Showing posts with label Scada. Show all posts

May 9, 2019

@National Cybersecurity Center of Excellence



So good today to visit the NIST Cybersecurity Center of Excellence (NCCoE).

The cybersecurity solutions developed are aligned to the well-known Cybersecurity Framework (CSF). 

Got to see some of the laboratories, including demonstrations for securing the Healthcare and Energy Sectors. 

Interesting to hear about examples for securing hospital records and even things like infusion pumps.

The medical devices are tricky to secure, because they are built to potentially last decades and are expensive to replace, but the underlying technology changes every couple of years. 

Also, learned more about securing the energy sector and their industrial control systems.  

One scary notable item mentioned was about the "big red button" for shutdown in many of these facilities, but apparently there is malware that can even interfere in this critical function. 

It is imperative that as a nation we focus on critical infrastructure protection (CIP) and continuously enhancing our security.

Time is of the essence: as our adversaries improve their game, we need to be urgently upping ours. ;-)

(Source Photos: Andy Blumenthal)

June 6, 2018

Radio-Activity

So earlier in the week, I had a great opportunity to visit the NIST Center for Neutron Research (NCNR). 

It was fascinating to see the reactor, control room, and all the cool experiments--not things you see every day, right? 

For safety, we had to wear devices that measured radioactivity and also go through machines that checked us afterward. 

When one person in our group went through the scanner, it went off with a red alert, and the poor individual obviously got really scared--like OMG is there some contamination on me or something.

But they went through again and it turned out it was just a false positive, thank G-d. 

I guess these really can be dangerous substances to work around, but still so marvelous how the scientists harness these neutron beams and direct them to all sorts of fascinating scientific experiments.

Being around all this science makes me wonder aloud whether, if I could do it all again, I would pursue an education in one of these amazing scientific disciplines and work in the lab like a "mad scientist"--exploring and discovering new things and figuring out the mysteries of the universe and how the world really works.

What a fun, fun field to work in!  ;-)

(Source Photo: Andy Blumenthal and Art by 4th grader, Phillip Kenney)

October 19, 2017

Never Ever More Vulnerable

So we have never been more technologically advanced. And at the same time, we have never been more vulnerable.

As we all know, our cybersecurity has not kept near pace with our ever-growing reliance on everything technology.

There is virtually nothing we do now-a-days that does not involve networks, chips, and bits and bytes. 

Energy
Transportation
Agriculture
Banking
Commerce
Health
Defense
Manufacturing
Telecommunications

If ANYTHING serious happens to cripple our technology base, we are toast!

From a crippling cyberattack that disables or hijacks our systems, steals or locks down our data, or creates massive chaotic misinformation flow to an EMP blast that simply fries all our electronic circuitry--we are at the mercy of our technology underpinnings.

Don't think it cannot happen!

Whether it's WannaCry ransomware or the Equifax breach of our privacy data or the Kaspersky Labs hidden backdoor to our top secret files or North Korea threatening to hit us with an EMP--these are just a few of the recent cyber events of 2017!

Technology is both a blessing and a curse--we have more capability, more speed, more convenience, more cost-effectiveness than ever before, but also there is greater vulnerability to complete and utter death and destruction!

This is not just a risk that life could become more difficult or inconvenient--it is literally an existential threat, but who wants to think of it that way?

People, property, and our very society are at risk when our cybersecurity is not what it must be.

It's a race of defensive against offensive capability. 

And we can't just play defense, we had better actually win at this! ;-)

(Source Photo: Andy Blumenthal)

April 12, 2016

Turn, Press, Pull -- Gonna Get Ya

So as I go around town, I see more and more of these industrial-type control panels. 

The problem is that they are stupidly in the open and unprotected or otherwise easily defeated.  

While probably not a serious threat of any sort, this one apparently is a unit to control some fans in an underground garage open to the public. 

You see the knobs you can just turn.

And one with a yellow warning sticker above it.

As if that will keep someone with bad intentions from messing with it. 

You also see the red and yellow lights...hey, let's see if we can make those flash on, off, on.

Panel 13, nicely numbered for us--let's look for 1 to 12 and maybe 14+.

It just continues to amaze me that in the age of 9/11 and all the terrorism (and crime) out there that many people still seem so lackadaisical when it comes to basic security. 

Anyone in the habit of leaving doors and gates open, windows unlocked, grounds unmonitored, computers and smart phones without password protection, data unencrypted and not backed up, even borders relatively wide open, and so on. 

Of course, we love our freedom and conveniences.

We want to forget bad experiences.

Could we be too trusting at times?

Maybe we don't even believe anymore that the threats out there are impactful or real.

But for our adversaries it could just be as simple as finding the right open "opportunity" and that's our bad. ;-)

(Source Photo: Andy Blumenthal)


November 22, 2014

Dire Warnings On CyberSecurity

This week Adm. Michael Rogers, the Director of the National Security Agency and head of U.S. Cyber Command issued a stark warning to the nation about the state of cybersecurity:

With our cybersecurity over the next decade, "It's only a matter of the 'when,' not the 'if,' that we are going to see something dramatic."

