades and are expensive to replace, but the underlying technology changes every couple of years. 

Also, learned more about securing the energy sector and their industrial control systems.  

One scary notable item mentioned was about the "big red button" for shutdown in many of these facilities, but apparently there is malware that can even interfere in this critical function. 

It is imperative that as a nation we focus on critical infrastructure protection (CIP) and continuously enhancing our security.

Time is of the essence as our adversaries improve their game, we need to be urgently upping ours. ;-)

(Source Photos: Andy Blumenthal)
Share/Save/Bookmark

April 12, 2016

Turn, Press, Pull -- Gonna Get Ya

So as I go around town, I see more and more of these industrial-type control panels. 

The problem is that they are stupidly in the open and unprotected or otherwise easily defeated.  

While probably not a serious threat of any sort, this one apparently is a unit to control some fans in an underground garage open to the public. 

You see the knobs you can just turn.

And one with a yellow warning sticker above it.

As if that will keep someone with bad intentions from messing with it. 

You also see the red and yellow lights...hey. let's see if we can make those flash on, off, on.

Panel 13, nicely numbered for us--let's look for 1 to 12 and maybe 14+.

It just continues to amaze me that in the age of 9/11 and all the terrorism (and crime) out there that many people still seem so lackadaisical when it comes to basic security. 

Anyone in the habit of leaving doors and gates open, windows unlocked, grounds unmonitored, computers and smart phones without password protection, data unencrypted and not backed up, even borders relatively wide open, and so on. 

Of course, we love our freedom and conveniences.

We want to forget bad experiences.

Could we be too trusting at times?

Maybe we don't even believe anymore that the threats out there are impactful or real.

But for our adversaries it could just be as simple as finding the right open "opportunity" and that's our bad. ;-)

(Source Photo: Andy Blumenthal)

Share/Save/Bookmark

March 9, 2014

SCADA in Pictures




So SCADA are Supervisory Control and Data Acquisition systems.

They are a form of Industrial Control Systems (ICS) that monitor and control major industrial processes from power generation, transmission, and distribution, to water treatment, chemical production, air traffic control, traffic lights, building controls, and more. 

These are part of our nation's critical infrastructure. 

In the lab, we are able to use tools to capture and analyze communication packets and edit and re-use them to: 

- Turn on and off lights

- Open/close perimeter gates

- Control water and gas pipelines

- And even open and close a bridge

This was very scary!

No one, unauthorized, should be able to do this in real life, in the physical world. 

This is a major security vulnerability for our nation:

- SCADA systems should not be openly available online, and instead they should be able to be controlled only either locally or remotely through an encrypted virtual private network (VPN).

- SCADA systems should not be available without proper access controls--there must be credentials for user id and passwords, and even two-step authentication required. 

No one but vetted, cleared, authorized, and trained personnel should be able to monitor and control our critical infrastructure--otherwise, we are giving them the keys to disrupt it, destroy it, and use it for terror. 

We owe our nation and families better, much better. 

(Source Photos from lab: Andy Blumenthal)

Share/Save/Bookmark

September 26, 2010

Now The Computer War Games Are Real

The Associated Press is reporting that the Iranian Bushehr Nuclear Plant has been hit with a sophisticated computer worm called Stuxnet.

The Iranian nuclear program hit has been claimed for civil nuclear power but has long been suspected of being a cover for making weapons, and Iran has been unabashedly vocal about its hostile intent to many nations, even going so far as to openly threaten some, especially Israel, with complete “annihilation.”

The technical aspects of Stuxnet as a weapon are fascinating, for this is the first computer program “specifically created to take over industrial control systems.” Another article in U.K.’s The Guardian quotes another source as saying it is “one of the most refined pieces of malware ever discovered.”

This worm works by exploiting Windows operating systems security holes and taking over critical infrastructure SCADA systems (AKA Supervisory Control And Data Acquisitions systems or industrial control systems).

What is maybe even more amazing than the technical feat of Stuxnet, is that for months or years, everyone has been focused on and hypothesizing about when a traditional military strike was going to occur to the ever menacing Iranian nuclear threat. However, instead of conventional planes and bombs making a big bang (remember “shock and awe”), we get a silent but “very sophisticated” cyber worm that no one seems to have expected.

So times have certainly changed and with it warfare. Prior military engagements occurred on land, sea, and air with kinetic “bang/boom” weapons. Today they have a new domain in cyberspace with bits and bytes that are just as impactful. But I think what hasn’t really hit home with most people is that cyber war is not just virtual, like playing a video game (like the SIMS) or acting out in virtual reality (like Second Life); cyberwarfare starts online but has real physical ramifications as we see with the Stuxnet worm. Industrial systems like nuclear plants or hosts of other critical infrastructure (in manufacturing, energy, telecommunications, etc.) can be taken out with cyber bombs just like with real bombs maybe even better, faster, cheaper, and cleaner (less collateral damage).

We had all better be prepared for the fight in this new realm as the potential damage is as real as any we have ever seen before.

Share/Save/Bookmark