The Wall Street Journal reports that he gave "a candid acknowledgement that the U.S. ISN'T yet prepared to manage the threat!"

China and "one or two others" [i.e. Russia etc.] are infiltrating our SCADA networks that manage our industrial control systems, including our power turbines and transmission systems.

The cyber spies from the nation states are "leaving behind computer code that could be used to disable the networks in the future."

Can you imagine...you must imagine, you must prepare--not if, but when. 

(Source Photo: Andy Blumenthal)

March 9, 2014

SCADA in Pictures




So SCADA are Supervisory Control and Data Acquisition systems.

They are a form of Industrial Control Systems (ICS) that monitor and control major industrial processes from power generation, transmission, and distribution, to water treatment, chemical production, air traffic control, traffic lights, building controls, and more. 

These are part of our nation's critical infrastructure. 

In the lab, we are able to use tools to capture and analyze communication packets and edit and re-use them to: 

- Turn on and off lights

- Open/close perimeter gates

- Control water and gas pipelines

- And even open and close a bridge

This was very scary!

No one, unauthorized, should be able to do this in real life, in the physical world. 

This is a major security vulnerability for our nation:

- SCADA systems should not be openly available online, and instead they should be able to be controlled only either locally or remotely through an encrypted virtual private network (VPN).

- SCADA systems should not be available without proper access controls--there must be credentials for user id and passwords, and even two-step authentication required. 

No one but vetted, cleared, authorized, and trained personnel should be able to monitor and control our critical infrastructure--otherwise, we are giving them the keys to disrupt it, destroy it, and use it for terror. 

We owe our nation and families better, much better. 

(Source Photos from lab: Andy Blumenthal)


September 28, 2013

Insuring Against Cyber Attacks

More and more, our technology is at risk of a cyber attack. 

In fact, just today the Wall Street Journal reported that Iran has hacked into the Navy's unclassified network. 

While we can fix the computers that were attacked, the damage done in terms of data exfiltration and malware infiltration is another matter.

To fix the computers, we can wipe them, swap out the drives, or actually replace the whole system. 

But the security breaches still often impose lasting damage, since you can't get the lost data or privacy information back or as they say "put the genie back in the bottle."

Also, you aren't always aware of hidden malware that can lie dormant, like a trojan horse, nor can you immediately contain the damage of a spreading computer virus, such as a zero-day attack. 

According to Federal Times, on top of more traditional IT security precautions (firewalls, antivirus, network scanning tools, security settings, etc.), many organizations are taking out cybersecurity insurance policies.

With insurance coverage, you transfer the risk of cybersecurity penetrations to cover the costs of compromised data and provide for things like "breach notification to victims, legal costs and forensics, and investigative costs to remedy the breach."

Unfortunately, because there is little actuarial data for calculating risks, catastrophic events such as "cyber espionage and attacks against SCADA industrial controls systems are usually not covered. 

DHS has a section on their website that promotes cybersecurity insurance where they state that the Department of Commerce views cybersecurity insurance as an "effective, market-driven way of increasing cybersecurity," because it promotes preventive measures and best practices in order to lower insurance premiums and limits company losses from an attack. 

Moreover, according to the DHS Cybersecurity Insurance Workshop Readout Report (November 2012) cybersecurity insurance or risk transfer is the fourth leg of a comprehensive risk management framework that starts with risk acceptance, risk mitigation, and risk avoidance. 

I really like the idea of cybersecurity insurance to help protect organizations from the impact of cybersecurity attacks and for promoting sound cybersecurity practices to begin with.  

With cyber attacks, like with other catastrophes (fire, flood, accident, illness, and so on), we will never be able to fully eliminate the risks, but we can prepare ourselves by taking out insurance to help cover the costs of reconstituting and recovery. 

Buying insurance for cybersecurity is not capitulating our security, but rather adding one more layer of constructive defense. ;-)

(Source Photo: Andy Blumenthal)

July 21, 2013

Like Buying A Nuke On The Black Market

Buying a serious computer vulnerability is now like acquiring a nuke on the black market. 

Nations and terrorists will pay to find the fatal flaw in computer programs that will enable them to perpetrate everything from subversive cyber spying to potentially massively destructive cyber attacks. 

As the world is focused on nuclear non-proliferation, computer weapons are the new nukes--able to do everything from a targeted strike on an organization or agency to taking out vast swaths of our nation's critical infrastructure.

According to the New York Times (13 July 2013), there is a great interest in buying "zero-day exploits"--one where governments or hackers can strike using a computer vulnerability before anyone even knows about it and can correct it. 

The average zero-day exploit persists for "312 days--before it is detected"--giving ample time for attackers to cash in!

Brokers are now working to market the computer flaws for a 15% cut, with some even "collecting royalty fees for every month their flaw is not discovered."

The average flaw "now sells for around $35,000 to $160,000" and some companies that are selling these are even charging an annual $100,000 subscription fee to shop their catalog of computer vulnerabilities in addition to the cost for each one that varies with its sophistication and the pervasiveness of the operating system behind the exploit.

While governments and terrorists are on the prowl to buy the exploits for offensive purposes, technology companies are competing to purchase them and are offering "bug bounties" in order to identify the flaws and fix them before they are exploited. 

We've come a long way from people and organizations buying software with their regular upgrades and patches to nations and hackers buying the knowledge of the flaws--not to patch--but to spy or harm their adversaries. 

You can buy the bomb shelter or software patch, but someone else is buying the next more lethal bomb or vulnerability--the question is who will pay more to get the next exploit and when and how will they use it. 

(Graphic by Andy Blumenthal adapted from here with attribution for the mushroom cloud photo to Andy Z.)

July 3, 2013

Magic Computer Displays


This is some awesome technology from Tactus Technology.

It is called a dynamic tactile touchscreen.

Here's how it works:

When you want to type with a tablet or other touchscreen display, not only do you see a QWERTY keyboard, but also the buttons actually rise out of the flatscreen display--for a tactile typing experience.

Using microfluidics, the fluids in the screen actually change shape--and form buttons.

When you're done typing, the keyboard buttons melt away back down into the screen.

It all happens in a split second and has negligible impact on power consumption (i.e. less than 1%). 

This type of tactile experience with computer displays can be used for tablets, smartphones, gaming devices, and I would imagine even SCADA devices (e.g. for turning a dial, pulling a lever, etc. all virtually on a monitor).

Goodbye physical controls and hello magic touchscreen--presto chango.  ;-)

May 26, 2013

Mayim Chaim

You can only live about 3 days without water--that's why protecting our water is so critical.

Emergency Management (May/June 2013) says, "There are numerous ongoing threats to our water supply. Some of them [natural or man made] could be catastrophic."

- Water poisoning: Already in the 1st century, Roman Emperor Nero poisoned the wells of his enemies.  These days you'd need a large supply, like "several dump trucks of cyanide or arsenic to poison a reservoir.  Plus the water system is monitored and has purification protections such as chlorine, so it's not that simple. We can also issue "boil alerts" for people to boil the water before drinking it. Then again, we saw what some radiation did to the Japanese water supplies after Fukushima.

- Blowing it up: The water system infrastructure can be disrupted using explosives, so keeping intruders far away from it is important to keeping it safe.

- Earthquakes/Hurricanes: Much of the water system pipes are old--some built during the Civil War--and these can be destroyed by natural disasters or even a construction crew jackhammer hitting in the wrong place. 

- Electrical outage: If you shut down the electricity, you shut down the water pumps...and even with generators taking over for a while, you're up against the clock, if you don't get the juice flowing again soon.

- Cyber Attack: Our water systems, like other industrial control systems are vulnerable to cyber attack. A hacker that gets control of the systems could overheat it, overtreat it, flood it, or otherwise break it and shut it down. 

Keeping our water infrastructure secure, the water supply safe and potable, the transport pipes intact, the electricity working, and the systems under control--are not little matters--they are the difference between life and death for millions. 

As in The Rime of The Ancient Mariner, when the ship gets blown off course into uncharted waters and the crew is thirsty for water and desperate to survive, the poet states, "Water, Water. Everywhere. And All The Boards Did Shrink; Water, Water, Everywhere. Nor Any Drop To Drink."

In Hebrew, there is a short saying that sums up this topic, "Mayim Chaim"--water is life. ;-)

(Source Photo: Dannielle Blumenthal)


February 27, 2013

Cyberweapons Power Up

If you haven't heard of Project Aurora, this is a wonderful segment from 60 Minutes on this cyberwar project.

Faced with some of the worst case scenarios for cybergeddon, Idaho National Labs set out in 2007 to test what would happen to a 27-ton power generator if the researchers hacked into it from a mere laptop. 

The turbine was sent instructions that would essentially tear itself apart--and in the video you can see what happened--it shudders, shakes, smokes, and ultimately destroys itself. 

The test was a grand success demonstrating our capabilities to conduct cyberwar operations against an adversary.  

Interestingly, Reuters reported the Symantec researchers "uncovered a version of Stuxnet from the end of 2007 that was used to destroy two years later about 1,000 Iranian centrifuges used in their Natanz nuclear uranium enrichment facility for alleged development of weapons of mass destruction. 

The flip side of this cyberwar test is the realization of the potential blowback risk of cyberweapons--where adversaries can use similar technology over the Internet against our critical infrastructure--such as SCADA industrial control systems for the power grid, water treatment, manufacturing, and more--and cause potentially catastrophic events.

As stated toward the end of the video, this is a type of "pre 9/11 moment" where we identify a serious threat and our vulnerability and we need to act to prevent it--the question is will we? 
